desot issues


desot issues

Post by peacefulone on 16th August 2009, 10:10 am

I am having problems with desot. Originally it launched numerous DOS windows when I booted up. It is now redirecting me when I am on the internet (I google something and when I try to use any of the links offered I am redirected). In addition to this I may be able to download software but then I can not install it. I have included the HijackThis log below. I was not able to install the newest version of Java or Adobe. Thanks for any help on this!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:39 AM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Anti-Theft\McPvTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Documents and Settings\Jaclyn Hoyt\Local Settings\temp\nbi-cleaner2021113181899032518.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Jaclyn Hoyt\Desktop\Hijack\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McPvTray] C:\Program Files\McAfee\Anti-Theft\McPvTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-861567501-1637723038-839522115-1004\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User '?')
O4 - HKUS\S-1-5-21-861567501-1637723038-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-1637723038-839522115-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-1637723038-839522115-1004\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User '?')
O4 - HKUS\S-1-5-21-861567501-1637723038-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: tets - (no file)

--
End of file - 8632 bytes


Re: desot issues

Post by Belahzur on 16th August 2009, 6:43 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
    O24 - Desktop Component 0: tets - (no file)

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
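To make the triage done by eye above repeatable, here is an added Python example (not part of the forum thread and not HijackThis code) that parses O23 and O24 lines and flags the conditions acted on in this reply: a service with an unknown owner whose binary is missing, a desktop component with no backing file, and a binary name one character away from a Windows system binary. The sample lines are copied from the log posted above; the system-binary list and the one-edit lookalike rule are this example's own assumptions.

```python
import re

# Constructed sample: O23/O24 lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: tets - (no file)
"""

# Assumption: a small set of Windows system binaries that malware commonly imitates by name.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe",
}

# O23 - Service: <name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?: \((?P<status>file missing)\))?$"
)
# O24 - Desktop Component <n>: <name> - <target>
O24_RE = re.compile(r"^O24 - Desktop Component (?P<idx>\d+): (?P<name>.+?) - (?P<target>.+)$")


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character typosquats of system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this filename imitates (exactly one edit away), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None


def triage_line(line):
    """Return the reasons this O23/O24 line deserves a look; an empty list means nothing flagged."""
    reasons = []
    m = O23_RE.match(line)
    if m:
        basename = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1]
        if m.group("owner") == "Unknown owner" and m.group("status") == "file missing":
            reasons.append("service with unknown owner whose binary is missing")
        known = lookalike_of(basename)
        if known:
            reasons.append(f"{basename} is a lookalike of system binary {known}")
        return reasons
    m = O24_RE.match(line)
    if m and m.group("target") == "(no file)":
        reasons.append("desktop component with no backing file")
    return reasons


def triage(log_text):
    """Scan a HijackThis log and return [(line, reasons)] for the flagged lines only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

The Kodak line is flagged too, as orphaned service entries are worth a look even when they are leftovers of an uninstall rather than malware; the reasons column is what separates the two cases.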



Re: desot issues

Post by peacefulone on 16th August 2009, 8:03 pm

I wanted to let you know that I did a full scan with Malwarebytes software before I received this email. There were three files removed. I could not find a log for that though. I then did as you instructed with HijackThis and then the Quick scan with Malwarebytes and copied the log. There were no viruses found. I will now test my system and update you as to whether this has worked. It seems good so far! Thanks.


Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3

8/16/2009 3:59:51 PM
mbam-log-2009-08-16 (15-59-51).txt

Scan type: Quick Scan
Objects scanned: 99167
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)


Re: desot issues

Post by peacefulone on 16th August 2009, 8:53 pm

I had previously run WMI and part of the log for this is shown below. I can still not successfully download McAfee protection for my computer. I get "a cannot continue from McAfee".


15853 03:36:16 (0) ** WMIDiag v2.0 started on Sunday, August 16, 2009 at 03:32.
15854 03:36:16 (0) **
15855 03:36:16 (0) ** Copyright (c) Microsoft Corporation. All rights reserved - January 2007.
15856 03:36:16 (0) **
15857 03:36:16 (0) ** This script is not supported under any Microsoft standard support program or service.
15858 03:36:16 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
15859 03:36:16 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
15860 03:36:16 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
15861 03:36:16 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
15862 03:36:16 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
15863 03:36:16 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
15864 03:36:16 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
15865 03:36:16 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
15866 03:36:16 (0) ** of the possibility of such damages.
15867 03:36:16 (0) **
15868 03:36:16 (0) **
15869 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15870 03:36:16 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
15871 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15872 03:36:16 (0) **
15873 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15874 03:36:16 (0) ** Windows XP - No service pack - 32-bit (2600) - User 'JACLYN\JACLYN HOYT' on computer 'JACLYN'.
15875 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15876 03:36:16 (0) ** Environment: ........................................................................................................ OK..
15877 03:36:16 (1) !! ERROR: The following WMI system file(s) is/are missing: ............................................................. 1 ERROR(S)!
15878 03:36:16 (0) ** - C:\WINDOWS\System32\WBEM\wmiprvse.exe
15879 03:36:16 (0) ** => Recopy from a working system the missing WMI system files to 'C:\WINDOWS\SYSTEM32\WBEM\'
15880 03:36:16 (0) **
15881 03:36:16 (0) ** There are no missing WMI repository files: .......................................................................... OK.
15882 03:36:16 (0) ** WMI repository state: ............................................................................................... N/A.
15883 03:36:16 (0) ** BEFORE running WMIDiag:
15884 03:36:16 (0) ** The WMI repository has a size of: ................................................................................... 7 MB.
15885 03:36:16 (0) ** - Disk free space on 'C:': .......................................................................................... 43249 MB.
15886 03:36:16 (0) ** - INDEX.BTR, 1236992 bytes, 8/16/2009 12:58:57 AM
15887 03:36:16 (0) ** - INDEX.MAP, 640 bytes, 8/16/2009 12:58:57 AM
15888 03:36:16 (0) ** - OBJECTS.DATA, 5783552 bytes, 8/16/2009 12:58:56 AM
15889 03:36:16 (0) ** - OBJECTS.MAP, 2872 bytes, 8/16/2009 12:58:57 AM
15890 03:36:16 (0) ** AFTER running WMIDiag:
15891 03:36:16 (0) ** The WMI repository has a size of: ................................................................................... 7 MB.
15892 03:36:16 (0) ** - Disk free space on 'C:': .......................................................................................... 43247 MB.
15893 03:36:16 (0) ** - INDEX.BTR, 1236992 bytes, 8/16/2009 12:58:57 AM
15894 03:36:16 (0) ** - INDEX.MAP, 640 bytes, 8/16/2009 12:58:57 AM
15895 03:36:16 (0) ** - OBJECTS.DATA, 5783552 bytes, 8/16/2009 12:58:56 AM
15896 03:36:16 (0) ** - OBJECTS.MAP, 2872 bytes, 8/16/2009 12:58:57 AM
15897 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15898 03:36:16 (0) ** Windows Firewall: ................................................................................................... NOT INSTALLED.
15899 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15900 03:36:16 (0) ** DCOM Status: ........................................................................................................ OK.
15901 03:36:16 (0) ** WMI registry setup: ................................................................................................. OK.
15902 03:36:16 (0) ** WMI Service has no dependents: ...................................................................................... OK.
15903 03:36:16 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
15904 03:36:16 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
15905 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15906 03:36:16 (0) ** WMI service DCOM setup: ............................................................................................. OK.
15907 03:36:16 (0) ** WMI components DCOM registrations: .................................................................................. OK.
15908 03:36:16 (0) ** WMI ProgID registrations: ........................................................................................... OK.
15909 03:36:16 (2) !! WARNING: WMI provider DCOM registrations missing for the following provider(s): ..................................... 3 WARNING(S)!
15910 03:36:16 (0) ** - ROOT/MSAPPS10, OffProv10 ({9E30754B-29A9-41CE-8892-70E9E07D15DC}) (i.e. WMI Class 'Win32_ExcelComAddins')
15911 03:36:16 (0) ** Provider DLL: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
15912 03:36:16 (0) ** - ROOT/DEFAULT, PDProvider ({3079C13E-8C8B-4629-BC9D-1EC5E5A890BD})
15913 03:36:16 (0) ** Provider DLL: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
15914 03:36:16 (0) ** - ROOT/DEFAULT, PDEventsProvider ({9FDD5BF8-CE81-49F5-B4B4-6AAA527087AF})
15915 03:36:16 (0) ** Provider DLL: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
15916 03:36:16 (0) ** => This is an issue because there are still some WMI classes referencing this list of providers
15917 03:36:16 (0) ** while the DCOM registration is wrong or missing. This can be due to:
15918 03:36:16 (0) ** - a de-installation of the software.
15919 03:36:16 (0) ** - a deletion of some registry key data.
15920 03:36:16 (0) ** - a registry corruption.
15921 03:36:16 (0) ** => You can correct the DCOM configuration by:
15922 03:36:16 (0) ** - Executing the 'REGSVR32.EXE <Provider.DLL>' command.
15923 03:36:16 (0) ** Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
15924 03:36:16 (0) ** (This list can be built on a similar and working WMI Windows installation)
15925 03:36:16 (0) ** The following command line must be used:
15926 03:36:16 (0) ** i.e. 'WMIDiag CorrelateClassAndProvider'
15927 03:36:16 (2) !! WARNING: Re-registering with REGSVR32.EXE all DLL from 'C:\WINDOWS\SYSTEM32\WBEM\'
15928 03:36:16 (0) ** may not solve the problem as the DLL supporting the WMI class(es)
15929 03:36:16 (0) ** can be located in a different folder.
15930 03:36:16 (0) ** You must refer to the class name to determine the software delivering the related DLL.
15931 03:36:16 (0) ** => If the software has been de-installed intentionally, then this information must be
15932 03:36:16 (0) ** removed from the WMI repository. You can use the 'WMIC.EXE' command to remove
15933 03:36:16 (0) ** the provider registration data.
15934 03:36:16 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\DEFAULT path __Win32Provider Where Name='PDEventsProvider' DELETE'
15935 03:36:16 (0) ** => If the namespace was ENTIRELY dedicated to the intentionally de-installed software,
15936 03:36:16 (0) ** the namespace and ALL its content can be ENTIRELY deleted.
15937 03:36:16 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT path __NAMESPACE Where Name='DEFAULT' DELETE'
15938 03:36:16 (0) ** - Re-installing the software.
15939 03:36:16 (0) **
15940 03:36:16 (0) ** WMI provider CIM registrations: ..................................................................................... OK.
15941 03:36:16 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
15942 03:36:16 (0) ** WMI providers EXE/DLL availability: ................................................................................. OK.
15943 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
15944 03:36:16 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
15945 03:36:16 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
15946 03:36:16 (0) ** - REMOVED ACE:
15947 03:36:16 (0) ** ACEType: &h0
15948 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
15949 03:36:16 (0) ** ACEFlags: &h0
15950 03:36:16 (0) ** ACEMask: &h1
15951 03:36:16 (0) ** DCOM_RIGHT_EXECUTE


desot issues

Post by peacefulone on 16th August 2009, 8:54 pm

Here is the second part, and the last part will be coming next.

15952 03:36:16 (0) **
15953 03:36:16 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
15954 03:36:16 (0) ** Removing default security will cause some operations to fail!
15955 03:36:16 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
15956 03:36:16 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
15957 03:36:16 (0) **
15958 03:36:16 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
15959 03:36:16 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
15960 03:36:16 (0) ** - REMOVED ACE:
15961 03:36:16 (0) ** ACEType: &h0
15962 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
15963 03:36:16 (0) ** ACEFlags: &h0
15964 03:36:16 (0) ** ACEMask: &h1
15965 03:36:16 (0) ** DCOM_RIGHT_EXECUTE
15966 03:36:16 (0) **
15967 03:36:16 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
15968 03:36:16 (0) ** Removing default security will cause some operations to fail!
15969 03:36:16 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
15970 03:36:16 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
15971 03:36:16 (0) **
15972 03:36:16 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
15973 03:36:16 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
15974 03:36:16 (0) ** - REMOVED ACE:
15975 03:36:16 (0) ** ACEType: &h0
15976 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
15977 03:36:16 (0) ** ACEFlags: &h0
15978 03:36:16 (0) ** ACEMask: &h1
15979 03:36:16 (0) ** DCOM_RIGHT_EXECUTE
15980 03:36:16 (0) **
15981 03:36:16 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
15982 03:36:16 (0) ** Removing default security will cause some operations to fail!
15983 03:36:16 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
15984 03:36:16 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
15985 03:36:16 (0) **
15986 03:36:16 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
15987 03:36:16 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
15988 03:36:16 (0) ** - ACTUAL ACE:
15989 03:36:16 (0) ** ACEType: &h0
15990 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
15991 03:36:16 (0) ** ACEFlags: &h2
15992 03:36:16 (0) ** CONTAINER_INHERIT_ACE
15993 03:36:16 (0) ** ACEMask: &h1
15994 03:36:16 (0) ** WBEM_ENABLE
15995 03:36:16 (0) ** - EXPECTED ACE:
15996 03:36:16 (0) ** ACEType: &h0
15997 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
15998 03:36:16 (0) ** ACEFlags: &h12
15999 03:36:16 (0) ** CONTAINER_INHERIT_ACE
16000 03:36:16 (0) ** INHERITED_ACE
16001 03:36:16 (0) ** ACEMask: &h13
16002 03:36:16 (0) ** WBEM_ENABLE
16003 03:36:16 (0) ** WBEM_METHOD_EXECUTE
16004 03:36:16 (0) ** WBEM_WRITE_PROVIDER
16005 03:36:16 (0) **
16006 03:36:16 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
16007 03:36:16 (0) ** This will cause some operations to fail!
16008 03:36:16 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
16009 03:36:16 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
16010 03:36:16 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
16011 03:36:16 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
16012 03:36:16 (0) ** A specific WMI application can always require a security setup different
16013 03:36:16 (0) ** than the WMI security defaults.
16014 03:36:16 (0) **
16015 03:36:16 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
16016 03:36:16 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
16017 03:36:16 (0) ** - ACTUAL ACE:
16018 03:36:16 (0) ** ACEType: &h0
16019 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
16020 03:36:16 (0) ** ACEFlags: &h2
16021 03:36:16 (0) ** CONTAINER_INHERIT_ACE
16022 03:36:16 (0) ** ACEMask: &h1
16023 03:36:16 (0) ** WBEM_ENABLE
16024 03:36:16 (0) ** - EXPECTED ACE:
16025 03:36:16 (0) ** ACEType: &h0
16026 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
16027 03:36:16 (0) ** ACEFlags: &h12
16028 03:36:16 (0) ** CONTAINER_INHERIT_ACE
16029 03:36:16 (0) ** INHERITED_ACE
16030 03:36:16 (0) ** ACEMask: &h13
16031 03:36:16 (0) ** WBEM_ENABLE
16032 03:36:16 (0) ** WBEM_METHOD_EXECUTE
16033 03:36:16 (0) ** WBEM_WRITE_PROVIDER
16034 03:36:16 (0) **
16035 03:36:16 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
16036 03:36:16 (0) ** This will cause some operations to fail!
16037 03:36:16 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
16038 03:36:16 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
16039 03:36:16 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
16040 03:36:16 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
16041 03:36:16 (0) ** A specific WMI application can always require a security setup different
16042 03:36:16 (0) ** than the WMI security defaults.
16043 03:36:16 (0) **
16044 03:36:16 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
16045 03:36:16 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
16046 03:36:16 (0) ** - REMOVED ACE:
16047 03:36:16 (0) ** ACEType: &h0
16048 03:36:16 (0) ** ACCESS_ALLOWED_ACE_TYPE
16049 03:36:16 (0) ** ACEFlags: &h12
16050 03:36:16 (0) ** CONTAINER_INHERIT_ACE
16051 03:36:16 (0) ** INHERITED_ACE
16052 03:36:16 (0) ** ACEMask: &h13
16053 03:36:16 (0) ** WBEM_ENABLE
16054 03:36:16 (0) ** WBEM_METHOD_EXECUTE
16055 03:36:16 (0) ** WBEM_WRITE_PROVIDER
16056 03:36:16 (0) **
16057 03:36:16 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
16058 03:36:16 (0) ** Removing default security will cause some operations to fail!
16059 03:36:16 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
16060 03:36:16 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
16061 03:36:16 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
16062 03:36:16 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
16063 03:36:16 (0) ** A specific WMI application can always require a security setup different
16064 03:36:16 (0) ** than the WMI security defaults.
16065 03:36:16 (0) **
16066 03:36:16 (0) **
16067 03:36:16 (0) ** DCOM security warning(s) detected: .................................................................................. 0.
16068 03:36:16 (0) ** DCOM security error(s) detected: .................................................................................... 3.
16069 03:36:16 (0) ** WMI security warning(s) detected: ................................................................................... 0.
16070 03:36:16 (0) ** WMI security error(s) detected: ..................................................................................... 3.
16071 03:36:16 (0) **
16072 03:36:16 (1) !! ERROR: Overall DCOM security status: ................................................................................ ERROR!
16073 03:36:16 (1) !! ERROR: Overall WMI security status: ................................................................................. ERROR!
16074 03:36:16 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
16075 03:36:16 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ................................................................................ 2.
16076 03:36:16 (0) ** - ROOT/SUBSCRIPTION, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
16077 03:36:16 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
16078 03:36:16 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
16079 03:36:16 (0) ** 'select * from MSFT_SCMEventLogEvent'
16080 03:36:16 (0) **
16081 03:36:16 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
16082 03:36:16 (0) ** INFO: WMI ADAP status: .............................................................................................. 2.
16083 03:36:16 (0) ** => The WMI ADAP process is processing a performance library (2).
16084 03:36:16 (0) ** Some WMI performance classes could be missing at the time WMIDiag was executed.
16085 03:36:16 (0) ** INFO: WMI namespace(s) requiring PACKET PRIVACY: .................................................................... 1 NAMESPACE(S)!
16086 03:36:16 (0) ** - ROOT/SERVICEMODEL.
16087 03:36:16 (0) ** => When remotely connecting, the namespace(s) listed require(s) the WMI client to
16088 03:36:16 (0) ** use an encrypted connection by specifying the PACKET PRIVACY authentication level.
16089 03:36:16 (0) ** (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or PktPrivacy flags)
16090 03:36:16 (0) ** i.e. 'WMIC.EXE /NODE:"JACLYN" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
16091 03:36:16 (0) **

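The WMIDiag summary above reports two permanent event subscriptions (both stock Microsoft entries), one namespace that only accepts packet-privacy connections, and a run of 0x80070005 "Access is denied" failures against Root/CIMv2. The PowerShell below is an added example, not part of the thread and not WMIDiag output: it walks the filter-to-consumer bindings in root\subscription so that any consumer beyond the two WMIDiag lists stands out, and it re-runs a namespace query at the PacketPrivacy authentication level WMIDiag recommends, reporting the same access-denied failure if the namespace security is broken. It assumes PowerShell 2.0 or later is installed (the thread never mentions it); the `$knownConsumers` names are copied from the WMIDiag lines above, and `-ComputerName` is a hypothetical parameter for running the same checks against a remote host.

```powershell
# Added example: WMI persistence and namespace-access checks. Not from the thread.
# The two consumer names are the stock entries WMIDiag reported in ROOT/SUBSCRIPTION.
$knownConsumers = @(
    'Microsoft WMI Updating Consumer Scenario Control',   # MSFT_UCScenarioControl
    'SCM Event Log Consumer'                              # NTEventLogEventConsumer
)

function Get-WmiPersistence {
    param([string]$ComputerName = '.')   # '.' = local machine
    $ns = 'root\subscription'
    $bindings = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Filter and Consumer are WMI object paths ('__EventFilter.Name="..."');
        # the [wmi] accelerator resolves each path to the live object.
        $f = [wmi]$b.Filter
        $c = [wmi]$b.Consumer
        New-Object PSObject -Property @{
            FilterName   = $f.Name
            Query        = $f.Query                 # the WQL trigger, e.g. an __InstanceOperationEvent
            ConsumerType = $c.__CLASS               # CommandLineEventConsumer / ActiveScriptEventConsumer / ...
            ConsumerName = $c.Name
            CommandLine  = $c.CommandLineTemplate   # populated only for CommandLineEventConsumer
            Script       = $c.ScriptText            # populated only for ActiveScriptEventConsumer
            Suspicious   = ($knownConsumers -notcontains $c.Name)
        }
    }
}

function Test-WmiNamespaceAccess {
    param(
        [string]$ComputerName = '.',
        [string]$Namespace = 'root\cimv2'
    )
    try {
        # PacketPrivacy = RPC_C_AUTHN_LEVEL_PKT_PRIVACY, the level WMIDiag says
        # ROOT\ServiceModel requires for remote connections; harmless locally.
        $null = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace `
                    -Authentication PacketPrivacy -Class __NAMESPACE -ErrorAction Stop
        "$Namespace : OK"
    } catch {
        # A damaged namespace ACL surfaces here as 0x80070005 / Access denied,
        # the same failure WMIDiag listed for Root/CIMv2 and Root/Default.
        "$Namespace : ERROR - $($_.Exception.Message)"
    }
}

# Usage: anything not in $knownConsumers is worth a close look.
Get-WmiPersistence | Where-Object { $_.Suspicious } | Format-List
Test-WmiNamespaceAccess -Namespace 'root\cimv2'
Test-WmiNamespaceAccess -Namespace 'root\default'
Test-WmiNamespaceAccess -Namespace 'root\ServiceModel'
```

Reading CommandLineTemplate or ScriptText on a consumer class that lacks the property simply yields an empty field, so the object shape stays constant across consumer types. If the queries in `Get-WmiPersistence` themselves fail with access denied, that is the same namespace-security damage WMIDiag is reporting, and the persistence check cannot be trusted until WMI is repaired.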

Re: desot issues

Post by peacefulone on 16th August 2009, 8:57 pm

Here is the rest of it.

16092 03:36:16 (0) ** WMI MONIKER CONNECTIONS: ............................................................................................ OK.
16093 03:36:16 (0) ** WMI CONNECTIONS: .................................................................................................... OK.
16094 03:36:16 (1) !! ERROR: WMI GET operation errors reported: ........................................................................... 4 ERROR(S)!
16095 03:36:16 (0) ** - Root/CIMv2, Win32_Process.Handle=920, 0x80070005 - Access is denied..
16096 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16097 03:36:16 (0) ** - Root/CIMv2, Win32_Process.Handle=920, 0x80070005 - Access is denied..
16098 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16099 03:36:16 (0) ** - Root/CIMv2, Win32_Process.Handle=920, 0x80070005 - Access is denied..
16100 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16101 03:36:16 (0) ** - Root/CIMv2, Win32_Process.Handle=920, 0x80070005 - Access is denied..
16102 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16103 03:36:16 (0) **
16104 03:36:16 (0) ** WMI MOF representations: ............................................................................................ OK.
16105 03:36:16 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
16106 03:36:16 (1) !! ERROR: WMI ENUMERATION operation errors reported: ................................................................... 33 ERROR(S)!
16107 03:36:16 (0) ** - ROOT/WMI, InstancesOfAsync, 'MSMouse', 0x80070005 - .
16108 03:36:16 (0) ** MOF Registration: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
16109 03:36:16 (0) ** - ROOT/CIMV2, InstancesOfAsync, 'CIM_USBDevice', 0x80070005 - .
16110 03:36:16 (0) ** MOF Registration: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
16111 03:36:16 (0) ** - ROOT/CIMV2, InstancesOfAsync, 'CIM_USBHub', 0x80070005 - .
16112 03:36:16 (0) ** MOF Registration: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
16113 03:36:16 (0) ** - Root/Default, InstancesOf, 'SystemRestore', 0x80070005 - Access is denied..
16114 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\SR.MOF'
16115 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_Process', 0x80070005 - Access is denied..
16116 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16117 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_OperatingSystem', 0x80070005 - Access is denied..
16118 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16119 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_ComputerSystem', 0x80070005 - Access is denied..
16120 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16121 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_Service', 0x80070005 - Access is denied..
16122 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16123 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_Bios', 0x80070005 - Access is denied..
16124 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.MOF / C:\WINDOWS\SYSTEM32\WBEM\SECRCW32.MOF'
16125 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_Tcpip_IP', 0x80070005 - Access is denied..
16126 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16127 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_Tcpip_TCP', 0x80070005 - Access is denied..
16128 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16129 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_Tcpip_UDP', 0x80070005 - Access is denied..
16130 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16131 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_Tcpip_ICMP', 0x80070005 - Access is denied..
16132 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16133 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfOS_Cache', 0x80070005 - Access is denied..
16134 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16135 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfOS_Memory', 0x80070005 - Access is denied..
16136 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16137 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfOS_Objects', 0x80070005 - Access is denied..
16138 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16139 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfOS_PagingFile', 0x80070005 - Access is denied..
16140 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16141 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfOS_Processor', 0x80070005 - Access is denied..
16142 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16143 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfOS_System', 0x80070005 - Access is denied..
16144 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16145 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfProc_Process', 0x80070005 - Access is denied..
16146 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16147 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfRawData_PerfProc_Thread', 0x80070005 - Access is denied..
16148 03:36:16 (0) ** MOF Registration: 'No located MOF file (exception)'
16149 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_Tcpip_IP', 0x80070005 - Access is denied..
16150 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16151 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_Tcpip_TCP', 0x80070005 - Access is denied..
16152 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16153 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_Tcpip_UDP', 0x80070005 - Access is denied..
16154 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16155 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_Tcpip_ICMP', 0x80070005 - Access is denied..
16156 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16157 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfOS_Cache', 0x80070005 - Access is denied..
16158 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16159 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfOS_Memory', 0x80070005 - Access is denied..
16160 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16161 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfOS_Objects', 0x80070005 - Access is denied..
16162 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16163 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfOS_PagingFile', 0x80070005 - Access is denied..
16164 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16165 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfOS_Processor', 0x80070005 - Access is denied..
16166 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16167 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfOS_System', 0x80070005 - Access is denied..
16168 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16169 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfProc_Process', 0x80070005 - Access is denied..
16170 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16171 03:36:16 (0) ** - Root/CIMv2, InstancesOf, 'Win32_PerfFormattedData_PerfProc_Thread', 0x80070005 - Access is denied..
16172 03:36:16 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\WMI.MOF'
16173 03:36:16 (0) **
16174 03:36:16 (1) !! ERROR: WMI EXECQUERY operation errors reported: ..................................................................... 20 ERROR(S)!
16175 03:36:16 (0) ** - Root/Default, Select * From SystemRestore, 0x80070005 - Access is denied..
16176 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_LogicalDisk WHERE FreeSpace > 10000000 AND DriveType = 3, 0x80070005 - Access is denied..
16177 03:36:16 (0) ** - Root/CIMv2, Select DriveType From Win32_LogicalDisk WHERE Name='C:', 0x80070005 - Access is denied..
16178 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_Service, 0x80070005 - Access is denied..
16179 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_PageFileUsage, 0x80070005 - Access is denied..
16180 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_BIOS WHERE Version IS NOT NULL, 0x80070005 - Access is denied..
16181 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_NetworkAdapter WHERE AdapterType IS NOT NULL AND AdapterType != "Wide Area Network (WAN)" AND Description != "Packet Scheduler Miniport", 0x80070005 - Access is denied..
16182 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_Processor WHERE Name IS NOT NULL, 0x80070005 - Access is denied..
16183 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_DiskDrive, 0x80070005 - Access is denied..
16184 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_ComputerSystem, 0x80070005 - Access is denied..
16185 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_DiskPartition, 0x80070005 - Access is denied..
16186 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_LogicalDisk WHERE Description != "Network Connection", 0x80070005 - Access is denied..
16187 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_SoundDevice, 0x80070005 - Access is denied..
16188 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_VideoController, 0x80070005 - Access is denied..
16189 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_USBController, 0x80070005 - Access is denied..
16190 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_DesktopMonitor, 0x80070005 - Access is denied..
16191 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_PointingDevice WHERE Status = "OK", 0x80070005 - Access is denied..
16192 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_Keyboard, 0x80070005 - Access is denied..
16193 03:36:16 (0) ** - Root/CIMv2, Select * From Win32_SystemDriver WHERE StartMode != "Disabled", 0x80070005 - Access is denied..
16194 03:36:16 (0) ** - Root/WMI, Select * From MSNdis_MediaConnectStatus, 0x80070005 - Access is denied..
16195 03:36:16 (0) **
16196 03:36:16 (0) ** WMI GET VALUE operations: ........................................................................................... OK.
16197 03:36:16 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
16198 03:36:16 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
16199 03:36:16 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
16200 03:36:16 (0) ** WMI static instances retrieved: ..................................................................................... 613.
16201 03:36:16 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
16202 03:36:16 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 0.
16203 03:36:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
16204 03:36:16 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
16205 03:36:16 (0) ** DCOM: ............................................................................................................. ERROR!
16206 03:36:16 (0) ** WINMGMT: .......................................................................................................... ERROR!
16207 03:36:16 (0) ** WMIADAPTER: ....................................................................................................... ERROR!
16208 03:36:16 (0) **
16209 03:36:16 (0) ** # of additional Event Log events AFTER WMIDiag execution:
16210 03:36:16 (0) ** DCOM: ............................................................................................................. ERROR!
16211 03:36:16 (0) ** WINMGMT: .......................................................................................................... ERROR!
16212 03:36:16 (0) ** WMIADAPTER: **

Re: desot issues

Post by Belahzur on 16th August 2009, 9:16 pm

Hello.

  • Download combofix from here

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: desot issues

Post by peacefulone on 18th August 2009, 2:56 am

Here are the results from Combofix. (This is the first part)

ComboFix 09-08-10.06 - Jaclyn Hoyt 08/17/2009 18:26.3.1 - NTFSx86
Running from: c:\documents and settings\Jaclyn Hoyt\Desktop\Hijack\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.
2009-08-17 22:39 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-17 22:39 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-16 18:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 18:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 18:01 . 2009-08-16 19:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 09:06 . 2009-08-16 09:06 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\.netbeans
2009-08-16 09:06 . 2009-08-16 09:06 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\.netbeans-registration
2009-08-16 08:54 . 2009-08-16 09:05 -------- d-----w- c:\program files\NetBeans 6.7
2009-08-16 08:35 . 2009-08-16 09:41 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\.nbi
2009-08-16 08:00 . 2009-08-16 08:34 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\.SunDownloadManager
2009-08-16 07:57 . 2009-08-16 07:57 1078 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{25A13826-8E4A-4FBF-AD2B-776447FE9646}\_fbf2f14.exe
2009-08-16 07:57 . 2009-08-16 07:57 1078 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{25A13826-8E4A-4FBF-AD2B-776447FE9646}\_6ad647e.exe
2009-08-16 07:57 . 2009-08-16 07:57 1078 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{25A13826-8E4A-4FBF-AD2B-776447FE9646}\_5c673cd6.exe
2009-08-16 07:57 . 2009-08-16 07:57 1078 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{25A13826-8E4A-4FBF-AD2B-776447FE9646}\_422d54dc.exe
2009-08-16 07:57 . 2009-08-16 07:57 1078 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{25A13826-8E4A-4FBF-AD2B-776447FE9646}\_368ed66.exe
2009-08-16 07:56 . 2009-08-16 07:56 -------- d-----w- c:\program files\WMI Tools
2009-08-16 05:08 . 2009-08-16 05:08 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\Application Data\Graboid Inc
2009-08-15 23:41 . 2009-08-15 23:57 85495048 ----a-w- c:\documents and settings\Jaclyn Hoyt\Application Data\Verizon\VSP\downloads\Setup-Verizon_Internet_Security_Suite_8.0.27.35772_Consumer.41.exe.dir\Setup-Verizon_Internet_Security_Suite_8.0.27.35772_Consumer.exe
2009-08-15 22:59 . 2009-08-15 23:00 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\Local Settings\Application Data\McAfee Anti-Theft
2009-08-15 22:57 . 2009-08-15 23:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee Anti-Theft
2009-08-15 19:42 . 2009-08-17 20:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-15 07:07 . 2009-08-15 07:07 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 07:07 . 2009-08-15 07:07 -------- d-----w- c:\program files\MSBuild
2009-08-15 07:06 . 2009-08-15 07:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 07:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 07:06 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 07:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 07:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 07:06 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 07:06 . 2009-08-15 07:06 -------- d-----w- C:\b827c0b8d1babe5a7f
2009-08-15 07:06 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 07:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-13 06:22 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 22:20 . 2004-08-04 12:00 407040 -c--a-w- c:\windows\system32\dllcache\netlogon.dll
2009-08-12 22:20 . 2004-08-04 12:00 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-12 22:18 . 2004-08-04 12:00 180224 -c--a-w- c:\windows\system32\dllcache\scecli.dll
2009-08-12 22:18 . 2004-08-04 12:00 180224 ----a-w- c:\windows\system32\scecli.dll
2009-08-12 22:11 . 2009-08-09 09:16 2278 ----a-w- C:\command.reg
2009-08-12 22:11 . 2006-02-26 03:28 130048 ----a-w- C:\avenger.exe
2009-08-12 22:11 . 2001-08-23 21:30 72192 ----a-w- C:\taskkill.exe
2009-08-12 22:08 . 2009-08-12 22:08 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\Application Data\Malwarebytes
2009-08-12 22:08 . 2009-08-12 22:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-12 02:37 . 2009-08-12 02:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-11 22:11 . 2009-08-11 22:11 -------- d-----w- C:\!KillBox
2009-08-11 21:39 . 2009-08-11 21:39 -------- d-----w- c:\program files\Citrix
2009-08-11 21:38 . 2009-08-11 21:38 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\Local Settings\Application Data\Citrix
2009-08-11 21:38 . 2009-08-11 21:38 61224 ----a-w- c:\documents and settings\Jaclyn Hoyt\GoToAssistDownloadHelper.exe
2009-08-11 19:30 . 2009-07-13 05:42 286880 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-11 19:28 . 2009-08-11 19:28 -------- d-----w- c:\documents and settings\Jaclyn Hoyt\Application Data\McAfee
2009-08-11 19:24 . 2009-08-11 19:24 49152 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-08-11 19:24 . 2009-08-11 19:24 49152 ----a-r- c:\documents and settings\Jaclyn Hoyt\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-08-11 19:24 . 2009-08-13 14:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-08-11 19:24 . 2009-08-15 22:54 -------- d-----w- c:\program files\McAfee
2009-08-09 02:27 . 2009-08-15 22:32 -------- d-sh--w- C:\found.001
2009-08-08 07:22 . 2008-11-27 22:47 -------- d---a-w- c:\windows\system32\images
2009-08-08 07:05 . 2009-08-08 07:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-08 07:02 . 2009-08-08 07:02 -------- d-----w- C:\6f45e708df215fa03043088349bc2299
2009-08-08 07:02 . 2009-08-08 07:02 -------- d-----w- C:\2f16ca2e397df58a56151a5246333783
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 13:52 . 2009-07-30 13:52 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-30 13:51 . 2009-07-30 13:51 152576 ----a-w- c:\documents and settings\Jaclyn Hoyt\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-23 07:01 . 2009-07-23 07:01 -------- d-----w- c:\windows\ie8updates
2009-07-22 17:01 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-22 17:01 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-22 03:54 . 2009-07-22 03:54 -------- d-sh--w- c:\documents and settings\Jaclyn Hoyt\IECompatCache
2009-07-22 03:53 . 2009-07-22 03:53 -------- d-sh--w- c:\documents and settings\Jaclyn Hoyt\PrivacIE
2009-07-22 03:52 . 2009-07-22 03:52 -------- d-sh--w- c:\documents and settings\Jaclyn Hoyt\IETldCache
2009-07-22 03:33 . 2009-07-22 03:35 -------- dc-h--w- c:\windows\ie8
2009-07-20 23:53 . 2009-07-22 03:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NOS
2009-07-20 23:53 . 2009-07-22 03:13 -------- d-----w- c:\program files\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 20:00 . 2009-05-03 04:56 -------- d-----w- c:\program files\VideoLAN
2009-08-16 09:32 . 2007-10-27 14:29 -------- d-----w- c:\program files\Java
2009-08-16 04:57 . 2007-04-15 22:59 -------- d-----w- c:\program files\Verizon
2009-08-16 01:09 . 2007-11-17 23:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Verizon
2009-08-16 00:41 . 2007-05-28 12:46 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-15 23:59 . 2007-04-15 21:00 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-15 21:55 . 2007-06-08 11:12 87304 ----a-w- c:\documents and settings\Jaclyn Hoyt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 21:52 . 2007-04-17 23:18 -------- d-----w- c:\program files\Windows Live Toolbar
2009-08-15 21:50 . 2009-03-03 03:00 -------- d-----w- c:\program files\Windows Live
2009-08-15 21:46 . 2007-04-18 01:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL
2009-08-15 19:52 . 2007-05-21 01:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 19:49 . 2009-07-17 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller
2009-08-15 19:44 . 2009-02-17 21:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 19:44 . 2009-07-17 22:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Norton
2009-08-15 19:44 . 2008-02-11 19:50 -------- d-----w- c:\program files\Norton Security Scan
2009-08-15 07:22 . 2009-04-11 12:09 117760 ----a-w- c:\documents and settings\Jaclyn Hoyt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 09:01 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:31 . 2009-07-17 19:30 -------- d-----w- c:\program files\iTunes
2009-07-17 19:31 . 2007-04-15 21:34 -------- d-----w- c:\program files\iPod
2009-07-17 19:31 . 2008-02-20 00:05 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 19:28 . 2007-04-15 21:37 -------- d-----w- c:\program files\QuickTime
2009-07-17 19:01 . 2002-09-03 16:27 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-09-03 16:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2002-09-03 17:06 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2007-04-15 20:40 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2002-09-03 17:12 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-30 04:02 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 00:45 . 2008-07-12 04:07 34 ----a-w- c:\documents and settings\Jaclyn Hoyt\jagex_runescape_preferences.dat
2002-09-03 17:07 . 2002-09-03 17:07 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2002-09-03 17:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-09-03 16:41 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2002-09-03 16:46 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2002-09-03 16:46 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2002-09-03 16:46 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2002-09-03 16:51 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2002-09-03 16:51 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2002-09-03 16:56 11776 --sh--w- c:\windows\system32\regsvr32.exe
2009-04-27 01:57 . 2009-04-05 02:03 20878624 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-04-27 01:57 . 2009-04-05 02:03 365856 --sha-w- c:\windows\system32\drivers\fidbox2.dat

Re: desot issues

Post by peacefulone on 18th August 2009, 2:57 am

Here is the second part of the Combo-fix log.

------- Sigcheck -------
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2002-09-03 17:04 1947904 0E8EFB15746878A9B256E75267337233 c:\windows\$NtUninstallKB885835_0$\ntkrnlpa.exe
[7] 2004-08-04 05:58 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2004-10-22 07:29 1955840 EFA7883018F42295D927121808AE6CEE c:\windows\$NtUninstallKB890859_0$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2002-09-03 16:50 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\$NtUninstallKB885835_0$\ntoskrnl.exe
[7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2004-10-22 08:33 2088448 5A7EB0C9F96917B7ECF5ADF70C4B1BAE c:\windows\$NtUninstallKB890859_0$\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\$NtUninstallKB956841_0$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[7] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

c:\windows\system32\appmgmts.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"McPvTray"="c:\program files\McAfee\Anti-Theft\McPvTray.exe" [2008-05-28 655360]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-15 45056]
HPAiODevice(hp psc 700 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-4-24 487484]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe [x]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S0 McPvDrv;McPvDrv; [x]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-17 22:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(648)
c:\windows\system32\WININET.dll
c:\docume~1\JACLYN~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\java.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
.
**************************************************************************
.
Completion time: 2009-08-18 22:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 02:46
ComboFix2.txt 2009-08-15 21:35
Pre-Run: 44,923,736,064 bytes free
Post-Run: 45,001,687,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
299 --- E O F --- 2009-08-15 07:14

peacefulone
Novice
Posts : 10
Joined : 2009-08-16
OS : XP
Points : 26752
Likes : 0
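Two things in the log above are worth checking by script rather than by eye. The entries for c:\windows\system32\ntkrnlpa.exe and c:\windows\system32\ntoskrnl.exe record a size of about 2 MB but the digest D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes: the scanner got no data back from the live kernel images, while the dllcache copies next to them hashed normally. And the service list has an entry whose image is c:\windows\svchast.exe with no date or size recorded ([x]), one letter away from svchost.exe. The script below is an added example, not part of the original post and not ComboFix's own code: it parses those two line formats and flags unreadable files, digests that differ between system32 and dllcache, services whose image is missing, and image names within one edit of a core Windows binary. The set of core binary names and the fixed system32 path are the script's own assumptions; the sample lines are quoted from the log.

```python
"""Triage of the hash-table and service-list sections of a ComboFix-style log.

Added example; the sample lines below are quoted from the log posted in this thread.
"""
import hashlib
import ntpath
import re

# MD5 of zero bytes. A hash line that carries this digest next to a non-zero
# size means the scanner read nothing from the file, not that the file is empty.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E

# Core Windows process names (taken from the running-process list at the top of
# the thread). Assumption of this script: a service image one keystroke away
# from one of these names deserves a second look.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "ctfmon.exe",
}
SYSTEM32 = r"c:\windows\system32"   # assumed install path, as in the log

# "[7] 2009-02-07 23:02 2066048 5BA7F2...617A c:\windows\...\ntkrnlpa.exe"
HASH_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
# "R2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe [x]"
SERVICE_LINE = re.compile(
    r"^(?P<type>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s+"
    r"\[(?P<info>[^\]]*)\]\s*$"
)

# Lines quoted from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2009-02-06 11:08 2189056 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe [x]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S0 McPvDrv;McPvDrv; [x]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
"""


def levenshtein(a, b):
    """Edit distance, used to catch look-alike names such as svchast vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_hash_lines(text):
    rows = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            rows.append({"size": int(m["size"]), "md5": m["md5"].upper(), "path": m["path"]})
    return rows


def parse_service_lines(text):
    rows = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            rows.append({"name": m["name"], "image": m["image"].strip(), "info": m["info"]})
    return rows


def triage_hashes(rows):
    """Flag copies the scanner could not read, and a system32 copy whose digest
    differs from the dllcache copy kept beside it."""
    findings = []
    by_name = {}
    for r in rows:
        by_name.setdefault(ntpath.basename(r["path"]).lower(), []).append(r)
    for group in by_name.values():
        by_dir = {ntpath.dirname(r["path"]).lower(): r for r in group}
        for r in group:
            if r["md5"] == EMPTY_MD5 and r["size"] > 0:
                findings.append(("unreadable", r["path"]))
        live, cache = by_dir.get(SYSTEM32), by_dir.get(SYSTEM32 + r"\dllcache")
        if live and cache and live["md5"] != cache["md5"]:
            findings.append(("cache-mismatch", live["path"]))
    return findings


def triage_services(entries):
    """Flag services whose image is missing ([x], no date or size), or whose image
    name imitates a core Windows binary."""
    findings = []
    for e in entries:
        if e["info"] == "x" or not e["image"]:
            findings.append(("image-missing", e["name"]))
        base = ntpath.basename(e["image"]).lower()
        if not base or base in SYSTEM_BINARIES:
            continue
        close = sorted(s for s in SYSTEM_BINARIES if levenshtein(base, s) == 1)
        if close:
            findings.append(("lookalike:" + close[0], e["image"]))
    return findings


if __name__ == "__main__":
    hashes = triage_hashes(parse_hash_lines(SAMPLE_LOG))
    services = triage_services(parse_service_lines(SAMPLE_LOG))
    for finding in hashes + services:
        print("%-22s %s" % finding)
```

Run it directly to print the findings for the quoted lines. A read failure on the live kernel image is the first thing to chase: nothing else in a scan taken on that machine can be trusted until it is explained.
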

Re: desot issues

Post by Belahzur on 18th August 2009, 3:34 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    appmgmts.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
Likes : 1

Re: desot issues

Post by peacefulone on 18th August 2009, 5:57 pm

Here is the result of the scan.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 13:56 on 18/08/2009 by Jaclyn Hoyt (Administrator - Elevation successful)
No Context: filefind
No Context: appmgmts.dll
-=End Of File=-

Re: desot issues

Post by Belahzur on 18th August 2009, 8:38 pm

Hello.
You missed the colon before "filefind"

:filefind


Re: desot issues

Post by peacefulone on 19th August 2009, 7:40 pm

OK - here are the actual results - it couldn't find the file.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:07 on 19/08/2009 by Jaclyn Hoyt (Administrator - Elevation successful)
========== filefind ==========
Searching for "appmgmts.dll"
No files found.
-=End Of File=-

Re: desot issues

Post by Belahzur on 19th August 2009, 7:43 pm

Hello.

Please download the missing file from here:
[You must be registered and logged in to see this link.]

Download it to your Desktop.
Now right click the file, select Cut.

Now let's put it in the system32 folder. Using Windows Explorer (Windows key + E), navigate to this folder:

C:\Windows\system32

Go inside it and right click anywhere, select Paste.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


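The :filefind step earlier in the thread answers whether any copy of appmgmts.dll exists on the disk, and the step above drops a downloaded replacement into system32. Before trusting such a replacement, the check a practitioner wants is a digest comparison against the copies Windows keeps for itself (the dllcache, ServicePackFiles and Driver Cache paths that appear throughout the ComboFix log). The script below is an added example, not SystemLook's, ComboFix's or the forum's code: it implements the case-insensitive file search, then accepts a candidate only if its digest matches a cached copy. The cache directory names and the temporary directory tree it builds are the script's own assumptions; no real system files are touched. In this thread no cached copy existed at all, which is exactly the case where the check refuses to vouch for the download and the file has to be verified against another XP SP3 machine or the original installation media instead.

```python
"""Added example: a :filefind equivalent plus a check on a replacement system file.

The directory tree it searches is constructed in a temp folder; it never touches
the real Windows directory.
"""
import hashlib
import os
import tempfile

# Directories in which XP keeps its own reference copies of system files; these
# are the cache paths listed beside system32 throughout the ComboFix log
# (assumed names, matched case-insensitively against the parent directory).
CACHE_DIRS = ("dllcache", "servicepackfiles", "driver cache")


def md5_of(path):
    """MD5 is used only because that is the digest the ComboFix log prints;
    for any other purpose prefer SHA-256."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def filefind(root, name):
    """Case-insensitive search for `name` below `root`, as SystemLook's :filefind
    does, reporting size and digest for every hit."""
    hits, target = [], name.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == target:
                path = os.path.join(dirpath, fname)
                hits.append({"path": path, "size": os.path.getsize(path), "md5": md5_of(path)})
    return hits


def reference_digests(hits):
    """Digests of the hits that live in one of Windows' own cache directories."""
    refs = set()
    for h in hits:
        parent = os.path.dirname(h["path"]).lower()
        if any(c in parent for c in CACHE_DIRS):
            refs.add(h["md5"])
    return refs


def check_replacement(candidate, hits):
    """Return (ok, reason): a downloaded file may go into system32 only when its
    digest matches a copy Windows already holds; with no cached copy there is no
    local baseline and the file has to be verified some other way."""
    refs = reference_digests(hits)
    if not refs:
        return False, "no cached copy on this machine to compare against"
    digest = md5_of(candidate)
    if digest in refs:
        return True, "matches cached copy " + digest
    return False, "digest %s matches none of %s" % (digest, sorted(refs))


def demo():
    """Constructed stand-in for the Windows directory and a Desktop folder."""
    root = tempfile.mkdtemp(prefix="winroot-")
    cache = os.path.join(root, "system32", "dllcache")
    os.makedirs(cache)
    known_good = b"MZ" + b"\x00" * 510 + b"appmgmts-known-good"   # 531 bytes, fake PE
    with open(os.path.join(cache, "APPMGMTS.DLL"), "wb") as f:    # note the case
        f.write(known_good)
    desktop = tempfile.mkdtemp(prefix="desktop-")
    good = os.path.join(desktop, "appmgmts.dll")
    bad = os.path.join(desktop, "appmgmts-other.dll")
    with open(good, "wb") as f:
        f.write(known_good)
    with open(bad, "wb") as f:
        f.write(known_good + b"!")                                # one byte different
    hits = filefind(root, "appmgmts.dll")
    return {
        "hits": hits,
        "good": check_replacement(good, hits),
        "bad": check_replacement(bad, hits),
        "none": check_replacement(good, filefind(root, "nosuchfile.dll")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

demo() builds the tree and returns the three verdicts: a byte-identical candidate is accepted, a tampered one is rejected, and a file with no cached copy anywhere is rejected for lack of a baseline rather than silently accepted.

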
Re: desot issues

Post by peacefulone on 22nd August 2009, 11:31 pm

Thank you so much! My computer is working great except for one area, and that is redirection. If I google a topic and select one of the options it redirects me to an ad. I really want to acknowledge everything you have done so far! I can't thank you enough and I plan on making a donation!!

Re: desot issues

Post by Origin on 25th August 2009, 3:40 pm

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31533
Likes : 0
