Restoring permissions


This topic is locked
5 replies to this topic

#1 a9642

  • Members
  • 20 posts

Posted 03 November 2009 - 08:15 PM

This topic is a continuation of the closed topic here:

http://www.bleepingcomputer.com/forums/ind...p;#entry1408950

When I last worked on this computer I was denied access to even the most basic features. Now that I'm coming back to it I've discovered that these symptoms have disappeared. I'd like to be able to tell the computer's owner that the system is clean. Here are the logs you requested:

DDS.txt:



DDS (Ver_09-09-24.01) - NTFSx86
Run by Compaq_Administrator at 19:24:40.05 on Tue 11/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1494 [GMT -5:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\Program Files\Zone Labs 09\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uDefault_Search_URL = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [FIREBOX] c:\program files\presonus\1394audiodriver_firebox\FIREBOX Control.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs 09\zonealarm\zlclient.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - f:\program files\aim95\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: trymedia.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\1av7oqve.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\compaq_administrator\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\1av7oqve.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\compaq_administrator\desktop\byond 4.0 beta\bin\npbyond.dll
FF - plugin: c:\documents and settings\compaq_administrator\desktop\jacob\byond 4.0 beta\bin\npbyond.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-13 353672]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2009-4-6 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2009-4-6 24576]
S3 RDID1003;EDIROL UM-2;c:\windows\system32\drivers\Rdwm1003.sys [2009-5-26 66530]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-4-6 18432]

=============== Created Last 30 ================


==================== Find3M ====================

2009-11-03 19:01 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-11-03 16:11 15,265 a------- c:\windows\system32\tablet.dat
2009-10-19 19:00 3,070,976 a------- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 00:49 1,509,888 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 00:49 668,672 a------- c:\windows\system32\wininet.dll
2009-09-25 00:49 668,672 a------- c:\windows\system32\dllcache\wininet.dll
2009-09-25 00:49 628,224 a------- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 00:49 474,112 a------- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 00:49 532,480 a------- c:\windows\system32\dllcache\mstime.dll
2009-09-25 00:49 449,024 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-09-25 00:49 146,432 a------- c:\windows\system32\dllcache\msrating.dll
2009-09-25 00:49 39,424 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-09-25 00:48 251,904 a------- c:\windows\system32\dllcache\iepeers.dll
2009-09-25 00:48 96,256 a------- c:\windows\system32\dllcache\inseng.dll
2009-09-25 00:48 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-25 00:48 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 00:48 55,808 a------- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 00:48 16,384 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-09-25 00:48 1,054,208 a------- c:\windows\system32\dllcache\danim.dll
2009-09-25 00:48 357,888 a------- c:\windows\system32\dllcache\dxtmsft.dll
2009-09-25 00:48 205,312 a------- c:\windows\system32\dllcache\dxtrans.dll
2009-09-25 00:48 151,040 a------- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 00:48 1,024,000 a------- c:\windows\system32\dllcache\browseui.dll
2009-09-18 04:46 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-09-14 01:12 229,888 a------- c:\windows\PEV.exe
2009-09-11 09:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:33 133,632 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:03 26,528 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-09-10 13:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 15:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 15:45 58,880 a------- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:16 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 04:46 450,560 a------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-05-18 22:03 13,195 a------- c:\documents and settings\compaq_administrator\ZGUICFGW.DAT
2009-01-23 15:21 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2007-03-23 03:28 40 a------- c:\documents and settings\compaq_administrator\language.dat
2007-02-19 14:46 251 a------- c:\program files\wt3d.ini

============= FINISH: 19:25:09.96 ===============


I can try and pick up the instructions from the other thread if you think that's wise. Thanks in advance.


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 November 2009 - 08:21 PM

Hi a9642,

I will look over the logs and post back soon. :(
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 November 2009 - 08:34 PM

Nothing showing on the logs at all :(

No symptoms from your end, no more permission problems, which was what we had left, I think :(

Looking at the previous thread I would say that Combofix probably removed the malware after you last booted up. There is nothing showing here at all a9642.

You've got a clean PC :)


Do your friend a favour and update his Java though

Old versions of Java are big doors to malware. JavaRa removes them and updates your version to the most current.

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Also make sure that Combofix and the other tools have been uninstalled by following these instructions:

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


And


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
...And that should do it.

Cheers,

m0le
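The diagnosis above turns on two things an analyst reads out of a DDS log: whether any registered entry points at a file that is no longer there ("No File"), and whether an old Java runtime (here jre1.5.0_06) is still wired into the browsers. As an added example, not part of this thread and not code from the DDS, JavaRa or BleepingComputer tools, here is a small Python triage script that parses lines in the "Pseudo HJT Report" / FIREFOX format shown above and reports those findings, plus two more a reviewer typically notes: Run entries that name a bare executable rather than a full path, and the hosts behind the defanged hxxp URLs. The sample lines are constructed from the format of the log above, and the Java version threshold is an assumption standing in for "anything older than the current release".

```python
import re
from collections import Counter

# Constructed sample lines in the DDS "Pseudo HJT Report" / FIREFOX section
# format, modelled on the log above. Not the full log; just enough to
# exercise each check.
SAMPLE_LOG = r"""
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uDefault_Search_URL = hxxp://www.google.com/
uURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
dRunOnce: [RunNarrator] Narrator.exe
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: trymedia.com
"""

# Policy threshold, an assumption for this example: treat anything below
# Java 6 as outdated. The post's real rule is "older than the current
# release"; substitute that version here.
MINIMUM_JRE = (1, 6, 0, 0)

JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
ORPHAN_RE = re.compile(r"^(\w+):.*-\s*No File\s*$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[([^\]]+)\]\s*(.+)$")
FULL_PATH_RE = re.compile(r'^"?[a-z]:\\', re.IGNORECASE)
URL_RE = re.compile(r"hxxps?://([^/\s]+)", re.IGNORECASE)


def java_versions(text):
    """Distinct JRE versions referenced anywhere in the log, e.g. (1, 5, 0, 6)."""
    return sorted({tuple(int(g) for g in m.groups()) for m in JRE_RE.finditer(text)})


def is_outdated_java(version, minimum=MINIMUM_JRE):
    """True if a JRE version tuple is below the policy threshold."""
    return tuple(version) < tuple(minimum)


def orphaned_entries(text):
    """Registry entries (toolbars, URLSearchHooks, BHOs) whose file is gone.
    DDS prints these as '... - No File'; they are leftovers, not live code,
    but they show something was installed and later removed."""
    return [line for line in text.splitlines() if ORPHAN_RE.match(line.strip())]


def run_entries(text):
    """Parse Run/RunOnce lines into (name, command, has_full_path).
    A bare executable name is resolved through the PATH at logon, so the
    log alone does not tell the analyst which file actually runs."""
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            name, cmd = m.group(1), m.group(2).strip()
            out.append((name, cmd, bool(FULL_PATH_RE.match(cmd))))
    return out


def url_hosts(text):
    """Hosts from the defanged (hxxp) URLs with how often each appears, so an
    unfamiliar search or home-page provider stands out next to google.com."""
    return Counter(m.group(1).lower() for m in URL_RE.finditer(text))


def triage(text):
    """Collect (category, detail) findings an analyst would want to look at."""
    findings = []
    for v in java_versions(text):
        if is_outdated_java(v):
            findings.append(("outdated-java", "jre%d.%d.%d_%02d" % v))
    for line in orphaned_entries(text):
        findings.append(("orphaned-entry", line.strip()))
    for name, cmd, has_path in run_entries(text):
        if not has_path:
            findings.append(("run-without-path", "%s -> %s" % (name, cmd)))
    for host, n in url_hosts(text).items():
        findings.append(("url-host", "%s (%d)" % (host, n)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print("%-18s %s" % (category, detail))
```

Run it against a real DDS.txt by replacing SAMPLE_LOG with the file contents; the "url-host" and "run-without-path" categories are review prompts rather than verdicts, which matches how the log above was read: nothing here is malicious on its face, but the jre1.5.0_06 finding is exactly the one that led to the JavaRa advice.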

#4 a9642
  • Topic Starter

  • Members
  • 20 posts

Posted 05 November 2009 - 06:29 PM

Everything seems to be fine. The only problem I had was the Combofix /Uninstall command, which Windows didn't recognize. If that doesn't really matter, then I'm fine with the Comp as-is if you're fine with it.

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 November 2009 - 07:23 PM

The Combofix issue is easy.

It was renamed when you downloaded it so put in:

combo-fix /uninstall


Other than that you are good to go :(

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 November 2009 - 04:20 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



