Windows 7 Forums

Windows 7: gpedit.msc failing on me.

11 Dec 2010   #1

Windows 7 Ultimate 32bit

I think I have been attacked by some kind of malware, which is very clever.

1) Registry editing has been disabled by your admin
2) Task manager has been disabled by your admin

I am the real person who uses my computer, I am the admin and the only 'virtual user' I have is the hidden vmware user.

I have run a Malwarebytes FULL scan twice and deleted 11 infected items. Task Manager works! Yay. I restart, and Task Manager is disabled again, alongside regedit.

I use gpedit.msc and set the CTRL+ALT+DEL values to DISABLED.

In Run I type gpupdate /force. Task Manager is enabled for 3 seconds; regedit stays disabled.

I just ran a quick scan now and got the following details that the FULL SCAN didn't get:

Code:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5285

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/12/2010 7:09:19 pm
mbam-log-2010-12-11 (19-09-19).txt

Scan type: Quick scan
Objects scanned: 144707
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
I have just deleted it now...

regedit and Task Manager are still disabled upon reboot.

Help me please!


11 Dec 2010   #2

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86

I'm not sure exactly what you are enabling in gpedit. Try doing it this way.

Click Start, Run. Type GPEDIT.MSC and press Enter. Go to the following location:

User Configuration > Administrative Templates > System

In the Settings window, find the option "Prevent Access to Registry Editing Tools" and double-click on it to change it. Select Disabled or Not Configured and choose OK. Close gpedit and restart your computer. Try opening REGEDIT again.
11 Dec 2010   #3

Windows 7 Ultimate 32bit

Bill2, I did exactly what you said.
On reboot the settings were the same (in gpedit) but Task Manager and regedit were still disabled.
Then I did gpupdate /force.
Task Manager was temporarily enabled, and regedit remained disabled... :/
After another test I got this:
Code:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5285

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/12/2010 7:47:50 pm
mbam-log-2010-12-11 (19-47-50).txt

Scan type: Quick scan
Objects scanned: 144974
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\piffv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
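Posts #2 and #3 show the pattern worth testing for directly: the policy values get removed (by gpedit, gpupdate or Malwarebytes) and come straight back within seconds. The script below is an added example for this thread, not something posted by any participant. It reads the seven values the two Malwarebytes logs flag, deletes any that are set, waits, and reads them again; a value that reappears while the gpedit setting from post #2 reads Not Configured is direct evidence that a running process is re-writing it, and no amount of registry cleaning will hold until that process is gone. It assumes an elevated PowerShell prompt on the affected Windows 7 machine and sticks to PowerShell 2.0 cmdlets; the 30-second wait is an arbitrary choice, longer than the few seconds the thread reports.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the affected Windows 7 host. PowerShell 2.0 cmdlets only.

$policyChecks = @(
    # Registry path, value name, and what a non-zero value means.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Meaning = 'regedit blocked for this user' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Meaning = 'Task Manager blocked for this user' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Meaning = 'regedit blocked machine-wide' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Meaning = 'Task Manager blocked machine-wide' },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Meaning = 'antivirus warnings suppressed' },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Meaning = 'firewall warnings suppressed' },
    @{ Path = 'HKLM:\Software\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Meaning = 'Windows Update warnings suppressed' }
)

function Get-PolicyState {
    # One object per check; Value is $null when the value (or key) does not exist.
    foreach ($c in $policyChecks) {
        $value = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item -ne $null) { $value = $item.($c.Name) }
        }
        New-Object PSObject -Property @{ Path = $c.Path; Name = $c.Name; Value = $value; Meaning = $c.Meaning }
    }
}

function Remove-HijackedPolicies {
    # Delete every flagged value that is present and non-zero. Deleting the value
    # is equivalent to "Not Configured" for these policies.
    foreach ($s in Get-PolicyState) {
        if ($s.Value -ne $null -and $s.Value -ne 0) {
            Write-Host ("Removing {0}\{1} = {2} ({3})" -f $s.Path, $s.Name, $s.Value, $s.Meaning)
            Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction Stop
        }
    }
}

Write-Host '--- before ---'
Get-PolicyState | Format-Table Name, Value, Path -AutoSize
Remove-HijackedPolicies

# The thread reports Task Manager coming back for only about three seconds after
# gpupdate /force, so wait well past that and look again. 30 s is an arbitrary choice.
Start-Sleep -Seconds 30
Write-Host '--- 30 s later ---'
$reappeared = Get-PolicyState | Where-Object { $_.Value -ne $null -and $_.Value -ne 0 }
if ($reappeared) {
    Write-Warning 'Policy values were re-created. A running process is re-applying them; cleaning the registry alone will not hold.'
    $reappeared | Format-Table Name, Value, Path -AutoSize
} else {
    Write-Host 'Values stayed removed.'
}
```

Two caveats before reading the result as proof of malware. First, Group Policy refresh writes exactly these HKCU values itself when "Prevent access to registry editing tools" or "Remove Task Manager" is still Enabled in gpedit, so confirm both read Not Configured (post #2) before running this. Second, the script runs on the suspect host, so a file infector that has already patched the system's executables can interfere with it; treat a clean result as necessary, not sufficient.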


11 Dec 2010   #4

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86

If malwarebytes says it has cleaned the infections and on reboot, the same infections are detected all over again, you have a problem. While one could try scanning with multiple security software, I would not be very optimistic. I'll refer this to Jacee but I've seen this before and reinstalling was the only way out.
11 Dec 2010   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
Include the contents of both logs in your new topic.
The scan will instruct you to post Attach.txt as an attachment.
11 Dec 2010   #6

Windows 7 Ultimate 32bit

Here it is; tell me if I still need to copy Attach.txt:
DDS.txt

Code:
DDS (Ver_10-12-05.01) - NTFSx86  
Run by Qais at 23:10:13.08 on Sat 11/12/2010
Internet Explorer: 8.0.7600.16385

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Abyss Web Server\abyssws.exe
C:\Abyss Web Server\abyssws.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Dokan\DokanLibrary\mounter.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
D:\Program Files\LogMeIn Hamachi\hamachi-2.exe
D:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
D:\Program Files\Xfire\Xfire.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\vmnetdhcp.exe
D:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\TEMP\winbtgx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\TEMP\w2785db.exe
C:\Windows\System32\osk.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
D:\Program Files\MTA San Andreas\Multi Theft Auto.exe
D:\Program Files\Rockstar Games\GTA San Andreas\gta_sa.exe
C:\Users\Qais\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k WerSvcGroup

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - d:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [VMware hqtray] "d:\program files\vmware\vmware player\hqtray.exe"
mRun: [LogMeIn Hamachi Ui] "d:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Download all with Free Download Manager - file://d:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://d:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://d:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: d:\program files\vmware\vmware player\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
Hosts: 127.0.0.1	www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? cpuz134;cpuz134
R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service
R? netr73;RT73 USB Wireless LAN Card Driver for Vista
R? osppsvc;Office Software Protection Platform
S? AbyssWebServer;Abyss Web Server
S? Akamai;Akamai NetSession Interface
S? Dokan;Dokan
S? DokanMounter;DokanMounter
S? fssfltr;fssfltr
S? fsssvc;Windows Live Family Safety Service
S? Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine
S? mv2;mv2
S? TuneUp.UtilitiesSvc;TuneUp Utilities Service
S? TuneUpUtilitiesDrv;TuneUpUtilitiesDrv
S? uvnc_service;uvnc_service
S? VMUSBArbService;VMware USB Arbitration Service
S? vwififlt;Virtual WiFi Filter Driver
S? vwifimp;Microsoft Virtual WiFi Miniport Service

=============== Created Last 30 ================

2010-12-11 15:17:49	103140	----a-w-	C:\piffv.exe
2010-12-10 15:23:35	26176	---ha-w-	c:\windows\system32\hamachi.sys
2010-12-10 11:20:34	--------	d-----w-	c:\users\qais\appdata\roaming\Malwarebytes
2010-12-10 11:20:10	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 11:20:09	--------	d-----w-	c:\progra~2\Malwarebytes
2010-12-10 11:20:04	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-12-10 11:20:04	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-12-08 14:38:26	737280	----a-w-	c:\windows\iun6002.exe
2010-12-08 09:49:17	--------	d-----w-	c:\program files\EA GAMES
2010-12-08 09:49:13	445504	----a-r-	c:\windows\system32\vp6vfw.dll
2010-12-07 12:31:57	--------	d-----w-	C:\The Sims 2
2010-12-01 11:05:05	--------	d-----w-	c:\users\qais\appdata\local\RockMelt
2010-11-30 14:09:04	--------	d-----w-	C:\Abyss Web Server
2010-11-27 12:52:14	--------	d-----w-	C:\ERDNT
2010-11-27 12:52:13	--------	d-----w-	c:\windows\ERUNT
2010-11-27 12:51:53	--------	d-----w-	C:\!FixIEDef
2010-11-27 08:59:49	--------	d-----w-	c:\program files\Rockstar Games
2010-11-22 14:28:39	--------	d-----w-	c:\program files\common files\Steam
2010-11-22 13:25:02	--------	d-----w-	c:\progra~2\IObit
2010-11-15 08:06:48	90624	----a-w-	c:\windows\system32\spool\prtprocs\w32x86\HPZPPWN7.DLL
2010-11-14 12:21:47	--------	d-----w-	c:\program files\common files\Symantec Shared
2010-11-14 12:06:45	--------	d-----w-	c:\progra~2\Symantec
2010-11-14 12:06:45	--------	d-----w-	c:\progra~2\Norton
2010-11-14 12:06:40	--------	d-----w-	c:\progra~2\NortonInstaller
2010-11-13 16:12:40	--------	d-----w-	c:\windows\USB Vibration
2010-11-13 16:11:56	634880	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\iKernel.dll
2010-11-13 16:11:56	57344	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\ctor.dll
2010-11-13 16:11:56	5632	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\DotNetInstaller.exe
2010-11-13 16:11:56	32768	----a-w-	c:\program files\common files\installshield\professional\runtime\Objectps.dll
2010-11-13 16:11:56	237568	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\iscript.dll
2010-11-13 16:11:56	151552	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\iuser.dll
2010-11-13 16:11:55	159876	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\IGdi.dll
2010-11-13 16:11:54	270468	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\Setup.dll
2010-11-13 16:11:51	--------	d-----w-	c:\program files\USB Vibration
2010-11-12 17:37:08	--------	d-----w-	c:\users\qais\appdata\roaming\GetRightToGo

==================== Find3M  ====================

2010-11-20 20:04:42	5642	--sha-w-	c:\progra~2\KGyGaAvL.sys
2010-09-22 19:17:28	49016	----a-w-	c:\windows\system32\sirenacm.dll
2010-09-22 19:02:56	301936	----a-w-	c:\windows\WLXPGSS.SCR
2010-09-21 08:33:14	208768	----a-w-	c:\windows\system32\LIVESSP.DLL
2010-09-20 21:11:56	760368	----a-w-	c:\windows\system32\vnetlib.dll
2010-09-20 21:11:38	334384	----a-w-	c:\windows\system32\vmnetdhcp.exe
2010-09-20 21:11:34	404016	----a-w-	c:\windows\system32\vmnat.exe
2010-09-20 19:45:54	252464	----a-w-	c:\windows\system32\vmnc.dll
2010-09-20 17:48:14	59952	----a-w-	c:\windows\system32\vnetinst.dll
2010-09-20 17:48:14	51248	----a-w-	c:\windows\system32\vmnetbridge.dll
2010-09-14 23:20:37	472808	----a-w-	c:\windows\system32\deployJava1.dll

============= FINISH: 23:18:11.31 ===============
Why does it say I must not post attach.txt?
I am aware piffv.exe is a virus... it appeared on the fifth Malwarebytes quick scan, and is still there apparently.
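The DDS log in this post already carries the indicators a responder would act on: two executables running out of C:\Windows\TEMP (winbtgx.exe, w2785db.exe), a dropper created at the root of C: (piffv.exe), a Hosts entry pointing www.spywareinfo.com at 127.0.0.1, UAC turned off (EnableLUA = 0), and the Security Center notifications silenced; the ESET results further down the thread add autorun.inf at the root of both C: and D: and a second root-level dropper, D:\auue.exe. The script below is an added example for this thread, not code posted by anyone in it. It checks a live Windows 7 host for those three classes of indicator (processes running from temp directories or drive roots, Hosts redirects to loopback, and autorun.inf at volume roots together with what it would launch). It only reads; nothing is deleted. It assumes an elevated PowerShell prompt and uses PowerShell 2.0 cmdlets only.

```powershell
# Added example (not from the thread). Read-only triage for the indicators the
# DDS and ESET logs show. Run from an elevated PowerShell prompt on Windows 7.

function Get-SuspiciousProcesses {
    # Processes whose image file sits in a temp directory or directly in a drive
    # root (C:\Windows\TEMP\winbtgx.exe, C:\piffv.exe and D:\auue.exe in the logs).
    $tempDirs = @($env:TEMP, $env:TMP, (Join-Path $env:SystemRoot 'Temp')) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLower() }
    foreach ($p in Get-WmiObject Win32_Process) {
        # ExecutablePath is empty for processes we are not allowed to inspect.
        if (-not $p.ExecutablePath) { continue }
        $dir = (Split-Path $p.ExecutablePath -Parent).TrimEnd('\').ToLower()
        $reason = $null
        if ($tempDirs -contains $dir) { $reason = 'runs from a temp directory' }
        elseif ($dir -match '^[a-z]:$') { $reason = 'runs from a drive root' }
        if ($reason) {
            New-Object PSObject -Property @{
                PID = $p.ProcessId; Name = $p.Name; Reason = $reason; Path = $p.ExecutablePath
            }
        }
    }
}

function Get-HostsRedirects {
    # Uncommented Hosts lines that map a name to loopback or 0.0.0.0. Malware uses
    # these to cut the machine off from AV and update sites; the DDS log shows one.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0|::1)\s+(\S+)' -and $matches[2] -ne 'localhost') {
            New-Object PSObject -Property @{ Address = $matches[1]; HostName = $matches[2] }
        }
    }
}

function Get-RootAutorunFiles {
    # autorun.inf at the root of every file-system volume, plus the lines in it
    # that launch something. ESET flagged C:\autorun.inf and D:\autorun.inf.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $launch = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        New-Object PSObject -Property @{
            Drive      = $drive.Root
            Attributes = (Get-Item -LiteralPath $inf -Force).Attributes   # droppers usually set Hidden+System
            Launches   = ($launch -join '; ')
        }
    }
}

Write-Host '--- processes running from temp directories or drive roots ---'
Get-SuspiciousProcesses | Format-Table PID, Name, Reason, Path -AutoSize
Write-Host '--- Hosts entries redirecting names to loopback ---'
Get-HostsRedirects | Format-Table HostName, Address -AutoSize
Write-Host '--- autorun.inf at volume roots ---'
Get-RootAutorunFiles | Format-Table Drive, Attributes, Launches -AutoSize
```

Each finding needs a human decision: installers legitimately run from %TEMP%, ad-blocking Hosts files map names to loopback on purpose, and a CD or vendor USB stick can carry a harmless autorun.inf, so look at what the file would launch rather than at its presence. The larger point, which post #4 makes and the ESET results confirm, is that this is a file infector: it patched hundreds of legitimate executables across two volumes, one of them (uTorrent.exe) could not be cleaned, and a single missed infected .exe re-infects the host the next time it runs. A triage script like this tells you whether the machine is still live with it; it does not make a rebuild unnecessary.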
11 Dec 2010   #7
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Tell me about this item rockmelt.exe
11 Dec 2010   #8

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit

Jacee

It is a browser built for Facebook and Twitter. Just Googled it.

http://www.google.com/search?q=rockm...rlz=1I7ADSA_en
http://www.rockmelt.com/
11 Dec 2010   #9
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Yes, I see that ... is it still in Beta?

anyway, qaisjp ---> utorrent
I see a few things going on here. First of all Please read this on P2P applications:
US-CERT Cyber Security Tip ST05-007 -- Risks of File-Sharing Technology
Quote:
Risks of File-Sharing Technology
File-sharing technology is a popular way for users to exchange, or "share," files. However, using this technology makes you susceptible to risks such as infection, attack, or exposure of personal information.
Do you have someone, or are you accessing someone else's machine?

Please download TFC (Temp File Cleaner by OldTimer, from the Geeks to Go Forums) and save it to your desktop.

Save any unsaved work. TFC will close ALL open programs including your browser!

Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next, I'd like you to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
11 Dec 2010   #10

Windows 7 Ultimate 32bit

Code:
###Added by qaisjp
Infected files: 294
Scanned Files: 128407
Scan duration: 04:39:47
CLEANED files : 293
##/Added by qaisjp
C:\autorun.inf	INF/Autorun.gen trojan	cleaned by deleting (after the next restart) - quarantined
C:\piffv.exe	Win32/Sality.NBA virus	cleaned by deleting - quarantined
C:\Abyss Web Server\abysssc.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Abyss Web Server\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Bin\ATISetup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Bin\InstallManagerApp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Bin\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Bin\ATISetup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Bin\InstallManagerApp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Bin\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\ERDNT\FixIEDef\ERDNT.EXE	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Apple Software Update\SoftwareUpdate.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\ATI\CIM\Bin\ATISetup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\ATI\CIM\Bin\InstallManagerApp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\ATI\CIM\Bin\SetACL.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\ATI\CIM\Bin\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\CCleaner\CCleaner.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Adobe\OOBE\PDApp\core\PDapp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\LogTransport2.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Akamai\AdminTool.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Akamai\rswinui.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Akamai\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Java\Java Update\jucheck.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Java\Java Update\jusched.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\logishrd\WUApp32.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\vs7jit.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\PX Storage Engine\drvins64.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\PX Storage Engine\pxhpinst.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Steam\SteamService.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Steam\SteamServiceTmp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Common Files\VMware\USB\vnetlib.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Corel\MLE\MetadataMgr.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\Corel\MLE\MLEMonitor.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DAEMON Tools Lite\DTLite.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DAEMON Tools Lite\DTLiteHlp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DAEMON Tools Lite\uninst.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DivX\DivX Control Panel\DivXControlPanelLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DivX\DivX Control Panel\dplreg.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\DivX\DivX Update\DivXUpdate.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Program Files\uTorrent\uTorrent.exe	Win32/Sality.NBA virus	error while cleaning
C:\Users\Qais\AppData\Local\RockMelt\Update\RockMeltUpdate.exe	Win32/Sality.NBA virus	cleaned - quarantined
C:\Users\Qais\AppData\Local\Temp\wintghuta.exe	probably a variant of Win32/Agent.HLU trojan	cleaned by deleting - quarantined
D:\autorun.inf	INF/Autorun.gen trojan	cleaned by deleting (after the next restart) - quarantined
D:\auue.exe	Win32/Sality.NBA virus	cleaned by deleting - quarantined
D:\Fraps 3.2.2 Build 11496 Retail-[HB]\fo-fr322.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\MTA San Andreas\Multi Theft Auto.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\MTA San Andreas\Uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\MTA San Andreas\server\MTA Server.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Notepad++\nppIExplorerShell.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Notepad++\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Notepad++\updater\gpup.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Notepad++\updater\GUP.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Peggle Nights Deluxe\Peggle Nights Deluxe v1.0 Trainer.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Plants vs. Zombies\Plants vs. Zombies\PlantsVsZombies.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Rockstar Games\GTA San Andreas\GTA_SA.EXE	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Rockstar Games\GTA San Andreas\mod\enb\configenv_sa.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Media Go\CreateMinidumpx86.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Media Go\ErrorReportClient.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Media Go\ErrorReportLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Media Go\MediaGo.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\ApplicationRegistration.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\CreateMinidumpx86.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\ErrorReportClient.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\ErrorReportLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\FileIOSurrogate.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\sfvstserver.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\vegas90.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\vidcap60.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Sony\Vegas Pro 9.0\FileIO Plug-Ins\ac3plug\ac3market\ApplicationRegistration.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\CamMenuMaker.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\CamMenuPlayer.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\CamPlay.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\CamtasiaStudio.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\Setup_EnSharpen_Decoder.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\TSCC.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\TscHelp.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TechSmith\Camtasia Studio 7\TSMSIhlp.EXE	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\farexec-service.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\hqtray.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\mkisofs.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\unzip.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vixDiskMountServer.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmnat.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\VMnetDHCP.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmplayer-service.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmplayer.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmUpdateLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-acetool.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-remotemks-debug.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-remotemks.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-ufad.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-unity-helper.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-vmx.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vnetlib.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vnetsniffer.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vnetstats.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vprintproxy.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\OVFTool\ovftool.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\OVFTool\vcredist_x86.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\Resources\bootrun.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\Resources\customize.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\Resources\deployPkg.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\Resources\guestcustutil.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\Resources\StorePwd.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\tools-upgraders\VMwareToolsUpgrader.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\tools-upgraders\VMwareToolsUpgrader9x.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\tools-upgraders\VMwareToolsUpgraderNT.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\VMware\VMware Player\vmware-tools\upgrader.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\WBFS\WBFS Manager 3.0\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xfire\uninst.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xfire\xfencoder.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xfire\xfire_exception.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xvid\AviC.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xvid\MiniCalc.exe	a variant of Win32/Kryptik.AOH trojan	cleaned by deleting - quarantined
D:\Program Files\Xvid\OGMCalc.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xvid\StatsReader.exe	Win32/Sality.NBA virus	cleaned - quarantined
D:\Program Files\Xvid\vidccleaner.exe	Win32/Sality.NBA virus	cleaned - quarantined
E:\gpmbs.exe	Win32/Sality.NBA virus	cleaned by deleting - quarantined
After rebooting, Task Manager was still unavailable, so I used gpupdate /force and now it's allowed permanently.

I just tried regedit - It's not allowed again :O

I installed Panda-Cloud-Antivirus and it has neutralized a few more viruses, again, thanks Jacee!


Again, PandaCloud has found some more viruses; uTorrent has been infected for some reason D:
A few more Sality items have been found (and neutralized):

Sality.AK.drp
Sality.AA
Suspicious! ( official trial adobe downloader) (/commonfiles/akamai/admintool.exe)