TED_UBB
asked on
All USB Removable storage devices - "Access denied"
Hi,
I have a PC which does not allow me access to any removable storage device: USB memory stick, external hard drive or anything.
When I plug the device in it appears in My Computer, but when I double-click on the device it says "Access denied".
These devices work fine on all other PCs, and I have also tried it under a different profile on my PC, but that does not work either.
It seems to me like a registry issue or some driver issue, but not sure what and where to look.
Everything seems well in Device Manager.
Don't really want to re-image the PC with a fresh OS as I will have to spend a whole week just installing software and stuff.
Any ideas?
thanks
http://forum.caithness.org/archive/index.php/t-20093.html
Go through this link; hope it solves your problem.
thanks
http://shariffdotnet.blogspot.com
Please check whether your USB removable storage devices have been accidentally disabled in the registry:

Windows Registry Editor Version 5.00

; Start=4 is SERVICE_DISABLED: usbstor.sys is never loaded, so USB mass-storage devices do not install at all.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

**************************************************************************
The one below re-enables your USB pen drive
**************************************************************************

Windows Registry Editor Version 5.00

; Start=3 is SERVICE_DEMAND_START, the default for USBSTOR.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
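To make the check above mechanical rather than a visual scan of regedit, here is an added example (not code from the reply or from any product mentioned in this thread): a small parser for the "Windows Registry Editor Version 5.00" export format that reads the USBSTOR Start value and decodes it. The two .reg snippets above are embedded as the sample input; the function names are mine, and the Start value meanings are the documented Windows service start types. One caveat before relying on it: Start=4 stops usbstor.sys loading at all, so the device would get no disk object; since the asker's drive does show in Disk Management, this value is worth confirming but is unlikely to be the whole story.

```python
import re

# Documented Windows service/driver Start values.
START_TYPES = {
    0: "boot start",
    1: "system start",
    2: "automatic",
    3: "demand start (manual)",
    4: "disabled",
}

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

# The two .reg snippets posted in the reply above, embedded as sample input.
REG_DISABLED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
"""

REG_ENABLED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# A value line: a quoted name (with \" and \\ escapes) or @ for the default value, then "=" and data.
_VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(data):
    """dword: -> int, "..." -> str; other types (hex:, hex(2):, "-") are kept as raw text."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg(text):
    """Parse a .reg (Version 5.00) export into {key: {value_name: data}}; "" is the default value."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "" if name == "@" else _unescape(name[1:-1])
            result[current][name] = _decode(m.group("data"))
    return result


def service_start(reg_text, service_key=USBSTOR_KEY):
    """Return (start_value, description) for the service key, or (None, 'not present')."""
    for key, values in parse_reg(reg_text).items():
        if key.lower() != service_key.lower():
            continue
        for vname, data in values.items():          # registry names are case-insensitive
            if vname.lower() == "start":
                return data, START_TYPES.get(data, "unknown (%r)" % (data,))
    return None, "not present"


def usbstor_blocked(reg_text):
    """True when the export shows USBSTOR set to Start=4 (disabled)."""
    return service_start(reg_text)[0] == 4


def reenable_usbstor_reg():
    """Emit the .reg text that restores the default demand-start value (3)."""
    return 'Windows Registry Editor Version 5.00\n\n[%s]\n"Start"=dword:00000003\n' % USBSTOR_KEY


if __name__ == "__main__":
    for label, text in (("posted 'disabled' snippet", REG_DISABLED),
                        ("posted 're-enable' snippet", REG_ENABLED)):
        print(label, "->", service_start(text))
```

On the affected machine, `reg export HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR usbstor.reg` produces input in exactly this format (the file is UTF-16, so open it with `encoding="utf-16"` before passing it to `service_start`).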
ASKER
Thanks for the swift reply people,
Houssam,
I ran both scans and a few things were found, but the problem still exists. Below are the results of both scans (bottom of this post).
Shariff,
I found that post the other day and I have tried most of those things. I do think it is most likely drivers or registry, but I am not sure what I need to do in order to fix this.
This might be interesting: the USB drive does appear in the Computer Management console under "Disk Management".
When I check the hotplug.xml file in C:\windows\System32 nothing appears to have been detected. Normally what should happen (and used to happen) is that when you plug a device in, an entry for the device is added to this file.
Here are the logs for both scans.
MalwareBytes
Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2
03/03/2009 09:47:22
mbam-log-2009-03-03 (09-47-22).txt
Scan type: Quick Scan
Objects scanned: 83263
Time elapsed: 5 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\etc\SERVICES.bk1 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
ComboFix
ComboFix 09-03-02.01 - nazir.valli 2009-03-03 9:50:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.999.521 [GMT 0:00]
Running from: c:\documents and settings\username\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\MabryObj.dll
c:\windows\system32\x64
.
(((((((((((((((((((((((((   Files Created from 2009-02-03 to 2009-03-03   )))))))))))))))))))))))))))))))
.
2009-03-03 09:37 . 2009-03-03 09:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 09:37 . 2009-03-03 09:37 <DIR> d-------- c:\documents and settings\username\Application Data\Malwarebytes
2009-03-03 09:37 . 2009-03-03 09:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 09:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 09:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 08:43 . 2009-03-03 08:43 48 --a------ c:\windows\system32\DevWall.key
2009-03-02 17:54 . 2009-03-02 17:54 <DIR> d-------- c:\program files\Intel
2009-03-02 17:51 . 2009-03-02 17:51 <DIR> d-------- c:\program files\Realtek
2009-03-02 17:51 . 2008-03-05 18:07 520,192 --a------ c:\windows\RtlExUpd.dll
2009-03-02 17:51 . 2009-03-02 17:51 315,392 --a------ c:\windows\HideWin.exe
2009-03-02 17:51 . 2006-08-01 15:02 49,152 --a------ c:\windows\system32\ChCfg.exe
2009-03-02 17:51 . 2005-03-08 16:05 1,996 --a------ c:\windows\system32\drivers\HDACfg.dat
2009-03-02 17:51 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss
2009-03-02 16:45 . 2009-03-02 16:45 <DIR> d-------- c:\documents and settings\nazir.valli\Appli cation Data\Windows Search
2009-03-02 16:22 . 2009-03-02 17:28 <DIR> d-------- c:\program files\Windows Desktop Search
2009-03-02 16:21 . 2009-03-02 16:21 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-02 16:04 . 2009-03-02 16:14 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-10 16:26 . 2009-02-10 16:26 <DIR> d-------- c:\program files\LivePerson
2009-02-10 10:27 . 2009-02-10 10:50 <DIR> d-------- C:\SoftPaqDownloadDirectory
2009-02-10 10:18 . 2009-02-10 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-02-10 10:17 . 2009-03-02 17:50 <DIR> d-------- C:\SWSETUP
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 17:51 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-27 16:41 --------- d-----w c:\documents and settings\username\Application Data\dvdcss
2009-01-22 11:52 --------- d-----w c:\program files\Uniblue
2009-01-21 16:55 --------- d-----w c:\program files\WM Converter
2009-01-06 14:34 --------- d-----w c:\documents and settings\username\Application Data\Numara Software
2009-01-06 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Numara Software
2009-01-06 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Danware Data
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-08 15:37 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-05-08 15:37 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-08 15:37 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-05-08 15:38 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-05-08 15:38 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-26 12:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
2007-03-26 12:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-03-26 11:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007031920070326\index.dat
2007-03-20 10:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007032020070321\index.dat
2007-03-26 12:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007032620070327\index.dat
.
((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 335872]
"msioctl.exe"="c:\windows\System32\msioctl.exe" [2007-11-16 245760]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2006-02-28 143360]
"ASECard Monitor"="c:\program files\Athena\ASECard Crypto Toolkit\Utils\ASECard Monitor.exe" [2007-11-07 1224784]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2008-07-26 439568]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Connect to Prologic Network.lnk - c:\windows\pronet.exe [2007-08-23 2191403]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1502\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1502\Scripts\Logon\1\0]
"Script"=fixmapi.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1502\Scripts\Logon\2\0]
"Script"=IT_Printers_New.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1502\Scripts\Logon\3\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1502\Scripts\Logon\4\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1893\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1893\Scripts\Logon\1\0]
"Script"=fixmapi.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1893\Scripts\Logon\2\0]
"Script"=IT_Printers_New.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1893\Scripts\Logon\3\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1893\Scripts\Logon\4\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1896\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1896\Scripts\Logon\1\0]
"Script"=fixmapi.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1896\Scripts\Logon\2\0]
"Script"=BrandComms_Printers_New.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1896\Scripts\Logon\3\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-1896\Scripts\Logon\4\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2972\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2972\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2972\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2974\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2974\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2974\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2975\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2975\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2975\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2976\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2976\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2976\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2979\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2979\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2979\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2980\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2980\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2980\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2982\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2982\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2982\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2983\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2983\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2983\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2985\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2985\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2985\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2987\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2987\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2987\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2995\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2995\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2995\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2999\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2999\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-2999\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3236\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3236\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3236\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3240\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3240\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3240\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3241\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3241\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3241\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3242\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3242\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3242\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3244\Scripts\Logon\0\0]
"Script"=Office_User_Info.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3244\Scripts\Logon\1\0]
"Script"=ProshareDriveMapping.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1843968306-3771541828-2723311028-3244\Scripts\Logon\2\0]
"Script"=HomeDriveLogonScript.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiodrv1.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiodrv2.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSioSrv]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 12:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 08:47 163840 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 08:47 131072 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Numara Software\\Remote\\Guest\\ngstw32.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 MSioDrv2;MSioDrv2;c:\windows\system32\drivers\msiodrv2.sys [2007-11-16 55680]
R2 HealthService;OpsMgr Health Service;c:\program files\System Center Operations Manager 2007\HealthService.exe [2008-02-16 27696]
R2 MSioSrv;MSioSrv;c:\windows\system32\msiosrv.exe [2007-11-16 536576]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2007-12-21 212480]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2005-11-09 183808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2005-11-09 25088]
R3 ASEKey;ASEKey;c:\windows\system32\drivers\ASEKey.sys [2007-05-21 71916]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-03-07 36608]
R3 MSioDrv1;MSioDrv1;c:\windows\system32\drivers\msiodrv1.sys [2007-11-16 7040]
S0 MSioDrv3;MSioDrv3;c:\windows\system32\drivers\msiodrv3.sys [2007-11-16 51712]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 AdtAgent;Operations Manager Audit Forwarding Service;c:\windows\system32\AdtAgent.exe [2008-02-16 264192]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14c99bba-b19f-11dd-a26f-000ffe7e03e4}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDEULA.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tedbaker.com
uInternet Settings,ProxyServer = 172.16.0.254:8080
uInternet Settings,ProxyOverride = 172.16.*.*;10.65.*.*;evserver1;pki.tedbaker.com;tbdc01.tedbaker.com;tbdc02.tedbaker.com;tbex01.tedbaker.com;tbex02.tedbaker.com;tbfp01.tedbaker.com;tbbu01.tedbaker.com;tbisa01.tedbaker.com;tbsql01.tedbaker.com;tbev01.tedbaker.com;tbapp01.tedbaker.com;tbapp02.tedbaker.com;tbpki.tedbaker.com;tbcsm01.tedbaker.com;*.prologic;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: stylesight.com\www
Trusted Zone: windowsupdate.com\download
TCP: {C934BFA7-BCEB-44B7-A32B-FD2DF1F99C6F} = 172.16.0.11,172.16.0.12
DPF: iLO 2 Remote Console Applet - hxxps://172.16.0.157/dvc.cab
DPF: {576756A1-D97C-45D0-A945-0324019A131E} - hxxp://tedmail:8081/tiweb70/downloads/BOSIActiveXGrid.cab
DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} - hxxp://tedmail:8081/tiweb70/downloads/BOSIActiveXMemoControl.cab
FF - ProfilePath - c:\documents and settings\username\Application Data\Mozilla\Firefox\Profiles\vjblzn8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - 172.16.0.254
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 172.16.0.254
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 172.16.0.254
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 172.16.0.254
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 172.16.0.254
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 09:51:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-03-03 9:52:29
ComboFix-quarantined-files.txt 2009-03-03 09:52:27
Pre-Run: 145,772,498,944 bytes free
Post-Run: 145,902,395,392 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
326 --- E O F --- 2009-02-25 10:01:38
thanks guys
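The ComboFix output above is long, and the parts worth correlating with a volume-level "Access denied" that survives a profile change are the service/driver list and the SafeBoot\Minimal keys. What follows is an added example, not part of the thread and not a tool from any product named in it: a small Python parser that reads those lines (a subset copied from the log above is embedded as constructed sample input) and pulls out kernel drivers that load before any volume is mounted, entries that are also whitelisted to load in Safe Mode, and entries registered under an FSFilter load-order group, which places them in the file-system filter stack. The R/S prefix is read as running/stopped and the digit as the service Start value, which is how ComboFix lays these lines out; all function names are mine, and the script draws no conclusion about any specific driver.

```python
import re
from collections import namedtuple

# ComboFix lists services/drivers as "<R|S><start> <name>;<display>;<path> [<date> <size>]".
# R = running, S = stopped; the digit is the service Start value
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
# Constructed sample: lines copied from the log posted above.
SAMPLE_SERVICES = r"""
R0 MSioDrv2;MSioDrv2;c:\windows\system32\drivers\msiodrv2.sys [2007-11-16 55680]
R2 HealthService;OpsMgr Health Service;c:\program files\System Center Operations Manager 2007\HealthService.exe [2008-02-16 27696]
R2 MSioSrv;MSioSrv;c:\windows\system32\msiosrv.exe [2007-11-16 536576]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2005-11-09 183808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-03-07 36608]
R3 MSioDrv1;MSioDrv1;c:\windows\system32\drivers\msiodrv1.sys [2007-11-16 7040]
S0 MSioDrv3;MSioDrv3;c:\windows\system32\drivers\msiodrv3.sys [2007-11-16 51712]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 AdtAgent;Operations Manager Audit Forwarding Service;c:\windows\system32\AdtAgent.exe [2008-02-16 264192]
"""

# SafeBoot\Minimal keys from the same log: anything listed here is allowed to load in Safe Mode.
SAMPLE_SAFEBOOT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiodrv1.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiodrv2.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSioSrv]
@="Service"
"""

Entry = namedtuple("Entry", "name display path state start date size")

_SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
_SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\(?P<entry>[^\]]+)\]$",
    re.I,
)


def parse_services(text):
    """Turn ComboFix service/driver lines into Entry records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _SVC_RE.match(line.strip())
        if m:
            entries.append(Entry(
                name=m.group("name"), display=m.group("display"), path=m.group("path"),
                state="running" if m.group("state") == "R" else "stopped",
                start=int(m.group("start")), date=m.group("date"), size=int(m.group("size")),
            ))
    return entries


def parse_safeboot(text):
    """Map each SafeBoot\\Minimal entry name (lower-cased) to its class string (the @ value)."""
    classes, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SAFEBOOT_RE.match(line)
        if m:
            pending = m.group("entry").lower()
        elif pending and line.startswith("@="):
            classes[pending] = line[2:].strip('"')
            pending = None
    return classes


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def early_start_drivers(entries):
    """Kernel drivers (.sys) with Start 0 or 1: loaded before any volume is mounted."""
    return [e for e in entries if e.path.lower().endswith(".sys") and e.start in (0, 1)]


def safeboot_protected(entries, safeboot):
    """Entries whose service name or file name has a SafeBoot\\Minimal key, so they also load in Safe Mode."""
    return [e for e in entries if e.name.lower() in safeboot or basename(e.path) in safeboot]


def fs_filters(entries, safeboot):
    """(entry, class) pairs registered under an FSFilter load-order group: they sit in the file-system stack."""
    out = []
    for e in entries:
        cls = safeboot.get(e.name.lower()) or safeboot.get(basename(e.path), "")
        if cls.upper().startswith("FSFILTER"):
            out.append((e, cls))
    return out


if __name__ == "__main__":
    ents, sb = parse_services(SAMPLE_SERVICES), parse_safeboot(SAMPLE_SAFEBOOT)
    print("early-start drivers:", [e.name for e in early_start_drivers(ents)])
    print("safe-mode protected:", [e.name for e in safeboot_protected(ents, sb)])
    print("file-system filters:", [(e.name, c) for e, c in fs_filters(ents, sb)])
```

Pointing the two parsers at a full ComboFix log is a matter of feeding it the whole file: lines that are not service entries or SafeBoot keys are ignored. The three views together answer the question a practitioner would ask of this log, namely which third-party drivers sit under the volume stack, load even in Safe Mode, and are registered as file-system filters, which is where a per-volume "Access denied" that ignores the user profile would have to come from if it is not the USBSTOR value.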
Houssam,
I ran both scans and a few things were found but the problem still exist so I below are the results of both scans (bottom of this post)
Shariff,
I found that post the other day and i have tried most of those thing - I do think is most like drivers or registry but not sure what I need to in order to fix this
this might be interesting - the USB drive does appear in the Computer management console under "Disk management"
When I check the hotplug.xml file in C:\windows\System32 nothing appears to have been detected - normally what should and used to happen is when you plug a device in an entry for the device is added in this file
here are the logs for both scans
ASKER
Hi Igor-1965,
I couldn't find those 2 keys in the registry - could this be the issue, that they don't exist?
How do I add them in (I mean where exactly)? If both these keys are needed could you provide step-by-step instructions on how to add them.
thanks for the reply
Regards
Open the attached file
copy its content to a new text document and save it with the extension .vbs
Double Click on it
Good Luck
kill-amvo-virus-usb-en.txt
First, you want to rule out any problems with the device itself. A good way to do this is to plug the USB device into a different computer to see if it works there. If it does not work in a different computer, then the problem is with the device itself. USB devices, although very handy and portable can fail just like any other device.
However, if the USB device works in another computer system, then the problem lies with the configuration of the computer where the device did not work.
Follow the steps below to troubleshoot this scenario and make your USB device work again.
1) If you are using a USB cable with your device, check the cable to make sure it matches the speed of the device. Use USB 2.0 cables with USB 2.0 devices and USB 1.1 cables with USB 1.1 devices. Swap cables and check the device, if this does not work, proceed to Step 2.
2) Next, open Device Manager and look under the heading for Universal Serial Bus controllers. If there is a device with a yellow exclamation mark next to it, such as USB Mass Storage Device, double-click on the entry and check the Device Status. If the status shows something like
"This device cannot start. (Code 10)"
proceed to Step 3.
3) The easiest way to solve a USB error code 10 in Windows XP is to follow the steps below to remove and reinstall all USB controllers.
A. Click on Start
B. Right Click on My Computer, click on Properties
C.Click on the Hardware tab
D. Click the Device Manager button.
E. Expand Universal Serial Bus controllers section.
F. Right-click every device under the Universal Serial Bus controllers node, and then click Uninstall to remove them one at a time.
G. Restart the computer, and allow the computer to reinstall the USB controllers.
H. Plug in the removable USB storage device, and then test to make sure that the issue is resolved.
I also have heard of conflict issues (however rare) with drive letter assignment but you mentioned that the USB is not present in the Device Manager? I still think that there is a MoBo USB controller/driver issue but you may want to look around in the BIOS settings for USB devices/ports and management. GOOD LUCK =)
ASKER
wow - really appreciate all the help,
Houssam - I ran the script but I'm still getting the access denied message - what does happen is USB sticks are detected faster than they used to be, which is a good thing, but still "access denied".
Micheal MCDST
The USBs do work on other computers so that is definitely not the issue here - everything points to my local system.
All these devices used to work about a month ago - and then I started getting problems but never really got time to work on it. Most of the devices plug directly into a USB port without a cable.
I also uninstalled all the USB host controllers and restarted but am still getting the "Access denied" message.
I am aware of the drive letter assignment issue but this is not the case as a drive letter is assigned to the memory stick/s.
My suspicions are also on the drivers or a corrupt/missing registry key but not sure where to look.
Regards
Hi TED_UBB,
The absence of the USBSTOR registry values might be the indication of the problem.
I am attaching a screenshot of how the key looks on my computer.
In case it's just the Start value that is missing, you could copy the following lines to Notepad and save it with a .reg extension, then double-click on the file and this value will be entered into the registry.
However, if all of the values are missing you might enter them in the registry by hand, based on the screenshot.
Hope it will help
USBSTOR.jpg
Ops, forgot to add the lines to enable USBSTOR:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
ASKER
Hi igor-1965,
After uninstalling all the USB host controllers and restarting it seems like USBSTOR has come back and it looks exactly like the pic you have attached.
One thing though - in your earlier post with the entry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
I couldn't see this in your pic or in my pic anywhere - do I need to add this in? If I do, should I do it manually by right-clicking\New\Key or by adding the lines into a Notepad file, saving it as .reg and double-clicking?
thanks
"Start"=dword:00000004 will DISABLE USB storage devices. Don't use it.
Igor
ASKER
OK - so at the moment, what I have in my registry is the same as what you posted.
I have scanned for viruses and malware - but that didn't fix it.
I am still getting access denied on all USB storage devices.
Any further suggestions?
Regards
Hi TED_UBB,
Any chance you are the "victim" of group policies or local security settings?
You mentioned that the attached USB is visible in Disk Management. Could you provide the screenshot? Ideally, if it will also show the exact error you got.
Thanks
ASKER
here you go - screen shot has been attached
Hope that helps
I didn't think of group policy - it shouldn't be, as I am a member of the Administrators group and other admins can access USB sticks and they are using the same model PCs.
DISKmnmt.JPG
Per the screenshot USB was recognized and mounted as E: drive. I presume you were trying to access it in Windows Explorer, correct?
Have you tried to access E: drive from the command prompt? If not, could you try?
ASKER
Nope - unfortunately Access is denied even in the command prompt.
Are there any other registry settings that I need to check maybe?
In Computer Management, expand Removable Storage, then Libraries, right-click on the USB disk and select Properties. Check that Enable Drive is ticked, then switch to Security and verify there is no restriction you might be affected by.
ASKER
everything was fine on that side as well
1. Could you check if this registry key is NOT present:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
2. Have you tried to reformat the attached USB?
3. Any software present that might be locking down the access to USB?
To discover if a problem is caused by 3rd party software, first start XP in Safe Mode. If the problem is gone there, boot normally again. Go to Start -> Run, msconfig, tab 'Services', check 'Hide All Microsoft Services'. Disable them all, reboot and check if the problem is gone again. If yes, then enable them one by one (rebooting each time) until the problem is back again. Then you have the culprit...
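As an added example (not code from the thread, and not from Device Wall or any other product it names), the script below audits a `reg export` of the keys this discussion keeps coming back to: the USBSTOR service's Start value (3 = on demand, 4 = disabled, which is why Igor says not to import the Start=4 lines), the StorageDevicePolicies key asked about in point 1, and the disk-class UpperFilters list, which is where third-party device-control software generally inserts a filter driver (a statement about that class of product in general, not something the thread establishes about Device Wall). The `reg export` commands in the header comment, the two sample exports and the filter name "DevCtl" are all constructed for the example.

```python
# Added example, not code from the thread or from any product it names: audit a
# `reg export` of the keys discussed above. Assumed usage on the affected PC:
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR usbstor.reg
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies sdp.reg
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}" disk.reg
#   python audit_usb_reg.py usbstor.reg sdp.reg disk.reg
import re
import sys

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
DISK_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                  r"\{4D36E967-E325-11CE-BFC1-08002BE10318}")
START_MEANING = {0: "boot", 1: "system", 2: "automatic", 3: "manual (USBSTOR default)", 4: "disabled"}
DEFAULT_DISK_UPPER_FILTERS = {"partmgr"}  # the only disk-class upper filter on a stock XP install

def read_reg_file(path):
    """reg.exe writes exports as UTF-16LE with a BOM; hand-written .reg files are usually ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")

def _decode_value(raw):
    """Convert the right-hand side of a .reg value line into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":  # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; '[-key]' deletion entries are skipped."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # hex(...) data is wrapped with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-"):
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, raw = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode_value(raw)
    return keys

def audit(text):
    """Check the removable-storage settings the thread looks at; text may be several exports joined."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    usbstor = keys.get(USBSTOR_KEY.lower())
    start = usbstor.get("Start") if usbstor is not None else None
    write_protect = keys.get(POLICY_KEY.lower(), {}).get("WriteProtect")
    filters = keys.get(DISK_CLASS_KEY.lower(), {}).get("UpperFilters", [])
    extra = [f for f in filters if f.lower() not in DEFAULT_DISK_UPPER_FILTERS]
    findings = []
    if usbstor is None:
        findings.append("USBSTOR service key is missing: the USB mass-storage driver cannot load")
    elif start == 4:
        findings.append("USBSTOR Start=4 (disabled): USB storage is switched off, set Start to 3")
    elif start != 3:
        findings.append("USBSTOR Start=%r (%s): unusual, expected 3" % (start, START_MEANING.get(start, "unknown")))
    if write_protect == 1:
        findings.append("StorageDevicePolicies\\WriteProtect=1: removable disks are read-only "
                        "(reads still work, so this alone does not explain 'Access denied')")
    if extra:
        findings.append("non-default disk-class UpperFilters %s: third-party filter drivers are where "
                        "device-control software usually intercepts removable-disk I/O" % extra)
    return {"usbstor_start": start, "write_protect": write_protect,
            "extra_disk_filters": extra, "findings": findings}

# Constructed sample exports for the example (not from the machine in the thread);
# "DevCtl" is a hypothetical filter-driver name standing in for a device-control agent.
HEALTHY_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"DisplayName"="USB Mass Storage Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"UpperFilters"=hex(7):50,00,61,00,72,00,74,00,4d,00,67,00,72,00,00,00,00,00
"""

LOCKED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"UpperFilters"=hex(7):50,00,61,00,72,00,74,00,4d,00,67,00,72,00,00,00,44,00,65,00,\
  76,00,43,00,74,00,6c,00,00,00,00,00
"""

if __name__ == "__main__":
    text = "".join(read_reg_file(p) for p in sys.argv[1:]) if len(sys.argv) > 1 else LOCKED_REG
    for finding in audit(text)["findings"] or ["no removable-storage restriction found in the export"]:
        print(finding)
```

Run without arguments it audits the constructed locked-down sample and prints three findings; given real export files it reads them (handling the UTF-16 encoding reg.exe produces) and audits the concatenation. If USBSTOR and StorageDevicePolicies come back clean, as they did for the asker, a non-default name in the disk-class UpperFilters list is the next thing to look at, because that is where a device-control agent's driver normally sits.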
ASKER
Hi Igor-1965,
Here are the replies to your Qs:
1. This key does not exist in my registry.
2. It's not a problem with the key as all 3 work in my colleague's PC - who has admin privileges like myself.
3. There is software we use to block access to certain devices for certain groups of users. We use Device Wall Control - however - I am a member of Admin and have full permission for all devices so I don't think it is - just to make 100% sure, I removed my network cable and restarted the machine - logged in as local admin and it still didn't work.
I also did what you suggested and started in safe mode - but the USB wasn't detected at all - I don't know if safe mode completely disables the USB services and drivers? I also restarted and disabled all non-Microsoft services but this didn't solve it either.
thanks once again - I really appreciate your help
Regards
ASKER
Hi Igor-1965,
A very interesting and strange thing just happened - I was trying a few things and started the PC in safe mode - as nothing was appearing in My Computer I checked the Disk Management console and saw the USB stick mapped to the E drive, so I thought let me try and open it using the Run dialog box and what do you know - it worked :)
So then I logged in as normal and put the same USB key into the PC and hey presto - it opened through both the Run dialog box and My Computer. So here I am jumping up and down thinking the problem has been solved. So I tried another USB stick and that didn't work - thinking it might be the stick now, I tried the one that worked previously and that stopped working as well.
This now has me really baffled.
Any ideas?
Regards
Naz
ASKER CERTIFIED SOLUTION
ASKER
Good point - I didn't think of the corrupt client installation.
I will check that out and get back to you - also I noticed another strange thing - I have a removable Western Digital hard drive - when I plug it in it doesn't show up in the Disk Management console and when I check Device Manager there is an exclamation mark against one of the HID-compliant devices - when I right-click, the status says "no driver".
But this used to work fine a month or 2 ago - it crashes when I try to uninstall it and after removing the WD hard drive the PC doesn't even detect any other USB memory stick until I restart.
Thanks once again
Regards
ASKER
Top marks my good sir - I removed the client service from my PC and all is good and well.
I will try and re-deploy the service to see what happens but at least now I know the root cause and have learnt loads more techniques from your posts.
Thanks for all your help
ASKER
Very helpful, and I appreciate all the help.
You are welcome :)
Glad we managed to find a culprit.
Best regards,
Igor
Try to scan your computer with Malwarebytes
www.malwarebytes.org/mbam.php
and install combofix
www.bleepingcomputer.com/combofix/how-to-use-combofix