This is my first post and I'm not sure where to post it at... if this isn't the correct place, please direct me or move this topic.
In an effort to clean my computer (I run XP Pro 2002/sp3), I ran the following programs yesterday in the order listed below and accompanied by their log files.
After running these programs with the necessary restarts, I started to play a game and the audio started breaking up, skipping, and just didn't sound correct. I then attempted to play a song with WMP with the same results. Thinking my Sound Blaster Live had a problem, I uninstalled and reinstalled it, but the problem remained.
At this point I did a System Restore to just prior to running all of the scans listed below. That corrected my audio problem but now I'm sure that everything the scans found and deleted has been reinstalled.
Today, I downloaded and saved several INSTALLERS, Montiera Toolbar removal tool and SpyHunter (I never run an installer w/o first scanning it) and tried to scan them by right clicking and selecting MalwareBytes in the Context menu. When I did this, I rec'd this error - Run-Time Error 383....Text property is read only. I tried the scan several times with the same error message. I then decided to scan a folder in My Documents with the same results.
I use Zone Alarm Anti-Virus + Firewall (free) and was able to scan the installers and the My Docs. folder.
Sorry if this post seems long and 'rambling' but I felt that all the steps I took (and the scan logs) leading up to this Run-Time Error would be helpful and that someone would be able to tell me if they see what may be causing this Run-Time error.
Any help will be greatly appreciated...... Grayghost
> Kaspersky TDSSKiller - nothing was found, no log file.
> RKill
Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 09/20/2013 06:15:11 PM in x86 mode. Windows Version: Microsoft Windows XP Service Pack 3
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\WINDOWS\system32\CTsvcCDA.exe (PID: 1240) [WD-HEUR]
* C:\WINDOWS\system32\MsPMSPSv.exe (PID: 1464) [WD-HEUR]
2 proccesses terminated!
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = dword:00000000
* Reparse Point/Junctions Found (Most likely legitimate)!
* C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
Checking Windows Service Integrity:
* No issues found.
Searching for Missing DIGITAL Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 09/20/2013 06:16:23 PM Execution time: 0 hours(s), 1 minute(s), and 12 seconds(s)
> MalwareBytes (free)
Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org
Database version: v2013.09.20.10
Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Grayghost :: HOME-5409271691 [administrator]
9/20/2013 6:24:08 PM mbam-log-2013-09-20 (18-24-08).txt
Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 246730 Time ELAPSED: 14 minute(s), 47 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 1 HKCU\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)
(end)
> HitmanPro
HitmanPro 3.7.7.205 www.hitmanpro.com
Computer name . . . . : HOME-5409271691 Windows . . . . . . . : 5.1.3.2600.X86/1 User name . . . . . . : HOME-5409271691\Grayghost License . . . . . . . : Free
Scan date . . . . . . : 2013-09-20 18:54:23 Scan mode . . . . . . : Normal Scan duration . . . . : 12m 47s Disk access mode . . : Direct disk access (SRB) Cloud . . . . . . . . : Internet Reboot . . . . . . . : No
Threats . . . . . . . : 0 Traces . . . . . . . : 112
Objects scanned . . . : 674,460 Files scanned . . . . : 65,801 Remnants scanned . . : 128,072 files / 480,587 keys
Potential Unwanted Programs _________________________________________________
> RogueKiller (2 notepad files created (different numbers) and 1 Quarantine file created (not shown here))
1st log;
RogueKiller V8.6.12 [Sep 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.adlice.com/forum/ Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : Grayghost [Admin rights] Mode : Remove -- Date : 09/20/2013 19:18:15 | ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 1 ¤¤¤ [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 IDE) (Standard disk drives) - WDC WD5000AAKB-00H8A0 +++++ --- User --- [MBR] 5397d9ca488f96641665f93ebf426bd4 [BSP] 5e7fc1c73a65fa437c926d5262ff9d16 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo User = LL1 ... OK! User = LL2 ... OK!
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 IDE) (Standard disk drives) - WDC WD1200JB-75CRA0 +++++ --- User --- [MBR] e86710e4c0e4914455de6d4454727d49 [BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code Partition table: 0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114438 Mo User = LL1 ... OK! User = LL2 ... OK!
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 USB) (Standard disk drives) - SanDisk Cruzer USB Device +++++ --- User --- [MBR] 813e5696250ca15131df650420bac6e4 [BSP] 096ca65415799301792a33c93b5e78da : Windows XP MBR Code Partition table: 0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7691 Mo User = LL1 ... OK! Error reading LL2 MBR!
Finished : << RKreport[0]_D_09202013_191815.txt >> RKreport[0]_S_09202013_191648.txt
2nd. log;
RogueKiller V8.6.12 [Sep 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.adlice.com/forum/ Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : Grayghost [Admin rights] Mode : Remove -- Date : 09/20/2013 19:27:45 | ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 IDE) (Standard disk drives) - WDC WD5000AAKB-00H8A0 +++++ --- User --- [MBR] 5397d9ca488f96641665f93ebf426bd4 [BSP] 5e7fc1c73a65fa437c926d5262ff9d16 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo User = LL1 ... OK! User = LL2 ... OK!
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 IDE) (Standard disk drives) - WDC WD1200JB-75CRA0 +++++ --- User --- [MBR] e86710e4c0e4914455de6d4454727d49 [BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code Partition table: 0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114438 Mo User = LL1 ... OK! User = LL2 ... OK!
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 USB) (Standard disk drives) - SanDisk Cruzer USB Device +++++ --- User --- [MBR] 813e5696250ca15131df650420bac6e4 [BSP] 096ca65415799301792a33c93b5e78da : Windows XP MBR Code Partition table: 0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7691 Mo User = LL1 ... OK! Error reading LL2 MBR!
Finished : << RKreport[0]_D_09202013_192745.txt >> RKreport[0]_D_09202013_191815.txt;RKreport[0]_S_09202013_191648.txt;RKreport[0]_S_09202013_192503.txt
> JRT (Junk Removal Tool)
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.1 (09.15.2013:1)
OS: Microsoft Windows XP x86
Ran by Grayghost on Fri 09/20/2013 at 19:59:07.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\speedypc software
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\speedypc software
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\wincert"
Successfully deleted: [Folder] "C:\Documents and Settings\Grayghost\Application Data\speedypc software"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on Fri 09/20/2013 at 20:23:50.57 End of JRT log
> AdwCleaner
# AdwCleaner v3.004 - Report created 20/09/2013 at 19:48:49
# Updated 15/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Grayghost - HOME-5409271691
# Running from : C:\Documents and Settings\Grayghost\Desktop\adwcleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
[x] Not Deleted : C:\Documents and Settings\Grayghost\Application Data\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Documents and Settings\Grayghost\Application Data\DriverCure
***** [ Shortcuts ] *****
***** [ Registry ] *****
***** [ Browsers ] *****
-\\ Internet Explorer v8.0.6001.18702
*************************
AdwCleaner[R0].txt - [5056 octets] - [10/09/2013 19:54:42]
AdwCleaner[R1].txt - [2884 octets] - [20/09/2013 19:44:23]
AdwCleaner[S0].txt - [5257 octets] - [10/09/2013 19:58:20]
AdwCleaner[S1].txt - [2868 octets] - [20/09/2013 19:48:49]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2928 octets] ##########

