Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HijackThis log


Post by krforrester » May 7th, 2006, 1:10 pm

Here is the regkey log:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"=""
"MtdAcq"="C:\\Program Files\\Creative\\Shared Files\\Media Sniffer\\MtdAcq.EXE /s"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Launchpad"=""
@=" /s"

And here is the regperms log:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Can't open Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

1011 - The configuration registry key could not be opened.
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm

Post by 'KotaGuy » May 7th, 2006, 8:02 pm

Still looking into this... trying to figure out why the permissions weren't exported properly...
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by 'KotaGuy » May 8th, 2006, 12:07 pm

Hi... had a mistake in my batch file... try this please.

Copy/paste the following text into a new Notepad document. Make sure that wordwrap is turned off.

@echo off
rem Start from a clean permissions log
if exist regperms.txt del regperms.txt
rem Dump the ACL of the current user's Run key with RegDACL (the output includes the ACL and effective permissions)
For %%i in ("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") Do regdacl %%i /L /E >> regperms.txt

rem Export the key's values in REGEDIT4 (ANSI) format for review
regedit /a /e regkey.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

rem Open both logs so they can be copied into a reply
Notepad regperms.txt
notepad regkey.txt


Save it in the same folder you saved RegDACL in as readperm.bat. Save it as File Type: All Files (not as a text document or it won't work).

Open the folder you saved RegDACL in. Double-click readperm.bat. Notepad will open with regperms.txt and regkey.txt. Please post the content of both files. If Notepad doesn't bring up the text files, open the RegDACL folder and open regperms.txt and regkey.txt yourself.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by krforrester » May 8th, 2006, 8:53 pm

Here is the regperms log:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
(NI) ALLOW Full access S-1-5-21-1733290971-784569582-2966927733-1005
(IO) ALLOW Full access S-1-5-21-1733290971-784569582-2966927733-1005
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Read NT AUTHORITY\RESTRICTED
(IO) ALLOW Read NT AUTHORITY\RESTRICTED

Effective permissions for Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Full access S-1-5-21-1733290971-784569582-2966927733-1005
Full access NT AUTHORITY\SYSTEM
Full access BUILTIN\Administrators
Read NT AUTHORITY\RESTRICTED


And here is the regkey log:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"=""
"MtdAcq"="C:\\Program Files\\Creative\\Shared Files\\Media Sniffer\\MtdAcq.EXE /s"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Launchpad"=""
@=" /s"
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm
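The two logs just posted are the kind of thing a helper reads by eye. As an added example that is not part of the thread (it is neither 'KotaGuy's batch file nor RegDACL's own code), the Python script below parses a REGEDIT4 export and a RegDACL ACL listing and reports what a reviewer would look at: Run-key values with an empty command or no executable path (this key has three such entries), and which principals can actually modify the key. The sample input is the two logs above, embedded verbatim as constructed test data. Two assumptions are built in: the RegDACL rights vocabulary is limited to the two kinds seen here ("Full access" and "Read"), and an ACE flagged (IO) is read as inherit-only, i.e. it applies to subkeys rather than the key itself.

```python
import re

# Constructed sample input: the two logs copied from this thread (the REGEDIT4
# export of the Run key and the RegDACL listing of that key's ACL).
REGKEY_LOG = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"=""
"MtdAcq"="C:\\Program Files\\Creative\\Shared Files\\Media Sniffer\\MtdAcq.EXE /s"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Launchpad"=""
@=" /s"
'''

REGPERMS_LOG = r'''Access Control List for Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
(NI) ALLOW Full access S-1-5-21-1733290971-784569582-2966927733-1005
(IO) ALLOW Full access S-1-5-21-1733290971-784569582-2966927733-1005
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Read NT AUTHORITY\RESTRICTED
(IO) ALLOW Read NT AUTHORITY\RESTRICTED

Effective permissions for Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Full access S-1-5-21-1733290971-784569582-2966927733-1005
'''

# One value line of a .reg file: "name"=... or @=... for the default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(?:"((?:[^"\\]|\\.)*)"|(.*))$')
# One ACE line as RegDACL prints it. Assumption: only the two rights
# wordings visible in the thread are recognised.
ACE_RE = re.compile(r'^\((\w+)\)\s+(ALLOW|DENY)\s+(Full access|Read)\s+(.+)$')
# Leading executable of a launch string, quoted or not, with optional arguments.
EXE_RE = re.compile(r'^\s*"?(.+?\.(?:exe|com|bat|cmd|scr|pif))"?(?:\s|$)', re.IGNORECASE)


def unescape(s):
    # Undo .reg escaping (backslash-backslash and backslash-quote).
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4 text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('REGEDIT4') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(2) else unescape(m.group(1))
            data = unescape(m.group(3)) if m.group(3) is not None else m.group(4)
            keys[current][name] = data
    return keys


def autorun_findings(values):
    """Flag Run-key values a reviewer should look at: empty commands and
    commands that do not start with an executable path."""
    findings = []
    for name, command in values.items():
        if not command.strip():
            findings.append((name, 'empty command'))
        elif not EXE_RE.match(command):
            findings.append((name, 'no executable path'))
    return findings


def parse_regdacl(text):
    """Return (flag, type, rights, trustee) tuples from RegDACL's ACL section."""
    aces, in_acl = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Access Control List for Registry key'):
            in_acl = True
            continue
        if in_acl:
            if not line:
                break  # a blank line ends the ACL section
            m = ACE_RE.match(line)
            if m:
                aces.append(m.groups())
    return aces


def writers(aces):
    """Trustees allowed Full access on the key itself. Assumption: an ACE
    flagged (IO) is inherit-only and applies to subkeys, not this key."""
    return sorted({t for flag, kind, rights, t in aces
                   if kind == 'ALLOW' and flag != 'IO' and rights == 'Full access'})


def report(regkey_text, regperms_text):
    """Summarise a posted Run-key export together with its RegDACL listing."""
    lines = []
    for key, values in parse_reg_export(regkey_text).items():
        lines.append(f'[{key}] {len(values)} value(s)')
        for name, why in autorun_findings(values):
            lines.append(f'  check: {name!r}: {why}')
    lines.append('can modify key: ' + ', '.join(writers(parse_regdacl(regperms_text))))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(REGKEY_LOG, REGPERMS_LOG)))
```

Run as-is it reports the three odd values (RemoteCenter and ATI Launchpad with empty commands, and a default value of " /s" with no executable) and lists the user's own SID, SYSTEM and Administrators as the principals that can write to the key, which is the normal layout for an HKCU key and matches 'KotaGuy's "permissions look good" assessment. Whether a launch string's executable actually exists has to be checked on the machine itself; the parser only works from the posted text.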

Post by 'KotaGuy » May 8th, 2006, 10:20 pm

Thanks for posting the logs... permissions look good.

Hmmm

This is weird...

Ok... off to do more research... I'll be back 8)
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by krforrester » May 9th, 2006, 10:33 pm

I just thought I would mention an issue that has been occurring on my computer for quite some time now. I have no idea if it has anything to do with what we are trying to accomplish, but I will throw it out there anyway.

Whenever I start my computer the file "System 32" always opens up. It is not listed as a program or file to open on start up and I may have read something in the past that it has something to do with the Audigy sound card.

Anyway, just tossing that out there. Thanks for all your help.
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm

Post by 'KotaGuy » May 9th, 2006, 11:47 pm

Thanks for the info... that may have something to do with this reg entry... not sure yet.

Can you check something for me quickly please?

Go to Start>All Programs>Startup Folder... let me know if the System32 folder is listed there.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by krforrester » May 10th, 2006, 2:31 am

No it's not there.
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm

Post by krforrester » May 10th, 2006, 2:43 am

I just looked a little closer and I do see this on startup:

"RAMASST"

When I right click and check the properties it shows the target as:

"C:\WINDOWS\system32\RAMASST.exe"
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm

Post by 'KotaGuy » May 10th, 2006, 1:52 pm

RAMASST.exe is a file installed with some DVD burners... do you have one?
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by krforrester » May 10th, 2006, 3:08 pm

Yes, I added a Sony DVD burner about a year ago. I do not recall if this problem started at that time, but it certainly could have.
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm

Post by 'KotaGuy » May 10th, 2006, 3:45 pm

OK... you could try deleting that shortcut from the Startup folder. Then reboot and see if the System32 folder pops up still.

Not sure if that's the issue though.

If it does solve the issue... test burn a DVD/CD or something and see if you have any problems... if not great! If you do have problems you may need to recreate that shortcut as removing it from starting up has caused issues with some burners.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by 'KotaGuy » May 10th, 2006, 7:02 pm

Copy/paste the following quote box into a new notepad (not wordpad) document.

rem Export the Run key from the user's profile hive (addressed by SID) to a temporary file
regedit /e %systemdrive%\regkey.txt "HKEY_USERS\S-1-5-21-1733290971-784569582-2966927733-1005\Software\Microsoft\Windows\CurrentVersion\Run"
rem Show the export so it can be copied, then remove the file when Notepad closes
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt


Save it to your Desktop as regkey.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: regkey.bat

Locate regkey.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply.

When you close Notepad, the CMD window will close automatically and the text file will be deleted, so copy/paste that info into your reply before closing the Notepad window.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by krforrester » May 10th, 2006, 10:13 pm

That doesn't work. It tells me "Can't find regkey.txt file".
krforrester
Regular Member
 
Posts: 55
Joined: January 8th, 2006, 4:05 pm

Post by 'KotaGuy » May 10th, 2006, 11:33 pm

OK... thanks... will be back with more instructions :)
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada