Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Data Execution Prevention is ruining my daughter's (and therefore my) life


  • This topic is locked This topic is locked
7 replies to this topic

#1 mjabaley

mjabaley

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:07:27 PM

Posted 07 June 2013 - 04:47 PM

Mod Edit: Moved topic from Vista to the Malware Removal Logs forum. ~bloopie

 

Hi, Acer Aspire 4330, she says she has been having problems with DEP intermittently blocking Internet Explorer for several weeks, but now it is consistent and makes the computer useless. It also blocks Outlook, DISTNOTED, the HP printer manager, and other applications.

I have run Malwarebytes several times and it found 10 items the first time, and each time since it finds the same two items, a PUM.UserWLoad and a Trojan.Ransom. They seem to come back even after repair and restart each time.


I have also restored from the oldest restore point (only 3 days ago) with no change.


Malwarebytes log and hijackthis logs attached.

Appreciate any help you can provide!

Attached Files


Edited by bloopie, 08 June 2013 - 06:45 AM.


BC AdBot (Login to Remove)

 


#2 jhayz

jhayz

  • BC Advisor
  • 6,922 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 08 June 2013 - 02:54 AM

Will report this to the proper authorities. :thumbup2: Please hold on.


Tekken
 


#3 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:08:27 PM

Posted 08 June 2013 - 07:42 AM

Hello mjbaley, and Welcome (I love the title name)!
 
My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

I have moved this topic to the Logs forum where it will stay, and I will continue to work with you until we get your malware issues solved.

A few things to keep in mind while we are working together:
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic an do my best to resolve your issues.
  • Also, please refrain from running any other tools while we're working together, unless you're instructed to do so.
==========

Okay now that we got that out of the way, let's get to business. :)

I see the two entries in your MBAM log are also in your HJT log, but I don't see the file being removed. I suspect a full scan with MBAM may remove the file itself, but I'd like to use a more versatile and slightly more aggressive tool.

If the file isn't removed in Combofix's first run, then we'll go after the file and anything else that shows in the updated log it will produce:

Run Combofix

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out here or here

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.
Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

==========

After copying/pasting the Combofix log in your reply, please let me know how the machine is running now!

bloopie

#4 mjabaley

mjabaley
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:07:27 PM

Posted 08 June 2013 - 06:16 PM

Thanks bloopie, I did run a full scan of MBAM and it again identified the two files, but they seem to come back every restart (if they in fact are removed at all).

 

Also, everytime I start the computer I get:

 

"Could not load or ruun 'C:\Users\Name\LOCALS~1\Temp\okqzommhierz.bat' specified in the registry.  Make sure the file exists on your computer or remove the reference to it in the registry.'

 

I ran combofix, and after running it, the computer restarted, and upon restart I got the following error:

 

C:\Windows\system32\taskmgr.exe

Illegal operation attempted on a registry key that has been marked for deletion.

 

The combofix log is below:

 