Just curious...what A/V app do you run ? ?
BTW nothing malicious can exist in a read only text file so I wouldn't fret too much...

Not sure what you mean by the question "what A/V app do you run ? ?" If you're asking for my Anti-Virus (A/V); I use Zone Alarm Anti-Virus + Firewall (Free)
If you're asking about my audio video (A/V); I use Creative Sound Blaster Live (driver version 5.12.01.124) for the audio. It's old and has the last updates I could find. I use an ATI Diamond S120 128mb DDR Radeon 9550 Graphics card.
I understand what you're saying about "nothing Malicious can exist.......", but it goes beyond the reading of those installer "read only" files. I can't right click and scan (from the Context menu) any folder in My Docs. with MalwareBytes w/o getting that Run-Time error, yet I can run scans of the same items with Zone Alarm Anti-Virus. I never had this problem until I ran all of these scans yesterday and would like to fix the problem.

It's very possible that MBAM won't scan those file types...visit their Forums and see...

I'll check it out, but like I said, in the past I've individually scanned not only folders in My Docs., but also all downloaded and saved installers/programs before I run them.
Don't know if I NEED to create another post for this but I'll ask and see what happens.....
I've noticed in my registry many folders of programs I've tried and removed with Add/Remove Programs. These are under HKEY- local Machine - Software. My question is.... can I right click on those folders and delete them w/o any problems? They are not listed in Add/Remove, Msconfig Startup tab, and I've deleted them through C: All Programs and C: Docs & Settings > (each individual User and All Users) Application Data folders. My CCleaner and Auslogics Reg. cleaners never remove any of these unused/uninstalled Reg. folders. Also, none of the scans I ran yesterday (that led to this Run-Time error problem) picked up on any of these folders.

Consider this Run-Time Error 383 thread as solved. I decided to uninstall MalwareBytes and reinstall it and during the uninstall I got a message that something was missing and it couldn't uninstall the program. Right then I knew there was a problem with the installed version so I downloaded another copy of the installer and installed it over the first one, then deleted everything and reinstalled it again and the problem was solved... the program scanned everything I tried to scan when I was getting the error message. Wish I'd thought about a possible 'bad install' sooner.
Thanks Patio for your time and help....... Grayghost

Good to hear you are fixed up...