Weird Shortcut in C: (snqn) and suspected Ramnit?



#31
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Yes... It read the folder as unsigned? xD

All files are there.
  • 0



#32
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Sounds to me like player.exe is still there and hiding. Did you do the:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd "\program files\apoint"

attrib -r -h -s *.exe

dir /a *.exe




(Do you see player.exe ? If so see if you can submit it now. If not let's see if it is really there but hiding)

mkdir player.exe



Does it create the folder or say that it can't because there is already a folder or file of the same name?
  • 0

#33
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Well, the file already exists. But after making that player.exe folder, I'd reckon it's that...
  • 0

#34
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
You can't change a file into a folder. You have to delete the file first then make a folder of the same name. If it lets you make the folder then the file is not there.
  • 0

#35
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
At first it let me make a folder named player.exe

I now removed the folder, and it still shows up in sigverif...
  • 0

#36
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
It must be a mistake in the drive table.

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check.

Reboot. The disk check will run and will probably take an hour or more to finish.

Then run sigverif and see if it still sees player.exe.

The file is part of Alps Pointing-device Driver so you may want to try redownloading and installing the driver for the Alps Pointing-device.
  • 0

#37
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
And sigverif can not find player.exe anymore! :)
  • 0

#38
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
So how is it running now?
  • 0

#39
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Everything seems great! :)

Now my time is messed up, and I can't update my internet time sync. If I press update now, it says "An error occurred, your changes changes could not be saved"

Edited by roadran, 13 March 2012 - 06:03 AM.

  • 0

#40
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Open regedit and make sure that you have "Full Control" permissions to these keys (right click each key, Permissions, then select Administrators):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DateTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DateTime\Servers
  • 0



#41
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Yes, yes I do.
  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Copy the next 6 lines of text:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers /v 0 /t REG_SZ /d tick.usno.navy.mil
yes
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers /v 1 /t REG_SZ /d time-b.nist.gov
yes
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers /v 2 /t REG_SZ /d time.windows.com
yes


Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

net  stop  w32time

right click and Paste or Edit then Paste and the copied lines should appear. Hit Enter. If you see an error please report it.

net  start  w32time

w32tm  /resync

If that doesn't work then copy these 2 lines:

reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time /s > \junk.txt
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime /s >> \junk.txt


Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.

right click and Paste or Edit then Paste and the copied lines should appear. Hit Enter.
notepad  \junk.txt

Copy and paste the text from notepad into a reply.

Ron
  • 0

#43
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time
Type REG_DWORD 0x20
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k LocalService
DisplayName REG_SZ @%SystemRoot%\system32\w32time.dll,-200
ObjectName REG_SZ NT AUTHORITY\LocalService
Description REG_SZ @%SystemRoot%\system32\w32time.dll,-201
FailureActions REG_BINARY 80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
ServiceSidType REG_DWORD 0x1
RequiredPrivileges REG_MULTI_SZ SeAuditPrivilege\0SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeSystemTimePrivilege

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config
FrequencyCorrectRate REG_DWORD 0x4
PollAdjustFactor REG_DWORD 0x5
LargePhaseOffset REG_DWORD 0x2faf080
SpikeWatchPeriod REG_DWORD 0x384
HoldPeriod REG_DWORD 0x5
LocalClockDispersion REG_DWORD 0xa
EventLogFlags REG_DWORD 0x2
TimeJumpAuditOffset REG_DWORD 0x7080
PhaseCorrectRate REG_DWORD 0x1
MinPollInterval REG_DWORD 0xa
MaxPollInterval REG_DWORD 0xf
UpdateInterval REG_DWORD 0x57e40
MaxNegPhaseCorrection REG_DWORD 0xd2f0
MaxPosPhaseCorrection REG_DWORD 0xd2f0
AnnounceFlags REG_DWORD 0xa
MaxAllowedPhaseOffset REG_DWORD 0x1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
ServiceDllUnloadOnStop REG_DWORD 0x1
ServiceMain REG_SZ SvchostEntry_W32Time
ServiceDll REG_EXPAND_SZ C:\Windows\system32\w32time.DLL
NtpServer REG_SZ time.nist.gov,0x9
Type REG_SZ NTP

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Enabled REG_DWORD 0x1
InputProvider REG_DWORD 0x1
AllowNonstandardModeCombinations REG_DWORD 0x1
CrossSiteSyncFlags REG_DWORD 0x2
ResolvePeerBackoffMinutes REG_DWORD 0xf
ResolvePeerBackoffMaxTimes REG_DWORD 0x7
CompatibilityFlags REG_DWORD 0x80000000
EventLogFlags REG_DWORD 0x1
LargeSampleSkew REG_DWORD 0x3
DllName REG_EXPAND_SZ C:\Windows\system32\w32time.DLL
SpecialPollTimeRemaining REG_MULTI_SZ time.nist.gov,0
SpecialPollInterval REG_DWORD 0x93a80

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
InputProvider REG_DWORD 0x0
AllowNonstandardModeCombinations REG_DWORD 0x1
EventLogFlags REG_DWORD 0x0
DllName REG_EXPAND_SZ C:\Windows\system32\w32time.DLL
Enabled REG_DWORD 0x0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
Enabled REG_DWORD 0x1
InputProvider REG_DWORD 0x1
DllName REG_EXPAND_SZ %SystemRoot%\System32\vmictimeprovider.dll

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TriggerInfo

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TriggerInfo\0
Type REG_DWORD 0x3
Action REG_DWORD 0x1
Guid REG_BINARY BA0AE21C5198214494301DDEB766E809

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TriggerInfo\1
Type REG_DWORD 0x3
Action REG_DWORD 0x2
Guid REG_BINARY 6E51AFDDC25866489574C3B615D42EA1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
(Default) REG_SZ 2
1 REG_SZ time-b.nist.gov
2 REG_SZ time.windows.com
3 REG_SZ time-nw.nist.gov
4 REG_SZ time-a.nist.gov
5 REG_SZ time-b.nist.gov
0 REG_SZ tick.usno.navy.mil
  • 0

#44
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Attached is a file called w32sec.zip. Download and save it then right click on it and Extract All. Find w32sec.reg and right click on it and Merge.

This should replace the missing security info. Perhaps now it will work?
  • 0
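
A pasted `reg query /s` dump like the one in post #43 can be checked mechanically for absent subkeys and for the time server the Internet Time settings point at. The following is an added example, not part of the original thread: the sample text is constructed, and the `Security` subkey name in `expected_subkeys` is an assumption about what "missing security info" refers to, since the thread does not name the key.

```python
import re

# Constructed sample in `reg query /s` layout (not the dump from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time
    Start    REG_DWORD    0x2
    ObjectName    REG_SZ    NT AUTHORITY\LocalService

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
    NtpServer    REG_SZ    time.nist.gov,0x9
    Type    REG_SZ    NTP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
    (Default)    REG_SZ    2
    0    REG_SZ    tick.usno.navy.mil
    2    REG_SZ    time.windows.com
"""

W32TIME = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time"
SERVERS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers"
# name, type, data; tolerates pastes where the indentation and tabs were lost
VALUE_RE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Return {lower-cased key path: {value name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("HKEY_"):
            current = keys.setdefault(stripped.lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = (m.group(2), m.group(3).strip())
    return keys

def audit(text, expected_subkeys=("Security",)):
    """Report absent W32Time subkeys and the servers the dump points at."""
    keys = parse_reg_query(text)
    servers = keys.get(SERVERS.lower(), {})
    # (Default) holds the index of the server selected in the Internet Time tab
    default = servers.get("(Default)", ("", ""))[1]
    ntp = keys.get((W32TIME + "\\Parameters").lower(), {}).get("NtpServer", ("", ""))[1]
    return {
        "missing_subkeys": [s for s in expected_subkeys  # assumed subkey names
                            if (W32TIME + "\\" + s).lower() not in keys],
        "selected_server": servers.get(default, (None, None))[1] if default else None,
        "ntp_server": ntp.split(",")[0] or None,  # drop the ",0x9" flags suffix
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
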

#45
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Nope... It still says settings can't be saved?
  • 0





