Quizzical

Honorary Members
  • Posts: 40
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. OK, just a huge thank you for all your patience and support over these last few months. And good luck with the exams! (At this point I will reveal that I'm a teacher!)
  2. OK, done all that. OTC removed the ComboFix.exe file. How did you know that the System Restore points were infected? After restarting, I've done full scans with AVG, SpybotSD and MBAM, none of which report anything amiss.
  3. Hi. Right, done all that. But same result with ComboFix - it launched and showed the progress bar, then nothing happened after that, and the .exe file is still on the desktop. (I'm kind of assuming that part of the desired outcome is that it removes itself...?) Have reinstalled AVG and it stalled because of the same registry access problem, but it pointed me to an AVG utility which solved the problem, so that the installation then worked.
  4. Thanks. Well, this is all getting very frustrating again. The AVG uninstall failed early on because the program wanted to create a registry key. The message was as follows:

     Local machine: installation failed
     Installation: Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key.... Access is denied.

     I navigated to the specified key (I'm nearing the edge of my comfort zone here) and sure enough I could not access it. Experimenting with right-click produced this message: "You do not have permission to view the current permission settings for Windows, but you can make permission changes." Further in I found this: "Current Owner of this item: Unable to display current owner." I then managed somehow to give myself permission and found that the contents of Windows became visible - the only entry reads as follows:

     [ab] (default)   REG_SZ   (value not set)

     I've tried again to uninstall ComboFix but the same things happen as described in the last post. I have to go away again and will be able to post again on Friday. This thread is turning out to be a marathon!
  5. OK, thanks, done all that. ComboFix reminded me that the AVG scanner should be disabled, so I rebooted and did that, then went back into safe mode and did your Start > Run instruction again. ComboFix announced itself with the box containing the blue progress bar in the middle of the screen - but then there was nothing further visible, definitely no pop-up to say it had finished. The ComboFix.exe file remained on the desktop so I have deleted it manually and left it in Recycle in case you want to do anything further with it. I'm not aware of any further issues remaining. AVG full scan shows nothing untoward. How about that new edition of Ad-Aware though? Much more tedious and intrusive than previously - makes me far less inclined to keep using it. Q
  6. Hi. First of all, I was away from my PC for a little while yesterday, and came back to find a blue screen with KERNEL_DATA_INPAGE_ERROR and something about the file atapi.sys. Rebooted OK, though, and all has seemed to be well since then. I followed your suggestions in your last post, but had to move the ComboFix.exe file to a directory other than my desktop before the command "Combofix /uninstall" recognised it. I disabled the AVG scanner when prompted and ComboFix did its thing, I guess, but nothing visible happened. ComboFix.exe is still there so I guess I should now delete it manually. Ran your security check, and the log produced was as follows...

     Results of screen317's Security Check version 0.99.1
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     AVG Free 9.0
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Ad-Aware
     Spybot - Search & Destroy
     HijackThis 2.0.2
     CCleaner
     Java 6 Update 17
     Java 6 Update 3
     Out of date Java installed!
     Adobe Flash Player 10
     Adobe Atmosphere Player for Acrobat and Adobe Reader
     Adobe Reader 9.2
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     Ad-Aware AAWService.exe is disabled!
     Ad-Aware AAWTray.exe is disabled!
     AVG avgwdsvc.exe
     AVG avgtray.exe
     AVG avgrsx.exe
     AVG avgnsx.exe
     AVG avgemc.exe
     ``````````````````````````````
     DNS Vulnerability Check: Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

     Aside from the scary moment with the blue screen, everything appears to be well. AVG shows no problems and I've also done a scan with SpybotSD and with Ad-Aware, both come up clean, and run the cleanup utilities in CCleaner. And, just in case you can see anything untoward, here's the log from HJT...

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 23:46:13, on 27/12/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\Program Files\AVG\AVG9\avgrsx.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\AVG\AVG9\avgwdsvc.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\AVG\AVG9\avgnsx.exe
     C:\Program Files\CDBurnerXP\NMSAccess.exe
     C:\windows\system\hpsysdrv.exe
     C:\WINDOWS\AGRSMMSG.exe
     C:\WINDOWS\system32\ps2.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\PROGRA~1\AVG\AVG9\avgtray.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Logitech\SetPoint\SetPoint.exe
     C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\MsPMSPSv.exe
     C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
     C:\Program Files\Canon\CAL\CALMAIN.exe
     C:\Program Files\Outlook Express\msimn.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
     N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
     O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
     O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
     O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
     O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c1 -f video -m logitech -d 11.0.0.1217 (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c1 -f video -m logitech -d 11.0.0.1217 (User 'Default user')
     O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
     O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
     O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
     O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
     O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx
     O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 192.168.2.1
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
     O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
     O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
     O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
     O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
     O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
     O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

     --
     End of file - 8231 bytes

     BTW - Happy Christmas
  7. Hi. This seems to have done the trick - many thanks. chkdsk found and repaired "1 or more errors". The "avenger files" directory can now be listed and the contents are:

