Re: malicious software removal tool



According to File.net, szkg.sys belongs to StopZilla!. If you don't have /
have never had this program on your computer, you still have malware.
Szkg.sys is not a core Windows program.

C:\Documents and Settings\Ian\ntuser.dat is a hidden file. User ian must
have access to this file because it is the user portion of the registry. A
way to investigate this particular problem is by using Process Explorer.
Search for all programs which have a handle on the subject file.

Jim


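The two checks Jim describes above (read the Userenv 1508/1502 records for the file that could not be opened, then find out which process holds a handle on it) can be scripted. The following is an added example, not code from Jim or from anyone in this thread. It parses Event Viewer records in the "copy to clipboard" layout the original poster pasted, pulls the locked path out of the DETAIL line and the driver name out of the SCM 7026 record, and then parses the output of Sysinternals handle.exe (the command-line counterpart of the Process Explorer "Find Handle" search, e.g. `handle.exe -a ntuser.dat`) to list the holders. The event text is a constructed sample mirroring two of the posted records; the handle.exe column layout is an assumption, and the process `example_agent.exe` / PID 1840 in it is hypothetical, included only so the search finds something other than the kernel.

```python
import re
from datetime import datetime

# Constructed sample in the layout Event Viewer (XP) produces when a record is
# copied to the clipboard; it mirrors the SCM 7026 and Userenv 1508 records
# posted in the thread.
EVENT_TEXT = """\
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 15/10/2009
Time: 13:57:15
User: N/A
Computer: S2N7O9
Description:
The following boot-start or system-start driver(s) failed to load:
szkg

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1508
Date: 15/10/2009
Time: 14:02:12
User: NT AUTHORITY\\SYSTEM
Computer: S2N7O9
Description:
Windows was unable to load the registry. This is often caused by
insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by
another process. for C:\\Documents and Settings\\Ian\\ntuser.dat

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""

# Constructed sample of `handle.exe -a ntuser.dat` output. The column layout
# is an assumption about handle.exe; example_agent.exe / PID 1840 is
# hypothetical. The kernel (System, PID 4) normally holds a loaded hive.
HANDLE_TEXT = """\
System             pid: 4      type: File           2F4: C:\\Documents and Settings\\Ian\\ntuser.dat
System             pid: 4      type: File           2F8: C:\\Documents and Settings\\Ian\\ntuser.dat.LOG
example_agent.exe  pid: 1840   type: File           1C0: C:\\Documents and Settings\\Ian\\ntuser.dat
explorer.exe       pid: 1528   type: File           3A0: C:\\Documents and Settings\\Ian\\Desktop
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$", re.M)
FOOTER_RE = re.compile(r"\n*For more information, see Help and Support Center.*", re.S)
PATH_RE = re.compile(r"\bfor\s+([A-Za-z]:\\[^\r\n]+?)\s*$", re.M)
HANDLE_RE = re.compile(r"^(?P<proc>.+?)\s+pid:\s*(?P<pid>\d+).*?type:\s*File\s+(?P<handle>[0-9A-Fa-f]+):\s*(?P<path>.+?)\s*$", re.M)


def parse_events(text):
    """Split clipboard-style Event Viewer text into records, oldest first."""
    events = []
    for chunk in re.split(r"(?=^Event Type:)", text, flags=re.M):
        if not chunk.strip():
            continue
        head, _, body = chunk.partition("Description:")
        fields = dict(HEADER_RE.findall(head))
        body = FOOTER_RE.sub("", body).strip()  # drop the Help and Support boilerplate
        m = PATH_RE.search(body)                 # DETAIL "... for C:\..." names the file
        events.append({
            "source": fields.get("Event Source", ""),
            "id": int(fields["Event ID"]),
            "when": datetime.strptime(fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S"),
            "description": body,
            "path": m.group(1) if m else None,
        })
    return sorted(events, key=lambda e: e["when"])


def profile_load_failures(events):
    """Userenv 1508 (hive could not be loaded) and 1502 (profile could not be loaded)."""
    return [e for e in events if e["source"] == "Userenv" and e["id"] in (1502, 1508)]


def failed_drivers(events):
    """Driver names listed by Service Control Manager event 7026."""
    names = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7026:
            _, _, rest = e["description"].partition("failed to load:")
            names.extend(rest.split())
    return names


def parse_handle_output(text):
    """One dict per File handle line in handle.exe output (assumed layout)."""
    return [m.groupdict() for m in HANDLE_RE.finditer(text)]


def lock_holders(handles, path):
    """(process, pid) pairs holding an open handle on exactly this path."""
    want = path.lower()
    return [(h["proc"], int(h["pid"])) for h in handles if h["path"].lower() == want]


def triage(event_text, handle_text):
    """Correlate the locked file from the event log with its handle holders."""
    events = parse_events(event_text)
    failures = profile_load_failures(events)
    paths = sorted({e["path"] for e in failures if e["path"]})
    handles = parse_handle_output(handle_text)
    return {
        "failed_drivers": failed_drivers(events),
        "profile_failures": [(e["id"], e["when"].strftime("%H:%M:%S")) for e in failures],
        "locked_files": paths,
        "holders": {p: lock_holders(handles, p) for p in paths},
    }


if __name__ == "__main__":
    for key, value in triage(EVENT_TEXT, HANDLE_TEXT).items():
        print(key, "->", value)
```

On the affected machine the handle search has to run at the moment the lock exists, i.e. right after the failed logon, from an administrator account, since the hive is only locked while something else has it open; anything listed besides `System` is the process to look at in Process Explorer.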

"profile settings corrupted every month" <profile settings corrupted every month@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C270DD34-71B1-4BA3-AD1D-9839D21839CF@xxxxxxxxxxxxxxxx
Hello again - not sure if you are still willing to help me? An update: I
did not download any of the security updates this week, however today it
displayed exactly the same problem on the same date. However, I did not do
a system restore this time; I booted in safe mode, found the settings were
still there, then booted back normally and the settings returned. This
seems not to be a download problem but something on my system that runs on
the 15th. I looked at the event log (though I don't really understand much
of it) and am pasting a few things that might be relevant at the time I
switched the computer on.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1502
Date: 15/10/2009
Time: 14:02:22
User: NT AUTHORITY\SYSTEM
Computer: S2N7O9
Description:
Windows cannot load the locally stored profile. Possible causes of this
error include insufficient security rights or a corrupt local profile. If
this problem persists, contact your network administrator.

DETAIL - The process cannot access the file because it is being used by
another process.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1508
Date: 15/10/2009
Time: 14:02:12
User: NT AUTHORITY\SYSTEM
Computer: S2N7O9
Description:
Windows was unable to load the registry. This is often caused by
insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by
another process. for C:\Documents and Settings\Ian\ntuser.dat

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 15/10/2009
Time: 13:57:15
User: N/A
Computer: S2N7O9
Description:
The following boot-start or system-start driver(s) failed to load:
szkg

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I have tried to find ian/ntuser.dat but it can't display it because it's in
use?
I am also about to delete the registry entries for szkg, which some entries
on Google say is malware.

Does any of this help?
(still grateful for any help, still trying to fix it myself by blundering
about.....)

"1PW" wrote:

lopar wrote:
Good news is that I have just downloaded KB915597 and no probs. If it's
Defender related then it's not all Defender updates. Won't know until the
15th.. It sounds like you are running out of ideas to help further....

You have related what amounts to permanent damage. I'm afraid nobody
has real solutions for what you reported.

Perhaps the next step is to await 15 October therefore and see what
happens then. Thanks for your continued support.
Please page down for other comments on your post.

I suppose if you are willing to live with the state of your system for
an indefinite time, then the status quo might leave you without some
safety features.


"1PW" wrote:

lopar wrote:
OK, ran SAS in safe mode, nothing except cookies found.. Reran MWB and
nothing at all found.
Ran a search in Explorer for cbs.log but nothing found with that name.
The search included system files, hidden folders and subfolders??
Did you see the MWB log I posted?
I believe a reboot deletes the cbs.log file unless it's renamed before
the deletion occurs.

MBAM

Yes - I saw two Trojans and you also related the download3000 thing.
I was hoping for a better outcome. However, the other things you have
mentioned along the way leads me to believe that more serious damage
has taken place.

very cryptic - like, what sort of damage?

Directories that are now capitalized as if they were recreated.

I take it you advise me to uninstall the s/saver? Is there any way to
retain it and fix the problem?

Anything from download3000 is potentially very dangerous.


If the malware removals by MBAM and Shenan Stanley's cleanup procedure
do not eliminate your repeating trouble, I believe a "Flatten and
Rebuild" procedure is the next reasonable step.

Don't know what flatten and rebuild is but it sounds hideous.....
As I said, Shenan's comments, whilst appreciated, may be a step too far
for me. I only get an hour or so between work and family commitments to do
this stuff - his "8 to 10 hours" post would be a big deal for me and would
be warranted only if there was a major system problem. At the moment,
unless there is something you are not telling me, it's just an 'irritation'
having to restore so often. That is certainly not to say that his and your
help isn't welcome though.

I apologize for the overuse of jargon. Flatten & Rebuild is the
process of using your original install media (your CDs) to perform a
format of your system's hard disk drive. Effectively this erases
*everything* that ever was there. Then an entirely new system is
built from your install/recovery media.

--
1PW






