14 replies to this topic

[lissaleone]

I am unable to run any of the antispyware programs on my daughter's Toshiba laptop (XP Home). When I started up malwarebytes, hijackthis, superantispyware, adaware, etc., each ran for about 5 seconds then disappeared. Now every time I try to run any of these programs I get the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This is happening in both regular and safe modes. The only program I've found that I can run is CCleaner.

If I click the IE icon I get the same "Windows cannot access..." error. However, I can go through Windows Explorer in safe mode and access IE7 that way, although it doesn't appear that I can download anything while online.

I'm only able to start up in regular mode if I use the "Diagnostic Startup" configuration through msconfig. Otherwise the following message appears: "The system is shutting down. Please save all work in progress and log off. All unsaved work will be lost. This shutdown was initiated by NT AUTHORITY SYSTEM. The system process:C\Windows\System32\services.exe terminated unexpectedly with status code 1073741482." It doesn't actually shut down, but all I ever see once the timer runs out is the desktop wallpaper and a working cursor.

Any assistance is much appreciated. Thank you in advance.

Melissa

[sjpritch25]

Welcome to Malwarebytes!!!!

Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks

[lissaleone]

Thank you. Here is the log from Win32kDiag:



Running from: C:\Documents and Settings\Katie\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Katie\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-04 07:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\wbem\SET12.tmp
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\SET12.tmp ()

Cannot access: C:\WINDOWS\system32\wbem\SET14.tmp
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\SET14.tmp ()

Cannot access: C:\WINDOWS\system32\wbem\SETE.tmp
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\SETE.tmp ()

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2004-08-04 07:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 11:39:29 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 04:41:05 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()


Finished!

[sjpritch25]

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.

• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

[lissaleone]

HijackThis won't run on the laptop and I'm having trouble trying to download a new copy. But here is the ComboFix log:



