
Windows Can not access the file. You may not have the right permissions


  • This topic is locked
63 replies to this topic

#1 dmckee2009

  • Members
  • 33 posts

Posted 12 February 2012 - 09:46 PM

I am receiving an error on my laptop that says "Windows Can not access the file. You may not have the right permissions". I have tried running several virus scans and malware solutions (AVG, Spybot, Malware Bytes, etc) to no avail. I can only access files when booting into Safe mode - otherwise, I get the above error with anything I click on. Attached below is the DDS log I captured earlier this evening. Thanks! Dave
Attached File: dds.txt (12.1KB)

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 21:24:20 on 2012-02-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.613 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\HiJackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [<NO NAME>]
uRunOnce: [spchecker] "c:\program files\avg\avg10\notification\SPCheckerTE.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [dcmsvc] c:\program files\dcmsvc\dcmsvc.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{6897D9B8-BBE3-43F8-B268-A856E5B8C230} : DhcpNameServer = 192.168.1.1 71.252.0.12
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\fbfhnuz2.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 295248]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
S2 AMPingService;AMPingService;c:\docume~1\owner\locals~1\temp\AMPing.exe [2010-7-9 28480]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;c:\program files\roxio\backontrack\file backup\FileBackupSVC.exe [2009-3-4 96752]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S2 va6dxauqoito;Print Spooler Service;c:\windows\system32\dhsxmeho.exe /service --> c:\windows\system32\dhsxmeho.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-18 24652]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 cpuz134;cpuz134;\??\c:\docume~1\owner\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-15 29184]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-15 226304]
.
=============== Created Last 30 ================
.
2012-02-13 02:03:21 -------- d-----w- c:\program files\Xenocode
2012-02-13 02:03:20 -------- d-----w- c:\windows\XSxS
2012-02-13 02:03:20 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Xenocode
2012-02-12 00:25:56 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2012-02-12 00:20:36 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2012-02-11 23:19:55 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-02-11 23:16:18 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2012-02-11 23:12:40 -------- d-sh--w- C:\found.001
2012-02-11 20:17:03 -------- d-sh--w- C:\found.000
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 21:25:42.14 ===============
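The SERVICES / DRIVERS section of the DDS log above is where a helper looks first: a service whose display name says "Print Spooler Service" but whose service name is a random string and whose image is not spoolsv.exe, and services started from a user's temp folder, stand out as worth checking. The Python below is added here as an example for this thread; it is not DDS code and not BleepingComputer's. It parses DDS service lines and flags those two patterns. The sample lines are copied from the log above; the small table of expected service name and binary pairs (KNOWN_SERVICES) is this example's own baseline and an assumption, not something DDS records.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; it is not DDS code and not BleepingComputer's.
The sample lines are copied from the log posted above.  KNOWN_SERVICES is this
example's own baseline table and is an assumption, not something DDS records.
"""
import re

# One DDS service line looks like
#   S2 name;display name;c:\path\image.exe args [2011-2-22 23120]
# and, when DDS resolved the path differently, "raw path --> resolved path [?]".
_LINE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
_IMAGE = re.compile(r"(.*?\.(?:exe|sys|dll))", re.IGNORECASE)

# Assumed baseline: a display name containing the key must belong to this
# Windows XP service name and binary.  Extend with other services as needed.
KNOWN_SERVICES = {
    "print spooler": ("spooler", "spoolsv.exe"),
}

# Legitimate services are rarely started from a user's temp folder or from
# the found.00x directories chkdsk creates.
SUSPICIOUS_DIRS = ("\\temp\\", "\\found.00", "\\recycler\\")

# Sample lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
S2 AMPingService;AMPingService;c:\docume~1\owner\locals~1\temp\AMPing.exe [2010-7-9 28480]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 va6dxauqoito;Print Spooler Service;c:\windows\system32\dhsxmeho.exe /service --> c:\windows\system32\dhsxmeho.exe [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\owner\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-15 29184]
2012-02-11 23:12:40 -------- d-sh--w- C:\found.001
"""


def parse_service(line):
    """Return the fields of one DDS service line, or None for any other line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if " --> " in rest:                          # prefer the path DDS resolved
        rest = rest.split(" --> ", 1)[1]
    unverified = rest.rstrip().endswith("[?]")   # DDS recorded no timestamp/size
    img = _IMAGE.match(rest.lstrip("\\?"))       # drop a leading \??\ prefix
    image = (img.group(1) if img else rest).strip().lower()
    return {"state": m.group("state"), "name": m.group("name"),
            "display": m.group("display"), "image": image,
            "unverified": unverified}


def triage(lines):
    """Return (service name, severity, reason) for every service worth a look."""
    findings = []
    for line in lines:
        svc = parse_service(line)
        if svc is None:
            continue
        image, name = svc["image"], svc["name"]
        binary = image.rsplit("\\", 1)[-1]
        if any(d in image for d in SUSPICIOUS_DIRS):
            findings.append((name, "high", "image runs from a temp/recovery directory: " + image))
        for key, (exp_name, exp_bin) in KNOWN_SERVICES.items():
            if key in svc["display"].lower() and (name.lower() != exp_name or binary != exp_bin):
                findings.append((name, "high",
                                 f"display name '{svc['display']}' but service is {name} "
                                 f"running {binary}; expected {exp_name} / {exp_bin}"))
        if svc["unverified"]:
            findings.append((name, "info", "DDS recorded no timestamp/size for " + image))
    return findings


def high_risk_services(lines):
    """Sorted names of the services with at least one 'high' finding."""
    return sorted({n for n, sev, _ in triage(lines) if sev == "high"})


if __name__ == "__main__":
    for name, sev, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"[{sev:4}] {name}: {reason}")
```

Run against the sample, the script reports AMPingService and cpuz134 for starting from the temp folder and va6dxauqoito for the display-name mismatch; the `[?]` entries are reported as informational only, because DDS also prints `[?]` for legitimate services such as the SQL Server instance in the same log.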


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 February 2012 - 08:58 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 dmckee2009
  • Topic Starter

Posted 18 February 2012 - 02:11 PM

Hi m0le - I am here, and I've received your reply. I'm running GMER as we speak, and will post the results later today. Thanks again for your help.

#4 dmckee2009
  • Topic Starter

Posted 18 February 2012 - 04:55 PM

Hi m0le. I ran GMER as requested, but had to run it in SAFE mode to get it to work. All of the check boxes along the right hand side of the screen were "checked" as a default, so it may have scanned the entire system? I did NOT get any warning boxes related to rootkit activity, etc. At the end of the scan however, it did not provide any option to SAVE a log file (?). There was only an option to "Scan", an "Ok" button, and a "Cancel" button that was viewable. The following three entries did appear in the window during the scan (the "show all" check box was NOT checked during the process). Hopefully, this is useful:

Type Name Value

REG HKLM\SOFTWARE\Classes\CLSID\{CF62420D-F319-2743-CAE3-CFDB6FA35002}\LocalServer32@ "C:\WINDOWS\system32\logagent
REG HKLM\SOFTWARE\Classes\CLSID\{CF62420D-F319-2743-CAE3-CFDB6FA35002}\ProglD@ Logagent.Logagent.1
REG HKLM\SOFTWARE\Classes\CLSID\{CF62420D-F319-2743-CAE3-CFDB6FA35002}\VersionIndependentProgID@ Logagent.Logagent

Thanks again for your help. Dave

#5 m0le

Posted 18 February 2012 - 06:11 PM

Okay, this message appearing doesn't usually indicate malware so please click the Microsoft link here and run through the steps.

Let me know how you get on.

#6 dmckee2009
  • Topic Starter

Posted 19 February 2012 - 12:50 PM

Just to be sure I'm not screwing something up along the way - I wanted to briefly explain the accounts on the laptop just to be sure I'm okay. When powering on the laptop via normal operation, we have ONE account (Named Tracy & Dave) that is password protected and has always allowed us to do everything. That's the one account that shows up when the laptop is powered up normally, and the account we log in to daily. In SAFE mode - there are two accounts that appear. One is called "Administrator" - the other is our regular user account (Tracy & Dave). When I am in Safe mode, and have chosen the "Administrator" account, I can launch programs without any problem. When I'm in SAFE mode, and have chosen our regular account (Tracy & Dave) - I get the identical symptoms as if I've booted the computer in normal mode. I followed the link you provided and ran the steps in both "normal" and "safe" modes (with different accounts). Here are the results.


In normal mode (booting the laptop up regularly, and entering our login password as we do each day):
Method 1: Check to see if you have permission to open the file: ((When looking at the properties of any file or folder, there is no "Security" tab presented as an option to click. The tabs are listed as: General, Version, Compatibility, Digital Signatures, Summary. I looked through the other "Advanced" buttons, etc within each tab, but it has nothing related to file permissions or which Group or User Names are provided access)).

Method 2: Check to make sure the file location is available: ((The path(s) appear to be available. I can work through explorer to the actual folder without any problem. It's when the system tries to launch the executable is when the error occurs)).

Method 3: Make sure that the file has not been moved or deleted: ((I confirmed the file is still there on the path listed - on a couple of different programs just to be sure - firefox.exe and mbam.exe))

Method 4: Recreate the shortcut to check for corruption: ((The system will not allow me to do this. It gives a rundll32.exe error that reads: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.))

Method 5: Check to see if the file has been blocked by Windows: ((I right clicked on the file and looked at the "General" tab as requested. There is no "unblock" option or check box available.))

Method 6: Check to see if your antivirus software is blocking the file: ((Virus scan was disabled, however, I still receive the same error)).


In SAFE mode, using the administrator account, everything is normal when working through the steps above (I can launch the programs as usual). In SAFE mode, using our regular user account (Tracy & Dave) however, I get the same error when trying to launch anything: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. Here are the specific results from SAFE mode using our regular (Tracy & Dave) user account:

Method 1: Check to see if you have permission to open the file: ((When looking at the properties of a file or folder, iTunes for example - it does offer a security tab in this view. When you look at the access for the user listed as "Everyone", only the "Read & Execute" and "Read" check boxes are checked in the "Allow" column. The administrators user group seems to have full access, as does the user named "System", and the user named "Power Users".

Method 2: Check to make sure the file location is available: ((The path(s) appear to be available. I can work through explorer to the actual folder without any problem. It's when the system tries to launch the executable is when the error occurs also in this mode)).

Method 3: Make sure that the file has not been moved or deleted: ((I confirmed the file is still there on the path listed - on a couple of different programs just to be sure - iTunes.exe, firefox.exe and mbam.exe))

Method 4: Recreate the shortcut to check for corruption: ((The system will not allow me to do this. It gives a rundll32.exe error that reads: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.))

Method 5: Check to see if the file has been blocked by Windows: ((I right clicked on the file and looked at the "General" tab as requested. There is no "unblock" option or check box available.))

Method 6: Check to see if your antivirus software is blocking the file: ((Virus scan was disabled, however, I still receive the same error)).

Thanks!!!




#7 m0le

Posted 19 February 2012 - 06:11 PM

Go to your password protected account and visit this site

http://www.dougknox.com/xp/file_assoc.htm

The ninth link down is the file association fix for .exe. Follow the instructions to download and run the program.

Then see if you can access any programs.
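The .exe file association fix m0le points to restores the two registry values that make a double-click on an .exe run it: the default value of HKCR\.exe names the class exefile, and exefile's open command is "%1" %*. The Python below is added here as an example for this thread; it is not the Doug Knox fix and not BleepingComputer's code. It parses the decoded text of a reg export of those keys (Windows Registry Editor format) and reports any value that differs from the Windows XP defaults, so a helper can verify the state before and after applying a fix. Both exports it checks, and the placeholder path in the broken one, are constructed for the example.

```python
r"""Verify the registry values behind the .exe file association.

Added example for this thread; it is not Doug Knox's fix and not BleepingComputer's
code.  It parses the decoded text of "reg export HKCR\.exe" and "reg export
HKCR\exefile" (Windows Registry Editor format) and compares the values that make a
double-click on an .exe run it against the Windows XP defaults.  Both sample exports
below are constructed for the example.
"""
import re

# Windows XP defaults: the extension maps to the class "exefile", and that
# class's open verb runs the file itself with its arguments.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
}

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {(key, value name): data}; string data is unescaped."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        k = _KEY.match(line)
        if k:
            key = k.group(1)
            continue
        v = _VALUE.match(line)
        if v is None or key is None:
            continue
        name, data = v.group(1), v.group(2)
        if name != "@":
            name = _unescape(name[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])        # REG_SZ
        values[(key, name)] = data              # dword:/hex: kept verbatim
    return values


def check_exe_association(reg_text):
    """Return (key, value name, found, expected) for each value that deviates."""
    values = parse_reg(reg_text)
    problems = []
    for (key, name), expected in EXPECTED.items():
        found = values.get((key, name))
        if found is None or found.lower() != expected.lower():
            problems.append((key, name, found, expected))
    return problems


# Constructed: what a healthy Windows XP export of the two keys looks like.
HEALTHY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed: the open verb has been redirected through another program, the
# state a file-association fix exists to undo.  The path is a placeholder, not
# anything from the log in this thread.
BROKEN_EXPORT = HEALTHY_EXPORT.replace(
    r'@="\"%1\" %*"',
    r'@="\"C:\\Documents and Settings\\owner\\PLACEHOLDER.exe\" \"%1\" %*"',
)


if __name__ == "__main__":
    for label, export in (("healthy", HEALTHY_EXPORT), ("broken", BROKEN_EXPORT)):
        problems = check_exe_association(export)
        print(f"{label}: {'OK' if not problems else problems}")
```

An empty result means the association is in its default state and the "cannot access the specified device, path, or file" error has to be explained by something else (permissions, Software Restriction Policies, or a driver in the way); a non-empty result shows exactly which value the fix needs to put back.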

#8 dmckee2009
  • Topic Starter

Posted 19 February 2012 - 07:13 PM

When I launch the browser (IE) - it comes up with a "Welcome to Internet Explorer 8" window (and allows me to click a dialog box that reads: "ask me later"). After that, a screen (in IE) appears that says "your security setting level puts your computer at risk" - and immediately thereafter, a smaller dialog box appears that reads: "A program on your computer has corrupted your default search provider settings for Internet Explorer. Internet Explorer has reset this setting to your original search provider. Live Search (search.live.com). Internet Explorer will now open Search Settings, where you can change this setting or install more search providers". From here, it will actually let me click on the link you provided, however, when I click on the 9th link down - an error appears and reads: "Your current security settings do not allow this file to be downloaded". I went to control panel (security tab) - and there is no "Internet" zone listed - - only one that says "my computer" - with the security setting set to "High". It will not allow me to modify that security setting, nor do anything else on that screen.

#9 m0le

Posted 19 February 2012 - 07:25 PM

There are some things in your last post which look more like malicious resets.

Please run Combofix; among other more powerful things, it will reset your browser to its default settings.

Please download ComboFix from one of these locations. * IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#10 dmckee2009
  • Topic Starter

Posted 19 February 2012 - 08:39 PM

When logged in normally, it will not let me run the comfix.exe executable (I get the usual windows error). Will it accomplish the same thing if I run it while in Safe mode? Sorry, thought I'd double check before trying that option and moving forward. Thanks.

#11 m0le

Posted 20 February 2012 - 06:50 PM

Try these two methods to run Combofix.

1. Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK: (assuming ComboFix.exe is on the desktop as was instructed)

"%userprofile%\desktop\combofix.exe"



2. Open Task Manager by pressing the Ctrl Alt and Del keys, at the same time.

In the menu at the top of the dialog box, click File>New Task (Run...)

Copy/paste (or type) the following in the Run box and click OK: (assuming ComboFix.exe is on the desktop as was instructed)

"%userprofile%\desktop\combofix.exe"


If they both fail then boot to safe mode and run Combofix from there.

#12 dmckee2009
  • Topic Starter

Posted 21 February 2012 - 10:53 PM

Regret I've been away on a business trip and just returned. I will run Combofix Wednesday and post the results immediately thereafter. FYI - I quickly tried running it via the first two options you mentioned below (via start/run and via task manager) and neither worked (I received the windows error on both occasions). I will run it via Safe mode and post the results and log file once done.

#13 m0le

Posted 22 February 2012 - 06:15 PM

:thumbup2:

#14 dmckee2009
  • Topic Starter

Posted 22 February 2012 - 07:44 PM

ComboFix is saying that my AVG is still active, however, I can't find any way to temporarily disable AVG while in Safe mode. I looked through your previous links (about disabling) - but didn't find anything that appears to let me do this. In fact, when I open AVG in safe mode, it comes up with a dialog box to conduct the scan via a command line interface. When I look at task manager while in safe mode, here are the processes currently active (none of which outwardly appear as AVG). Any suggestions?


explorer.exe
NirCmd.3X3
taskmgr.exe
svchost.exe (three instances, one for local service, two for network services)
cmd.3XE
svchost.exe (system)
Isass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

#15 m0le

Posted 22 February 2012 - 09:09 PM

AVG is a problem; it can be disabled (just), but we usually recommend you uninstall the program while we're cleaning the machine.

Use the uninstaller below if Add/Remove Programs still doesn't stop the ComboFix alert.

http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe