Guest Account will not go away


  • This topic is locked
38 replies to this topic

#1 IMDOUGIE


  • Members
  • 22 posts

Posted 25 May 2011 - 11:23 PM

Here's the quick and dirty.

Win XP, Media Edition (Home), SP3

A couple weeks ago my daughter enabled the guest account. Every time I try to disable it it comes back.

When I logoff or shutdown, I see a message stating "Logoff Script Running." Since I am on Home Edition, I do not have the Group Policy Editor to manage such scripts. If I pull the power after disabling the account, it looks like a login script is running to re-enable it.

The scary part is that the account comes back as a member of Administrators and Remote Desktop Users, even though I remove the groups each time. MBAM finds nothing. HijackThis shows nothing fishy. ComboFix deleted a script file, but that does not seem to be it. I would appreciate any advice.

Doug.

ComboFix Log:

ComboFix 11-05-24.01 - xxxxxxxxxxxx 05/24/2011 18:09:01.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.608 [GMT -6:00]
Running from: c:\documents and settings\[User]\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
.
.
2011-05-18 12:22 . 2011-05-18 12:22 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-18 12:21 . 2008-04-14 00:12 36864 ----a-w- c:\windows\system32\drivers\etc\netstat.exe
2011-05-18 12:21 . 2008-04-14 00:12 124928 ----a-w- c:\windows\system32\drivers\etc\1.exe
2011-05-18 12:21 . 2004-08-10 12:00 47872 ----a-w- c:\windows\system32\drivers\etc\2.exe
2011-05-18 12:21 . 2004-08-10 12:00 15360 ----a-w- c:\windows\system32\drivers\etc\logoff.exe
2011-05-18 12:19 . 2011-05-18 12:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2011-05-18 12:19 . 2011-05-18 12:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2011-05-18 12:19 . 2011-05-18 12:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn
2011-05-06 23:05 . 2011-05-07 00:01 -------- d-----w- c:\documents and settings\Guest
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-11-24 18:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-11-24 17:37 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-11-24 17:37 1857920 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-03-10_10.57.08 )))))))))))))))))))))))))))))))))))))))))
.

Update:
I ran a search for all files containing the text: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
I figured the scripts are using this to reactivate and change membership on the account.
Unfortunately, no hits. I made sure to search all hidden and system files on C: (my only drive).
Is there any way to make the PC save a log with the scripts it runs on logon and logoff?

Merged posts. ~ OB

Edited by Orange Blossom, 27 May 2011 - 05:15 PM.
Moved from XP ~Budapest
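The "Logoff Script Running" behaviour described above is driven by the local Group Policy scripts file that ComboFix removed (scripts.ini under GroupPolicy\User\Scripts). As an added example, not code from the thread or any tool it mentions, here is a Python parser for that scripts.ini format that lists the registered logon/logoff entries and flags any whose command line points outside the GroupPolicy scripts folder. The sample file content is constructed (the thread never shows the real file; the drivers\etc paths are reused from the logs, cleanup.bat is invented) and the outside-the-folder heuristic is an assumption of mine, not a rule stated in the thread.

```python
"""Enumerate the logon/logoff scripts registered in a local Group Policy scripts.ini."""
import re
from pathlib import PureWindowsPath

# Where Windows XP keeps the local user-GPO script registry (the file ComboFix removed).
SCRIPTS_DIR = PureWindowsPath(r"c:\windows\system32\GroupPolicy\User\Scripts")

# Constructed sample: the thread never shows the real file. The absolute paths reuse
# the drivers\etc location from the ComboFix/DDS logs; cleanup.bat is invented.
SAMPLE_SCRIPTS_INI = "\ufeff" + r"""
[Logon]
0CmdLine=c:\windows\system32\drivers\etc\1.exe
0Parameters=
[Logoff]
0CmdLine=c:\windows\system32\drivers\etc\logoff.exe
0Parameters=
1CmdLine=cleanup.bat
1Parameters=/quiet
"""

_SECTIONS = {"logon": "Logon", "logoff": "Logoff"}
_KEY_RE = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)


def _flush(pending, section, result):
    """Move the partially built entries of one section into the result, in index order."""
    if section:
        result[section].extend(pending[i] for i in sorted(pending))


def parse_scripts_ini(text):
    """Return {'Logon': [...], 'Logoff': [...]}, one dict per registered script.

    Each script is described by a pair of keys NCmdLine / NParameters under the
    [Logon] or [Logoff] section; other sections are ignored, and a leading BOM,
    blank lines and ';' comments are tolerated.
    """
    result = {"Logon": [], "Logoff": []}
    section, pending = None, {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            _flush(pending, section, result)
            section, pending = _SECTIONS.get(line[1:-1].lower()), {}
            continue
        m = _KEY_RE.match(line)
        if m and section:
            idx, field, value = int(m.group(1)), m.group(2).lower(), m.group(3).strip()
            entry = pending.setdefault(idx, {"index": idx, "cmdline": "", "parameters": ""})
            entry[field] = value
    _flush(pending, section, result)
    return result


def resolve_cmdline(entry, section):
    """A relative CmdLine runs from the Logon or Logoff subfolder of SCRIPTS_DIR."""
    p = PureWindowsPath(entry["cmdline"])
    return p if p.is_absolute() else SCRIPTS_DIR / section / p


def review_scripts(text):
    """List every registered script and flag those living outside SCRIPTS_DIR.

    Heuristic (an assumption, not something the thread states): a script that
    gpedit registered sits in the Logon or Logoff subfolder of SCRIPTS_DIR, so
    an absolute path into some other system folder is worth a closer look.
    """
    prefix = str(SCRIPTS_DIR).lower() + "\\"
    findings = []
    for section, entries in parse_scripts_ini(text).items():
        for e in entries:
            full = str(resolve_cmdline(e, section))
            findings.append({
                "phase": section,
                "index": e["index"],
                "path": full,
                "parameters": e["parameters"],
                "suspicious": not full.lower().startswith(prefix),
            })
    return findings


if __name__ == "__main__":
    for f in review_scripts(SAMPLE_SCRIPTS_INI):
        flag = "REVIEW" if f["suspicious"] else "ok"
        print(f"[{f['phase']}] #{f['index']} {flag}: {f['path']} {f['parameters']}".rstrip())
```

When reading a real scripts.ini, open it with the encoding it was written in (gpedit commonly writes UTF-16 with a BOM); the parser only needs the decoded text.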



#2 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 05 June 2011 - 10:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 09 June 2011 - 04:04 PM

Do you still need help?

Best Regards,
oneof4.


#4 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 10 June 2011 - 08:18 AM

I do still need help. Sorry for the delay, as this is on my home computer, and I rarely get time enough to do all of the log collection.

In the meantime, is there anyone who can tell me how to find what scripts are running when I log in and out of Windows XP, Home Edition? I am at the point now that when I start up the PC, I just go straight to Management and disable the guest account (and remove it from Administrators), and that sticks until I shut down the PC and the logout script runs.

I am still planning to get the information requested in the previous post, but time (having the time to sit and do it) is an issue.

Thank you.

#5 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 10 June 2011 - 08:23 AM

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Cuddlewell at 7:20:43 on 2011-06-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.344 [GMT -6:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{FF9A3BB1-14E9-4C68-838D-3FC611706B83} : DhcpNameServer = 192.168.10.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2009-4-4 140184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-15 47640]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110609.002\naveng.sys [2011-6-9 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110609.002\navex15.sys [2011-6-9 1542392]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-11-24 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2011-06-05 08:32:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-18 12:22:00 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-18 12:21:57 47872 ----a-w- c:\windows\system32\drivers\etc\2.exe
2011-05-18 12:21:57 36864 ----a-w- c:\windows\system32\drivers\etc\netstat.exe
2011-05-18 12:21:57 15360 ----a-w- c:\windows\system32\drivers\etc\logoff.exe
2011-05-18 12:21:57 124928 ----a-w- c:\windows\system32\drivers\etc\1.exe
.
==================== Find3M ====================
.
2011-05-29 15:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 15:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 7:21:59.45 ===============

#6 Farbar


    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 June 2011 - 10:10 AM

Hi IMDOUGIE,

I will be assisting you with the issue.

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

    c:\windows\system32\drivers\etc\2.exe
    c:\windows\system32\drivers\etc\1.exe


    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.
  • Please download MiniRegTool.zip and unzip it.
    • Run the tool.
    • Copy and paste the content of code box into the edit box:
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Check the Query Key(s) radio button.
    • Press Go button and post the result (Result.txt).
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @ECHO OFF
    REM Recursively list the three folders that appeared on 2011-05-18, starting a fresh log.txt
    dir /a/s "c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer" >log.txt
    dir /a/s "c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn" >>log.txt
    dir /a/s "c:\windows\system32\GroupPolicy" >>log.txt
    REM Search the whole C: drive for any copies of netstat.exe and logoff.exe
    dir /a/s c:\netstat.exe c:\logoff.exe >>log.txt
    REM Open the collected listing in Notepad
    START log.txt
    
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop.
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.
  • Please run DDS and post only the Attach.txt, no need to zip it.

Edited by farbar, 13 June 2011 - 10:47 AM.


#7 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 13 June 2011 - 11:00 AM

File name: 2.exe
Submission date: 2011-06-13 15:45:05 (UTC)
Current status: finished


Result: 0/ 42 (0.0%)
VT Community: goodware (safety score: 100.0%)
Additional information:
MD5 : f002378c8416d21c4b7ed1b15398e647
SHA1 : 9bd93089bc14e2df2674bb49a3b13ca320f98dce
SHA256: f7323a28ea709ff05ea0f57268a4bc69400627a7912599fc4beb1ea3f67fcd06
ssdeep: 768:xAzCMrw2iQlnmT6BBw+GYUOvJF7+RhYnkmk0oFzQLsA+D:KDr+YmWBBc2kRhFpVzGsA+
File size : 47872 bytes
First seen: 2008-03-30 20:09:54
Last seen : 2011-06-13 15:45:05
TrID:
Win16 NE executable (generic) (89.4%)
Generic Win/DOS Executable (5.2%)
DOS Executable Generic (5.2%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright © Microsoft Corp. 1981-1996
product......: Microsoft_ Windows™ Operating System
description..: Windows User-interface core component
original name: USER.EXE
internal name: USER
file version.: 3.10
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

ExifTool:
file metadata
FileSize: 47 kB
FileType: Win16 EXE
MIMEType: application/octet-stream



0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is malware.

File name: 1.exe
Submission date: 2011-06-13 15:56:30 (UTC)
Current status: finished


Result: 1/ 42 (2.4%)
VT Community: malware (safety score: 0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2011.06.13.00 2011.06.13 -
AntiVir 7.11.9.167 2011.06.13 -
Antiy-AVL 2.0.3.7 2011.06.13 -
Avast 4.8.1351.0 2011.06.13 -
Avast5 5.0.677.0 2011.06.13 -
AVG 10.0.0.1190 2011.06.13 -
BitDefender 7.2 2011.06.13 -
CAT-QuickHeal 11.00 2011.06.13 -
ClamAV 0.97.0.0 2011.06.13 -
Commtouch 5.3.2.6 2011.06.13 -
Comodo 9053 2011.06.13 -
DrWeb 5.0.2.03300 2011.06.13 -
Emsisoft 5.1.0.8 2011.06.13 -
eSafe 7.0.17.0 2011.06.13 Win32.TrojanHorse
eTrust-Vet 36.1.8383 2011.06.13 -
F-Prot 4.6.2.117 2011.06.13 -
Fortinet 4.2.257.0 2011.06.11 -
GData 22 2011.06.13 -
Ikarus T3.1.1.104.0 2011.06.13 -
Jiangmin 13.0.900 2011.06.13 -
K7AntiVirus 9.106.4807 2011.06.13 -
Kaspersky 9.0.0.837 2011.06.13 -
McAfee 5.400.0.1158 2011.06.13 -
McAfee-GW-Edition 2010.1D 2011.06.13 -
Microsoft 1.6903 2011.06.13 -
NOD32 6203 2011.06.13 -
Norman 6.07.10 2011.06.13 -
nProtect 2011-06-13.02 2011.06.13 -
Panda 10.0.3.5 2011.06.13 -
PCTools 7.0.3.5 2011.06.10 -
Prevx 3.0 2011.06.13 -
Rising 23.62.00.03 2011.06.13 -
Sophos 4.66.0 2011.06.13 -
SUPERAntiSpyware 4.40.0.1006 2011.06.13 -
Symantec 20111.1.0.186 2011.06.13 -
TheHacker 6.7.0.1.230 2011.06.12 -
TrendMicro 9.200.0.1012 2011.06.13 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 -
VBA32 3.12.16.1 2011.06.13 -
VIPRE 9572 2011.06.13 -
ViRobot 2011.6.13.4509 2011.06.13 -
VirusBuster 14.0.78.0 2011.06.13 -
Additional information:
MD5 : 3f14c041342e3fba343f2a1d11e74bba
SHA1 : 4221467faee4926d692bd5ae71cf0a37f326bf42
SHA256: 5ac753e1d8f6efc537070e60c3aa1f8791873c2e5c161ebd9f5e6adadf90011b

#8 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 13 June 2011 - 11:10 AM

I ran the look.bat file and Minireg. Minireg did not seem to do anything.

--------

New Development!
The XP Antispyware app popped up. I killed the process and ran ComboFix.
Posting result of that as well.
Thanks.
D.


#9 Farbar


    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 June 2011 - 11:19 AM

Please do the step with MiniRegTool once more and wait until the log opens. Those lines are on each XP computer and there should be a result.

#10 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 13 June 2011 - 11:39 AM

How long should it take?
It is still running (I think).
Here is an export of the keys you requested. Will this do?


#11 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 13 June 2011 - 11:55 AM

So when I run your tool, I see the icon on my start bar flashing between your logo and a red X. When I hover it says "(paused) MiniregTool.exe"

#12 Farbar


    Just Curious


  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 June 2011 - 12:15 PM

It should take a fraction of a second unless the wrong radio button is checked.

But it seems there is something wrong with the settings on your computer.

Right-click on the system tray icon to exit the tool. Bring up task manager and end cmd.exe or swreg.exe if they are running.

Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

"C:\Qoobox\Add-Remove Programs.txt"

A text file opens up, copy and paste the content to your reply.

#13 IMDOUGIE

  • Topic Starter

  • Members
  • 22 posts

Posted 13 June 2011 - 12:25 PM

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
Adobe Premiere Standard
Adobe Reader 9.1
Adobe Shockwave Player
ALCATEL PC Suite V6.3.1
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avanquest update
AviSynth 2.5
AVS DVDMenu Editor 1.2.1.19
AVS Video Tools 5.6
BlackBerry Desktop Software 4.6
Bonjour
CCleaner
Click to DVD 2.0.02 Menu Data
Click to DVD 2.3.01
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Dell Printer Software
Digital DJ Pro 1.7.0
DVgate Plus
Google Chrome
Google Earth Plug-in
Google SketchUp Pro 7.1
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.5.0.456
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
Intel Application Accelerator
Intel® PRO Network Adapters and Drivers
InterActual Player
InterVideo WinDVD 5 for VAIO
iPod Access for Windows v4.2.2
ISScript
iTunes
J2SE Runtime Environment 5.0
Java™ 6 Update 10
LiveUpdate 3.3 (Symantec Corporation)
LogMeIn
magicJack
magicJack Outlook Add-In 1.0.3.521
Malwarebytes' Anti-Malware version 1.51.0.1200
Memory Stick Formatter
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MoodLogic
Motorola Driver Installation
Motorola Phone Tools
Movielink eHome version 1.1
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Netflix Movie Viewer
NVIDIA Drivers
OpenMG Limited Patch 4.0-04-08-02-01
OpenMG Metadata Extractor for Windows Media Player
OpenMG Secure Module 4.0.00
OpenOffice.org Installer 1.0
OverDrive Media Console
PictureGear Studio 2.0
PQ DVD to iPod Video Suite (remove only)
QuickTime
Realtek High Definition Audio Driver
Roxio Media Manager
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Encoders
Sonic RecordNow!
SonicStage 2.1.02
SonicStage Mastering Studio 1.4
SonicStage Mastering Studio Audio Filter Custom Preset
SonicStage Mastering Studio Plugins
SonicStage MP3 Add-on program
Sony Certificate PCH
Sony TV Tuner Library 1.0
Sony Video Shared Library
Spelling Dictionaries Support For Adobe Reader 9
Symantec AntiVirus
TurboTax 2008
TurboTax 2008 wcoiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 wcoiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax Home & Business 2007
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
VAIO Control Center
VAIO Edit Components
VAIO Entertainment Platform
VAIO Help and Support
VAIO Media 3.1
VAIO Media Integrated Server 3.1
VAIO Media Redistribution 3.1
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Scene HD Normal Contents
VAIO Registration
VAIO Structure Wallpaper
VAIO Survey Standalone
VAIO Update 2
Videora iPod Converter 5.03
WebFldrs XP
Welcome to VAIO life
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Wireless Desktop
Xvid 1.1.3 final uninstall
YouTube Downloader App 2.03

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:30 AM

Posted 13 June 2011 - 12:29 PM

I see LogMeIn software is installed on your computer. This software is designed to provide remote access to the computer. At the time of install, a few system files are copied to the etc directory. Have you installed this software yourself?

#15 IMDOUGIE

IMDOUGIE
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 13 June 2011 - 01:12 PM

I installed that a long time ago, and it is usually deactivated unless I need it.

Edited by IMDOUGIE, 13 June 2011 - 01:12 PM.