ComboFix 09-09-30.06 - Katie 10/01/2009 10:43.2.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.
2009-09-29 21:45 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-29 15:52 . 2009-09-29 15:52 -------- d-----w- c:\program files\ESET
2009-09-24 19:33 . 2009-09-29 22:09 120 ----a-w- c:\windows\Rgugitulo.dat
2009-09-24 19:33 . 2009-09-24 19:33 -------- d-----w- c:\documents and settings\Katie\Local Settings\Application Data\{502F6885-21DD-489F-8843-E40236F69A7C}
2009-09-21 21:40 . 2009-09-21 21:43 -------- d-----w- c:\program files\Rhapsody
2009-09-21 21:14 . 2009-09-21 21:14 36192 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-21 20:49 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-21 20:49 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-21 20:46 . 2009-09-21 20:46 -------- d-----w- c:\program files\iPod
2009-09-21 20:44 . 2009-09-21 20:48 -------- d-----w- c:\program files\iTunes
2009-09-21 20:44 . 2009-09-21 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-21 20:43 . 2009-09-21 20:43 -------- d-----w- c:\program files\Bonjour
2009-09-21 20:41 . 2009-09-21 20:43 -------- d-----w- c:\program files\QuickTime
2009-09-21 20:40 . 2009-09-21 20:40 -------- d-----w- c:\documents and settings\Katie\Local Settings\Application Data\Apple
2009-09-21 20:40 . 2009-09-21 20:40 -------- d-----w- c:\program files\Apple Software Update
2009-09-21 20:38 . 2009-09-21 20:45 -------- d-----w- c:\program files\Common Files\Apple
2009-09-21 20:38 . 2009-09-21 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 21:10 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-02 05:02 . 2009-09-02 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 15:50 . 2009-08-07 00:21 681226272 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-01 15:49 . 2009-08-04 19:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-01 15:36 . 2006-09-04 18:43 -------- d-----w- c:\documents and settings\Katie\Application Data\stickies
2009-10-01 15:26 . 2009-08-07 00:21 7979300 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-30 15:42 . 2006-09-04 18:34 -------- d-----w- c:\program files\Lavasoft
2009-09-30 15:42 . 2008-12-08 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-29 23:46 . 2009-08-07 00:11 -------- d-----w- c:\program files\UnHackMe
2009-09-29 22:39 . 2009-08-04 19:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 22:15 . 2009-08-07 03:02 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-09-29 14:44 . 2009-08-04 21:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-29 14:36 . 2009-09-24 19:33 0 ----a-r- c:\windows\Bjepofowacehezu.bin
2009-09-28 18:38 . 2009-09-28 18:38 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-28 18:20 . 2009-09-28 18:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-28 15:15 . 2006-09-04 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-28 14:21 . 2009-09-28 14:21 53136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-24 23:49 . 2008-12-08 21:29 -------- d-----w- c:\documents and settings\Katie\Application Data\MSNInstaller
2009-09-24 23:33 . 2009-08-14 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-24 21:00 . 2009-08-04 18:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-24 20:45 . 2006-01-19 04:38 -------- d-----w- c:\program files\Java
2009-09-24 20:23 . 2009-09-24 20:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-22 19:57 . 2009-08-14 19:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-21 21:28 . 2006-01-19 04:48 -------- d-----w- c:\program files\Real
2009-09-21 20:54 . 2006-09-04 17:39 53136 ----a-w- c:\documents and settings\Katie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 20:54 . 2006-12-25 13:22 -------- d-----w- c:\documents and settings\Katie\Application Data\Apple Computer
2009-09-21 20:41 . 2006-12-25 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-16 07:28 . 2009-08-07 00:11 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-09-16 07:28 . 2009-08-07 00:11 35040 ----a-w- c:\windows\system32\Partizan.exe
2009-09-10 19:54 . 2009-08-04 19:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-08-04 19:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 05:02 . 2007-02-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-09-02 05:02 . 2006-01-19 04:53 -------- d-----w- c:\program files\Yahoo!
2009-09-02 05:02 . 2007-02-14 00:01 -------- d--h--r- c:\documents and settings\Katie\Application Data\yahoo!
2009-08-24 21:10 . 2009-08-24 21:09 -------- d-----w- c:\documents and settings\Katie\Application Data\Snapfish
2009-08-14 19:16 . 2009-08-14 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-14 19:16 . 2009-08-14 19:16 -------- d-----w- c:\program files\NortonInstaller
2009-08-14 19:16 . 2009-08-14 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-09 04:27 . 2009-08-09 04:27 -------- d-----w- c:\program files\MSBuild
2009-08-09 04:27 . 2009-08-09 04:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 16:52 . 2009-08-05 22:08 -------- d-----w- c:\program files\CCleaner
2009-08-07 00:11 . 2009-08-07 00:11 2 --shatr- c:\windows\winstart.bat
2009-08-06 22:06 . 2009-08-06 22:05 15 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-08-05 09:01 . 2006-01-19 02:02 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 04:19 . 2009-08-05 04:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 02:43 . 2009-08-05 02:43 1152 ----a-w- c:\windows\system32\windrv.sys
2009-08-05 02:28 . 2007-10-12 15:50 -------- d-----w- c:\program files\Outspark
2009-08-04 23:13 . 2006-09-04 18:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-04 23:08 . 2009-08-04 23:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-08-04 21:45 . 2009-09-24 22:04 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-04 21:24 . 2009-08-04 21:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-04 21:16 . 2009-08-04 21:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-04 20:41 . 2009-08-04 20:41 -------- d-----w- c:\program files\Alwil Software
2009-08-04 19:49 . 2009-08-04 19:49 -------- d-----w- c:\documents and settings\Katie\Application Data\Malwarebytes
2009-08-04 19:49 . 2009-08-04 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-04 19:37 . 2009-08-04 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-04 19:37 . 2009-08-04 19:37 -------- d-----w- c:\documents and settings\Katie\Application Data\SUPERAntiSpyware.com
2009-08-04 19:37 . 2009-08-04 19:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-03 21:09 . 2006-01-19 03:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-28 00:51 . 2009-08-07 00:11 12728 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-07-17 19:01 . 2006-01-19 02:01 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2006-01-19 02:03 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-29_21.47.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-19 03:50 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2006-01-19 03:50 . 2007-07-27 15:41 26488 c:\windows\system32\spupdsvc.exe
+ 2008-12-09 03:23 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2009-09-25 238304]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-20 1998576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-24 149280]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"TFncKy"="TFncKy.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-05 16206848]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Katie\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2008-8-28 765952]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-20 18:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\stickies\\stickies.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-09-16 34760]
R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2009-09-29 24416]
R3 rspSanity;rspSanity;c:\windows\system32\DRIVERS\rspSanity32.sys [2009-03-08 30136]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-07-28 7408]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 is-MIETPdrv;is-MIETPdrv;c:\windows\system32\DRIVERS\45939495.sys [2008-07-08 148496]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-07-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-07 74480]
.
Contents of the 'Scheduled Tasks' folder
2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 10:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-10-01 10:54
ComboFix-quarantined-files.txt 2009-10-01 15:54
ComboFix2.txt 2009-09-29 21:52
Pre-Run: 35,609,038,848 bytes free
Post-Run: 35,651,022,848 bytes free
222 --- E O F --- 2009-10-01 15:18