     EditorialImages[2].js
     desktop.ini
     disabled_access[1].htm
     discountedtheatre[1].gif
     dithshadow[1].gif
     DONS_sister[1].gif
     dot[1].gif
     dref=http%3A%2F%2Fwww.aim.com%2Fredirects%2Finclient%2FAIM_UAC_v2[1].adp%3Fmagic%3D93236874%26width%3D120%26height%3D90%26sn%
     DSC_1356[1].jpg
     DSC_1427[1].jpg
     DSC_1626[1].jpg
     editor_rosette[1].gif
     editor_tail_r2_c7[1].gif

     I can now delete this folder - I have done so but left the contents in Recycle, just in case there's anything you want me to do with any of the files. They all seem innocuous to me and I don't know why Avenger would have isolated them. Phew!!
  8. Thanks Chris, sorry for delay, been away for a few days - will get to this tomorrow. Q
  9. Hi. Back in business, it seems. I don't really understand what the problem was, but apparently all is running smoothly and Windows loads and logs in without a hitch. Techie colleague (used to work for McAfee) suggested that running Avira and Kerio at startup might have been an issue...? So for the time being I'm using AVG Free and Windows' own firewall. Trouble is I'm reasonably computer literate but also pretty much completely non-technical, so I don't know what to make of that. Anyway, I've followed your suggestion from a couple of posts ago. Yes, I could move the folder into C:\Windows (but still can't delete it), and then from the recovery console the contents of the directory appeared thus:

     Quote
     10/08/09 11:32p d------- 0 .
     10/08/09 11:32p d------- 0 ..
     08/27/09 09:49a -a------ 67 desktop.ini
     An error occurred during directory enumeration
     Unquote

     So, that's the closest we've been to actually identifying the contents of this mystery folder - I hope some of that makes sense to you. And I hope the exams went well.
  10. Currently my machine's being looked at by kind techie colleagues at work. They'll let me know if they can see any remedy other than reinstalling Windows. Your reaction suggests that you think I may have to do that. Compaq built a recovery partition into the HD, so if I need to I'll use that and get back to you as soon as I can. Good luck with the exams.
  11. Hi. Just back from a weekend away, only to find I have a major problem I don't know how to deal with. I can't log in to Windows on my computer. Aaaaarggh! All was apparently well when I left it on Friday, but now, once the black screen with the Windows logo has appeared, everything goes black and the blue log-in-to-Windows screen never appears. F8 gives the expected safe mode options, but nothing works - not safe mode, with or without command prompt, not recovery console, not "last known good configuration". In all the safe mode options I get a scrolling list of drivers, as usual, but then that freezes and nothing else happens. Someone, somewhere seems to have it in for me. I'm currently coming to you via another computer and will check back when I can to see if you can suggest any way of coping with this. It quite possibly [probably (??)] has nothing to do with the problem you've been helping me with, so I shall quite understand if you want to see the back of me and tell me, politely of course, to go away. But I hope not.
  12. Still no luck! Tried deleting the folder directly, and also from the recovery console. The first still reports "Cannot delete - the directory is not empty." The second still reports "Access is denied." Contents of the Notepad report follow....

     SteelWerX Extended Configuration Access Control Lists
     Written by Bobbi Flekman 2006 ©
     Ownerchange for "C:\avenger files" to "Compaq_Owner" was successful

     SteelWerX Extended Configuration Access Control Lists
     Written by Bobbi Flekman 2006 ©
     File: "C:\avenger files"
     Granting NTFS rights (F access for This Folder and Files) for "Compaq_Owner"
     C:\avenger files exists
  13. OK, thanks Chris. Here's that report...

     SteelWerX Extended Configuration Access Control Lists
     Written by Bobbi Flekman 2006 ©
     File/Folder: C:\Avenger does not exist

     SteelWerX Extended Configuration Access Control Lists
     Written by Bobbi Flekman 2006 ©
     *******************************************************************************
     Folder: C:\avenger files
     Permissions:
     *******************************************************************************
     Username                 Type     Permissions         Inheritance
     *******************************************************************************
     STARSKY\Administrators   Allowed  Full Control        This Folder/File Only (Inherited)
     \CREATOR OWNER           Allowed  Full Control        Subfolders and Files only (Inherited)
     NT AUTHORITY\SYSTEM      Allowed  Full Control        This Folder/File Only (Inherited)
     NT AUTHORITY\SYSTEM      Allowed  Special (Unknown)   Subfolders and Files only (Inherited)
     STARSKY\Compaq_Owner     Allowed  Full Control        This Folder/File Only (Inherited)
     STARSKY\Compaq_Owner     Allowed  Special (Unknown)   Subfolders and Files only (Inherited)

     No Auditing set
     Owner: Administrators (STARSKY\Administrators)
  14. No, hasn't shifted it. The message was "Access denied". I've experimented a bit more using Unlocker to rename / move the offending folder. I found that I could rename the krcbu1sn folder - renamed it "avenger files" - and then found I could move the folder, so I've moved the Avenger stuff out of OTM, separated out the individual folders, deleted everything I could, so now I'm just left with the "avenger files" folder. The last 2 stages of that are preserved on the attached screenshots. Trying a regular delete operation (just for the heck of it) still produces the same message as before. I've also tried again your idea of trying to delete from the Recovery Console. Access denied.

     Attachment: Avenger4.doc
  15. No, still no joy. It deleted OTM.exe which I used yesterday, then asked for a reboot, and deleted itself - but the OTM folder containing the Avenger folders remains intact as on most recent screenshot.