
Please help! Even my admin rights won't work


  • This topic is locked
1 reply to this topic

#1 sportin4

  • Members
  • 1 posts

Posted 28 September 2010 - 10:50 AM

My PC is running slow, locks up, plus I am getting strange messages saying I have a false version of Microsoft and my email is not valid?? There are lot of things running when I open the task mgr....when I try to stop them...It tells me I don't have permission to do that. When I run HijackThis...The first pop up I get is...."For some reason your system denied Write access to the Host File. If any hijacked domains are in this file, HijackThis may not be able to fix this." It tells me if I am using Vista...and I am .....to exit...right click and run as admin.....but admin doesn't even show up...and I WAS the admin. So I click OK...and then it continues to give me a log file. Now...that I have located your site for help...Whatever is going on will not even let me see a logfile now....so I am going to attach the one I was able to save yesterday under a different file name..Please help!! Thank you in advance.

StartupList report, 9/26/2010, 3:50:37 PM
StartupList version: 1.52.2
Started from : C:\Users\hollie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7GRV83AL\HijackThis[1].EXE
Detected: Windows Vista SP2 (WinNT 6.00.1906)
Detected: Internet Explorer v7.00 (7.00.6002.18005)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\werfault.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
C:\Users\hollie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7GRV83AL\HijackThis[1].exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HotKeysCmds = C:\Windows\system32\hkcmd.exe
Persistence = C:\Windows\system32\igfxpers.exe
avgnt = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ehTray.exe = C:\Windows\ehome\ehTray.exe
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Shockwave Updater = C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; InfoPath.2; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729; .NET4.0C)" -"http://www8.agame.com/games/shockwave/c/cannons_yo_ho/CannonYoHo_www_agame_com.htm"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\Windows\system32\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\Windows\system32\ie4uinit.exe -UserIconConfig

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[{7070D8E0-650A-46b3-B03C-9497582E6A74}] *
StubPath = %SystemRoot%\system32\soundschemes.exe /AddRegistration

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\Windows\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

[{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}] *
StubPath = %SystemRoot%\system32\soundschemes2.exe /AddRegistration

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\Windows\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\Windows\Explorer\Explorer.exe: not present
C:\Windows\System\Explorer.exe: not present
C:\Windows\System32\Explorer.exe: not present
C:\Windows\Command\Explorer.exe: not present
C:\Windows\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: *Registry key not found*
.shb: *Registry key not found*
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\Windows
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename NOT OK: 'REGEDIT.EXE.MUI'
- File description: 'Registry Editor'

Registry check failed!

--------------------------------------------------

Enumerating Task Scheduler jobs:

AWC AutoSweep.job
AWC Startup.job
AWC Update.job
COMODO System Cleaner Update.job

--------------------------------------------------

Enumerating Download Program Files:

[ExentInf Class]
InProcServer32 = C:\Windows\Downloaded Program Files\ExentCtl.ocx

[CPlayFirstWeddingDasControl Object]
InProcServer32 = C:\Windows\Downloaded Program Files\WeddingDash2Web.1.0.0.11.dll
CODEBASE = http://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab

[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll
NameSpace #5: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

