
windows.tool.disabled


  • This topic is locked
2 replies to this topic

#1 m_schwieger

m_schwieger

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 28 July 2011 - 02:21 PM

I have windows.tool.disabled on my laptop and cannot get rid of it. I have run Malwarebytes quick scan and full scan in both normal mode and safe mode. The file windows.tool.disabled is detected, I delete it, reboot, rescan and it is detected again. I have deleted the entry from the registry and it STILL persists. I have tried several malware/spyware tools and this file does not go away. Can anyone help me??? I have attached the files from HijackThis and RegCleaner, and the DDS log is below.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by a80362 at 14:17:07 on 2011-07-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3055.2177 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
C:\Program Files\Common Files\Juniper Networks\Endpoint Defense\dsEES.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\SLClient.exe
c:\windows\system32\slinstall.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\CBM\ScriptLogic.CBM.Agent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Source\BGinfo\bginfo.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\CBM\ScriptLogic.CBM.UserExperience.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hardcopy\hardcopy.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\LANDesk\LDClient\policy.sync.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\LANDesk\Shared Files\proxyhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://wwwi.wfhealthcare.org
uWindow Title = Windows Internet Explorer provided by Wheaton Franciscan Healthcare
uInternet Settings,ProxyOverride = <local>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DesktopAuthority User Experience] "c:\program files\scriptlogic\desktop authority\client files\8.10.255\cbm\ScriptLogic.CBM.UserExperience.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hardcopy.lnk - c:\program files\hardcopy\hardcopy.exe
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoDFSTab = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 3600 (0xe10)
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: actionsoftware.com\ci20
Trusted Zone: adjuvantonline.com
Trusted Zone: aurora.org\clinical
Trusted Zone: ewsiaiis01
Trusted Zone: ewsiaiistst
Trusted Zone: filebound.com
Trusted Zone: filebound.com\wfh
Trusted Zone: mediclick.com\proclick
Trusted Zone: microsoft.com\go
Trusted Zone: qiproject.org
Trusted Zone: transolutions.net
Trusted Zone: virtualedge.com
Trusted Zone: webex.com\pressganeycs
Trusted Zone: Zynx.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 10.1.207.100 10.1.207.101 10.8.13.100
TCP: Interfaces\{D6EA2D48-8F24-4664-8BFE-98C4C0DBF222} : DhcpNameServer = 10.1.207.100 10.1.207.101 10.8.13.100
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: OdysseyClient - odyEvent.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-7-21 344712]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2010-8-27 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [2010-8-27 282496]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2010-10-15 147456]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2010-8-16 198000]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2011-2-15 205312]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\landesk\ldclient\tmcsvc.exe [2011-2-15 178688]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-8-25 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-8-25 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-8-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-7-21 69192]
R2 ScriptLogic CBM Service;ScriptLogic CBM Service;c:\program files\scriptlogic\desktop authority\client files\8.10.255\cbm\ScriptLogic.CBM.Agent.exe [2010-11-7 427008]
R2 SLClient;ScriptLogic Service;c:\program files\scriptlogic\desktop authority\client files\8.10.255\SLClient.exe [2010-11-7 557920]
R2 SLInstall;Desktop Authority Client Provisioning Service;c:\windows\system32\slinstall.exe [2011-1-18 557920]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2011-2-15 385024]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
R3 AESTAud;AEST Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-7-15 113664]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-7-15 166568]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2010-8-27 152944]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-7-15 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-7-15 125696]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2010-12-21 420464]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [2010-12-21 34800]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2011-2-15 14336]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2011-2-15 5120]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-7-21 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-7-21 43192]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2011-2-15 6144]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-8-4 58880]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-8-4 137728]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-8-4 57320]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-7-15 49152]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-19 136176]
