gpedit.msc failing on me.


  1. Posts : 19
    Windows 7 Ultimate 32bit
       #1

    gpedit.msc failing on me.


    I think I have been attacked by some kind of malware, which is very clever.

    1) Registry editing has been disabled by your admin
    2) Task manager has been disabled by your admin

    I am the real person who uses my computer, I am the admin and the only 'virtual user' I have is the hidden vmware user.

    I have run a Malwarebytes FULL scan twice and deleted 11 infected items. Task Manager works! Yay. I restart, and Task Manager is disabled, alongside regedit.

    I use gpedit.msc and set the CTRL+ALT+DEL values to DISABLED.

    In Run I type gpupdate /force. Task Manager is enabled for 3 seconds; regedit stays disabled.

    I just ran a quick scan now and got the following details that FULL SCAN didn't get:

    Code:
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org
    
    Database version: 5285
    
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385
    
    11/12/2010 7:09:19 pm
    mbam-log-2010-12-11 (19-09-19).txt
    
    Scan type: Quick scan
    Objects scanned: 144707
    Time elapsed: 7 minute(s), 33 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 0
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    (No malicious items detected)
    I have just deleted it now...

    regedit and Task Manager are still disabled upon reboot.

    Help me please!


  2. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #2

    I'm not sure exactly what you are enabling in gpedit. Try doing it this way.

    Click Start, Run. Type GPEDIT.MSC and press Enter. Go to the following location:

    User Configuration- Administrative Templates- System

    In the Settings window, find the option "Prevent Access to Registry Editing Tools" and double-click on it to change it. Select Disabled or Not Configured and choose OK. Close gpedit and restart your computer. Try opening REGEDIT again.
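    As an added example (my own code, not from the thread or from any poster here): a PowerShell audit script for the values the Malwarebytes logs above flagged. The two HKCU policy values are the ones gpedit's "Prevent access to registry editing tools" and "Remove Task Manager" settings write, so this checks the same state that the gpedit steps above change through the UI; the function names and the -Fix / -WatchSeconds switches are my own.

```powershell
# Audit-PolicyLockouts.ps1 -- added example, not code from the thread.
# Reads the registry values the Malwarebytes logs flagged, reports which are in
# the restrictive state, optionally clears them (-Fix; needs an elevated prompt
# for the HKLM entries), and can poll one value to time when something re-writes it.
[CmdletBinding()]
param(
    [switch]$Fix,              # clear restrictive values instead of only reporting
    [int]$WatchSeconds = 0     # >0: after the audit, poll HKCU DisableTaskMgr this long
)

$policyUser    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyMachine = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$secCenter     = 'HKLM:\Software\Microsoft\Security Center'

# Remedy 'Remove' is what gpedit's "Not Configured" does; 'Zero' restores the default 0.
$checks = @(
    @{ Path=$policyUser;    Name='DisableRegistryTools';   Remedy='Remove'; Effect='blocks regedit for this user' },
    @{ Path=$policyUser;    Name='DisableTaskMgr';         Remedy='Remove'; Effect='blocks Task Manager for this user' },
    @{ Path=$policyMachine; Name='DisableRegistryTools';   Remedy='Remove'; Effect='blocks regedit machine-wide' },
    @{ Path=$policyMachine; Name='DisableTaskMgr';         Remedy='Remove'; Effect='blocks Task Manager machine-wide' },
    @{ Path=$secCenter;     Name='AntiVirusDisableNotify'; Remedy='Zero';   Effect='hides the "no antivirus" warning' },
    @{ Path=$secCenter;     Name='FirewallDisableNotify';  Remedy='Zero';   Effect='hides the firewall warning' },
    @{ Path=$secCenter;     Name='UpdatesDisableNotify';   Remedy='Zero';   Effect='hides the Windows Update warning' }
)

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-Val($v) { if ($null -eq $v) { '(absent)' } else { $v } }

function Test-PolicyLockouts {
    # One row per check; Locked is $true when the value exists and is non-zero.
    foreach ($c in $checks) {
        $v = Get-RegValueOrNull $c.Path $c.Name
        New-Object PSObject -Property @{
            Path   = $c.Path
            Name   = $c.Name
            Value  = Show-Val $v
            Locked = ($null -ne $v -and [int]$v -ne 0)
            Remedy = $c.Remedy
            Effect = $c.Effect
        }
    }
}

function Repair-PolicyLockouts($Rows) {
    # Applies each row's remedy only where the value is actually in the locked state.
    foreach ($r in ($Rows | Where-Object { $_.Locked })) {
        if ($r.Remedy -eq 'Remove') {
            Remove-ItemProperty -Path $r.Path -Name $r.Name
        } else {
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value 0 -Type DWord
        }
        "cleared $($r.Path)\$($r.Name)"
    }
}

function Watch-RegValue([string]$Path, [string]$Name, [int]$Seconds) {
    # Polls once per second and prints each change with a timestamp. A value that
    # flips back on its own is being re-written by something running or starting
    # with the system, so clearing it by hand will not hold until that is found.
    $last = Get-RegValueOrNull $Path $Name
    "{0}  {1} = {2}" -f (Get-Date -Format 'HH:mm:ss'), $Name, (Show-Val $last)
    for ($i = 0; $i -lt $Seconds; $i++) {
        Start-Sleep -Seconds 1
        $now = Get-RegValueOrNull $Path $Name
        if ($now -ne $last) {
            "{0}  {1} changed: {2} -> {3}" -f (Get-Date -Format 'HH:mm:ss'), $Name, (Show-Val $last), (Show-Val $now)
            $last = $now
        }
    }
}

$rows = Test-PolicyLockouts
$rows | Format-Table Name, Path, Value, Locked, Effect -AutoSize
if ($Fix) { Repair-PolicyLockouts $rows }
if ($WatchSeconds -gt 0) { Watch-RegValue $policyUser 'DisableTaskMgr' $WatchSeconds }
```

    Run it from an elevated prompt when using -Fix. If a cleared value returns by itself (the "enabled for 3 seconds" behaviour described in the first post), -WatchSeconds 120 timestamps the re-write, and that re-writing process is what needs to be found rather than the value cleared again.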


  3. Posts : 19
    Windows 7 Ultimate 32bit
    Thread Starter
       #3

    Bill2, I did exactly what you said.
    On reboot the settings were the same (in gpedit), but Task Manager and regedit are still disabled.
    Then I did gpupdate /force.
    Task Manager was temporarily enabled, and regedit remained disabled... :/
    After another test I got this:
    Code:
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org
    
    Database version: 5285
    
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385
    
    11/12/2010 7:47:50 pm
    mbam-log-2010-12-11 (19-47-50).txt
    
    Scan type: Quick scan
    Objects scanned: 144974
    Time elapsed: 7 minute(s), 9 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 1
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    c:\piffv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.


  4. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #4

    If Malwarebytes says it has cleaned the infections and, on reboot, the same infections are detected all over again, you have a problem. While one could try scanning with multiple security software, I would not be very optimistic. I'll refer this to Jacee, but I've seen this before and reinstalling was the only way out.


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #5

    Download DDS from one of these links:
    Mirror 1 Mirror 2 Mirror 3
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.

    Include the contents of both logs in your new topic.
    The scan will instruct you to post Attach.txt as an attachment.


  6. Posts : 19
    Windows 7 Ultimate 32bit
    Thread Starter
       #6



    Here it is, tell me if I still need to copy attach:
    DDS.txt

    Code:
    DDS (Ver_10-12-05.01) - NTFSx86  
    Run by Qais at 23:10:13.08 on Sat 11/12/2010
    Internet Explorer: 8.0.7600.16385
    
    ============== Running Processes ===============
    
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Abyss Web Server\abyssws.exe
    C:\Abyss Web Server\abyssws.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Dokan\DokanLibrary\mounter.exe
    C:\Program Files\Windows Live\Family Safety\fsssvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    D:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    D:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    D:\Program Files\VMware\VMware Player\hqtray.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    D:\Program Files\Xfire\Xfire.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Windows\system32\vmnat.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\vmnetdhcp.exe
    D:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\TEMP\winbtgx.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows\TEMP\w2785db.exe
    C:\Windows\System32\osk.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Common Files\Corel\Standby\Standby.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    C:\Users\Qais\AppData\Local\RockMelt\Application\rockmelt.exe
    D:\Program Files\MTA San Andreas\Multi Theft Auto.exe
    D:\Program Files\Rockstar Games\GTA San Andreas\gta_sa.exe
    C:\Users\Qais\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    
    ============== Pseudo HJT Report ===============
    
    uStart Page = hxxp://www.daemon-search.com/startpage
    uInternet Settings,ProxyOverride = *.local
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\progra~1\micros~1\office14\URLREDIR.DLL
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - d:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
    mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
    mRun: [VMware hqtray] "d:\program files\vmware\vmware player\hqtray.exe"
    mRun: [LogMeIn Hamachi Ui] "d:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Download all with Free Download Manager - file://d:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://d:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://d:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://d:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    LSP: d:\program files\vmware\vmware player\vsocklib.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    Hosts: 127.0.0.1	www.spywareinfo.com
    
    ============= SERVICES / DRIVERS ===============
    
    R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
    R? cpuz134;cpuz134
    R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service
    R? netr73;RT73 USB Wireless LAN Card Driver for Vista
    R? osppsvc;Office Software Protection Platform
    S? AbyssWebServer;Abyss Web Server
    S? Akamai;Akamai NetSession Interface
    S? Dokan;Dokan
    S? DokanMounter;DokanMounter
    S? fssfltr;fssfltr
    S? fsssvc;Windows Live Family Safety Service
    S? Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine
    S? mv2;mv2
    S? TuneUp.UtilitiesSvc;TuneUp Utilities Service
    S? TuneUpUtilitiesDrv;TuneUpUtilitiesDrv
    S? uvnc_service;uvnc_service
    S? VMUSBArbService;VMware USB Arbitration Service
    S? vwififlt;Virtual WiFi Filter Driver
    S? vwifimp;Microsoft Virtual WiFi Miniport Service
    
    =============== Created Last 30 ================
    
    2010-12-11 15:17:49	103140	----a-w-	C:\piffv.exe
    2010-12-10 15:23:35	26176	---ha-w-	c:\windows\system32\hamachi.sys
    2010-12-10 11:20:34	--------	d-----w-	c:\users\qais\appdata\roaming\Malwarebytes
    2010-12-10 11:20:10	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-10 11:20:09	--------	d-----w-	c:\progra~2\Malwarebytes
    2010-12-10 11:20:04	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
    2010-12-10 11:20:04	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
    2010-12-08 14:38:26	737280	----a-w-	c:\windows\iun6002.exe
    2010-12-08 09:49:17	--------	d-----w-	c:\program files\EA GAMES
    2010-12-08 09:49:13	445504	----a-r-	c:\windows\system32\vp6vfw.dll
    2010-12-07 12:31:57	--------	d-----w-	C:\The Sims 2
    2010-12-01 11:05:05	--------	d-----w-	c:\users\qais\appdata\local\RockMelt
    2010-11-30 14:09:04	--------	d-----w-	C:\Abyss Web Server
    2010-11-27 12:52:14	--------	d-----w-	C:\ERDNT
    2010-11-27 12:52:13	--------	d-----w-	c:\windows\ERUNT
    2010-11-27 12:51:53	--------	d-----w-	C:\!FixIEDef
    2010-11-27 08:59:49	--------	d-----w-	c:\program files\Rockstar Games
    2010-11-22 14:28:39	--------	d-----w-	c:\program files\common files\Steam
    2010-11-22 13:25:02	--------	d-----w-	c:\progra~2\IObit
    2010-11-15 08:06:48	90624	----a-w-	c:\windows\system32\spool\prtprocs\w32x86\HPZPPWN7.DLL
    2010-11-14 12:21:47	--------	d-----w-	c:\program files\common files\Symantec Shared
    2010-11-14 12:06:45	--------	d-----w-	c:\progra~2\Symantec
    2010-11-14 12:06:45	--------	d-----w-	c:\progra~2\Norton
    2010-11-14 12:06:40	--------	d-----w-	c:\progra~2\NortonInstaller
    2010-11-13 16:12:40	--------	d-----w-	c:\windows\USB Vibration
    2010-11-13 16:11:56	634880	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\iKernel.dll
    2010-11-13 16:11:56	57344	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\ctor.dll
    2010-11-13 16:11:56	5632	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\DotNetInstaller.exe
    2010-11-13 16:11:56	32768	----a-w-	c:\program files\common files\installshield\professional\runtime\Objectps.dll
    2010-11-13 16:11:56	237568	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\iscript.dll
    2010-11-13 16:11:56	151552	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\iuser.dll
    2010-11-13 16:11:55	159876	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\IGdi.dll
    2010-11-13 16:11:54	270468	----a-w-	c:\program files\common files\installshield\professional\runtime\0700\intel32\Setup.dll
    2010-11-13 16:11:51	--------	d-----w-	c:\program files\USB Vibration
    2010-11-12 17:37:08	--------	d-----w-	c:\users\qais\appdata\roaming\GetRightToGo
    
    ==================== Find3M  ====================
    
    2010-11-20 20:04:42	5642	--sha-w-	c:\progra~2\KGyGaAvL.sys
    2010-09-22 19:17:28	49016	----a-w-	c:\windows\system32\sirenacm.dll
    2010-09-22 19:02:56	301936	----a-w-	c:\windows\WLXPGSS.SCR
    2010-09-21 08:33:14	208768	----a-w-	c:\windows\system32\LIVESSP.DLL
    2010-09-20 21:11:56	760368	----a-w-	c:\windows\system32\vnetlib.dll
    2010-09-20 21:11:38	334384	----a-w-	c:\windows\system32\vmnetdhcp.exe
    2010-09-20 21:11:34	404016	----a-w-	c:\windows\system32\vmnat.exe
    2010-09-20 19:45:54	252464	----a-w-	c:\windows\system32\vmnc.dll
    2010-09-20 17:48:14	59952	----a-w-	c:\windows\system32\vnetinst.dll
    2010-09-20 17:48:14	51248	----a-w-	c:\windows\system32\vmnetbridge.dll
    2010-09-14 23:20:37	472808	----a-w-	c:\windows\system32\deployJava1.dll
    
    ============= FINISH: 23:18:11.31 ===============
    Why does it say I must not post attach.txt?
    I am aware piffv.exe is a virus... it appeared on the fifth Malwarebytes quick scan, and is still there apparently.


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    Tell me about this item rockmelt.exe


  8. Posts : 6,349
    Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
       #8

    Jacee

    It is a browser built for Facebook and Twitter. Just Googled it.


    http://www.google.com/search?q=rockm...rlz=1I7ADSA_en


    http://www.rockmelt.com/


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #9

    Yes, I see that ... is it still in Beta?

    Anyway, qaisjp ---> uTorrent
    I see a few things going on here. First of all Please read this on P2P applications:
    US-CERT Cyber Security Tip ST05-007 -- Risks of File-Sharing Technology
    Risks of File-Sharing Technology
    File-sharing technology is a popular way for users to exchange, or "share," files. However, using this technology makes you susceptible to risks such as infection, attack, or exposure of personal information.
    Do you have someone, or are you accessing someone else's machine?

    Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.

    Save any unsaved work. TFC will close ALL open programs including your browser!

    Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
    Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
    Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

    Next, I'd like you to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push


  10. Posts : 19
    Windows 7 Ultimate 32bit
    Thread Starter
       #10

    Code:
    ###Added by qaisjp
    Infected files: 294
    Scanned Files: 128407
    Scan duration: 04:39:47
    CLEANED files : 293
    ##/Added by qaisjp
    
    
    
    
    
    
    
    C:\autorun.inf	INF/Autorun.gen trojan	cleaned by deleting (after the next restart) - quarantined
    C:\piffv.exe	Win32/Sality.NBA virus	cleaned by deleting - quarantined
    C:\Abyss Web Server\abysssc.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Abyss Web Server\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Bin\ATISetup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Bin\InstallManagerApp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-02_legacy_vista32-64_dd_ccc\Bin\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Bin\ATISetup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Bin\InstallManagerApp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ATI\Support\10-11_vista32_win7_32_dd_ccc_enu\Bin\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\ERDNT\FixIEDef\ERDNT.EXE	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Apple Software Update\SoftwareUpdate.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\ATI\CIM\Bin\ATISetup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\ATI\CIM\Bin\InstallManagerApp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\ATI\CIM\Bin\SetACL.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\ATI\CIM\Bin\Setup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\CCleaner\CCleaner.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\core\PDapp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\LogTransport2.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Akamai\AdminTool.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Akamai\rswinui.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Akamai\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Java\Java Update\jusched.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\logishrd\WUApp32.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\microsoft shared\VS7DEBUG\vs7jit.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\PX Storage Engine\drvins64.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\PX Storage Engine\pxhpinst.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Steam\SteamService.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Steam\SteamServiceTmp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Common Files\VMware\USB\vnetlib.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Corel\MLE\MetadataMgr.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\Corel\MLE\MLEMonitor.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DAEMON Tools Lite\DTLite.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DAEMON Tools Lite\DTLiteHlp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DAEMON Tools Lite\uninst.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DivX\DivX Control Panel\DivXControlPanelLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DivX\DivX Control Panel\dplreg.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Program Files\uTorrent\uTorrent.exe	Win32/Sality.NBA virus	error while cleaning
    C:\Users\Qais\AppData\Local\RockMelt\Update\RockMeltUpdate.exe	Win32/Sality.NBA virus	cleaned - quarantined
    C:\Users\Qais\AppData\Local\Temp\wintghuta.exe	probably a variant of Win32/Agent.HLU trojan	cleaned by deleting - quarantined
    D:\autorun.inf	INF/Autorun.gen trojan	cleaned by deleting (after the next restart) - quarantined
    D:\auue.exe	Win32/Sality.NBA virus	cleaned by deleting - quarantined
    D:\Fraps 3.2.2 Build 11496 Retail-[HB]\fo-fr322.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\MTA San Andreas\Multi Theft Auto.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\MTA San Andreas\Uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\MTA San Andreas\server\MTA Server.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Notepad++\nppIExplorerShell.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Notepad++\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Notepad++\updater\gpup.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Notepad++\updater\GUP.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Peggle Nights Deluxe\Peggle Nights Deluxe v1.0 Trainer.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Plants vs. Zombies\Plants vs. Zombies\PlantsVsZombies.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Rockstar Games\GTA San Andreas\GTA_SA.EXE	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Rockstar Games\GTA San Andreas\mod\enb\configenv_sa.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Media Go\CreateMinidumpx86.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Media Go\ErrorReportClient.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Media Go\ErrorReportLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Media Go\MediaGo.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\ApplicationRegistration.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\CreateMinidumpx86.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\ErrorReportClient.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\ErrorReportLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\FileIOSurrogate.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\sfvstserver.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\vegas90.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\vidcap60.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Sony\Vegas Pro 9.0\FileIO Plug-Ins\ac3plug\ac3market\ApplicationRegistration.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\CamMenuMaker.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\CamMenuPlayer.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\CamPlay.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\CamtasiaStudio.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\Setup_EnSharpen_Decoder.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\TSCC.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\TscHelp.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TechSmith\Camtasia Studio 7\TSMSIhlp.EXE	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\farexec-service.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\hqtray.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\mkisofs.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\unzip.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vixDiskMountServer.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmnat.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\VMnetDHCP.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmplayer-service.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmplayer.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmUpdateLauncher.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-acetool.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-remotemks-debug.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-remotemks.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-ufad.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-unity-helper.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-vmx.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vnetlib.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vnetsniffer.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vnetstats.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vprintproxy.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\OVFTool\ovftool.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\OVFTool\vcredist_x86.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\Resources\bootrun.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\Resources\customize.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\Resources\deployPkg.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\Resources\guestcustutil.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\Resources\StorePwd.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\tools-upgraders\VMwareToolsUpgrader.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\tools-upgraders\VMwareToolsUpgrader9x.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\tools-upgraders\VMwareToolsUpgraderNT.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\VMware\VMware Player\vmware-tools\upgrader.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\WBFS\WBFS Manager 3.0\uninstall.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xfire\uninst.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xfire\xfencoder.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xfire\xfire_exception.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xvid\AviC.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xvid\MiniCalc.exe	a variant of Win32/Kryptik.AOH trojan	cleaned by deleting - quarantined
    D:\Program Files\Xvid\OGMCalc.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xvid\StatsReader.exe	Win32/Sality.NBA virus	cleaned - quarantined
    D:\Program Files\Xvid\vidccleaner.exe	Win32/Sality.NBA virus	cleaned - quarantined
    E:\gpmbs.exe	Win32/Sality.NBA virus	cleaned by deleting - quarantined
    After rebooting, Task Manager was still unavailable; I used gpupdate /force and now it's allowed permanently :)

    I just tried regedit - it's not allowed again :O

    I installed Panda Cloud Antivirus and it has neutralized a few more viruses. Again, thanks Jacee!


    Again, Panda Cloud has found some more viruses; uTorrent has been infected for some reason D:
    A few more Sality items have been found (and neutralized):

    Sality.AK.drp
    Sality.AA
    Suspicious! (official trial Adobe downloader) (/commonfiles/akamai/admintool.exe)
    Last edited by qaisjp; 22 Jul 2013 at 17:22. Reason: ^^
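Where the post above leaves off (Task Manager re-enabled by gpupdate /force, regedit blocked again), the next thing to check is whether the two HKCU policy values named in the Malwarebytes log have been re-created. The PowerShell script below is an added example and is not code from any poster in this thread. It reads DisableRegistryTools and DisableTaskMgr under the HKCU key the log reports and under the machine-wide HKLM counterpart (an assumed extra location worth checking), removes any that are set when run with -Fix, and re-checks ten seconds later: a value that comes straight back indicates something still running is re-applying it, which is the symptom described in the post. The DisableRegistryTools policy blocks regedit.exe itself, not the registry API, so the PowerShell registry provider still works while the "disabled by your administrator" message appears. The code is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread): report and optionally clear the policy values
# behind "Registry editing has been disabled by your administrator" and
# "Task Manager has been disabled by your administrator".
# Usage:  .\Check-PolicyRestrictions.ps1        (report only)
#         .\Check-PolicyRestrictions.ps1 -Fix   (remove the values and re-check)
param([switch]$Fix)

$policyKeys = @(
    # Key reported in the Malwarebytes log on this page
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    # Machine-wide counterpart (assumption: also worth checking, applies to all users)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableRegistryTools', 'DisableTaskMgr')

function Get-RestrictionState {
    # Returns one record per key/value pair; Restricted is $true when the value is non-zero.
    foreach ($key in $policyKeys) {
        foreach ($name in $valueNames) {
            $current = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($props -ne $null) { $current = $props.$name }
            }
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $name
                Value      = $current
                Restricted = (($current -ne $null) -and ($current -ne 0))
            }
        }
    }
}

$state = Get-RestrictionState
$state | Select-Object Key, Name, Value, Restricted | Format-Table -AutoSize

$bad = @($state | Where-Object { $_.Restricted })
if ($bad.Count -eq 0) {
    Write-Host 'No restriction values are set.'
    return
}

if ($Fix) {
    foreach ($item in $bad) {
        Remove-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction Stop
        Write-Host ("Removed {0} from {1}" -f $item.Name, $item.Key)
    }
    # Re-check after a short wait: a value that reappears on its own means a running
    # process is re-applying the policy, so the infection is not yet fully cleaned.
    Start-Sleep -Seconds 10
    $again = @(Get-RestrictionState | Where-Object { $_.Restricted })
    if ($again.Count -gt 0) {
        Write-Warning 'Restriction values were re-created within 10 seconds; something is still re-applying them.'
    } else {
        Write-Host 'Values stayed removed; log off and on again to be sure the change holds.'
    }
} else {
    Write-Host 'Restriction values found. Re-run with -Fix to remove them.'
}
```

Run it from an elevated PowerShell prompt so the HKLM branch can be modified as well as read; if the values are re-created within the wait window, the log of which one came back (and whether under HKCU or HKLM) is useful to include in a malware-removal thread like this one.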