ComboFix 13-06-08.01 - Nicole 06/08/2013  15:01:09.1.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.1977.933 [GMT -4:00]
Running from: c:\users\Nicole\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\programdata\doxmjijm.dat
c:\programdata\qnmhma.dat
c:\users\Nicole\AppData\Local\Temp\99cab429-f99d-4f69-9d04-113ad532bd0f\CliSecureRT.dll
c:\users\Nicole\AppData\Roaming\.#
c:\users\Nicole\AppData\Roaming\.#\MBX@1668@1EC2990.###
c:\users\Nicole\AppData\Roaming\.#\MBX@1668@1EC29C0.###
c:\users\Nicole\AppData\Roaming\.#\MBX@1668@1EC29F0.###
c:\users\Nicole\Documents\~WRL0285.tmp
c:\users\Nicole\Documents\~WRL0293.tmp
c:\users\Nicole\Documents\~WRL1610.tmp
c:\users\Nicole\Documents\~WRL1689.tmp
c:\users\Nicole\Documents\~WRL1788.tmp
c:\users\Nicole\Documents\~WRL1793.tmp
c:\users\Nicole\Documents\~WRL1795.tmp
c:\users\Nicole\Documents\~WRL2641.tmp
c:\users\Nicole\Documents\~WRL2661.tmp
c:\users\Nicole\Documents\~WRL2664.tmp
c:\users\Nicole\Documents\~WRL2686.tmp
c:\users\Nicole\Documents\~WRL3245.tmp
c:\users\Nicole\Documents\TMPF945.tmp
c:\windows\system32\spsys.log
D:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-08 to 2013-06-08  )))))))))))))))))))))))))))))))
.
.
2013-06-08 19:13 . 2013-06-08 19:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 10:24 . 2012-04-21 19:24 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-15 10:24 . 2011-06-28 22:13 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 18:50 . 2010-09-20 00:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\system32\GPhotos.scr
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 00:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-07-02 975288]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-07-02 21432]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-20 6244896]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-07-24 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-07-24 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-07-18 167936]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-07-02 3524536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\Nicole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Nicole\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Nicole^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^YPOPs.lnk]
backup=c:\windows\pss\YPOPs.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ    HPSLPSVC
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-21 10:24]
.
2013-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 19:25]
.
2013-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=1008&m=aspire_4330
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKCU-Run-KiesAirMessage - c:\program files\Samsung\Kies\KiesAirMessage.exe
HKCU-Run-doxmjijm - c:\programdata\doxmjijm.dat
HKCU-Run-qnmhma - c:\programdata\qnmhma.dat
Notify-SEP - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-08 17:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(8516)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\windows\system32\AUDIODG.EXE
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\atashost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Acer\Empowering Technology\Service\ETService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\acer\Mobility Center\MobilityService.exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
c:\program files\OpenDNS Updater\OpenDNS Updater.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-06-08  17:53:35 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-08 21:53
.
Pre-Run: 4,734,611,456 bytes free
Post-Run: 6,069,510,144 bytes free
.
- - End Of File - - 66B0A58E32BC202EAB4FAA146E856390
4E21D458A40C15E660464D81BF7302E4
 



#5 mjabaley

mjabaley
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:07:27 PM

Posted 08 June 2013 - 06:26 PM

oh, and it still doesn't start IE.  But it's not giving the DEP error anymore.  It just say IE has stopper working, windows will close the program and notify you if a solution is available



#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:08:27 PM

Posted 09 June 2013 - 12:57 PM

Hello again, and sorry for the delay!
 

I ran combofix, and after running it, the computer restarted, and upon restart I got the following error:
 
C:\Windows\system32\taskmgr.exe
Illegal operation attempted on a registry key that has been marked for deletion.

I had a note specifically for that error:

Note 2: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

Restart the computer as noted above and let me know if you still have the error.
 
==========
 
Interesting...Combofix mentioned that it removed two orphaned entries that I would go after on a second run, but your start error:

"Could not load or ruun 'C:\Users\Name\LOCALS~1\Temp\okqzommhierz.bat' specified in the registry.  Make sure the file exists on your computer or remove the reference to it in the registry.'

...mentions it can't find the batchfile in question.
 
I'd like to try a one-two punch to these files and orphans, to make sure they're gone. Step 1 below is to remove the registry entries, and step 2 is to try and remove the files (if they still exist):
 
Step :step1:

  • Please re-run Hijack This, and choose the bottom selection "None of the above, just start the program".
  • Next, click on Scan. When the scan finishes, place a checkmark next to "only" the three entries listed below:

F3 - REG:win.ini: load=C:\Users\Nicole\LOCALS~1\Temp\okqzommhierz.bat
O4 - HKCU\..\Run: [doxmjijm] regsvr32.exe /s "C:\ProgramData\doxmjijm.dat"
O4 - HKCU\..\Run: [qnmhma] regsvr32.exe /s "C:\ProgramData\qnmhma.dat"

  • Close all open windows and browsers
  • Click the FixChecked box
  • Click Yes to the warning

Now, close the program and before rebooting, proceed to the next step:

==========

Step :step2:

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:
 

File::
C:\Users\Nicole\LOCALS~1\Temp\okqzommhierz.bat
C:\ProgramData\doxmjijm.dat
C:\ProgramData\qnmhma.dat

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe


CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please copy/paste the latest Combofix report in your next reply, and let me know of any remaining errors as well as how the machine is running now!

Any changes?


bloopie



#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:08:27 PM

Posted 14 June 2013 - 08:44 AM

Hello again,

Are you still with me? :)

This is a Topic Bump! It has been several days since my last post. If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

 

If you need more time, please just ask.

bloopie



#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:08:27 PM

Posted 16 June 2013 - 09:54 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users