S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\landesk\ldclient\ProcTriggerSvc.exe [2011-2-15 143360]
S2 tracksvc;LANDesk® Power Management Track Service;c:\program files\landesk\ldclient\tracksvc.exe [2011-2-15 66048]
S3 AltirisAgentProvider;AltirisAgentProvider;"c:\program files\altiris\altiris agent\agents\wmiprovideragent\altirisagentprovider.exe" --> c:\program files\altiris\altiris agent\agents\wmiprovideragent\AltirisAgentProvider.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-19 136176]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-7-15 205824]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [2010-12-21 17776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-29 22712]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-7-21 66536]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-29 366640]
UnknownUnknown LNS;LNS; [x]
.
=============== Created Last 30 ================
.
2011-07-28 17:49:35 138240 ----a-w- c:\temp\IntResource.dll
2011-07-28 16:32:25 -------- d-----w- c:\documents and settings\a80362\local settings\application data\Threat Expert
2011-07-28 16:25:06 -------- d-----w- c:\program files\PC Tools Security
2011-07-28 16:25:06 -------- d-----w- c:\program files\common files\PC Tools
2011-07-28 16:24:00 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-07-28 15:49:45 388096 ----a-r- c:\documents and settings\a80362\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-28 15:49:44 -------- d-----w- c:\program files\Trend Micro
2011-07-26 15:15:38 1409 ----a-w- c:\windows\system32\tmp62CD2.FOT
2011-07-26 13:22:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-25 20:46:45 90112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2011-07-25 20:46:45 32768 ----a-w- c:\windows\system32\JAWTAccessBridge.dll
2011-07-25 20:46:45 167936 ----a-w- c:\windows\system32\JavaAccessBridge.dll
2011-07-25 20:46:11 -------- d-----w- c:\program files\SkillSoft
2011-07-25 16:50:29 1409 ----a-w- c:\windows\system32\tmpA1BA8.FOT
2011-07-22 01:00:42 66536 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-07-22 01:00:42 43192 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-07-22 01:00:41 91896 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-07-22 01:00:41 76024 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-07-22 01:00:40 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2011-07-22 01:00:40 344712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-07-22 01:00:39 69192 ----a-w- c:\windows\system32\mfevtps.exe
2011-07-22 01:00:28 -------- d-----w- c:\program files\common files\McAfee
2011-07-21 21:14:51 1409 ----a-w- c:\windows\system32\tmp37BB3.FOT
2011-07-21 16:56:57 -------- d-----w- c:\documents and settings\a80362\application data\Sammsoft
2011-07-21 15:48:17 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-07-19 21:35:31 1409 ----a-w- c:\windows\system32\tmpBC57B.FOT
2011-07-19 18:01:20 -------- d-----w- c:\program files\common files\xing shared
2011-07-18 16:38:51 1409 ----a-w- c:\windows\system32\tmp6540B.FOT
2011-07-13 15:56:24 -------- d-----w- C:\CS1K6PDF
2011-07-11 19:22:01 1409 ----a-w- c:\windows\system32\tmpF81CF.FOT
2011-07-05 16:21:54 1409 ----a-w- c:\windows\system32\tmpCBD20.FOT
2011-06-29 21:11:16 1409 ----a-w- c:\windows\system32\tmpBEEEC.FOT
2011-06-29 15:11:15 1409 ----a-w- c:\windows\system32\tmpBD7F5.FOT
.
==================== Find3M ====================
.
2011-07-19 18:00:57 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-07-19 18:00:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-28 16:51:47 1409 ----a-w- c:\windows\system32\tmpCAF98.FOT
2011-06-27 16:52:49 1409 ----a-w- c:\windows\system32\tmp1D7C0.FOT
2011-06-22 08:16:24 1409 ----a-w- c:\windows\system32\tmpF7DBE.FOT
2011-06-20 16:34:15 1409 ----a-w- c:\windows\system32\tmp88659.FOT
2011-06-07 16:12:02 1409 ----a-w- c:\windows\system32\tmpD9F2E.FOT
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-31 17:57:19 1409 ----a-w- c:\windows\system32\tmp1597B.FOT
2011-05-25 21:18:00 1409 ----a-w- c:\windows\system32\tmpBDD79.FOT
2011-05-24 21:14:25 1409 ----a-w- c:\windows\system32\tmp5CDFB.FOT
2011-05-19 16:58:45 1409 ----a-w- c:\windows\system32\tmpBEC06.FOT
2011-05-18 06:15:48 1409 ----a-w- c:\windows\system32\tmp10BAE.FOT
2011-05-16 21:28:01 1409 ----a-w- c:\windows\system32\tmpE4866.FOT
2011-05-12 16:09:27 1409 ----a-w- c:\windows\system32\tmp572FE.FOT
2011-05-10 21:30:43 1409 ----a-w- c:\windows\system32\tmp0BD56.FOT
2011-05-04 16:13:07 1409 ----a-w- c:\windows\system32\tmp62A04.FOT
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-01 20:01:09 1409 ----a-w- c:\windows\system32\tmp92D83.FOT
2011-04-30 16:35:14 1409 ----a-w- c:\windows\system32\tmp16E7B.FOT
.
============= FINISH: 14:17:36.73 ===============


Edited by hamluis, 28 July 2011 - 02:34 PM.
Moved from XP to Malware Removal Logs.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 AM

Posted 06 August 2011 - 02:00 PM

Hi,

Please do the following:



Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:24 AM

Posted 11 August 2011 - 08:39 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
