• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1311
  • Last Modified:

How can I delete a file which I believe is a virus when I cannot delete in either safe or normal mode in XP media center and I do not have a boot cd

Hi experts,
I have been given an XP media center pc by a friend which has a pile of viruses on it. I have erased almost everything, but I am still having issues.

The infection had caused the Administrator access rights to be altered, which prevented me from removing certain items from the startup in msconfig and in fact had deleted the msconfig program, but I got that back. I think I have fixed the msconfig entries now by running a Microsoft tool to recover the default permissions for the Administrator account.

I have identified that it had Antivirus 2009 on it and that this was in itself a trojan, so I think that has now gone too, as there are no more pop-ups of fake viruses and fake blue screens.

PMROPN seemed to be in there and I think this has caused a program folder to be created in program files called PremierOpinion which has a file in it that I cannot remove called pmls.dll as it is always locked. I have tried in safe mode and normal mode and with the Administrator account.

I do not have the XP media center cd and the bloody dvd drive is broken even if I did have it!
I have tried to install the recovery console by copying the i386 folder from the XP SP2 cd, but it told me that the XP Pro SP2 cd that I got my hands on was too old for media center, so it offered to go to the Microsoft site to download it. It did this and the boot.ini was successfully changed, but now when I select the recovery console option it just hangs, so perhaps it was not the correct download as it thought I was after XP Pro SP2.

Can you suggest something to help me please?

Asked by: Grover247
1 Solution
 
Donald Stewart (Network Administrator) commented:
0
 
Grover247 (Author) commented:
I have downloaded this and it has installed in safe mode and has worked!
What a great piece of freeware. Thanks very much for the help.

I will keep this open for the next day or so in case I have related issues, but thanks a lot for the help.

If this virus doesn't come back due to this, then the points are yours!!
0
 
Donald Stewart (Network Administrator) commented:
Glad it worked for you.
 
You probably should run Malwarebytes from www.malwarebytes.org
 
and then combofix http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
Grover247 (Author) commented:
I'm glad you mentioned that.
I have got both, but the outbreak was so virulent it seems to have prevented me from running them.

It can take six or seven minutes to start the machine after the Administrator login screen.

I can load but not run Super Antispyware - it tells me Windows encountered a problem.
I can double click and get an egg timer for a few seconds for the following:
malwarebytes setup (but I get no further than an initial egg timer)
combofix (but it won't load)
 
I have tried different download locations for these on at least two occasions in case the downloads had been corrupted

Sophos anti rootkit tells me that it cannot get access to the list of users and that I may not have complete access to the registry

I have run the microsoft registry permissions return to default program mentioned earlier but still no change

Safe mode gives me a speedy-ish startup, so I also disabled all non microsoft services and unchecked all the startup items in the msconfig list. This made the machine a tiny bit faster but still slower than the change from Winter to Spring

I did however see that the PMROPN..EXE is gone from processes and the premieropinion folder and its contents have been deleted.

Any other ideas please, anybody?
0
 
Grover247 (Author) commented:
In case it helps, I can run HijackThis and attached is the log file from what I explained just a moment ago.


hijackthis.log
0
 
Donald Stewart (Network Administrator) commented:
Download subinacl and run the following.
 
Save as resetacl.cmd:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f 
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f 
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f 
subinacl /subdirectories %SystemDrive% /grant=administrators=f 
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f 
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f 
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f 
subinacl /subdirectories %SystemDrive% /grant=system=f

0
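As an added example (my script, not the expert's), here is the same set of eight subinacl resets written so that every pass is appended to a log file and the Done/Modified/Failed summary lines are pulled out at the end, so nothing scrolls past in the console window and any objects subinacl could not change are easy to find afterwards. It assumes subinacl.exe is either on the PATH or in the Resource Kit Tools folder that appears later in this thread's output (C:\Program Files\Windows Resource Kits\Tools); the log file name resetacl.log is my choice.

```batch
@echo off
rem Added example, not the expert's script: the same eight subinacl resets,
rem with each pass logged and the per-pass summary lines extracted afterwards.
rem Assumes subinacl.exe is on PATH or in the Resource Kit Tools folder below.
setlocal
set LOG=%~dp0resetacl.log
set TOOLS=C:\Program Files\Windows Resource Kits\Tools
if exist "%TOOLS%\subinacl.exe" set PATH=%TOOLS%;%PATH%

if exist "%LOG%" del "%LOG%"

rem One pass per hive and one per directory tree, first for Administrators,
rem then for SYSTEM: the same eight commands as the posted resetacl.cmd.
for %%P in (administrators system) do (
  call :reset_hive HKEY_LOCAL_MACHINE %%P
  call :reset_hive HKEY_CURRENT_USER %%P
  call :reset_hive HKEY_CLASSES_ROOT %%P
  call :reset_dirs %SystemDrive% %%P
)

echo.
echo ===== One "Done:" line per subinacl pass (full detail in "%LOG%") =====
findstr /B /C:"Done:" "%LOG%"
echo.
echo ===== Passes where subinacl reported failures (nothing listed means none) =====
findstr /R /C:"Failed *[1-9]" "%LOG%"
goto :eof

:reset_hive
rem %1 = hive, %2 = principal; output and errors both go to the log
echo [%DATE% %TIME%] subinacl /subkeyreg %1 /grant=%2=f >> "%LOG%"
subinacl /subkeyreg %1 /grant=%2=f >> "%LOG%" 2>&1
goto :eof

:reset_dirs
rem %1 = root directory, %2 = principal
echo [%DATE% %TIME%] subinacl /subdirectories %1 /grant=%2=f >> "%LOG%"
subinacl /subdirectories %1 /grant=%2=f >> "%LOG%" 2>&1
goto :eof
```

Run it from an Administrator command prompt; the registry passes take a few minutes each on a full hive, so the timestamps in the log show where any slow pass began. A non-zero "Failed" count in a summary line, together with the object names just above it in the log, tells you which keys or folders still have permissions the cleanup could not reset.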
 
Donald Stewart (Network Administrator) commented:
BTW, HijackThis looked clean.
0
 
Grover247 (Author) commented:
Here is a screenshot of my desktop which shows all of the stuff I have tried so far on the right.
I have enabled some of the services at this point as it seems to make no difference whether they run or not - still snaily.
screenshot.doc
0
 
Donald Stewart (Network Administrator) commented:
subinacl will fix your permissions problem.
0
 
Grover247 (Author) commented:
I downloaded it and ran the setup, and it has installed.
I am reading the info file and it all looks a bit beyond me, I'm embarrassed to say.
Are you able to tell me how to achieve what you suggest in a bit more detail please?
I am happy to try it.
0
 
Donald Stewart (Network Administrator) commented:
Open Notepad, copy and paste the 8 lines above, and then save as resetacl.cmd.
 
Then double click on resetacl.cmd and watch it go to work...... :-)
0
 
Grover247 (Author) commented:
Doh!
I placed the newly created file from your script into the subinacl folder and ran it via a cmd prompt to capture the actions, but it flew past and I only got the last of the commands for some reason. I noticed that on a couple of passes it encountered 3 failures and, to be honest, it was so fast I didn't get all of the info, but it was something like it was unable to access a hive called "secret" somewhere.

Anyway, here's the contents of what I have from the run, but I did what you suggested. Do I need to reboot and try reloading everything now, or can I go from this point without a 15 minute reboot?


yt.CacheLoader : delete Perm. ACE 1 nt authority\system
yt.CacheLoader : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.CacheLoader : 2 change(s)
yt.CacheLoader\CLSID : delete Perm. ACE 1 nt authority\system
yt.CacheLoader\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.CacheLoader\CLSID : 2 change(s)
yt.CacheLoader\CurVer : delete Perm. ACE 1 nt authority\system
yt.CacheLoader\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.CacheLoader\CurVer : 2 change(s)
yt.CacheLoader.1 : delete Perm. ACE 1 nt authority\system
yt.CacheLoader.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.CacheLoader.1 : 2 change(s)
yt.CacheLoader.1\CLSID : delete Perm. ACE 1 nt authority\system
yt.CacheLoader.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.CacheLoader.1\CLSID : 2 change(s)
yt.Clickstream : delete Perm. ACE 1 nt authority\system
yt.Clickstream : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.Clickstream : 2 change(s)
yt.Clickstream\CLSID : delete Perm. ACE 1 nt authority\system
yt.Clickstream\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.Clickstream\CLSID : 2 change(s)
yt.Clickstream\CurVer : delete Perm. ACE 1 nt authority\system
yt.Clickstream\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.Clickstream\CurVer : 2 change(s)
yt.Clickstream.1 : delete Perm. ACE 1 nt authority\system
yt.Clickstream.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.Clickstream.1 : 2 change(s)
yt.Clickstream.1\CLSID : delete Perm. ACE 1 nt authority\system
yt.Clickstream.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.Clickstream.1\CLSID : 2 change(s)
yt.YTHelper : delete Perm. ACE 1 nt authority\system
yt.YTHelper : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YTHelper : 2 change(s)
yt.YTHelper\CLSID : delete Perm. ACE 1 nt authority\system
yt.YTHelper\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YTHelper\CLSID : 2 change(s)
yt.YTHelper\CurVer : delete Perm. ACE 1 nt authority\system
yt.YTHelper\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YTHelper\CurVer : 2 change(s)
yt.YTHelper.2 : delete Perm. ACE 1 nt authority\system
yt.YTHelper.2 : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YTHelper.2 : 2 change(s)
yt.YTHelper.2\CLSID : delete Perm. ACE 1 nt authority\system
yt.YTHelper.2\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YTHelper.2\CLSID : 2 change(s)
yt.YToolbarBand : delete Perm. ACE 1 nt authority\system
yt.YToolbarBand : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YToolbarBand : 2 change(s)
yt.YToolbarBand\CLSID : delete Perm. ACE 1 nt authority\system
yt.YToolbarBand\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YToolbarBand\CLSID : 2 change(s)
yt.YToolbarBand\CurVer : delete Perm. ACE 1 nt authority\system
yt.YToolbarBand\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YToolbarBand\CurVer : 2 change(s)
yt.YToolbarBand.1 : delete Perm. ACE 1 nt authority\system
yt.YToolbarBand.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YToolbarBand.1 : 2 change(s)
yt.YToolbarBand.1\CLSID : delete Perm. ACE 1 nt authority\system
yt.YToolbarBand.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\yt.YToolbarBand.1\CLSID : 2 change(s)
YTabBar.YTabBarControl : delete Perm. ACE 1 nt authority\system
YTabBar.YTabBarControl : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTabBar.YTabBarControl : 2 change(s)
YTabBar.YTabBarControl\CLSID : delete Perm. ACE 1 nt authority\system
YTabBar.YTabBarControl\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTabBar.YTabBarControl\CLSID : 2 change(s)
YTabBar.YTabBarControl\CurVer : delete Perm. ACE 1 nt authority\system
YTabBar.YTabBarControl\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTabBar.YTabBarControl\CurVer : 2 change(s)
YTabBar.YTabBarControl.1 : delete Perm. ACE 1 nt authority\system
YTabBar.YTabBarControl.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTabBar.YTabBarControl.1 : 2 change(s)
YTabBar.YTabBarControl.1\CLSID : delete Perm. ACE 1 nt authority\system
YTabBar.YTabBarControl.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTabBar.YTabBarControl.1\CLSID : 2 change(s)
ytbbroker.YTBCustomizerAssistant : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBCustomizerAssistant : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBCustomizerAssistant : 2 change(s)
ytbbroker.YTBCustomizerAssistant\CLSID : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBCustomizerAssistant\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBCustomizerAssistant\CLSID : 2 change(s)
ytbbroker.YTBCustomizerAssistant\CurVer : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBCustomizerAssistant\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBCustomizerAssistant\CurVer : 2 change(s)
ytbbroker.YTBCustomizerAssistant.1 : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBCustomizerAssistant.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBCustomizerAssistant.1 : 2 change(s)
ytbbroker.YTBCustomizerAssistant.1\CLSID : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBCustomizerAssistant.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBCustomizerAssistant.1\CLSID : 2 change(s)
ytbbroker.YTBMessengerAssistant : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBMessengerAssistant : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBMessengerAssistant : 2 change(s)
ytbbroker.YTBMessengerAssistant\CLSID : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBMessengerAssistant\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBMessengerAssistant\CLSID : 2 change(s)
ytbbroker.YTBMessengerAssistant\CurVer : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBMessengerAssistant\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBMessengerAssistant\CurVer : 2 change(s)
ytbbroker.YTBMessengerAssistant.1 : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBMessengerAssistant.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBMessengerAssistant.1 : 2 change(s)
ytbbroker.YTBMessengerAssistant.1\CLSID : delete Perm. ACE 1 nt authority\system
ytbbroker.YTBMessengerAssistant.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\ytbbroker.YTBMessengerAssistant.1\CLSID : 2 change(s)
YTBM.YTBMButton : delete Perm. ACE 1 nt authority\system
YTBM.YTBMButton : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTBM.YTBMButton : 2 change(s)
YTBM.YTBMButton\CLSID : delete Perm. ACE 1 nt authority\system
YTBM.YTBMButton\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTBM.YTBMButton\CLSID : 2 change(s)
YTBM.YTBMButton\CurVer : delete Perm. ACE 1 nt authority\system
YTBM.YTBMButton\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTBM.YTBMButton\CurVer : 2 change(s)
YTBM.YTBMButton.1 : delete Perm. ACE 1 nt authority\system
YTBM.YTBMButton.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTBM.YTBMButton.1 : 2 change(s)
YTBM.YTBMButton.1\CLSID : delete Perm. ACE 1 nt authority\system
YTBM.YTBMButton.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTBM.YTBMButton.1\CLSID : 2 change(s)
YTNavAssist.NameSpaceCF : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpaceCF : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpaceCF : 2 change(s)
YTNavAssist.NameSpaceCF\CLSID : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpaceCF\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpaceCF\CLSID : 2 change(s)
YTNavAssist.NameSpaceCF\CurVer : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpaceCF\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpaceCF\CurVer : 2 change(s)
YTNavAssist.NameSpaceCF.1 : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpaceCF.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpaceCF.1 : 2 change(s)
YTNavAssist.NameSpaceCF.1\CLSID : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpaceCF.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpaceCF.1\CLSID : 2 change(s)
YTNavAssist.NameSpacePP : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpacePP : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpacePP : 2 change(s)
YTNavAssist.NameSpacePP\CLSID : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpacePP\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpacePP\CLSID : 2 change(s)
YTNavAssist.NameSpacePP\CurVer : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpacePP\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpacePP\CurVer : 2 change(s)
YTNavAssist.NameSpacePP.1 : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpacePP.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpacePP.1 : 2 change(s)
YTNavAssist.NameSpacePP.1\CLSID : delete Perm. ACE 1 nt authority\system
YTNavAssist.NameSpacePP.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.NameSpacePP.1\CLSID : 2 change(s)
YTNavAssist.YTNavAssistPlugin : delete Perm. ACE 1 nt authority\system
YTNavAssist.YTNavAssistPlugin : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin : 2 change(s)
YTNavAssist.YTNavAssistPlugin\CLSID : delete Perm. ACE 1 nt authority\system
YTNavAssist.YTNavAssistPlugin\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin\CLSID : 2 change(s)
YTNavAssist.YTNavAssistPlugin\CurVer : delete Perm. ACE 1 nt authority\system
YTNavAssist.YTNavAssistPlugin\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin\CurVer : 2 change(s)
YTNavAssist.YTNavAssistPlugin.1 : delete Perm. ACE 1 nt authority\system
YTNavAssist.YTNavAssistPlugin.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1 : 2 change(s)
YTNavAssist.YTNavAssistPlugin.1\CLSID : delete Perm. ACE 1 nt authority\system
YTNavAssist.YTNavAssistPlugin.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1\CLSID : 2 change(s)
YTSingleInstance.SingleInstance : delete Perm. ACE 1 nt authority\system
YTSingleInstance.SingleInstance : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTSingleInstance.SingleInstance : 2 change(s)
YTSingleInstance.SingleInstance\CLSID : delete Perm. ACE 1 nt authority\system
YTSingleInstance.SingleInstance\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTSingleInstance.SingleInstance\CLSID : 2 change(s)
YTSingleInstance.SingleInstance\CurVer : delete Perm. ACE 1 nt authority\system
YTSingleInstance.SingleInstance\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTSingleInstance.SingleInstance\CurVer : 2 change(s)
YTSingleInstance.SingleInstance.1 : delete Perm. ACE 1 nt authority\system
YTSingleInstance.SingleInstance.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTSingleInstance.SingleInstance.1 : 2 change(s)
YTSingleInstance.SingleInstance.1\CLSID : delete Perm. ACE 1 nt authority\system
YTSingleInstance.SingleInstance.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\YTSingleInstance.SingleInstance.1\CLSID : 2 change(s)
ZAMailSafe : delete Perm. ACE 1 nt authority\system
ZAMailSafe : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZAMailSafe : 2 change(s)
ZAMailSafe\DefaultIcon : delete Perm. ACE 1 nt authority\system
ZAMailSafe\DefaultIcon : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZAMailSafe\DefaultIcon : 2 change(s)
ZAMailSafe\Shell : delete Perm. ACE 1 nt authority\system
ZAMailSafe\Shell : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZAMailSafe\Shell : 2 change(s)
ZAMailSafe\Shell\open : delete Perm. ACE 1 nt authority\system
ZAMailSafe\Shell\open : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZAMailSafe\Shell\open : 2 change(s)
ZAMailSafe\Shell\open\command : delete Perm. ACE 1 nt authority\system
ZAMailSafe\Shell\open\command : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZAMailSafe\Shell\open\command : 2 change(s)
zapfile : delete Perm. ACE 1 nt authority\system
zapfile : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile : 2 change(s)
zapfile\DefaultIcon : delete Perm. ACE 1 nt authority\system
zapfile\DefaultIcon : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\DefaultIcon : 2 change(s)
zapfile\shell : delete Perm. ACE 1 nt authority\system
zapfile\shell : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell : 2 change(s)
zapfile\shell\open : delete Perm. ACE 1 nt authority\system
zapfile\shell\open : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell\open : 2 change(s)
zapfile\shell\open\command : delete Perm. ACE 1 nt authority\system
zapfile\shell\open\command : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell\open\command : 2 change(s)
zapfile\shell\print : delete Perm. ACE 1 nt authority\system
zapfile\shell\print : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell\print : 2 change(s)
zapfile\shell\print\command : delete Perm. ACE 1 nt authority\system
zapfile\shell\print\command : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell\print\command : 2 change(s)
zapfile\shell\printto : delete Perm. ACE 1 nt authority\system
zapfile\shell\printto : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell\printto : 2 change(s)
zapfile\shell\printto\command : delete Perm. ACE 1 nt authority\system
zapfile\shell\printto\command : new ace for nt authority\system
HKEY_CLASSES_ROOT\zapfile\shell\printto\command : 2 change(s)
ZIPBuilder.ZIPBuilder : delete Perm. ACE 1 nt authority\system
ZIPBuilder.ZIPBuilder : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZIPBuilder.ZIPBuilder : 2 change(s)
ZIPBuilder.ZIPBuilder\CLSID : delete Perm. ACE 1 nt authority\system
ZIPBuilder.ZIPBuilder\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZIPBuilder.ZIPBuilder\CLSID : 2 change(s)
ZIPBuilder.ZIPBuilder\CurVer : delete Perm. ACE 1 nt authority\system
ZIPBuilder.ZIPBuilder\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZIPBuilder.ZIPBuilder\CurVer : 2 change(s)
ZIPBuilder.ZIPBuilder.1 : delete Perm. ACE 1 nt authority\system
ZIPBuilder.ZIPBuilder.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZIPBuilder.ZIPBuilder.1 : 2 change(s)
ZIPBuilder.ZIPBuilder.1\CLSID : delete Perm. ACE 1 nt authority\system
ZIPBuilder.ZIPBuilder.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\ZIPBuilder.ZIPBuilder.1\CLSID : 2 change(s)
Zlavscan.ZLAVShExt : delete Perm. ACE 1 nt authority\system
Zlavscan.ZLAVShExt : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt : 2 change(s)
Zlavscan.ZLAVShExt\CLSID : delete Perm. ACE 1 nt authority\system
Zlavscan.ZLAVShExt\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt\CLSID : 2 change(s)
Zlavscan.ZLAVShExt\CurVer : delete Perm. ACE 1 nt authority\system
Zlavscan.ZLAVShExt\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt\CurVer : 2 change(s)
Zlavscan.ZLAVShExt.1 : delete Perm. ACE 1 nt authority\system
Zlavscan.ZLAVShExt.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt.1 : 2 change(s)
Zlavscan.ZLAVShExt.1\CLSID : delete Perm. ACE 1 nt authority\system
Zlavscan.ZLAVShExt.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt.1\CLSID : 2 change(s)
Zone.ClientM : delete Perm. ACE 1 nt authority\system
Zone.ClientM : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zone.ClientM : 2 change(s)
Zone.ClientM\CLSID : delete Perm. ACE 1 nt authority\system
Zone.ClientM\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zone.ClientM\CLSID : 2 change(s)
Zone.ClientM\CurVer : delete Perm. ACE 1 nt authority\system
Zone.ClientM\CurVer : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zone.ClientM\CurVer : 2 change(s)
Zone.ClientM.1 : delete Perm. ACE 1 nt authority\system
Zone.ClientM.1 : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zone.ClientM.1 : 2 change(s)
Zone.ClientM.1\CLSID : delete Perm. ACE 1 nt authority\system
Zone.ClientM.1\CLSID : new ace for nt authority\system
HKEY_CLASSES_ROOT\Zone.ClientM.1\CLSID : 2 change(s)
{49968EDC-6871-4777-8A29-784254A9D827} : delete Perm. ACE 1 nt authority\system
{49968EDC-6871-4777-8A29-784254A9D827} : new ace for nt authority\system
HKEY_CLASSES_ROOT\{49968EDC-6871-4777-8A29-784254A9D827} : 2 change(s)
{49968EDC-6871-4777-8A29-784254A9D827}\0 : delete Perm. ACE 1 nt authority\system
{49968EDC-6871-4777-8A29-784254A9D827}\0 : new ace for nt authority\system
HKEY_CLASSES_ROOT\{49968EDC-6871-4777-8A29-784254A9D827}\0 : 2 change(s)


Elapsed Time: 00 00:03:50
Done:    93177, Modified    93177, Failed        0, Syntax errors        0
Last Done  : HKEY_CLASSES_ROOT\{49968EDC-6871-4777-8A29-784254A9D827}\0

C:\PROGRA~1\Windows Resource Kits\Tools>subinacl /subdirectories C: /grant=system=f
C:\PROGRA~1\Windows Resource Kits\Tools : delete Perm. ACE 7 nt authority\system
C:\PROGRA~1\Windows Resource Kits\Tools : delete Perm. ACE 6 nt authority\system
C:\PROGRA~1\Windows Resource Kits\Tools : new ace for nt authority\system
C:\PROGRA~1\Windows Resource Kits\Tools : new ace for nt authority\system
C:\PROGRA~1\Windows Resource Kits\Tools : 4 change(s)


Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : C:\PROGRA~1\Windows Resource Kits\Tools

C:\PROGRA~1\Windows Resource Kits\Tools>
0
 
Donald Stewart (Network Administrator) commented:
Skip the reboot, see if you can now run any of the apps.
0
 
Grover247 (Author) commented:
Still the same, I am afraid.
I have since rebooted and am currently 6 mins into the boot up process.
Shall I run your script again and try to identify the failures more accurately?

0
 
Donald Stewart (Network Administrator) commented:
No, it only needs to run once; we need to look for other issues.

Check the event log for errors.
0
 
Grover247 (Author) commented:
Hi,

I have looked into the event log after completely clearing the log files to prevent anything misleading from being there. I have two services that cannot start that are flooding the system log file. They are KLIF (90%) and TSP (10%). I saw on the EE knowledgebase they are from an old antivirus install, yet I can't see them anywhere in the list of installed devices. I have selected to show hidden and also run the command that the article suggested, but I can't see the entries. Maybe I typed it wrongly, but it took it and did not give me syntax errors. I would estimate there are around 50 entries in there from these two in the last hour as it is constantly trying to start them.

Do you think this might be the cause of the slow startup?
0
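As an added example (mine, not from the thread), a small batch script that shows what the Service Control Manager and the registry still hold for the two services named above, and removes the orphaned registrations only when run with a /delete argument, once you have checked that the driver files they point to really are gone. The service names klif and tsp are taken from the event log description above; the /delete switch is my convention, and the paths printed by sc qc come from whatever the old installer left behind.

```batch
@echo off
rem Added example, not from the thread: inspect (and optionally remove) the
rem leftover service registrations that keep failing to start at boot.
rem Usage:  leftover_services.cmd            (inspect only)
rem         leftover_services.cmd /delete    (inspect, then stop and delete)
setlocal
set ACTION=%~1

for %%S in (klif tsp) do (
  echo ===== %%S =====
  rem State as the SCM sees it: STOPPED, START_PENDING, or "OpenService FAILED 1060"
  rem if the service does not exist at all.
  sc query %%S
  rem Registered binary path and start type; for a removed antivirus the
  rem BINARY_PATH_NAME usually points at a driver file that no longer exists,
  rem which is exactly why the System log fills with start failures.
  sc qc %%S
  rem The same information straight from the registry, in case the SCM
  rem entry is damaged and sc qc fails.
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%S" /v ImagePath
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%S" /v Start
  if /I "%ACTION%"=="/delete" (
    echo --- removing %%S ---
    sc stop %%S >nul 2>&1
    sc delete %%S
  )
  echo.
)

if /I not "%ACTION%"=="/delete" (
  echo Review the BINARY_PATH_NAME / ImagePath values above. If the files are gone,
  echo rerun this script with /delete, reboot, and confirm the System log is quiet.
)
```

Run it as Administrator. The point of the two-step design is that `sc delete` is irreversible: look at the ImagePath first, confirm the file is absent (or belongs to the uninstalled product), and only then remove the entry. A Start value of 0 or 1 means a boot-time or system-start driver, which is why a dead entry of this kind costs time on every boot.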
 
Grover247 (Author) commented:
Hi,

I did this and I got some useful results, as I could not see these services mentioned anywhere:

(1) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Examine that list for anything relating to those services.

I was then able to remove the entries and it boots a tiny bit faster, but it's still slower on boot up than an ice age.

I will look for more entries in the event log as I seem to remember somewhere reading one of the 'ordinary errors' that I saw reported in there was actually a possible trojan virus.

I'll be honest,  I hate this pc with the viruses, which is the cause of this thread.

If it wasn't for the fact that the guy who owns it runs a great restaurant and I stand to get some free meals from him as payment, I would have given up long ago.

Indian food is soooo good, especially the really hot stuff. Baz Luhrmann said in his Sunscreen song 'do something every day that scares you' and sometimes eating their really hot curries takes me a little closer to that song...

Anyway, onward and upward and I will post the event log messages in case it rings a few bells with one of you extremely clever folks out there

Won't be long...
0
 
Grover247 (Author) commented:
I see nothing untoward in the event logs, but I still cannot install most AV products. I am currently running the Kaspersky online scan after a lot of fighting to even get it to run. It has only scanned a couple of files and has been stuck on SHLWAPI.DLL for absolutely hours, so I think this may be corrupted or infected.
I have looked through the EE knowledgebase and it points me in the direction to run some free fix programs. I obviously don't want to mess things up by messing with this, but it seems to be the logical next step. Does anyone else know why Kaspersky may be stuck on this file?

Cheers
Grover247
0
 
Grover247 (Author) commented:
I finally got the authority back to run the cleanup programs available free on the web.
I used

SuperAntiSpyware
http://www.superantispyware.com/

Kaspersky online scanner and eventually kaspersky internet security suite
http://www.kaspersky.co.uk/virusscanner
http://www.kaspersky.co.uk/trials

I hope this helps somebody else

All the best to others infected in the same way

Points go to dstewartjr as I got so much help from him. Thanks pal

Zone alarm
www.zonealarm.com 

Autoruns
See my entry above for a link to this

Malwarebytes Anti-Malware
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
I used the anti malware program because I had the "Antivirus 2009" trojan virus on my machine. Info here on this one which leads you to the MBAM link above
http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009


Sophos anti rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html


subinacl
See the above entries from the expert who helped me

SDFix
http://www.bleepingcomputer.com/forums/topic131299.html

ResetSecuritySettingsBackToTheDefaults (from Microsoft)
http://support.microsoft.com/kb/313222

Hijack this
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Unlocker (allows you to delete locked files)
http://majorgeeks.com/Unlocker_d4660.html

Regcure
http://www.regcure.com


Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

MSCONFIG MISSING ISSUE

I discovered I could not use msconfig from the start/run process as it had been deleted by a virus. I found a copy of it in and it allowed me to run it from that folder only, so I copied it back into the correct folder and it could be called from the start/run command again.

The location of the msconfig.exe is defined in HKLM\software\microsoft\windows\currentversion\app paths\msconfig\
The default value contains the path to the msconfig executable.
Mine should have been in C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe, but I found and copied it back from C:\WINDOWS\ServicePackFiles\i386
0
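An added example of the same check as a script (mine, not the poster's procedure): it reads the App Paths entry that Start/Run uses to find msconfig, confirms the executable is where that entry expects it, restores it from the ServicePackFiles cache the poster used if it is missing, and binary-compares the two copies so a tampered file shows up as a difference. The paths are the ones given above; the App Paths subkey is named after the executable, MSCONFIG.EXE, which the post abbreviates as msconfig.

```batch
@echo off
rem Added example, not the poster's steps: check and repair the msconfig
rem lookup path. Paths below are the XP defaults quoted in the thread.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE
set EXPECTED=%SystemRoot%\PCHealth\HelpCtr\Binaries\MSConfig.exe
set CACHE=%SystemRoot%\ServicePackFiles\i386\msconfig.exe

echo --- App Paths entry that Start/Run resolves "msconfig" through ---
rem The (Default) value of this key is the full path Windows will launch.
reg query "%KEY%" /ve
if errorlevel 1 echo WARNING: App Paths key missing, so Start/Run cannot find msconfig by name.

echo.
if exist "%EXPECTED%" (
  echo msconfig present at "%EXPECTED%"
) else (
  echo msconfig MISSING from "%EXPECTED%"
  if exist "%CACHE%" (
    echo restoring from the Service Pack cache "%CACHE%"
    copy /Y "%CACHE%" "%EXPECTED%"
  ) else (
    echo no cached copy found either; the file must come from install media
  )
)

echo.
rem Byte-for-byte compare against the cached copy: a "live" msconfig that
rem differs from the Service Pack file is worth a closer look.
if exist "%EXPECTED%" if exist "%CACHE%" (
  fc /B "%EXPECTED%" "%CACHE%" >nul
  if errorlevel 1 (
    echo copies DIFFER: investigate "%EXPECTED%" before trusting it
  ) else (
    echo copies are identical to the Service Pack cache
  )
)
```

Run it from an Administrator prompt. If the App Paths key itself is missing, recreating it by hand with `reg add` and the path shown above is enough for Start/Run to work again; the binary compare is the part that matters for a machine that was infected, since a replaced msconfig.exe would otherwise run with full rights every time you opened it.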
 
Grover247 (Author) commented:
You got me started on the right track, so thanks very much for your time. I finally got it all fixed with a multitude of other programs and fixes. See my last posts if you are interested.
0
