Hijackers, Keyloggers, and Worms oh my!


#46 Sarous (Member, Topic Starter)
Making me more and more glad that my desktop is Win7. Never did let me rename it, but it deleted smooth enough.
#47 RKinner (Malware Expert, MVP)
Did it help with sfc?
#48 Sarous (Member, Topic Starter)
No change. Same errors to delete and sfc.
#49 RKinner (Malware Expert, MVP)
There is a registry entry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\FileRenameOperations

On mine it just has Default with no value. See if yours has something in it.

Run VEW and post its logs. Perhaps one of the errors will tell us what is going on.
#50 Sarous (Member, Topic Starter)
FileRenameOperations default/reg_sz/no value set

System & App Error Logs VEW:

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 11/05/2012 11:07:14 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#51 RKinner (Malware Expert, MVP)
rename c:\windows\logs\cbs\cbs.old to cbs.txt and then attach it to your next post.
I will look through that. Perhaps it will say something.

Going to have to quit for a while. Wife wants me to watch TV with her.
#52 Sarous (Member, Topic Starter)
1 of 2
Apologies, but it is the only way I can send you a 175mb file given the restrictions. I narrowly failed reaching the 1mb limit.

Inventory:
disk1.gsd.txt
disk2.gsd.txt (in following post)
disk1.exe.txt

Delete the .txt of the three files. Use the .exe to rejoin the two .gsd into a single compressed .7z file. Decompress the .7z into the original .txt file you requested.

Attached Files



#53 Sarous (Member, Topic Starter)
Part 2 of 2

Attached Files



#54 RKinner (Malware Expert, MVP)
Let's check this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile

We want it to be either blank or 0

Open a registry editor, such as Regedit.exe or Regedt32.exe.

Navigate to HKLM\SOFTWARE\Microsoft\Updates\

In the right navigation pane, double-click the UpdateExeVolatile key.

Configure the key with a value of 0

Close Registry Editor.


Then see if SFC /scannow will run.
#55 Sarous (Member, Topic Starter)
There does not appear to be a Registry value by that name. Even searched with the 'find' and couldn't find it. Should I create one?
#56 RKinner (Malware Expert, MVP)
No. Just want to make sure that neither

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile

Note: This key might not exist if there are no pending EXE updates

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Note: This key might not exist if there are no pending filename operations needed after the reboot


I think we need to try MBSA:

http://www.microsoft...ls.aspx?id=7558

You want the one that says:

MBSASetup-x86-EN.msi

Download, Save and Install it. Accept all of the defaults. Once you install it, close all programs and look in Start, Programs for Microsoft Baseline Security Analyzer. Scan a Computer. Start Scan. It should eventually tell you something similar about the pending filename, but it should have an option "show me how to correct this". See if that tells you anything.
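As an added example that is not part of RKinner's post, the following PowerShell script performs the two registry checks he describes above from an elevated prompt (run as Administrator on Vista or Win7; it uses only cmdlets present in Windows PowerShell 2.0). It reports UpdateExeVolatile when the value exists and decodes PendingFileRenameOperations, which is a REG_MULTI_SZ of (source, destination) pairs: an empty destination means the source is deleted at the next boot, and a destination starting with "!" means replace-existing. The function names Get-PendingUpdateState and Format-PendingOperations are my own.

```powershell
# Added example (not from the thread): read the two "reboot pending" registry
# values discussed in the post and report whether either would block SFC.
# Windows PowerShell 2.0 compatible; run from an elevated prompt.
# Function names are the author's own, not Microsoft's.

function Get-PendingUpdateState {
    $state = New-Object PSObject -Property @{
        UpdateExeVolatile           = $null   # stays $null when the value is absent
        PendingFileRenameOperations = @()
        Clean                       = $false
    }

    # Update.exe-based installers set this REG_DWORD non-zero until the reboot completes.
    $upd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Updates' `
                            -Name UpdateExeVolatile -ErrorAction SilentlyContinue
    if ($upd -ne $null) { $state.UpdateExeVolatile = [int]$upd.UpdateExeVolatile }

    # REG_MULTI_SZ consumed by the Session Manager at boot: pairs of (source, destination).
    # Empty destination = delete source; destination beginning with '!' = replace existing.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -ne $null) { $state.PendingFileRenameOperations = @($sm.PendingFileRenameOperations) }

    $state.Clean = (($state.UpdateExeVolatile -eq $null) -or ($state.UpdateExeVolatile -eq 0)) -and
                   ($state.PendingFileRenameOperations.Count -eq 0)
    return $state
}

function Format-PendingOperations([string[]]$Ops) {
    # One human-readable line per pending operation; strips the \??\ NT path prefix.
    $lines = @()
    for ($i = 0; $i -lt $Ops.Count; $i += 2) {
        $src = $Ops[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $Ops.Count) { $Ops[$i + 1] } else { '' }
        if ($dst -eq '') {
            $lines += "DELETE  $src"
        } else {
            $dst = $dst.TrimStart('!') -replace '^\\\?\?\\', ''
            $lines += "RENAME  $src -> $dst"
        }
    }
    return $lines
}

$state = Get-PendingUpdateState
"UpdateExeVolatile: " + $(if ($state.UpdateExeVolatile -eq $null) { '<absent>' } else { $state.UpdateExeVolatile })
"PendingFileRenameOperations entries: " + $state.PendingFileRenameOperations.Count
Format-PendingOperations $state.PendingFileRenameOperations
if ($state.Clean) {
    "OK: nothing pending; a pending reboot is not what is blocking SFC."
} else {
    "A reboot-pending marker is set; reboot (or clear the stale value) before retrying SFC /scannow."
}
```

The decoded RENAME/DELETE lines are the useful part: a stuck entry that points at an Internet Explorer or Windows Update binary would tie the SFC failure directly to the half-finished update Sarous suspects later in the thread.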

#57 Sarous (Member, Topic Starter)
Security Update Scan Results

Score Issue Result
Security Updates
Cannot load security CAB file.

Score Issue Result
Windows Firewall
Windows Firewall tests cannot be done due to an error. (0x00000001)

Only two noteworthy errors. The link it supplied was less than helpful. http://technet.micro...y/cc184922.aspx

#58 RKinner (Malware Expert, MVP)
Is your firewall working?

See if the steps suggested here help with the security cab error:

http://www.mombu.com...ors-610702.html

Perhaps we need to reset registry permissions. Spybot's tea timer messes with them and it may not have put them back.

Download SubInACL.exe

http://www.microsoft...&displaylang=en

By default it installs the tool in C:\Program Files\Windows Resource Kits\Tools\

Please allow it to do so.


Download and Save the attached file, reset2.zip, right click on it and Extract all and copy the reset2.cmd file to C:\Program Files\Windows Resource Kits\Tools\.
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd  "\Program Files\Windows Resource Kits\Tools"

reset2.cmd



#59 Sarous (Member, Topic Starter)
Windows Firewall claims it is working, yes. Completed resets. Baseline and sfc both have the same results as earlier.

Did a little research today on the nature of pre-installed Internet Explorers (and how you can't remove them), and it appears (to me, at least) that the problem exists in an unknown shared group of files between IE, Windows, and Windows Update. On this hunch, I attempted resetting Windows Update Components (omitting step 4, as instructed) http://support.microsoft.com/kb/971058

To my surprise, a number of the components it says to re-register were either missing or disabled:

Attached Thumbnails

  • Snapshot_2012-05-13_125857.png
  • Snapshot_2012-05-13_125921.png
  • Snapshot_2012-05-13_125943.png
  • Snapshot_2012-05-13_130001.png
  • Snapshot_2012-05-13_130044.png
  • Snapshot_2012-05-13_130058.png
  • Snapshot_2012-05-13_130114.png
  • Snapshot_2012-05-13_130129.png
  • Snapshot_2012-05-13_130144.png
  • Snapshot_2012-05-13_130200.png
  • Snapshot_2012-05-13_130212.png
  • Snapshot_2012-05-13_130234.png
  • Snapshot_2012-05-13_130248.png

Edited by Sarous, 13 May 2012 - 12:31 PM.


#60 RKinner (Malware Expert, MVP)
Are the files really missing? If so you can run OTL with a list of the missing or suspect files between /md5start and /md5stop as in the following example.

Copy the text in the code box:

/md5start
atl.dll
urlmon.dll
mshtml.dll
shdocvw.dll
browseui.dll
jscript.dll
vbscript.dll
scrrun.dll
msxml.dll
msxml3.dll
msxml6.dll
actxprxy.dll
softpub.dll
wintrust.dll
dssenh.dll
rsaenh.dll
gpkcsp.dll
sccbase.dll
slbcsp.dll
cryptdlg.dll
oleaut32.dll
ole32.dll
shell32.dll
initpki.dll
wuapi.dll
wuaueng.dll
wuaueng1.dll
wucltui.dll
wups.dll
wups2.dll
wuweb.dll
qmgr.dll
qmgrprxy.dll
wucltux.dll
muweb.dll
wuwebv.dll
/md5stop


Run OTL (Vista or Win 7 => right click and Run As Administrator)


The log will show you if there are other copies of each file in the list and also give their md5 value so we can see if they have been compromised.
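As an added example, not OTL's code and not part of RKinner's post, this PowerShell script does the equivalent of the /md5start ... /md5stop list above without OTL: it walks %SystemRoot% for every copy of each listed file, records size, file version, MD5 and SHA-256, lists names that have no copy directly in System32 (the ones regsvr32 would fail to load), and flags names whose copies do not all hash the same. It is Windows PowerShell 2.0 compatible and the function names are my own. Two caveats: on 64-bit Windows the System32 and SysWOW64 copies legitimately differ, and WinSxS keeps several versions of the same DLL, so differing hashes across those locations are normal; and not every name in the list ships on every Windows version, so a name missing from System32 is a lead to check against a known-good machine of the same build, not proof of tampering on its own.

```powershell
# Added example (not OTL's code): hash every copy of the files in the
# /md5start ... /md5stop list and flag names with no copy in System32.
# Windows PowerShell 2.0 compatible (Vista/Win7); run as Administrator so
# WinSxS and dllcache are readable. Function names are the author's own.

$Names = @(
    'atl.dll','urlmon.dll','mshtml.dll','shdocvw.dll','browseui.dll','jscript.dll',
    'vbscript.dll','scrrun.dll','msxml.dll','msxml3.dll','msxml6.dll','actxprxy.dll',
    'softpub.dll','wintrust.dll','dssenh.dll','rsaenh.dll','gpkcsp.dll','sccbase.dll',
    'slbcsp.dll','cryptdlg.dll','oleaut32.dll','ole32.dll','shell32.dll','initpki.dll',
    'wuapi.dll','wuaueng.dll','wuaueng1.dll','wucltui.dll','wups.dll','wups2.dll',
    'wuweb.dll','qmgr.dll','qmgrprxy.dll','wucltux.dll','muweb.dll','wuwebv.dll'
)

function Get-FileHashHex([string]$Path, [string]$Algorithm) {
    # $Algorithm is 'MD5' or 'SHA256'; done via .NET because PowerShell 2.0 has no Get-FileHash.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { $bytes = $hasher.ComputeHash($stream) } finally { $stream.Close() }
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } catch {
        return 'UNREADABLE'   # in use or access denied; still worth listing
    }
}

function Find-FileCopies([string[]]$Names, [string]$Root) {
    # Every file under $Root whose name is in the list, with version and hashes.
    $wanted = @{}
    foreach ($n in $Names) { $wanted[$n.ToLower()] = $true }
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $wanted.ContainsKey($_.Name.ToLower()) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name    = $_.Name.ToLower()
                Path    = $_.FullName
                Size    = $_.Length
                Version = $_.VersionInfo.FileVersion
                MD5     = Get-FileHashHex $_.FullName 'MD5'
                SHA256  = Get-FileHashHex $_.FullName 'SHA256'
            }
        }
}

$copies = @(Find-FileCopies -Names $Names -Root $env:SystemRoot)
$copies | Sort-Object Name, Path | Format-Table Name, Size, Version, MD5, Path -AutoSize

# Names with no copy directly in System32: these are what regsvr32 cannot find.
$sys32 = Join-Path $env:SystemRoot 'System32'
$inSys32 = @($copies | Where-Object { (Split-Path $_.Path -Parent) -ieq $sys32 } |
             ForEach-Object { $_.Name })
foreach ($n in $Names) {
    if ($inSys32 -notcontains $n.ToLower()) { "MISSING from System32: $n" }
}

# Same name, different content across copies. Expected between System32 and
# SysWOW64 on x64 and between WinSxS versions; worth a closer look when two
# copies inside System32 disagree or a copy sits in an unusual directory.
$copies | Group-Object Name |
    Where-Object { @($_.Group | ForEach-Object { $_.MD5 } | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { "Multiple distinct hashes for $($_.Name): " + (($_.Group | ForEach-Object { $_.Path }) -join '; ') }
```

Save the table output to a file and compare the System32 hashes against the same files on a clean machine of the same Windows version and patch level; a System32 copy whose hash matches nothing in WinSxS on the same box is the one to send for analysis.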