Question

Problem with XP after ANTIVIRUS2009

Asked by: GST-GRIDTECH

Hi,
I have an XP SP2 install that went bad after a run-in with "AntiVirus2009" and other bugs.
I am able to boot and log in (after UBCD4WIN / virus scan).

One Local Admin group user can't run anything except Task Manager and 1 or 2 other tasks from there. Administrator can run "explorer.exe" but can't run iexplore.exe, or start any services, or see details in Event Viewer since the last time I was able to run "MSCONFIG".

So I have few services running and can't start any of the other services.
I've seen other postings that have similar issues; I'm just not sure what's the best recover/repair method based on the current state of my system.

Should I do a repair install (and how will that affect the apps/data), or should I use the Recovery Console?
I've also come across a reference to FIXACL.exe that is supposed to fix registry and file permission problems.

Or should I manually reset permissions on ALL %SystemRoot% directories and files and manually edit the registry? Of course, although I'm familiar with rights and editing the registry, I am not an expert..
Or if someone is familiar with "UBCD4Windows" or any other boot/repair CD, please let me know.

Right now I think the system is clean of viruses, but may be stuck in whatever state the virus left it in. Permissions on the %SystemRoot% folder/files aren't what you normally see on any XP install, and I can't run most programs or start any services. So I really need some assistance in getting to the best solution to reverse this and make the system usable, short of a format/install.

Thank you......


Asked on: 2009-09-03 at 12:26:04 (ID 24705762)

Tags: Repair install, Recovery Console, Fixacl.exe, %SystemRoot, Permissions changed

Topics: Windows XP Operating System, Anti-Spyware, Windows Registry Cleaners

Participating experts: 7 | Points: 500 | Comments: 50



Answers

 

by: orangutang, posted on 2009-09-03 at 12:31:23 (ID: 25254104)

Did you try scanning with Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)?

 

by: GST-GRIDTECH, posted on 2009-09-03 at 12:41:09 (ID: 25254205)

No,

I can and will do that now, but won't I still have problems with permissions on the %SystemRoot% folders/files.....?

Also, I can't run iexplore.exe unless I use the UBCD4Windows live/boot CD to get to that site.
I will try with the boot CD, but my problem right now seems to be with permissions, particularly on the
%SystemRoot% folders/files, and maybe bad keys in the registry.......

 

by: souseran, posted on 2009-09-03 at 13:19:39 (ID: 25254521)

Get out your OS media and put it in a drive.

Go to Start | Run.

Type SFC /purgecache

Press Enter and let it run.

After that's run, type SFC /scannow

Press Enter and let it run.

Report back.

 

by: jhyiesla, posted on 2009-09-03 at 13:21:53 (ID: 25254550)

You know... there are times when your PC or server just gets so screwed up that the high road is to get your data off and just reload. I use all sorts of tools in my environment, but in the end, I'll almost always reload after stabilizing the box to a point where it's safe and possible to recover any data that I need to. Reloading Windows is usually just not that big a deal unless you've got an enterprise server that's running SQL or Exchange or the like.

 

by: Navid_rvl, posted on 2009-09-03 at 13:24:15 (ID: 25254574)

You can also try Trojan Remover; it's great for many system problem repairs and many other problems. Scan with it and click OK on every repair suggestion. You can download it from www.simplysup.com/tremover/download.html

Also, for registry problems you can use this freeware: http://filehippo.com/download_ccleaner/

or, better, the shareware RegistryFix.

 

by: GST-GRIDTECH, posted on 2009-09-03 at 13:34:38 (ID: 25254676)

Hi,

SOUSERAN,
will give your suggestion a try right now and report back...

JHYIESLA,
of course you are ultimately right;
I'm more looking at this as an opportunity to learn the capabilities of repair beyond format/install.
That will be my last hope; I'm just hoping I can learn, repair and help a friend in the process...

 

by: orangutang, posted on 2009-09-03 at 13:35:53 (ID: 25254690)

Also, try "Method 1: Reset the registry and the file permissions" from http://support.microsoft.com/kb/949377

 

by: GST-GRIDTECH, posted on 2009-09-03 at 13:39:53 (ID: 25254720)

Anyone heard of or familiar with FIXACL.exe? It is supposed to fix registry and file permission problems.

 

by: GST-GRIDTECH, posted on 2009-09-03 at 14:22:27 (ID: 25255091)

souseran:
Can't run SFC /purgecache or /scannow from the CD (only sfc.ex_ and sfc.dl_ on the CD).
I can run SFC /purgecache and /scannow from the local %systemroot% (not in safe mode).
Is this OK to run???

 

by: rpggamergirl, posted on 2009-09-03 at 18:39:38 (ID: 25256383)

You can't run any .exes, or can't run security programs?

If you can't run any .exes, then do this:

Download the following file and save it to your desktop.
http://live.sysinternals.com/procexp.exe
Rename the file to "winlogon.exe" and then run it. (Do not rename it with a generic name.)
Then look for any random-number executables, e.g. 3425631.exe; highlight any random.exe, right-click and select "kill process".
Once the process is killed, scan the system as suggested with MalwareBytes or Combofix.

If you can run .exes but security scanners are blocked, you can try renaming the tools before saving them to your desktop.

If even renaming the scanners before downloading still won't run, then run this diagnostic tool to check for a particular infection that blocks programs and messes up permissions.

Please download this tool and run it.
http://ad13.geekstogo.com/Win32kDiag.exe
Double-click on Win32kDiag.exe to run it.
A black command prompt window shall appear.
It will now begin to scan. This may take a while; please be patient until the scan is complete.
Once it's done, in the black screen it will say "Finished! Press any key to exit...."

A log file called Win32KDiag.txt will be created on your desktop.
Please copy and paste the contents of that log file here in your next reply.

 

by: jhyiesla, posted on 2009-09-03 at 18:47:38 (ID: 25256406)

You might take a look at Prevx: www.prevx.com. It's an antimalware program that does a fairly good job of finding and nuking most malware. It's free to download and scan, but will cost to get the version that actually cleans.

 

by: ChiefIT, posted on 2009-09-04 at 04:52:58 (ID: 25258590)

Oh, 2009 is a bugger:

I had to completely reformat and start over. Even a repair install was messed up.

Get your important data onto a USB drive, if you can boot.

 

by: GST-GRIDTECH, posted on 2009-09-05 at 19:22:15 (ID: 25268554)

I WAS able to run SFC /purgecache and /scannow.
/scannow took a very long time and didn't seem to do anything, so I guess that should mean the
"WINDOWS FILE PROTECTION" scan was OK...

After some additional research,...I ALSO ran the "SECURITY CONFIGURATION & ANALYSIS" SNAP-IN.
This DID reset the permissions on the %SYSTEMROOT%, which was my initial problem.
I have SCANNED for viruses/malware a few times in between, and can't find any new ones..
THE MAJOR PROBLEM I'M HAVING NOW IS GETTING OUT OF WHATEVER STATE THE VIRUS LEFT THE PC IN.
IF I GO TO LOCAL USERS & GROUPS,
I CAN'T SEE THE PROPERTIES FOR OR MAKE ANY CHANGES TO THE "ADMINISTRATORS" GROUP.
ANYONE KNOW WHAT WOULD LOCK ME OUT OF THAT??????? OR HOW I COULD FIX IT???

I THINK MY PROBLEM "MAY" BE MOSTLY WITH THE REGISTRY....????????

THANK YOU ALL FOR YOUR COMMENTS, SUGGESTIONS AND ASSISTANCE...

 

by: GST-GRIDTECH, posted on 2009-09-05 at 19:26:54 (ID: 25268564)

ChiefIT
repair install was my last hope BEFORE REFORMATTING/REINSTALLING.
I'M HOPING I MIGHT, MIGHT BE ABLE TO AVOID THAT........


......sorry for the poor typing skills above.......

 

by: rpggamergirl, posted on 2009-09-05 at 19:38:56 (ID: 25268581)

Can you please run Win32kdiag.exe and attach the log, so we can replace whichever file is patched, and you can then run scanners to remove the infection?

 

by: GST-GRIDTECH, posted on 2009-09-05 at 20:17:48 (ID: 25268647)


..... ALSO, I AM STILL UNABLE TO START OR STOP ANY SERVICES......
Also noticed that the list of services in the "EXTENDED" tab is blocked out.
I CAN see the list of services in the "STANDARD" tab.. having problems NOW, but can send a "PIC" of the services window/s to show you what I mean and how the services window NOW looks..

Also, while doing some additional research, I came across someone mentioning "SC.exe".
ANYONE familiar with using sc.exe to reset security and logins on any service...??

THANK YOU.....

 

by: GST-GRIDTECH, posted on 2009-09-05 at 20:20:05 (ID: 25268652)

rpggamergirl
I'll run Win32kdiag.exe NOW and attach the log when completed.........

 

by: GST-GRIDTECH, posted on 2009-09-05 at 21:41:35 (ID: 25268752)

rpggamergirl
HERE ARE THE RESULTS FROM..... Win32kdiag.exe...
Log file is located at: D:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...



Found mount point       : D:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB44.tmp\ZAPB44.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC28.tmp\ZAPC28.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC47.tmp\ZAPC47.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\0eaed8d713d78954a90c813a5e2c5934\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\730e45fefcdf343b61704b89c95d7cca\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\a855eed5ad28db3548ad40195130e787\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\appmgmt\S-1-5-21-761365104-1534018964-2864452992-1151\S-1-5-21-761365104-1534018964-2864452992-1151

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

HOPE THIS HELPS.....THANK YOU.............
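The Win32kDiag log above lists, for each junction (mount point) the tool found under the Windows directory, the directory and the NT object path it resolves to, and every one of them resolves to the same target that is not a volume or drive path at all. The following Python script is an added example, not part of this thread and not part of the Win32kDiag tool: it parses a log in that format, groups the junctions by destination so a pattern like the one above stands out, flags destinations that do not look like a healthy `\??\`-prefixed drive, volume or UNC target, and also flags the naming pattern visible in the log, where the junction is a subdirectory named after its own parent. The regular expression for a "normal" target is an assumption about what healthy junctions look like, not something the tool documents. The embedded sample log is constructed: the first two entries are copied from the log above and the third is a made-up benign volume mount point with a fictitious GUID, included for contrast.

```python
"""Triage a Win32kDiag-style mount point listing.

Added example, not part of the thread or of the Win32kDiag tool. Reads the
"Found mount point / Mount point destination" pairs the tool prints and
groups them so an abnormal pattern stands out.
"""
import re
from typing import Dict, List, Tuple

# Assumption: a healthy NTFS junction or volume mount point resolves to an
# NT path under the \??\ namespace: a drive letter, a Volume{GUID}, or UNC.
NORMAL_TARGET = re.compile(
    r"^\\\?\?\\(?:[A-Za-z]:\\|Volume\{[0-9A-Fa-f-]+\}\\?|UNC\\)"
)

FOUND_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")

# Constructed sample: the first two entries are copied from the log in the
# thread; the third is a made-up benign volume mount point for contrast.
SAMPLE_LOG = r"""Log file is located at: D:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...

Found mount point       : D:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point       : D:\WINDOWS\Example\VolumeLink

Mount point destination : \??\Volume{01234567-89ab-cdef-0123-456789abcdef}\

Finished!
"""


def parse_mount_points(log_text: str) -> List[Tuple[str, str]]:
    """Return (junction path, destination) pairs in log order.

    Header lines, warnings and "Finished!" are ignored; a "Found" line with no
    following destination is dropped rather than paired with the wrong one.
    """
    pairs: List[Tuple[str, str]] = []
    pending = None
    for line in log_text.splitlines():
        found = FOUND_RE.match(line)
        if found:
            pending = found.group(1)
            continue
        dest = DEST_RE.match(line)
        if dest and pending is not None:
            pairs.append((pending, dest.group(1)))
            pending = None
    return pairs


def is_suspicious_target(destination: str) -> bool:
    """A target outside the \\??\\ namespace cannot be a normal mount point."""
    return NORMAL_TARGET.match(destination) is None


def has_doubled_leaf(path: str) -> bool:
    """True for paths like D:\\WINDOWS\\addins\\addins, where the junction is a
    subdirectory named after its own parent, the naming seen throughout the log."""
    parts = [p for p in path.rstrip("\\").split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(log_text: str) -> Dict[str, object]:
    """Group junctions by destination and separate abnormal ones from benign."""
    suspicious: Dict[str, List[str]] = {}
    benign: List[Tuple[str, str]] = []
    doubled: List[str] = []
    for path, dest in parse_mount_points(log_text):
        if is_suspicious_target(dest):
            suspicious.setdefault(dest, []).append(path)
        else:
            benign.append((path, dest))
        if has_doubled_leaf(path):
            doubled.append(path)
    return {"suspicious": suspicious, "benign": benign, "doubled_leaf": doubled}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dest, paths in report["suspicious"].items():
        print(f"{len(paths)} junction(s) resolve to abnormal target {dest}")
        for p in paths:
            print(f"    {p}")
    print(f"{len(report['benign'])} junction(s) with normal volume targets")
    print(f"{len(report['doubled_leaf'])} junction(s) named after their parent directory")
```

Run against the full log pasted above (read from Win32kDiag.txt instead of SAMPLE_LOG), every entry lands in one "suspicious" group and every path carries the doubled-leaf name, which is the pattern a responder wants to see summarised in one line rather than scroll through a hundred times. The parser only reads the log; it makes no change to the system.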

 

by: GST-GRIDTECH, posted on 2009-09-05 at 21:46:48 (ID: 25268756)

souseran:
WHERE WOULD I FIND THE RESULTS FROM THE ....  SFC /scannow??
IS A LOG FILE CREATED?????...
 

 

by: rpggamergirl, posted on 2009-09-05 at 23:09:39 (ID: 25268855)

Thanks for the log.

Run Win32kdiag.exe using this command please.
Click on Start-> Run, and copy-paste the following command into the "Open:" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r
 

 

Afterwards, see if you can run a renamed Combofix or renamed MalwareBytes (renaming the file before saving it to the desktop, not after).

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download but rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 

 

by: ChiefIT, posted on 2009-09-06 at 08:25:06 (ID: 25270279)

I know that reinstall is your last resort. In my experience with AV2009, 2008, 2007, they give a false alert that warns the user they have a virus and need to download Microsoft's AV to clean it. After infected, the virus goes in and totally hoses up the OS, as you are seeing. I tried real hard to recover from  two instances and ended up slicking the PC and reinstalling the OS on both. This is why I recommend you take your data and put it on another media as soon as possible.

Continuing to mess with the OS, with SFC, chkdsk, and a bunch of other utilities may prove futile to your data, as in my case. A repair install for me was a bust as well. I don't know what this virus does to the OS, but even a repair install didn't work for me.

If you have access to any data, get your data while you can. This virus progressively gets worse over time. With the two I worked with, I couldn't recover, so I wish you luck where I didn't succeed.

For the folks that downloaded the virus, they should immediately contact the credit card protection company and put a credit fraud alert on their credit reports. You have seen the commercials where the guy displays his "true" social security number on the truck. That's a legitimate business that calls all three major credit card bureaus on your behalf and puts a fraud alert on your credit. Then, the credit card bureaus are obligated to call you when someone is trying to fill out any credit apps. The users can do this on their own. The three credit bureaus are Equifax, Experian, and TransUnion.

For this virus, there is a phone number that is provided to "license the software". If any personally identifiable information is leaked out, like a credit card number, they could and will end up victims of computer fraud. The intent of this virus is to get you to call in with credit card numbers and other personal information. Your coworkers don't want to go there. The site and phone number have been banned by the FBI on MS AV 2007, but this hasn't stopped the use of this virus.

The folks who created this virus have been arrested and prosecuted. That doesn't mean this hasn't been modified and passed on from another source. In other words, this could be a variant that's passed on from what's called a script kiddie. A script kiddie is one who takes known viruses, maybe changes them a little, and sends them on to infect others and take advantage of another's virus-creating work. It's estimated about 98% of all viruses are now sent on through script kiddies.

If so, the FBI should have an on-line report that can be filled out on their site for computer fraud, to alert them of this incident.

I really do wish you luck on this. This virus is a real nightmare. Rampagegirl has always been very good at helping people clean house. But, I haven't seen too many removal tools for this virus or anything that gets to the root registry keys and effects on the OS for this virus. Usually Symantec provides good removal tools for viruses that explain how to fix the registry and completely remove the effects as well as clean the machine. Not in this case.

This particular virus could have been prevented in the first place with Least User Authorization. This means if the user didn't have download and install capability, or the authority to run executables, the virus would never have made it to the computer. Even for home users, you could exercise Least User Authorization. My daughter has no access to running scripts or any content from a remote location without me helping her as an administrator of the home computer.

Also, educating your users on this virus is very important. Let your users know about Microsoft Antivirus 2007, 2008, 2009 being a deceiving virus with false alerts that tell them to download an antivirus package to clean their systems. Let your users know, as a precaution, to google search things they are downloading from remote sites. If they were to google search "Antivirus 2009 scam", this is what they would come up with.

Here's an article called "Pay to be infected" on AV 2009:
http://www.articlesbase.com/security-articles/pay-to-be-infected-the-xp-antivirus-2009-scam-580872.html

Another site the FBI recommended to me when I was a victim of ID fraud is this:
http://www.lookstoogoodtobetrue.com/

 

by: GST-GRIDTECH  Posted on 2009-09-06 at 15:11:35  ID: 25271782

rpggamergirl:
had some problems running  - "%userprofile%\desktop\win32kdiag.exe" -f -r
 

I noticed a strange file in taskmgr, NirCMDC.cfxxe... IS THIS COMBOFIX?

IT WAS IN THE FOLLOWING DIRECTORY. IS THIS COMBOFIX?

IT HAS A COPY OF IEXPLORER.EXE, .VBS FILES AND REGISTRY FILES..

D:\32788R22FWJFW>dir /s
Volume in drive D has no label.
Volume Serial Number is CC42-FF1C
Directory of D:\32788R22FWJFW
09/06/2009  09:15 PM    <DIR>          .
09/06/2009  09:15 PM    <DIR>          ..
05/25/2009  09:25 AM            38,866 023.dat
08/31/2000  12:00 PM             2,126 023v.dat
09/06/2009  09:15 PM                 2 AbortP
08/31/2000  12:00 PM             6,760 appinit.bad
07/14/2009  03:09 AM               602 asp.str
12/04/2006  03:09 PM            13,312 AspackDie.cfxxe
07/29/2009  06:34 AM             3,282 Assoc.cmd
07/29/2009  06:46 AM             3,034 Auto-RC.cmd
09/02/2009  07:38 AM             1,509 av.cmd
05/13/2009  10:09 PM             1,464 av.vbs
04/29/2009  08:41 PM               629 AWF.cmd
09/07/2009  04:46 AM           788,124 badclsid.c
08/31/2009  05:11 AM             2,136 Boot-Rk.cmd
09/05/2009  11:45 PM             7,785 Boot.bat
08/31/2000  12:00 PM             7,680 BootSect.dll
09/05/2009  11:48 PM            49,456 c.bat
08/10/2009  06:22 AM               736 Catch-sub.cmd
04/17/2009  09:37 PM           147,456 catchme.cfxxe
09/05/2009  11:48 PM            25,539 CF-Script.cmd
09/06/2009  09:15 PM                 0 CFVersionOld
09/06/2009  09:15 PM                16 CHCP.bat
09/07/2009  04:46 AM           237,724 clsid.c
08/31/2000  12:00 PM             1,024 Combo-Fix.sys
09/05/2009  11:48 PM             7,659 Combobatch.bat
08/31/2000  12:00 PM           141,312 ComboFix-Download.cfxxe
08/25/2009  07:17 AM             6,723 Create.cmd
09/07/2009  03:16 AM           630,927 Creg.dat
09/03/2009  01:09 AM             2,896 CregC.cmd
08/15/2009  10:58 AM               406 CregC.dat
05/25/2009  02:08 PM             1,688 CSet.cmd
08/31/2000  12:00 PM           101,376 dd.cfxxe
05/25/2009  01:59 PM             7,983 ddsDo.sed
08/21/2009  10:26 PM             1,644 DelClsid.bat
08/31/2000  12:00 PM               746 DPF.str
08/31/2000  12:00 PM            51,200 dumphive.cfxxe
08/31/2000  12:00 PM               303 embedded.sed
10/21/2005  12:02 AM           163,328 ERDNT.e_e
08/31/2000  12:00 PM             2,815 ERDNTDOS.LOC
08/31/2000  12:00 PM             3,275 ERDNTWIN.LOC
10/21/2005  12:00 AM           157,696 ERUNT.cfxxe
08/31/2000  12:00 PM             4,090 ERUNT.LOC
08/31/2009  11:20 PM            13,697 Exe.reg
08/31/2000  12:00 PM            52,736 extract.cfxxe
09/07/2009  04:44 AM             3,315 FD-SV.cmd
09/01/2009  06:54 AM            36,903 ffdefstr.dll
09/07/2009  04:46 AM             2,207 files.pif
08/12/2009  07:54 AM               660 Fin.dat
09/05/2009  11:51 PM            29,084 FIND3M.bat
07/20/2009  01:21 PM             4,668 FIXLSP.bat
05/25/2009  02:05 PM             1,095 FKMGen.cmd
02/15/2001  07:03 PM            10,240 ForceLibrary.dll
08/12/2009  07:43 AM             5,412 GetHive.cmd
08/31/2000  12:00 PM            80,412 grep.cfxxe
08/31/2000  12:00 PM            15,360 gsar.cfxxe
08/31/2000  12:00 PM           181,776 handle.cfxxe
08/16/2005  05:54 AM             1,536 hidec.exe
08/12/2009  07:43 AM               908 history.bat
04/20/2009  04:56 PM            31,232 iexplore.exe
08/31/2000  12:00 PM             1,057 image001.gif
09/05/2009  11:52 PM             5,658 Install-RC.cmd
08/01/2009  08:17 AM               761 katch.cmd
07/13/2009  11:31 AM             1,588 Kill-All.cmd
08/12/2009  07:44 AM             3,453 Kollect.bat
08/31/2009  05:11 AM           194,486 Lang.bat
08/30/2009  09:59 AM    <DIR>          License
09/07/2009  01:48 AM            39,212 List-B.bat
09/07/2009  03:10 AM           230,639 List-C.bat
09/02/2009  08:16 AM            92,966 List-D.bat
09/07/2009  02:19 AM           623,250 List.bat
08/31/2000  12:00 PM             2,428 lnkread.vbs
08/31/2000  12:00 PM               225 LocalService.dat
08/31/2000  12:00 PM                91 LocalServiceNetworkRestricted.dat
08/31/2000  12:00 PM               198 LocalSystemNetworkRestricted.dat
09/07/2009  04:46 AM             4,794 md5sum.pif
08/12/2009  07:47 AM             2,367 MoveIt.bat
08/31/2000  12:00 PM            11,264 mtee.cfxxe
08/31/2000  12:00 PM                 0 mynul.dat
04/20/2009  04:56 PM            31,232 n.pif
08/23/2009  09:31 AM               662 ncmd.cfxxe
08/31/2000  12:00 PM               287 ndis_combofix.dat
09/05/2009  11:55 PM            28,205 ND_.bat
09/02/2009  09:04 PM               482 netsvc.bad.dat
08/31/2000  12:00 PM               159 netsvc.dat
08/31/2000  12:00 PM               481 netsvc.vista.dat
08/31/2000  12:00 PM               525 netsvc.xp.dat
08/31/2000  12:00 PM                88 NetworkService.dat
09/06/2009  09:15 PM                 2 NewCFUser
04/20/2009  04:56 PM            31,232 NirCmd.cfxxe
08/31/2000  12:00 PM            32,317 NirCmd.chm
04/20/2009  04:56 PM            31,232 NircmdB.exe
04/20/2009  04:56 PM            30,720 NirCmdC.cfxxe
09/06/2009  09:15 PM                 6 NlsLanguageDefault
09/02/2009  05:20 AM            14,397 NT-OS.cmd
09/06/2009  09:15 PM    <DIR>          N_
08/31/2000  12:00 PM               977 OSid.vbs
09/06/2009  09:15 PM                43 OsVer
09/07/2009  04:46 AM            14,727 P.cmd
09/04/2009  02:25 AM           230,912 PEV.cfxxe
09/04/2009  02:25 AM           230,912 pev.exe
07/06/2009  07:51 AM             2,992 Policies.dat
09/06/2009  09:15 PM                 3 prep.done
08/14/2009  08:54 AM             2,374 Prep.inf
08/31/2000  12:00 PM               404 Purity.dat
03/03/2006  03:42 AM            73,728 PV.cfxxe
03/03/2006  03:42 AM            73,728 pv.com
08/31/2000  12:00 PM             7,478 RCLink.dat
08/31/2000  12:00 PM             3,558 REGDACL.sed
08/31/2000  12:00 PM             9,203 RegDo.sed
05/23/2009  06:29 AM             1,149 region.dat
08/28/2009  05:21 PM            62,053 RegScan.cmd
05/02/2009  02:26 AM               587 restore_pt.vbs
08/31/2000  12:00 PM               241 Rkey.cmd
08/31/2000  12:00 PM               820 rogues.dat
08/31/2000  12:00 PM               287 run2.sed
06/10/2009  03:38 PM                30 Rust.str
08/31/2000  12:00 PM               329 safeboot.dat
06/10/2009  06:25 AM             1,464 safeboot.def.dat
08/31/2000  12:00 PM               463 safeboot.def.vista.dat
08/31/2000  12:00 PM            98,816 sed.cfxxe
09/05/2009  11:55 PM            14,723 SetEnvmt.bat
08/12/2009  08:35 AM            30,222 setpath.cfxxe
09/07/2009  04:17 AM             3,440 SnapShot.cmd
08/30/2009  08:32 PM             2,135 SRestore.cmd
09/07/2009  02:49 AM            48,314 srizbi.md5
07/28/2009  05:06 AM            19,200 SuppScan.cmd
08/31/2000  12:00 PM             2,176 SvcDrv.vbs
08/31/2000  12:00 PM               555 svchost.dat
08/31/2000  12:00 PM               668 svchost.vista.dat
05/23/2009  05:52 AM            12,065 svc_wht.dat
08/31/2000  12:00 PM           161,792 swreg.exe
08/31/2000  12:00 PM           136,704 swsc.cfxxe
08/31/2000  12:00 PM           212,480 swxcacls.cfxxe
08/31/2000  12:00 PM               276 system_ini.dat
11/10/1999  12:00 PM            35,328 tail.cfxxe
08/31/2000  12:00 PM               413 toolbar.sed
07/29/2009  07:01 AM             2,722 Update-CF.cmd
09/06/2009  09:15 PM                27 VerCF.bat
09/06/2009  05:11 AM             5,178 VInfo
09/03/2009  10:24 AM            13,492 vistareg.dat
08/18/2009  05:26 PM            37,721 w2kreg.dat
06/21/2009  07:34 PM            90,202 w2k_sock.dll
05/14/2009  05:08 AM               592 Wmi_rem.vbs
06/21/2009  06:45 PM            98,948 w_sock.dll
09/06/2009  09:15 PM                40 XP.mac
09/03/2009  10:23 AM            53,130 xpreg.dat
08/31/2000  12:00 PM            23,773 zDomain.dat
09/07/2009  03:08 AM            34,456 zhsvc.dat
08/31/2000  12:00 PM            68,096 zip.cfxxe
            146 File(s)      6,439,180 bytes
Directory of D:\32788R22FWJFW\License
08/30/2009  09:59 AM    <DIR>          .
08/30/2009  09:59 AM    <DIR>          ..
04/01/2009  12:19 PM             1,070 Curl - license.txt
04/01/2009  03:38 PM               383 dumphive-license.txt
08/19/1996  06:10 AM             7,385 EXTRACT.TXT
11/15/2007  07:36 AM               212 FI - license.txt
10/31/2006  03:06 PM               850 mtee.txt.txt
04/13/2006  06:06 PM            39,183 pv_5_2_2.zip
04/01/2009  02:34 PM            75,425 streamtools.zip
04/02/2009  06:38 AM            26,383 UnxUtilsDist.html
04/01/2009  12:40 PM             3,412 Zip - license.txt
              9 File(s)        154,303 bytes
Directory of D:\32788R22FWJFW\N_
09/06/2009  09:15 PM    <DIR>          .
09/06/2009  09:15 PM    <DIR>          ..
09/06/2009  09:15 PM               201 11787
09/06/2009  09:15 PM             1,544 9917
              2 File(s)          1,745 bytes
    Total Files Listed:
            157 File(s)      6,595,228 bytes
              8 Dir(s)  15,851,581,440 bytes free
D:\32788R22FWJFW>

 

by: rpggamergirl  Posted on 2009-09-06 at 17:48:17  ID: 25272189

Looks like a Combofix folder, though when I ran it just now it didn't create that random folder, but I've seen it on some users' PCs.

Did you run Combofix from the D:\?
Did Combofix run and did it create a logfile?

 

by: GST-GRIDTECH  Posted on 2009-09-06 at 18:01:09  ID: 25272218

rpggamergirl
I had some problems running it..
at times it seemed slow & not doing anything.
I'm running it now.
How long does it take, and does it matter if it's in SAFE MODE or NOT..????


THANK YOU.....

 

by: GST-GRIDTECH  Posted on 2009-09-06 at 18:15:57  ID: 25272252

rpggamergirl

When I run ComboFix, I can't tell if it's running. NOT in TASKMGR.
a lot of activity from svchost w/ many different PIDs.
IS this COMBOFIX or the MALWARE KILLING combofix at start up....?
Where would I find combofix logs..?

 

by: Tiras25  Posted on 2009-09-06 at 18:20:02  ID: 25272260

I always follow these steps with great success:
PART 1  RUN AVENGER
1. Download and run Avenger
http://swandog46.geekstogo.com/avenger2/download.php
2. Ensure both boxes pertaining to 'ROOTKITS' have a check
3. Select EXECUTE and YES to all prompts, PC will reboot.
4. After rebooting, there will be a notepad file open with The Avenger's log file. Send us this log.


PART 2  Run MalwareBytes
1. Download, install, then run this free utility.
http://www.malwarebytes.org (mbam-setup.exe)
2. Perform Quick Scan, then click Scan.
3. When the scan is complete, click OK, then Show Results to view the results.
4. Make sure that everything is checked, and click Remove Selected.
5. When completed log will open in Notepad and you may be prompted to Restart.(See Extra Note)
6. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
7. Copy and paste report in your next reply.

PART 3 - Run Combofix follow these instructions.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Let me know if it helps.

 

by: rpggamergirl  Posted on 2009-09-06 at 18:21:53  ID: 25272268

<<<"I can't tell if it's running.">>>

There should be a DOS window open while Combofix is running, showing you its status and the stages of the scan; you shouldn't do anything or click on that window while it runs.

The log should be at --> C:\Combofix.txt

Did you at all pass and click OK on the Combofix Disclaimer when it started?

 

by: GST-GRIDTECH  Posted on 2009-09-06 at 19:51:49  ID: 25272520

rpggamergirl:
YES, the disclaimer came up, clicked YES, then nothing.
I'm downloading again and will RUN again and I WILL post back when done.

I will also download AVENGER and MALWAREBYTES suggested by Tiras25

AFTER THAT.....after a week on this, I WILL REFORMAT and REINSTALL.
this is proving to be WAY TOO MUCH.
initially, I thought ANYTHING that was DONE by the MALWARE should be able to be UNDONE, through the registry, services or permissions.  NOTHING seems to work.
I've even put the drive in another computer and ran SCANS, NAV CORP picked up NOTHING........

I will POST back RESULTS.....THANK YOU ALL VERY MUCH.........................

 

by: GST-GRIDTECH  Posted on 2009-09-07 at 21:00:28  ID: 25278525


 
...MADE SOME PROGRESS.


Got DESKTOP BACK and SOME Services..
still can't see EVENT VIEWER or NETWORK  properties
 
THE MAJOR PROBLEM NOW IS WITH SERVICES, PARTICULARLY GETTING
"REMOTE PROCEDURE CALL"  WORKING PROPERLY...

right now, it's greyed out, so I can't start services that depend on RPC or get to Event Viewer or Network properties
 
Below is a list of the steps taken, in order, so far.
(logs for MALWAREBYTES, COMBOFIX, AVENGER, WIN32DIAG32 & HIJACKTHIS attached )
 
RAN NAV Net Scan on the PC\Drive with UBCD4WIN Live XP cd.. FOUND the following...
 
 
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=2
 
Backdoor.Tidserv
in kbiwkmkbsbeolw.dll,  kbiwkmqfulspmm.dll  and  kbiwkmrmfvxvpu.sys
   
and found
 
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-082521-2037-99&tabid=3
 
Symantec.com - AntiVirus2009 - Removal
in onhelp.htm
 
 
Got DESKTOP BACK and SOME Services..
still can see EVENT VIEWER / Net props
 
log from "Security Configuration and Analysis"
shows mismatches
 
 
AVENGER LOG.....
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform:  Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at D:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Completed script processing.
*******************
Finished!  Terminate.

 
MALWAREBYTES...
couldn't run Malwarebytes.
Running Malwarebytes in SAFE-MODE reported a missing device.
Running Malwarebytes in Normal mode reported "ACCESS denied"
 
 
Ran SECOND NAV Net Scan NOW on the PC\Drives with UBCD4WIN Live XP cd.. FOUND Nothing...
 
Also RAN Avira Antivirus personal-Free Ed. SCAN on PC\ lcl Drive  with UBCD4WIN Live XP cd.. FOUND Nothing...
 
FOUND OUT "SYSTEM RESTORE" has been disabled by group policy....  
 
COMBOFIX  stalled after 2 dialog boxes...

 
Was able to get MALWAREBYTES running and it found & corrected a FEW things..
 
 
THE MAJOR PROBLEM NOW IS WITH SERVICES, PARTICULARLY GETTING
"REMOTE PROCEDURE CALL" WORKING PROPERLY... right now, it's greyed out, so I can't start services that depend on RPC or get to Event Viewer or Network properties etc
....

(logs for MALWAREBYTES, COMBOFIX, AVENGER, WIN32DIAG32 & HIJACKTHIS attached )  

will probably run Combofix again and look at CCLEANER?????


THANK YOU VERY MUCH FOR YOUR ASSISTANCE....

 

by: GST-GRIDTECH  Posted on 2009-09-07 at 21:09:47  ID: 25278538

ATTACHED ARE THE LOGS FROM THE
MMC.EXE SNAP-IN "SECURITY CONFIGURATION & ANALYSIS"......

 

by: rpggamergirl  Posted on 2009-09-07 at 22:42:35  ID: 25278914

Thanks for the logs:

* Combofix didn't run properly.
* Hijackthis log shows that it's running in diagnostic mode so it doesn't help us.
* MBAM, I assume, took care of those flagged "no action taken"
* Win32kdiag.txt looks weird, as if it didn't run properly.


Can you please run Win32kdiag.exe again, this time in safe mode and without the switch, by just double-clicking on the .exe.

Does Combofix run if you rename it and also the extension to .com?

Also run RootRepeal please.
Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors: (Recommended)
http://rootrepeal.googlepages.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.zip

Rar Mirror:
http://ad13.geekstogo.com/RootRepeal.rar

Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:

o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


 

by: rpggamergirl  Posted on 2009-09-07 at 23:00:01  ID: 25278982

This might also help to make tools run properly.

* Download Fixswen and save it to your desktop
* Right-click on the file and choose "install"
http://download.nai.com/products/mcafee-avert/Fixswen.inf



Here's another option we can try to make Combofix to run properly.

Delete the Combofix that you already have there, and download a new one.
Save it to your desktop as File name: CF.bat
Make sure that the "Save as type:" is *All Files

Then double click on the CF.bat to run it.

 

by: GST-GRIDTECH  Posted on 2009-09-08 at 10:57:54  ID: 25284431

FOUND THESE STRANGE FILES ON THE SYSTEM THAT'S INFECTED.

they are exe's with a command prompt icon; every time I right-click for properties,

MSI pops up pointing to another server's NAV install CD I have there....

I have also attached screenshot........


D:\Documents and Settings\Administrator>dir d:\windows\system32\cf*.*
Volume in drive D has no label.
Volume Serial Number is CC42-FF1C

Directory of d:\windows\system32

09/06/2009 05:14 PM 388,608 CF10351.exe
09/06/2009 04:36 PM 388,608 CF1086.exe
09/06/2009 09:08 PM 388,608 CF1931.exe
09/07/2009 09:02 PM 388,608 CF21841.exe
09/06/2009 09:06 PM 388,608 CF2391.exe
09/06/2009 05:06 PM 388,608 CF29506.exe
09/07/2009 09:21 PM 388,608 CF3001.exe
09/06/2009 09:07 PM 388,608 CF3207.exe
09/07/2009 08:38 PM 388,608 CF7203.exe
09/07/2009 08:12 PM 388,608 CF929.exe
08/04/2004 12:56 AM 38,912 cfgbkend.dll
08/04/2004 12:56 AM 16,896 cfgmgr32.dll
12 File(s) 3,941,888 bytes
0 Dir(s) 13,888,585,728 bytes free

D:\Documents and Settings\Administrator>
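Both listings the asker posted (the D:\32788R22FWJFW tree earlier and the CF*.exe files in system32 here) raise the same triage question: which of these entries deserve a closer look? The following is an added example, not code from the thread or from ComboFix itself. It is a Python parser for the text that `dir /s` prints, with two defender-side heuristics run over a constructed sample in the same shape as the listings above: executables in system32 whose timestamp falls inside a review window, and files using uncommon executable-style extensions. The review window, the extension sets and the sample rows are assumptions made for the example.

```python
"""Triage a Windows `dir /s` listing for entries worth a second look.

Added example, not from the thread. Flagged names are a worklist, not a
verdict: the CF*.exe and *.cfxxe files in the thread turned out to belong
to ComboFix, so every hit still has to be correlated with known tool runs.
"""
import os
import re
from datetime import datetime

# Constructed sample in the shape of the listings posted in the thread.
SAMPLE_LISTING = r"""
 Volume in drive D has no label.
 Volume Serial Number is CC42-FF1C

 Directory of d:\windows\system32

09/06/2009  05:14 PM           388,608 CF10351.exe
09/07/2009  09:02 PM           388,608 CF21841.exe
08/04/2004  12:56 AM            38,912 cfgbkend.dll
08/04/2004  12:56 AM            16,896 cfgmgr32.dll
               4 File(s)        833,024 bytes

 Directory of D:\32788R22FWJFW

09/06/2009  09:15 PM    <DIR>          .
09/06/2009  09:15 PM    <DIR>          ..
04/20/2009  04:56 PM            31,232 NirCmdC.cfxxe
09/07/2009  04:46 AM             4,794 md5sum.pif
08/31/2000  12:00 PM             7,680 BootSect.dll
               3 File(s)         43,706 bytes
"""

# Assumed review window: the days on which the machine was being worked on.
REVIEW_START = datetime(2009, 9, 6)
REVIEW_END = datetime(2009, 9, 8, 23, 59)

# Extensions Windows will execute but that rarely appear in system32 by design.
UNCOMMON_EXEC_EXT = {".pif", ".scr", ".com", ".cfxxe"}
COMMON_EXEC_EXT = {".exe", ".dll", ".sys"}

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>\S.*?)\s*$")
ENTRY = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?:<DIR>\s+|(?P<size>[\d,]+)\s+)(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return one dict per file entry; <DIR> rows and summary rows are skipped."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY.match(line)
        if not m or m.group("size") is None:
            continue
        mtime = datetime.strptime(
            f"{m.group('date')} {m.group('time')}", "%m/%d/%Y %I:%M %p"
        )
        entries.append({
            "dir": current_dir,
            "name": m.group("name"),
            "size": int(m.group("size").replace(",", "")),
            "mtime": mtime,
        })
    return entries


def triage_listing(text, start=REVIEW_START, end=REVIEW_END):
    """Apply the heuristics and return the flagged entries with their reasons."""
    flagged = []
    for e in parse_dir_listing(text):
        ext = os.path.splitext(e["name"])[1].lower()
        reasons = []
        if ext in UNCOMMON_EXEC_EXT:
            reasons.append(f"uncommon executable extension {ext}")
        in_system32 = "system32" in (e["dir"] or "").lower()
        if in_system32 and ext in COMMON_EXEC_EXT and start <= e["mtime"] <= end:
            reasons.append("system32 executable modified inside review window")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"{f['mtime']:%Y-%m-%d %H:%M}  {f['dir']}\\{f['name']}: "
              f"{'; '.join(f['reasons'])}")
```

To use it on a real machine, redirect `dir /s` to a file from the affected drive (as the asker did) and pass the file's contents to `triage_listing`; the 2004-dated cfg*.dll rows in the sample show why the timestamp window matters, since a bare "executable in system32" rule would flag the whole directory.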

 

by: GST-GRIDTECH  Posted on 2009-09-08 at 12:28:45  ID: 25285304

ET "PATH=D:\32788R22FWJFW;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\system32\wbem;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\Common Files\Intuit\QBPOSSDKRuntime"
  Killing 'runonce.exe'
 Killing 'grpconv.exe'
 Killing 'procmon.exe'
 Killing 'ANDRE.EXE'
 Killing 'TOLO.exe'
 Killing 'Merlin.scr'
 Killing 'jalang.exe'
 Killing 'jalangkung.exe'
 Killing 'jantungan.exe'
 Killing 'DOSEN.exe'
 Killing 'C3W3K4MPUS.exe'
pv: No matching processes fou

 

by: GST-GRIDTECH  Posted on 2009-09-08 at 12:32:14  ID: 25285340

rpggamergirl:

combo-fix seemed to pick up the strange PID before it stopped

it seems to be having problems finding the bat file it puts in the root dir...

ET "PATH=D:\32788R22FWJFW;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\system32\wbem;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\Common Files\Intuit\QBPOSSDKRuntime"
  Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes fou  

 

 

by: rpggamergirl  Posted on 2009-09-08 at 16:09:19  ID: 25286946

Those random strange files with CF* are to do with Combofix.

Found this thread on using the Recovery Console to start the Remote Procedure Call (RPC) service; try it.

You will need to use your XP CD to boot the computer into the Recovery Console, then type
the command:    Enable RPCSS Service_Auto_Start

Now press the Enter key to submit the command.

Now type: exit  and press Enter to restart the computer.
http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2003-09/4736.html


If you are unfamiliar with the Recovery Console check the MS link below:
Windows XP REcovery Console:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314058


 

by: GST-GRIDTECH  Posted on 2009-09-08 at 17:35:24  ID: 25287381

rpggamergirl
Thank you for the info.

One quick Q

before I can get to Recovery I'll need the SATA drivers when it asks for them.
Can I copy these from the %systemRoot\?
Not even sure what they would be. Looking online now...

THANK YOU......

 

by: GST-GRIDTECH  Posted on 2009-09-08 at 18:08:10  ID: 25287524

rpggamergirl

Never Mind, I think I found the SATA DRV for the XP Recovery Console.
Working on your last suggestion NOW..

 

by: GST-GRIDTECH  Posted on 2009-09-09 at 13:08:44  ID: 25295079

rpggamergirl

Thank you for the "Enable RPCSS Service_Auto_Start "
I was able to get in RC and enable a lot of services.

However, I'm still getting "ACCESS DENIED" on some services,
particularly System-type services, so I'm looking into some way,
either by Group Policy, Reg Hack, some MMC Snap-in, or more RC,
to reset ALL of the system permissions to what they should be.

Win32Diag still has problems getting "WARNING: Could not get backup privileges!"
This might be related to the Service/Rights/Access denied issue/problem I'm having...

----


Did some research and came across this site..
http://www.kellys-korner-xp.com/xp_tweaks.htm

They seem to have Registry Hacks that might be able to help.
One of them, #278 "Restore/Enable System Restore - Undo", really caught my attention. I've downloaded it and will review to see what it does, and have it attached as a .txt file

I have problems viewing the following key in NIT's Regview 1.0, not sure why..?

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000

----

I've taken a little time to get a FULL system back-up done, in prep for a possible last-option reformat.

Also, research got me here: http://www.compulink.co.uk/~davedorn/computing/windows/xprepair5.htm

They recommend..
FIXBOOT  Use the fixboot command to re-write the boot sector code. For this option to work, you'll need to start the Recovery Console from the Windows CD.

Which makes sense because I could have some Boot Sector Malware/Virus

and another Avira Rescue Boot CD said it could access the BOOT Sectors on Both PARTitions

But Didn't Find anything. So I'm also looking into some sort of Boot sector Analyzer or hope FIXBOOT will work, But I'll probably still have the PERMISSIONS/RIGHTS issue.

http://www.avira.com/en/support/support_downloads.html



Thanks for your HELP.........
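The two threads of this post, the `Enable RPCSS Service_Auto_Start` fix suggested earlier and the remaining "ACCESS DENIED" services plus System Restore being switched off by policy, both come down to registry values under HKLM\SYSTEM\CurrentControlSet\Services and the System Restore policy key. The following is an added example, not code from the thread, from ComboFix or from any of the tools named here. It parses a Registry Editor (.reg) export taken offline from the affected hive, compares each service's Start value with an assumed XP baseline, and prints the Recovery Console `enable` command that would restore it. The baseline list, the sample export and the value names it reads are assumptions made for the example; real exports are UTF-16 and should be opened with `encoding="utf-16"` before being passed in.

```python
"""Check service start types and System Restore policy in a .reg export.

Added example, not from the thread. The Start values (0 Boot, 1 System,
2 Automatic, 3 Manual, 4 Disabled) are what the Service Control Manager
stores; the SERVICE_*_START names are the arguments the XP Recovery Console
`enable` command accepts, as in the thread's `Enable RPCSS Service_Auto_Start`.
"""
import re

# Constructed sample export. Real exports are UTF-16 text: read them with
# open(path, encoding="utf-16") and pass the contents to parse_reg_export().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Type"=dword:00000020
"Start"=dword:00000004
"ImagePath"="%SystemRoot%\\system32\\svchost -k rpcss"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
"""

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

START_NAME = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
RC_START_ARG = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START"}

# Assumed baseline: services this thread depends on, all Automatic on XP.
EXPECTED_START = {"RpcSs": 2, "Eventlog": 2, "Dhcp": 2, "srservice": 2, "winmgmt": 2}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Return {key_path.lower(): {value_name.lower(): int}} for DWORD values.

    Registry names are case-insensitive, so both levels are lower-cased.
    String and binary values are skipped; this check only needs DWORDs.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name").lower()] = int(m.group("hex"), 16)
    return keys


def check_services(keys, expected=EXPECTED_START):
    """Report services whose Start type is absent or differs from the baseline."""
    findings = []
    for svc, want in expected.items():
        values = keys.get(f"{SERVICES_KEY}\\{svc}".lower())
        if values is None or "start" not in values:
            findings.append({"service": svc, "expected": START_NAME[want],
                             "actual": "absent", "fix": None})
            continue
        got = values["start"]
        if got != want:
            arg = RC_START_ARG.get(want)
            findings.append({
                "service": svc,
                "expected": START_NAME[want],
                "actual": START_NAME.get(got, f"unknown({got})"),
                "fix": f"enable {svc} {arg}" if arg else None,
            })
    return findings


def check_system_restore_policy(keys):
    """Return the two policy values that turn System Restore off (0 = not set)."""
    values = keys.get(SR_POLICY_KEY.lower(), {})
    return {"DisableSR": values.get("disablesr", 0),
            "DisableConfig": values.get("disableconfig", 0)}


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for f in check_services(parsed):
        line = f"{f['service']}: expected {f['expected']}, found {f['actual']}"
        if f["fix"]:
            line += f"  ->  Recovery Console: {f['fix']}"
        print(line)
    policy = check_system_restore_policy(parsed)
    if any(policy.values()):
        print(f"System Restore is disabled by policy: {policy}")
```

A service reported as "absent" is worth as much attention as one reported "Disabled": a missing key means the export (or the hive) no longer has the service at all, which the Recovery Console `enable` command cannot repair. The policy check covers the "SYSTEM RESTORE has been disabled by group policy" finding from the earlier post; on a domain member such as this one, confirm whether the values come from the domain GPO before treating them as tampering.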

 

by: GST-GRIDTECH  Posted on 2009-09-11 at 15:43:39  ID: 25314086

I'M STARTING TO THINK MY PROBLEM MAY NOW BE RELATED TO

EITHER A PROBLEM WITH COM+ (dcomcnfg.msc) IMAGE ATTACHED

OR POSSIBLY WITH RESULTANT SET OF PROPERTIES (rsop.msc) IMAGE ATTACHED.

I, OF COURSE, AM TOTALLY UNABLE TO TROUBLESHOOT THOSE TYPES OF ISSUES,

JUST BEYOND ME...

\\NYBC.LOCAL DOES REFER TO A MS-SBSERVER WHICH THIS PC LOGS ONTO..

THANK YOU,,,,

wuau.adm
Location - "\\nybc.local\SysVol\nybc.local\Policies\{FB93D2B5-1C6D-4E08-8F4D-CC93650BCC07}\Adm\wuau.adm"
Error - The network location cannot be reached. For information about network troubleshooting, see Windows H

system.adm
Location - "\\nybc.local\SysVol\nybc.local\Policies\{FB93D2B5-1C6D-4E08-8F4D-CC93650BCC07}\Adm\system.adm"
Error - The network location cannot be reached. For information about network troubleshooting, see Windows H

conf.adm
Location - "\\nybc.local\SysVol\nybc.local\Policies\{BF338408-C0CD-413B-B5CA-CA771AAEB028}\Adm\conf.adm"
Error - The network location cannot be reached. For information about network troubleshooting, see Windows H

wmplayer.adm
Location - "\\nybc.local\SysVol\nybc.local\Policies\{FB93D2B5-1C6D-4E08-8F4D-CC93650BCC07}\Adm\wmplayer.adm"
Error - The network location cannot be reached. For information about network troubleshooting, see Windows H

inetres.adm
Location - "\\nybc.local\SysVol\nybc.local\Policies\{BF338408-C0CD-413B-B5CA-CA771AAEB028}\Adm\inetres.adm"
Error - The network location cannot be reached. For information about network troubleshooting, see Windows H

 

 

by: GST-GRIDTECH  Posted on 2009-09-11 at 19:14:20  ID: 25314775

After some tweaking, was able to get Win32Diag Working A LITTLE BIT.
Combofix still doesn't complete

 

by: rpggamergirl  Posted on 2009-09-11 at 19:31:02  ID: 25314811

You've really done a lot of troubleshooting there, good job.

These rogues can really mess up a system, and still Combofix is not running properly. There's another way of trying to make Combofix run, but I'm not sure if even that will work.

I'm wondering if Gmer is able to run; it should find if an MBR rootkit is present.
GMER:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fwww.gmer.net%2Ffiles.php

Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.


 

by: GST-GRIDTECH  Posted on 2009-09-12 at 12:37:33  ID: 25317610

After
netsh int ip reset "log-file-name.log"
I was able to get the internet working somehow.

Still can't see / change Network properties
RESULTS - LOG..
reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{31F1D5F8-5CCD-4D0D-8D7A-7F4E3E1CDF1C}\NetbiosOptions
added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{D572645D-8508-49AE-94AC-5FD2E0B2E120}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\DefaultGateway
            old REG_MULTI_SZ =
                192.168.102.1

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\DefaultGatewayMetric
            old REG_MULTI_SZ =
                0

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\DisableDynamicUpdate
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\EnableDhcp
            old REG_DWORD = 0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\IpAddress
            old REG_MULTI_SZ =
                192.168.102.106

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\IpAutoconfigurationSeed
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\NameServer
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\SubnetMask
            old REG_MULTI_SZ =
                255.255.255.0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B8FB945-A9BE-4232-A4D6-605E4E2FEDBE}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset   Linkage\UpperBind for PCI\VEN_8086&DEV_1076&SUBSYS_01831028&REV_05\5&13ADAA24&0&380210.  bad value was:
            REG_MULTI_SZ =
                PSched

reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                PSched

<completed>

 

by: GST-GRIDTECH  Posted on 2009-09-12 at 12:53:50  ID: 25317650

rpggamergirl:
When you have the chance, let me know the other way of trying to make combo-fix work.

I was also very surprised that Win32Diag was able to WORK a little better after all of the tweaks.

it's still having problems with rights, so I tried to search to see what rights Win32Diag needs, but found no info......Win32Diag log posted above......

 

by: rpggamergirl  Posted on 2009-09-12 at 16:49:56  ID: 25318418

There is a new version of win32kdiag.exe today, but I think Win32kdiag.exe didn't crash or anything, as the log showed "finished". The only thing that surprised me in the win32kdiag logs is that the patched file didn't show even though the mountpoints did.

The -f -r switch removes the mount points, so that could be why the last 2 logs are empty, though the system still has rights problems.

It's also possible that the Combofix file has been corrupted; it has happened before, so please delete the one you already have and download a new copy of Combofix.

I asked if you could run Gmer because oftentimes Gmer runs when MBAM and Combofix have failed. Most of the recent rootkit infections also show up in Gmer.


Let's try using AVZ.exe to run Combofix.
You can also run AVZ to check for bad files/rootkits in the system. It will not delete anything; this tool will only delete files using a script (I will post a script if I find anything nasty in the log).


Download avz4.zip from here http://z-oleg.com/avz4.zip
Unzip it to your desktop to a folder named avz4

1. Double click on AVZ.exe to run it.
2. Run an update by clicking the Auto Update button on the Right of the Log window:  
3. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.

After the update:
4. From the "File" menu, choose "Standard Scripts"
5. Put a check next to item 2: Advanced System Analysis
6. Click "Execute selected scripts"
7. At the next prompt, click the Yes button

8. Let the scan run and click "OK" when the completion prompt pops up
9. Now Close out of the Standard Scripts window, and exit AVZ
10. Navigate to the avz4 folder and locate the folder LOG

Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.xml and virusinfo_syscheck.zip
Attach the Compressed file, virusinfo_syscheck.zip.

----------------------------------------

Using AVZ to run Combofix:

1. Start AVZ.
2. Choose from the menu "AVZGuard" => "Enable AVZGuard ".
3. Choose from the menu "AVZGuard" => "Run application as trusted".
4. The "Run a trusted process" window will appear:
5. For Application:, select the Folder icon and select ComboFix.exe from your desktop.
6. Copy and paste the following line(below) into the Command Line:

/killall

7. Click OK.
8. Once complete, ComboFix should reboot your computer. Please post back the C:\ComboFix.txt log.




 

by: GST-GRIDTECH, posted on 2009-09-12 at 16:56:57, ID: 25318448

Gmer was able to run.
It displayed a lot of the services but I could save that list of services to a log.
The other logs are attached.
Also ran their MBR.exe and it found nothing.

I noticed another strange issue with my PC: after being able to get onto the web, I have issues with downloading / using stuff from Microsoft or Symantec websites.

 

by: GST-GRIDTECH, posted on 2009-09-13 at 11:36:56, ID: 25321268

rpggamergirl:

Hi.

Ran AVZ; couldn't send zip/htm/xml or a renamed zip to text with the htm inside, so I sent each individually, renaming them to text files.


Combofix still didn't work, even as a trusted app with AVZ.
Also ran Win32Diag as a trusted app... log attached.
The "Standard Script" wouldn't let me scan the D: drive, so I ran a manual scan. This is a 2-partition/dual-boot system: SBS2003 on C: (not really used) and XP SP2 on D:

Noticed a really strange entry in the registry.


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbr]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,44,00,3a,00,5c,00,44,00,4f,00,43,00,\
 55,00,4d,00,45,00,7e,00,31,00,5c,00,41,00,44,00,4d,00,49,00,4e,00,49,00,7e,\
 00,31,00,5c,00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,\
 65,00,6d,00,70,00,5c,00,6d,00,62,00,72,00,2e,00,73,00,79,00,73,00,00,00
"Group"=hex(2):42,00,61,00,73,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbr\Enum]
"0"="Root\\LEGACY_MBR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
ImagePath = \??\D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
----------------------------------
The directory exists, with recent temp and 3 LOG files,
but MBR.SYS can't be found.

Thank YOU FOR ALL YOUR HELP AND SUGGESTIONS....
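For the registry entry above, an added example (not from the thread or from any of the tools it mentions) that decodes the hex(2) ImagePath of a .reg export the way the poster did by hand, and then flags the combination the expert reacted to: a kernel-driver service (Type 1) whose image sits in a user's Temp directory. The sample .reg text is the one quoted above; the temp-directory markers, the finding labels and the function names are my own assumptions.

```python
import re

# Sample input: the .reg export of the "mbr" service quoted in the post above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbr]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,44,00,3a,00,5c,00,44,00,4f,00,43,00,\
 55,00,4d,00,45,00,7e,00,31,00,5c,00,41,00,44,00,4d,00,49,00,4e,00,49,00,7e,\
 00,31,00,5c,00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,\
 65,00,6d,00,70,00,5c,00,6d,00,62,00,72,00,2e,00,73,00,79,00,73,00,00,00
"Group"=hex(2):42,00,61,00,73,00,65,00,00,00
'''

# Assumed directory-name fragments (lower-case) that no kernel driver should load from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def parse_reg_key(text):
    """Parse the values of one [key] block of a .reg export into {name: value}.
    Backslash-continued lines are rejoined; hex(2) (REG_EXPAND_SZ) is decoded
    as UTF-16-LE with the trailing NUL removed, dword: as int. Other types are ignored."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    values = {}
    pattern = r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|hex\(2\):[0-9a-fA-F,]+)$'
    for m in re.finditer(pattern, joined, re.M):
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        else:
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
    return values

def assess_service(values):
    """Return (Win32 image path, list of findings) for a parsed Services\\<name> key."""
    path = values.get("ImagePath", "")
    win32_path = path[4:] if path.startswith("\\??\\") else path  # drop the \??\ NT prefix
    findings = []
    if values.get("Type") == 1:                      # SERVICE_KERNEL_DRIVER
        findings.append("kernel driver")
    if any(marker in win32_path.lower() for marker in TEMP_MARKERS):
        findings.append("image in a temp directory")
    if values.get("Start") == 3:                     # SERVICE_DEMAND_START
        findings.append("manual start")
    return win32_path, findings

if __name__ == "__main__":
    image, notes = assess_service(parse_reg_key(SAMPLE_REG))
    print(image, "->", ", ".join(notes))
```

A driver registered from a Temp directory is a lead to verify, not a verdict: some legitimate scanning utilities also drop a short-lived driver there, so compare the service name and file against the tools that were actually run on the machine before removing it.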

 

by: rpggamergirl, posted on 2009-09-13 at 17:18:26, ID: 25322390

Good catch... you can have AVZ remove the service and file, though the service status is not started.
Combofix is still unable to run properly.

1. Double click on AVZ.exe
2. Click File > Custom scripts
3. Copy & paste the bolded text below into the box in the program (start with begin and end with end.)

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteService('mbr');
BC_DeleteFile('D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys');
RebootWindows(true);
BC_Activate;
end.


4. Note: When you run the script, your PC will be restarted
5. Click Run
6. Restart your PC if it doesn't do it automatically.


 

by: GST-GRIDTECH, posted on 2009-09-13 at 19:48:29, ID: 31624614

Thank you.
PC/server working great - the repair install worked, but probably because the system was 85% back from the dead..

Thank you
