TED_UBB

All USB Removable storage devices - "Access denied"

Hi,
I have a PC which does not allow me access to any removable storage device: USB memory stick, external hard drive or anything.
When I plug the device in, it appears in My Computer, but when I double-click on the device it says "Access denied".
These devices work fine on all other PCs, and I have also tried it under a different profile on my PC, but that does not work either.
It seems to me like a registry issue or some driver issue, but I am not sure what and where to look.
Everything seems well in Device Manager.
I don't really want to re-image the PC with a fresh OS, as I will have to spend a whole week just installing software and stuff.

Any ideas????
Thanks

Houssam Ballout

It's spyware or a virus.
Try to scan your computer with Malwarebytes:
www.malwarebytes.org/mbam.php

and install ComboFix:
www.bleepingcomputer.com/combofix/how-to-use-combofix

shariff_pasha

http://forum.caithness.org/archive/index.php/t-20093.html

Go through this link; hope it solves your problem.

Thanks
http://shariffdotnet.blogspot.com

Please check that your USB removable storage devices were not accidentally disabled in the registry:

Windows Registry Editor Version 5.00

; Start=4 marks the USBSTOR driver as disabled (the state to check for; do not import this)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

**************************************************************************
The one below re-enables your USB pen drive
***************************************************************************
Windows Registry Editor Version 5.00

; Start=3 loads the USBSTOR driver on demand when a USB storage device is plugged in
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

TED_UBB (ASKER)

Thanks for the swift reply, people.

Houssam,
I ran both scans and a few things were found, but the problem still exists, so below are the results of both scans (bottom of this post).

Shariff,
I found that post the other day and I have tried most of those things. I do think it is most likely drivers or registry, but I am not sure what I need to do in order to fix this.
This might be interesting: the USB drive does appear in the Computer Management console under "Disk Management".
When I check the hotplug.xml file in C:\windows\System32, nothing appears to have been detected. Normally what should happen, and used to happen, is that when you plug a device in, an entry for the device is added to this file.

Here are the logs for both scans:

MalwareBytes

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2
03/03/2009 09:47:22
mbam-log-2009-03-03 (09-47-22).txt
Scan type: Quick Scan
Objects scanned: 83263
Time elapsed: 5 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\etc\SERVICES.bk1 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
ComboFix
 

Thanks guys

TED_UBB (ASKER)

Hi Igor-1965,
I couldn't find those 2 keys in the registry - could this be the issue, that they don't exist?
How do I add them in (I mean where exactly)? If both these keys are needed, could you provide step-by-step instructions on how to add them?
Thanks for the reply.
Regards

Open the attached file, copy its content to a new text document and save it with the extension .vbs.
Double-click on it.
Good luck

kill-amvo-virus-usb-en.txt

First, you want to rule out any problems with the device itself. A good way to do this is to plug the USB device into a different computer to see if it works there. If it does not work in a different computer, then the problem is with the device itself. USB devices, although very handy and portable, can fail just like any other device.
However, if the USB device works in another computer system, then the problem lies with the configuration of the computer where the device did not work.
Follow the steps below to troubleshoot this scenario and make your USB device work again.

1) If you are using a USB cable with your device, check the cable to make sure it matches the speed of the device. Use USB 2.0 cables with USB 2.0 devices and USB 1.1 cables with USB 1.1 devices. Swap cables and check the device; if this does not work, proceed to Step 2.
2) Next, open Device Manager and look under the heading for USB Serial Bus Controllers. If there is a device with a yellow exclamation mark next to it, such as USB Mass Storage Device, double-click on the entry and check the Device Status. If the status shows something like
"This device cannot start. (Code 10)"
proceed to Step 3.
3) The easiest way to solve a USB error code 10 in Windows XP is to follow the steps below to remove and reinstall all USB controllers.
A. Click on Start.
B. Right-click on My Computer, click on Properties.
C. Click on the Hardware tab.
D. Click the Device Manager button.
E. Expand the Universal Serial Bus controllers section.
F. Right-click every device under the Universal Serial Bus controllers node, and then click Uninstall to remove them one at a time.
G. Restart the computer, and allow the computer to reinstall the USB controllers.
H. Plug in the removable USB storage device, and then test to make sure that the issue is resolved.

I also have heard of conflict issues (however rare) with drive letter assignment, but you mentioned that the USB is not present in the Device Manager? I still think that there is a MoBo USB controller/driver issue, but you may want to look around in the BIOS settings for USB devices/ports and management. GOOD LUCK =)

TED_UBB (ASKER)

Wow - really appreciate all the help.

Houssam - I ran the script but I am still getting the access denied message. What does happen is that USB sticks are detected faster than they used to be, which is a good thing, but still "access denied".

Micheal MCDST,
The USBs do work on other computers, so that is definitely not the issue here - everything points to my local system.
All these devices used to work about a month ago, and then I started getting problems but never really got time to work on it. Most of the devices plug directly into a USB port without a cable.
I also uninstalled all the USB host controllers and restarted, but I am still getting the "Access denied" message.
I am aware of the drive letter assignment issue, but this is not the case, as a drive letter is assigned to the memory stick/s.
My suspicions are also on the drivers or a corrupt/missing registry key, but I am not sure where to look.
Regards

Hi TED_UBB,

The absence of the USBSTOR registry values might be the indication of the problem.
I am attaching the screenshot of the key as it looks on my computer.

In case it's just a Start value missing, you could copy the following lines to notepad and save it with .reg extension, then double-click on the file and this value will be entered to the registry.

However, if all of the values are missing you might enter it in the registry by hand, based on the screenshot.

Hope it will help

USBSTOR.jpg
Oops, forgot to add the lines to enable USBSTOR:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003


TED_UBB (ASKER)

Hi igor-1965,
After uninstalling all the USB host controllers and restarting it seems like USBSTOR has come back and it looks exactly as the pic you have attached.
One thing though - in your earlier post with the entry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
I couldn't see this in your pic or in my pic anywhere - do I need to add this in? If I do - should I do it manually by right clicking\New\Key or by adding the lines into a notepad file - save as .reg and double click?
thanks
 
"Start"=dword:00000004 will DISABLE USB storage device. Don't use it.

Igor
TED_UBB (ASKER)

OK - so at the moment, what I have in my registry is the same as what you posted.
I have scanned for viruses and malware - but that didn't fix it.
I am still getting access denied on all USB storage devices.
Any further suggestions?
Regards
 
Hi TED_UBB,

Any chance you are the "victim" of group policies or local security settings?

You mentioned that the attached USB is visible in Disk Management. Could you provide the screenshot? Ideally, if it will also show the exact error you got.

Thanks

TED_UBB (ASKER)

Here you go - screenshot has been attached.
Hope that helps.
I didn't think of group policy - I shouldn't be, as I am a member of the Administrators group and other admins can access USB sticks and they are using the same model PCs.

DISKmnmt.JPG
Per the screenshot USB was recognized and mounted as E: drive. I presume you were trying to access it in Windows Explorer,  correct?

Have you tried to access E: drive from the command prompt? If not, could you try?

TED_UBB (ASKER)

Nope - unfortunately access is denied even in command prompt.
Are there any other registry settings that I need to check maybe?

In Computer Management, expand Removable Storage, then Libraries, right-click on the USB disk and select Properties. Check if the Enable Drive is checked, then switch to Security and verify there isn't any restriction you might be affected by.

TED_UBB (ASKER)

everything was fine on that side as well
1. Could you check if this registry key is NOT present:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]

2. Have you tried to reformat the attached USB?

3. Any software present that might be locking down the access to USB?
To discover if a problem is caused by 3rd party software first start XP in Safe Mode. If the problem is gone then, boot again normal. Go to Start -> Run, msconfig, Tab 'Services', check 'Hide All Microsoft Services'. Disable them all, reboot and check if the problem is gone again. If yes, then enable them one by one (reboot each time) until the problem is back again. Then you have the culprit...
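
The registry checks and the third-party service isolation suggested in the posts above can be done in one read-only pass. This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell (`Get-WmiObject` is not available in PowerShell 7), and treating "binary outside the Windows directory" as "non-Microsoft" is a heuristic assumption.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Run from an elevated Windows PowerShell prompt; it changes nothing.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the named value does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties[$Name]) { return $null }
    return $props.$Name
}

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$sdp     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

# 1) USBSTOR driver start type: 3 = enabled, 4 = disabled (values from the thread).
$start = Get-RegValue $usbstor 'Start'
if ($null -eq $start) { "USBSTOR: key or Start value missing" }
elseif ($start -eq 4) { "USBSTOR: Start=4, USB storage driver is DISABLED" }
elseif ($start -eq 3) { "USBSTOR: Start=3, USB storage driver is enabled" }
else                  { "USBSTOR: Start=$start, unexpected value, compare with a working PC" }

# 2) StorageDevicePolicies: absent by default; WriteProtect=1 makes USB storage read-only.
if (Test-Path -Path $sdp) {
    $wp = Get-RegValue $sdp 'WriteProtect'
    "StorageDevicePolicies: key present, WriteProtect=$wp"
} else {
    "StorageDevicePolicies: key not present (default)"
}

# 3) Running services whose binary lives outside the Windows directory.
#    Heuristic only: it stands in for msconfig's 'Hide All Microsoft Services'
#    and surfaces third-party agents such as device-control clients.
$winDir = [regex]::Escape($env:SystemRoot)
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -and $_.PathName -notmatch $winDir } |
    Sort-Object DisplayName |
    Format-Table Name, DisplayName, StartMode, PathName -AutoSize
```

If both registry checks come back clean, the service list is the place to look for an endpoint agent that filters removable storage.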

TED_UBB (ASKER)

Hi Igor-1965,
here are the replies to your Q's
1. This key does not exist in my registry.
2. It's not a problem with the key as all 3 work in my colleague's PC - who has admin privileges myself.
3. There is software we use to block access to certain devices for certain groups of users. We use Device Wall Control - however - I am a member of Admin and have full permission for all devices so I don't think it is - just to make 100% sure, I removed my network cable and restarted the machine - logged in as local admin and it still didn't work.
I also did what you suggested and started in safe mode - but the USB wasn't detected at all - I don't know if safe mode completely disables the USB services and drivers? I also restarted and disabled all non-Microsoft services but this didn't solve it either.
Thanks once again - I really appreciate your help.
Regards

TED_UBB (ASKER)

Hi Igor-1965,
A very interesting and strange thing just happened - I was trying a few things and started the PC in safe mode - as nothing was appearing in My Computer - I checked the Disk Management console and saw the USB stick mapped to the E drive so I thought let me try and open it using the Run dialog box and what do you know - it worked :)
So then I logged in as normal and put the same USB key into the PC and hey presto - it opened through both the Run dialog box and My Computer. So here I am jumping up and down thinking the problem has been solved. So I tried another USB stick and that didn't work - thinking it might be the stick now, I tried the one that worked previously and that stopped working as well.
This now has me really baffled.
Any ideas?
Regards
Naz

ASKER CERTIFIED SOLUTION
igor-1965

This solution is only available to members.

TED_UBB (ASKER)

Good point - I didn't think of the corrupt client installation.
I will check that out and get back to you - also I noticed another strange thing - I have a removable Western Digital hard drive - when I plug it in it doesn't show up in the Disk Management console and when I check Device Manager - there is an exclamation mark against one of the HID compliant devices - when I right click and the status says "no driver".
But this used to work fine a month or 2 ago - it crashes when I try to uninstall it and after removing the WD hard drive the PC doesn't even detect any other USB memory stick until I restart.
Thanks once again
Regards

TED_UBB (ASKER)

Top marks my good sir - I removed the client service from my PC and all is good and well.
I will try and re-deploy the service to see what happens but at least now I know the root cause and have learnt loads more techniques from your posts.
Thanks for all your help

TED_UBB (ASKER)

Very helpful and appreciate all the help.

You are welcome :)
Glad we managed to find a culprit.

Best regards,
Igor