Sysinternals Forums > Autoruns

Topic: Autoruns
Albear (Newbie, joined 19 May 2010, England)
Posted: 19 January 2012 at 4:21pm
Is it possible that Autoruns has been interfered with on my machines? Windows already has the wrong product ID on my machines; AVG (paid) is showing a version that does not appear legitimate; the AVG tool cannot find any version of AVG on my machine, but it appears to be running on my machines. I am a home user who has been trying to convince those with skill and knowledge that my machines are hijacked, and that the hijack, it would appear, must be in the boot, because I have reinstalled on all 3 machines to factory settings and they all revert back to their hijacked state within a week or two. Microsoft seemed interested when they had an SFC report that was only 99% and files that could not be repaired, where they found the illegal product ID. But once I proved legitimate and purchased recovery disks from ACER they were no longer interested. I ran the SFC on my other machines and they both came back the same, only 99% complete, and when I checked their product ID they were wrong as well!
Back to Autoruns: I have run it at various times after reinstalls and had image hijacks; I ran it today and got nothing. However, Security Task Manager is highlighting Autoruns as a risk, and when I read the notation it looks to me (and I'm no techie, though I have been operating computers since 1974 when I worked on a giant ICL mainframe) that it has been compromised. I paste below some of the notation (not all, because of the length).
Please do not take this the wrong way, but I hope this shows that someone has corrupted Autoruns. I have been trying for over 2 years to prove my machines are hijacked, but because they do not return a virus or rootkit result I get dismissed. I do not have these; I believe whoever is taking control of my machines via group policy is then downloading legitimate Microsoft tools to keep control, and the downloads are not being picked up as illegitimate because of this. The strange thing for me is that the boot is the perfect place to corrupt the system, but everyone tells me no and I don't understand why; if I was a hijacker I would be looking at such a place if I knew all the 'experts' were ignoring it!?
I ran Autoruns and it appears to have run OK, but the log below suggests the opposite? Help please.
 
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Disabling or deleting Userinit will prevent users from logging on.
Settings derived from imported logs cannot be modified
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Deleting Userinit will prevent users from logging on.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\pard\sb240\lang1036 Remarque  Ce logiciel \e9tant distribu\e9 au Qu\e9bec, Canada, certaines des clauses dans ce contrat sont fournies cidessous en fran\e7ais.\par
\pard\sb120\sa120 EXON\c9RATION DE GARANTIE.\b0  Le logiciel vis\e9 par une licence est offert \ab tel quel \bb. Toute utilisation de ce logiciel est \e0 votre seule risque et p\e9ril. Sysinternals naccorde aucune autre garantie expresse. Vous pouvez b\e9n\e9ficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualit\e9 marchande, dad\e9quation \e0 un usage particulier et dabsence de contrefa\e7on sont exclues.\par
\pard\keepn\fi360\li720\sb120\sa120\tx720\lang1036\b7\tab tout  ce qui est reli\e9 au logiciel, aux services ou au contenu y compris le code figurant sur des sites Internet tiers ou dans des programmes tiers  et\par
----------------
This program cannot be run in DOS mode.
uj hlK
uVu uPu
fofoNfoV fo0f
vectorT too long
The specified directory is not a Windows system root
Autoruns requires Administrator privilege to analyze an offline system
Cannot load registry hive
Cannot open system registry key of the selected system root
Cannot load registry hive
Cannot open system registry key of the selected system root
Cannot load user registry hive of the offline system
Cannot open system registry key of the selected system root
Microsoft\Windows NT\CurrentVersion
CurrentControlSet\Control\Session Manager\Environment
No items to search
Cannot find string
Cannot find string
Cannot find string
MS Sans Serif
AutoRuns Data
Compare to Saved AutoRuns File..
Error opening file
Terminal Server
File not found
File not found
File not found
bad command
Software\Microsoft\Windows\CurrentVersion\App Paths\
File not found
File not found
File not found
File not found
File not found
Error loading profile for
Settings from loaded scans cannot be modified
Winsock Protocol Providers cannot be disabled
only deletion is supported
Are you sure you want to disable autorun of
Error changing item state
Are you sure you want to delete autorun of
Are you sure you want to delete autorun of
Error deleting start setting
Error saving file
AutoRuns Data
Import AutoRuns data from File..
Error importing file
AutoRuns Data
Save AutoRuns Output to File..
Error saving file
The full name of the selected key or value is not available.
Autoruns was unable to launch Regedit.
Cancelling scan..
Escape to cancel scan
Not verified
Not Verified
Not verified
Signed Microsoft and Windows Entries Hidden.
Microsoft and Windows Entries Hidden.
Signed Windows Entries Hidden.
Windows Entries Hidden.
No Filter.
Escape to cancel
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\Command Processor
Software\Wow6432Node\Microsoft\Command Processor
Software\Microsoft\Command Processor
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Control Panel\Desktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
Notification Packages
SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop
Security Packages
Authentication Packages
System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager\KnownDlls
Common AltStartup
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
File not found
SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Startup
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Windows
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Active Setup\Installed Components
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect
SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Autorun Entry
Software\Microsoft\Internet Explorer\UrlSearchHooks
Software\Microsoft\Internet Explorer\Toolbar
Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
Software\Microsoft\Internet Explorer\Explorer Bars
Software\Microsoft\Internet Explorer\Explorer Bars
Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
Software\Microsoft\Internet Explorer\Extensions
Software\Microsoft\Internet Explorer\Extensions
Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Escape to cancel
Software\Microsoft\Windows NT\CurrentVersion\ProfileList
You must download the latest version of Process Explorer to use this feature.
Process Explorer from Sysinternals is not running and not in the path.
Select offline folder
Image Path
Network Providers
LSA Providers
Sidebar Gadgets
Print Monitors
Winsock Providers
Image Hijacks
Boot Execute
Scheduled Tasks
Internet Explorer
Escape to cancel
Cancelling scan..
Unable to open help file
Task Scheduler
Task Scheduler
Not verified
Not verified
Vista and higher only
Missing ARN output file.
map/setT too longstatus
invalid map/setT iterator
File not found
File not found
File not found
File not found
\Microsoft\Windows Sidebar\Settings.ini
listT too long
bad allocation
Task Scheduler
Task Scheduler
bad allocation
string too long
invalid string position
Unknown exception
bad exception
runtime error
TLOSS error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.Please contact the applications support team for more information.
This application has requested the Runtime to terminate it in an unusual way.Please contact the applications support team for more information.
Microsoft Visual C
program name unknown
Runtime Error
Albear (Newbie, joined 19 May 2010, England)
Posted: 19 January 2012 at 4:24pm
Please accept my apologies for typing errors above; my cursor jumps all over the place without me realising, so it is always a struggle to compose messages.
The first sentence above should read:
Is it possible that Autoruns has been interfered with on my machines?
Albear (Newbie, joined 19 May 2010, England)
Posted: 20 January 2012 at 3:46pm
Hi, is there anyone who is prepared to explain the above, please?
Dax1792 (Senior Member, joined 15 March 2011)
Posted: 20 January 2012 at 3:59pm
Where did you get that 'log' from? It looks like a list of the text strings in the Autoruns executable.

Looking at the Security Task Manager website, it seems to consider virtually everything to be a risk.
Albear (Newbie, joined 19 May 2010, England)
Posted: 20 January 2012 at 7:30pm
Thanks for replying. Yes, it's off Security Task Manager, but why would it not be able to run the registry hive? And I see a reference to Terminal Server. I believe my system has been hijacked; I cannot gain control of it. When it closes down it refers to the Group Policy Client service, but I cannot access group policy.
I have three machines at home. I recently carried out an SFC scan for Microsoft and it only completed to 99% and many corruptions could not be corrected; this was on a machine reinstalled to factory settings after having a new hard drive fitted under warranty.
I could not update Windows and was referred to a Windows specialist. He told me my O/S was illegal; I needed to get recovery disks from the manufacturer and he would ensure it was reinstalled correctly. When I confirmed I had the disks, I installed, because of non-response; after about 3 days I thought the machine was going again and I sent the CBS log to him; he replied the system was fine. This week I ran SFC again and it found corrupt files it could not repair, several of which refer to rasautodial, which I think (?) helps show my system is hijacked.
Also, after running the SFC on here, I ran it on the other two machines and they both only ran to 99% and they both had the wrong product ID on them! Microsoft are not interested; my feeling is they only wanted to see if I was running illegal software.
This ACER is 64-bit (Win7 Home Premium) but I have many drivers that open in 'unknown applications' and many that I have checked are XP files. I keep disabling the ISATAP adapter and a new one is created in its place. By the time the hijack is complete I have a RAS sync adapter installed; time to reinstall!
My problem is no one wants to know. I've had every bit of anti-virus/malware software on my machine I can run, but this shows up nothing. I have no doubt there is no virus; I actually believe that either my disk is not cleaned on install (the flag is tampered with so that the hijacker's code remains), or the boot is corrupt; whichever instance it is, the hacker has immediate access to my 'network', not that my machines are networked at all. Then the hacker installs legitimate Microsoft tools on to my system. It often ends up with unidentified networks, autoconfig IPv4 with an address I cannot change. On my Dell laptop my adapter had an additional tab; on the tab was a dialogue box 'allow for unauthenticated networks'; if I did not tick this box, I could not get internet access. I would happily attach the CBS log but I see that's not possible. I will paste below the section outlining those files SFC could not repair. This has been going on for 2 years and has been/is a nightmare, with the computer manufacturers saying it's Microsoft and Microsoft just ignoring. If you or anyone could help to configure my machines so that a) I have control and b) they are set not to allow domain control, that would solve this problem. I do not have the knowledge to know where to change my network settings, and my machine tells me it cannot find group policy. I'm told it wouldn't be on my version of 7; well, how come when I log off it tells me it's closing down Group Policy Client? Part of log follows:-
2012-01-15 22:14:31, Info                  CSI    000002e1 [SR] Beginning Verify and Repair transaction
2012-01-15 22:14:31, Info                  CSI    000002e2 [SR] Cannot repair member file [l:22{11}]"rasmans.dll" of Microsoft-Windows-RasmanService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e3 [SR] Cannot repair member file [l:22{11}]"rasauto.dll" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e4 [SR] Cannot repair member file [l:20{10}]"rasacd.sys" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e5 [SR] Cannot repair member file [l:24{12}]"rasautou.exe" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e6 [SR] Cannot repair member file [l:24{12}]"rasadhlp.dll" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e7 [SR] Cannot repair member file [l:20{10}]"rasman.dll" of Microsoft-Windows-Rasman, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e8 [SR] Cannot repair member file [l:24{12}]"rasautou.exe" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e9 [SR] Cannot repair member file [l:24{12}]"rasadhlp.dll" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002ea [SR] Cannot repair member file [l:20{10}]"rasman.dll" of Microsoft-Windows-Rasman, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002eb [SR] Cannot repair member file [l:20{10}]"rasman.dll" of Microsoft-Windows-Rasman, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002ec [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.WindowsFoundationDelivery"
2012-01-15 22:14:31, Info                  CSI    000002ed [SR] Cannot repair member file [l:22{11}]"rasmans.dll" of Microsoft-Windows-RasmanService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002ee [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.WindowsFoundationDelivery"
2012-01-15 22:14:31, Info                  CSI    000002ef [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"rasmans.dll"; source file in store is also corrupted
2012-01-15 22:14:31, Info                  CSI    000002f0 [SR] Cannot repair member file [l:20{10}]"rasman.dll" of Microsoft-Windows-Rasman, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002f1 [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.WindowsFoundationDelivery"
2012-01-15 22:14:32, Info                  CSI    000002f2 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:22{11}]"rasauto.dll" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002f3 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[ml:22{11},l:20{10}]"rasacd.sys" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002f4 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:24{12}]"rasautou.exe" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002f5 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:24{12}]"rasadhlp.dll" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002f6 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"rasauto.dll" from store
2012-01-15 22:14:32, Info                  CSI    000002f7 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"rasautou.exe" from store
2012-01-15 22:14:32, Info                  CSI    000002f8 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:24{12}]"rasautou.exe" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002f9 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:24{12}]"rasadhlp.dll" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002fa [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:24{12}]"rasautou.exe" from store
2012-01-15 22:14:32, Info                  CSI    000002fb Repair results created:
POQ 109 starts:
     0: Create File: File = [l:240{120}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasauto.dll", Attributes = 00000080
    1: Move File: Source = [l:166{83}]"\SystemRoot\WinSxS\Temp\PendingRenames\2d87610ed3d3cc010c300000f4139405.rasauto.dll", Destination = [l:240{120}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasauto.dll"
    2: Create File: File = [l:238{119}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasacd.sys", Attributes = 00000080
    3: Move File: Source = [l:164{82}]"\SystemRoot\WinSxS\Temp\PendingRenames\ed49660ed3d3cc010d300000f4139405.rasacd.sys", Destination = [l:238{119}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasacd.sys"
    4: Create File: File = [l:242{121}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasautou.exe", Attributes = 00000080
    5: Move File: Source = [l:168{84}]"\SystemRoot\WinSxS\Temp\PendingRenames\4eab680ed3d3cc010e300000f4139405.rasautou.exe", Destination = [l:242{121}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasautou.exe"
    6: Create File: File = [l:242{121}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasadhlp.dll", Attributes = 00000080
    7: Move File: Source = [l:168{84}]"\SystemRoot\WinSxS\Temp\PendingRenames\4eab680ed3d3cc010f300000f4139405.rasadhlp.dll", Destination = [l:242{121}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasadhlp.dll"
    8: Hard Link File: Source = [l:240{120}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04
2012-01-15 22:14:32, Info                  CSI    260a\rasauto.dll", Destination = [l:70{35}]"\??\C:\Windows\System32\rasauto.dll"
    9: Hard Link File: Source = [l:242{121}]"\SystemRoot\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasautou.exe", Destination = [l:72{36}]"\??\C:\Windows\System32\rasautou.exe"
    10: Checkpoint
    11: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\8ff3760ed3d3cc0110300000f4139405._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    12: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\8ff3760ed3d3cc0111300000f4139405.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    13: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\71da820ed3d3cc0112300000f4139405.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
    14: Create File: File = [l:242{121}]"\SystemRoot\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_76239aafb364e805\rasautou.exe", Attributes = 00000080
    15: Move File: Source = [l:168{84}]"\SystemRoot\WinSxS\Temp\PendingRenames\d13b850ed3d3cc0113300000f4139405.rasautou.exe", Destination = [l:242{121}]"\SystemRoot\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_76239aafb364e805\rasautou.exe"
    16: Create File: File = [l:242{121}]"\SystemRoot\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_76239aafb364e805\rasadhlp.dll", Attributes = 00000080
    17: Move File: Source = [l:168{84}]"\SystemRoot\WinSxS\Temp\PendingRenames\319d870ed3d3cc0114300000f4139405.rasadhlp.dll", Destination = [l:242{121}]"\SystemRoot\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_76239aafb364e805\rasadhlp.dll"
    18: Hard Link File: Source = [l:242{121}]"\SystemRoot\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16
2012-01-15 22:14:32, Info                  CSI    385_none_76239aafb364e805\rasautou.exe", Destination = [l:72{36}]"\??\C:\Windows\SysWOW64\rasautou.exe"
    19: Checkpoint
    20: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\73e5950ed3d3cc0115300000f4139405.$$_syswow64_21ffbdd2a2dd92e0.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms"
POQ 109 ends.
2012-01-15 22:14:32, Info                  CSI    000002fc [SR] Repair complete
2012-01-15 22:14:32, Info                  CSI    000002fd Creating NT transaction (seq 2), objectname [6]"(null)"
2012-01-15 22:14:32, Info                  CSI    000002fe Created NT transaction (seq 2) result 0x00000000, handle @0x13a8
2012-01-15 22:14:33, Info                  CSI    000002ff@2012/1/15:22:14:33.096 CSI perf trace:
CSIPERF:TXCOMMIT;770885
2012-01-15 22:14:33, Info                  CBS    Reboot mark refs incremented to: 1
Dax1792 (Senior Member, joined 15 March 2011)
Posted: 20 January 2012 at 9:11pm
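The CBS.log excerpt above can be read mechanically. The following added script (not Microsoft's, Sysinternals' or the thread's own code) parses the [SR] lines that sfc /scannow writes, groups unrepairable files by the Windows component that owns them, and flags files whose backup copy in the component store is itself corrupt; its sample log is constructed from the line formats quoted above.

```python
"""
Parse the [SR] (system file repair) lines sfc /scannow writes to CBS.log and
summarise the repair outcome per file and per owning Windows component.
Added example, not Microsoft or Sysinternals code. SAMPLE_LOG is constructed
from the line formats quoted in the thread.
"""
import re
from collections import defaultdict

# Every repair line: "<timestamp>, <level>   CSI   <seq> [SR] <message>"
SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), \w+\s+CSI\s+"
    r"(?P<seq>[0-9a-f]{8}) \[SR\] (?P<msg>.*)$"
)
# Cannot repair member file [l:22{11}]"file" of Component, Version = v, pA = ARCH (n), ..., <reason>
CANNOT_REPAIR = re.compile(
    r'Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of (?P<component>[\w.-]+), '
    r"Version = (?P<version>[\d.]+), pA = (?P<arch>\w+) \(\d+\), .*, (?P<reason>[^,]+)$"
)
# [ml:..,l:..]"dir"\[l:..]"file": directory and file name, each length-prefixed
PATHED = r'\[[^\]]*\]"(?P<dir>[^"]+)"\\\[[^\]]*\]"(?P<file>[^"]+)"'
STORE_CORRUPT = re.compile(r"Could not reproject corrupted file " + PATHED + r"; (?P<reason>.+)$")
REPAIRED_FROM_STORE = re.compile(r"Repairing corrupted file " + PATHED + r" from store$")
REPAIRED_FROM_BACKUP = re.compile(r'Repaired file .*"(?P<file>[^"]+)" by copying from backup$')

KINDS = (
    ("cannot_repair", CANNOT_REPAIR),
    ("store_corrupt", STORE_CORRUPT),
    ("repaired_from_store", REPAIRED_FROM_STORE),
    ("repaired_from_backup", REPAIRED_FROM_BACKUP),
)


def parse_sr_events(text):
    """Return one dict per [SR] line with a 'kind' plus the fields that line carries."""
    events = []
    for line in text.splitlines():
        m = SR_LINE.match(line)
        if not m:
            continue  # CBS lines and non-[SR] CSI lines are not repair events
        msg = m.group("msg")
        ev = {"ts": m.group("ts"), "seq": m.group("seq")}
        for kind, pattern in KINDS:
            hit = pattern.match(msg)
            if hit:
                ev.update(kind=kind, **hit.groupdict())
                break
        else:
            ev.update(kind="complete" if msg.startswith("Repair complete") else "other", msg=msg)
        events.append(ev)
    return events


def cannot_repair_by_component(events):
    """Files SFC reported it could not repair, grouped by the owning component."""
    by = defaultdict(set)
    for ev in events:
        if ev["kind"] == "cannot_repair":
            by[ev["component"]].add((ev["file"], ev["arch"]))
    return {c: sorted(files) for c, files in by.items()}


def final_status(events):
    """Last outcome SFC recorded for each file name (later lines override earlier ones)."""
    status = {}
    for ev in events:
        if "file" in ev:
            status[ev["file"]] = ev["kind"]
    return status


def still_broken(events):
    """Files whose last recorded outcome is a failure. 'store_corrupt' means the
    backup in the component store is bad too, so SFC by itself cannot fix that file."""
    return sorted(f for f, k in final_status(events).items() if k in ("cannot_repair", "store_corrupt"))


# Constructed sample, shaped like the CBS.log lines quoted in the thread.
SAMPLE_LOG = r"""
2012-01-15 22:14:31, Info                  CSI    000002e1 [SR] Beginning Verify and Repair transaction
2012-01-15 22:14:31, Info                  CSI    000002e2 [SR] Cannot repair member file [l:22{11}]"rasmans.dll" of Microsoft-Windows-RasmanService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e3 [SR] Cannot repair member file [l:22{11}]"rasauto.dll" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002e8 [SR] Cannot repair member file [l:24{12}]"rasautou.exe" of Microsoft-Windows-RasAutoDial, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-15 22:14:31, Info                  CSI    000002ef [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"rasmans.dll"; source file in store is also corrupted
2012-01-15 22:14:32, Info                  CSI    000002f2 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:22{11}]"rasauto.dll" by copying from backup
2012-01-15 22:14:32, Info                  CSI    000002f6 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"rasauto.dll" from store
2012-01-15 22:14:32, Info                  CSI    000002fa [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:24{12}]"rasautou.exe" from store
2012-01-15 22:14:32, Info                  CSI    000002fc [SR] Repair complete
2012-01-15 22:14:33, Info                  CBS    Reboot mark refs incremented to: 1
"""

if __name__ == "__main__":
    evs = parse_sr_events(SAMPLE_LOG)
    print("could not repair, by component:", cannot_repair_by_component(evs))
    print("final status per file        :", final_status(evs))
    print("left unrepaired              :", still_broken(evs))
```

Every component name in the output is a Microsoft-Windows-* package, which is how to tell that the RAS entries belong to Windows itself rather than to any third-party tool.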
That is not a log. It is a list of all the text strings in the Autoruns executable. They are what Autoruns uses to create its reports and any error messages that it may produce if necessary.
You can see these by running Process Explorer at the same time as Autoruns. Right-click the Autoruns entry in Process Explorer and select 'Properties', then select the Strings tab in the window that opens. You will see all those strings plus many shorter ones that your program is ignoring.

It is impossible to diagnose your problems on a forum like this. It is possible that running multiple antivirus programs is causing you problems.
If antivirus scans are not finding anything and you still suspect you are infected, I suggest you run an offline scan of your system with Windows Defender Offline.
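Dax1792's check can also be done without the GUI. The following added script (not Sysinternals or Security Task Manager code) pulls ASCII and UTF-16LE strings out of a file the way Strings and Process Explorer's Strings tab do, then tests whether pasted 'log' lines are simply those embedded strings; the sample binary and sample lines are constructed here.

```python
"""
Extract printable strings from a binary the way Sysinternals Strings and the
Process Explorer Strings tab do (ASCII runs and UTF-16LE runs), then decide
whether each line of a pasted "log" is just a string embedded in that file.
Added example, not Sysinternals code; SAMPLE_BINARY and SAMPLE_LOG are constructed.
"""
import re

MIN_LEN = 3  # Process Explorer's default minimum string length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) for every printable run in data.

    ASCII: a run of bytes 0x20-0x7e. UTF-16LE: the same characters each
    followed by a NUL byte, which is how Windows stores its UI strings.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda t: t[0])
    return found


def classify_log_lines(lines, data: bytes):
    """Split pasted lines into those found inside the binary's strings and those not.

    Substring matching is used because a tool that splits only on non-printable
    bytes can glue adjacent resource strings together into one longer run.
    """
    texts = [t for _, _, t in extract_strings(data)]
    matched, unmatched = [], []
    for line in lines:
        needle = line.strip()
        if needle and any(needle in t for t in texts):
            matched.append(needle)
        else:
            unmatched.append(needle)
    return matched, unmatched


def registry_key_strings(data: bytes):
    """Strings that look like registry subkeys: the autostart locations a scanner
    such as Autoruns enumerates, which is why a strings dump of it is full of them."""
    key_re = re.compile(r"^(HKLM\\|HKCU\\|SOFTWARE\\|Software\\|System\\)", re.IGNORECASE)
    return sorted({t for _, _, t in extract_strings(data) if key_re.match(t)})


# Constructed stand-in for an executable: a DOS-stub message in ASCII, a few
# NUL-terminated UTF-16LE UI strings, and non-printable filler in between.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00\x00\x00\x00\x01\x02"
    + "Cannot load registry hive".encode("utf-16le") + b"\x00\x00"
    + "Terminal Server".encode("utf-16le") + b"\x00\x00"
    + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit".encode("utf-16le")
    + b"\x00\x00\x7f\x80\x00\xff"
    + b"uj hlK\x00\x00\x00"  # short printable junk, as a strings dump also shows
)

# Constructed "log": three lines of the kind seen in a strings-style dump plus
# one sentence that is not embedded in the sample binary at all.
SAMPLE_LOG = [
    "This program cannot be run in DOS mode.",
    "Cannot load registry hive",
    "Terminal Server",
    "This sentence appears in no executable",
]

if __name__ == "__main__":
    ok, odd = classify_log_lines(SAMPLE_LOG, SAMPLE_BINARY)
    print("embedded strings :", ok)
    print("not in the binary:", odd)
    print("registry keys    :", registry_key_strings(SAMPLE_BINARY))
```

Run it against a real copy of autoruns.exe by replacing SAMPLE_BINARY with the file's bytes; a 'log' whose every line lands in the matched list is a strings listing, not a record of anything the program did.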
Albear (Newbie, joined 19 May 2010, England)
Posted: 24 January 2012 at 11:32pm
I know your knowledge is superior to mine, but I do know that what I have pasted is pasted direct from the CBS log created by SFC scannow; I can assure you 100%!

How can it be a list of executables? Would SFC try and repair Autoruns if it is corrupt? All the RAS entries are from Autoruns? You have me at a loss, I'm sorry.
I do not have lots of anti-virus on my machines, purely AVG and Security Task Manager. AVG have recently asked me to run GMER; I could not, the 'select all' was greyed out.
I ran it on my Dell tonight, which has only had the O/S loaded, and it came back with a scary report on the registry: the registry entries were 'yellow' as normal, I scrolled to 'sam' and then opened it and had a 'red sam' and under that a long list of 'red' entries referring to domains, users, secret passwords. But I could not save it! I took a screenshot but there is no facility to provide you with it. I ran regedit on the Dell and the sam entries were completely different to those in the GMER scan.
It also found two unknown files, c\windows\SoftwareDistribution\DataStore\Logs\tmp.edb and system32\B6C0.tmp, and also found a hidden device filesystem\fastfat\fat (Microsoft file system file manager/Microsoft Corporation).
I am stuck, but I can tell you 100% my 3 machines are hijacked, and with 100% conviction that I am correct. I wish that I had your knowledge.
Dax1792 (Senior Member, joined 15 March 2011)
Posted: 25 January 2012 at 1:45am
I was referring to the list in your first post not the SFC output. SFC would not repair Autoruns. I do not believe your copy of Autoruns is corrupted on the basis of anything you have posted here.

As I said before, it is impossible for me to comment on your other problems.
Albear (Newbie, joined 19 May 2010, England)
Posted: 25 January 2012 at 7:46am
OK, thank you for your kindness in looking at this.