@%SystemRoot%\system32\aelupsvc.dll,-1: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Avira AntiVir Scheduler: "C:\Program Files\Avira\AntiVir Desktop\sched.exe" (autostart)
Avira AntiVir Guard: "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" (autostart)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
@%SystemRoot%\system32\audiosrv.dll,-204: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\audiosrv.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
avgntflt: system32\DRIVERS\avgntflt.sys (autostart)
@%SystemRoot%\system32\bfe.dll,-1001: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\system32\qmgr.dll,-1000: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
@%systemroot%\system32\browser.dll,-100: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft .NET Framework NGEN v4.0.30319_X86: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (autostart)
@%SystemRoot%\system32\cryptsvc.dll,-1001: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@oleres.dll,-5012: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%SystemRoot%\system32\dhcpcsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%SystemRoot%\System32\dnsapi.dll,-101: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\dps.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\ehome\ehstart.dll,-101: %windir%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\system32\emdmgmt.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\wevtsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@comres.dll,-2450: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%systemroot%\system32\fdrespub.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@gpapi.dll,-112: %windir%\system32\svchost.exe -k GPSvcGroup (autostart)
HP CUE DeviceDiscovery Service: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (autostart)
@%SystemRoot%\system32\ikeext.dll,-501: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@comres.dll,-2946: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\srvsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\wkssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Link-Layer Topology Discovery Mapper I/O Driver: system32\DRIVERS\lltdio.sys (autostart)
@%SystemRoot%\system32\lmhsvc.dll,-101: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
UAC File Virtualization: \SystemRoot\system32\drivers\luafv.sys (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
@%systemroot%\system32\mmcss.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\FirewallAPI.dll,-23090: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
Net Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (autostart)
@%SystemRoot%\system32\netprof.dll,-246: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\System32\nlasvc.dll,-1: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%SystemRoot%\system32\nsisvc.dll,-200: %systemroot%\system32\svchost.exe -k LocalService (autostart)
Parvdm: system32\DRIVERS\parvdm.sys (autostart)
@%SystemRoot%\system32\pcasvc.dll,-1: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
PEAUTH: system32\drivers\peauth.sys (autostart)
@%SystemRoot%\system32\umpnpmgr.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
Pml Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (autostart)
@%SystemRoot%\System32\polstore.dll,-5010: %SystemRoot%\system32\svchost.exe -k NetworkServiceNetworkRestricted (autostart)
@%systemroot%\system32\profsvc.dll,-300: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@oleres.dll,-5010: %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
Link-Layer Topology Discovery Responder: system32\DRIVERS\rspndr.sys (autostart)
@%SystemRoot%\system32\samsrv.dll,-1: %SystemRoot%\system32\lsass.exe (autostart)
@%SystemRoot%\system32\schedsvc.dll,-100: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\seclogon.dll,-7001: %windir%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\Sens.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\System32\shsvcs.dll,-12288: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\SLsvc.exe,-101: %SystemRoot%\system32\SLsvc.exe (autostart)
@%systemroot%\system32\spoolsv.exe,-1: %SystemRoot%\System32\spoolsv.exe (autostart)
@%SystemRoot%\system32\wiaservc.dll,-9: %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
@%SystemRoot%\system32\sysmain.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\TabSvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\tbssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
TCP/IP Registry Compatibility: System32\drivers\tcpipreg.sys (autostart)
@%SystemRoot%\System32\termsrv.dll,-268: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%SystemRoot%\System32\shsvcs.dll,-8192: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\trkwks.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%systemroot%\system32\upnphost.dll,-213: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\system32\dwm.exe,-2000: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\w32time.dll,-200: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\System32\wersvc.dll,-100: %SystemRoot%\System32\svchost.exe -k WerSvcGroup (autostart)
@%ProgramFiles%\Windows Defender\MsMpRes.dll,-103: %SystemRoot%\System32\svchost.exe -k secsvcs (autostart)
@%Systemroot%\system32\wbem\wmisvc.dll,-205: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\System32\wscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%systemroot%\system32\SearchIndexer.exe,-103: %systemroot%\system32\SearchIndexer.exe /Embedding (autostart)
@%systemroot%\system32\wuaueng.dll,-105: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\wudfsvc.dll,-1000: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
XAudio: system32\DRIVERS\xaudio.sys (autostart)
XAudioService: %SystemRoot%\system32\DRIVERS\xaudio.exe (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\System32\webcheck.dll

--------------------------------------------------
End of report, 14,923 bytes
Report generated in 0.577 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


#2 Grinler (Lawrence Abrams)


  • Admin
  • 43,461 posts

Posted 28 September 2010 - 03:59 PM

Sounds like you're infected. Please follow the steps here:

http://www.bleepingcomputer.com/forums/topic34773.html