[lissaleone]

Ah, I found an executable HijackThis download at Trend Micro. Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:41 PM, on 10/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\stickies\stickies.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ie7\iexplore.exe
C:\WINDOWS\ie7\iexplore.exe
C:\Documents and Settings\Katie\Desktop\mls.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2971816022-3065055828-2609218775-1006\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe (User '?')
O4 - HKUS\S-1-5-21-2971816022-3065055828-2609218775-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2971816022-3065055828-2609218775-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-2971816022-3065055828-2609218775-1006 Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe (User '?')
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgre...eensActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228771528787
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 8945 bytes

[sjpritch25]

how is everything running???

[lissaleone]

Still get the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" error whenever I try to access most programs.

I can only access the internet by going through Windows Explorer and finding the IE icon... icons on the desktop don't appear to do anything. And the only way I can download anything from the internet is by renaming it.

There's still something diabolical lurking inside that confounded machine.

[sjpritch25]

• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
  
• When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  
• Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r



================================================


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  
  • Spyware, adware, dialers, and other riskware
    
  • Archives
    
  • E-mail databases
• Click on My Computer under the green Scan bar to the left to start the scan.
  
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Click View report... at the bottom.
  
• Click the Save report... button.
  
  
  
  
  
• Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

[lissaleone]

I'll attempt the Kaspersky run in just a minute. Here's the current Win32kDiag log:



Running from: C:\Documents and Settings\Katie\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Katie\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Cannot access: C:\WINDOWS\system32\wbem\SET10.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET10.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET11.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET11.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET12.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET12.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET14.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET14.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET1498.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET1498.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET20.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET20.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET28.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET28.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET2F.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET2F.tmp

Cannot access: C:\WINDOWS\system32\wbem\SET6F.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SET6F.tmp

Cannot access: C:\WINDOWS\system32\wbem\SETE.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SETE.tmp

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe



Finished!

[lissaleone]

Kaspersky didn't find any problems. It opened up a page as if to save a log file, but it was blank.

I still get the "Windows cannot access the specified device, path, or file..." error when I attempt to load applications (except for the new versions of some like MalwareBytes that I've been able to download). I get the same error when attempting to access certain web pages, but after I click "ok" on the error window, the web page loads anyway. Weird.

Also, the computer keeps trying to install IE8 (current is IE7 sp3). It says it downloaded, but after every install attempt it says failed.

[sjpritch25]

okay

Please download the attached file fix.zip, extract junction.bat to your desktop. Do not run it yet.


Please download Junction.exe from here by Mark Russinovich. Extract Junction.exe to your desktop.

Double-click on junction.bat and agree to the license agreement. In your next reply, please post the log that appears. Thanks

Attached Files

•  fix.zip   204bytes   13 downloads

[lissaleone]

I can only download these two files in safe mode but Junction says it can't run in safe mode. When I try to run it in normal mode, a black screen comes up briefly but quickly disappears.

[sjpritch25]

did you place junction.bat on your desktop?

did you save junction.exe on your desktop?

It may take few minutes for junction.bat to run. After you double-click on Junction.bat a log should appear.

Yes i need everything run in normal mode.

[lissaleone]

Thank you, but nothing could be downloaded or run in regular mode. Several other problems started popping up as well, so last night I gave up and restored the computer to original settings.

I've been asked to fix a lot of computers by friends and family, but have never seen one this bad. I hope the sick perverts that cause such ruin and headache realize how proud their parents would be of their accomplishments. I know how I'd feel if I found out one of my kids wrote computer viruses for kicks.

Muchas gracias, mi amigo.

Melissa