
HELP! My computer has been taken over by another ADMIN user!


11 replies to this topic

#1 Amznwmn

  • Members
  • 7 posts

Posted 17 April 2012 - 01:10 AM

I am the ADMIN acct user on my laptop, however, recently I haven't been able to run the disk defragmenter, or other admin tools/files.

When I ran the HijackThis program, it couldn't access the "host" file, so I followed the instructions to try to run as admin, but that didn't even come up in the list of options when I right-clicked the icon. So I followed the other instructions to enter a command in the "Run" command line, deleted the alternate host and when I tried to save the new file, I was given an error message saying I didn't have permission to do that.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by AMZNWMN at 21:25:04 on 2012-04-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2494.1233 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\defrag.exe
C:\Windows\system32\DfrgNtfs.exe
C:\Windows\system32\WUDFHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.msn.com
mDefault_Page_URL = www.google.com
mSearch Page = www.google.com
mSearch Bar = www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {F3DF2532-A2CC-48D8-8643-A033AE4FC313} - No File
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_client_4.5.1.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1B06F666-2B9C-400D-9269-0E13A1A6E9BB} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{51934ED1-9031-40B3-B4C7-63FC34662405} : DhcpNameServer = 75.75.75.75 75.75.76.76
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-5 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-25 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-25 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-25 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2012-1-7 44768]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-1-20 21504]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 253600]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-26 136176]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-04-10 01:29:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-10 01:29:05 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 01:32:32 4431872 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:01:48 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-02-08 03:02:54 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2012-02-08 03:00:50 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2012-02-08 03:00:49 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-02-08 03:00:49 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-02-08 03:00:49 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-02-08 03:00:49 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-02-08 03:00:48 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-02-08 03:00:48 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-02-08 03:00:48 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2012-01-21 06:47:11 82432 ----a-w- c:\windows\system32\axaltocm.dll
2012-01-21 06:47:11 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2012-01-20 19:57:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 21:26:25.78 ===============



#2 Amznwmn

  • Topic Starter
  • Members
  • 7 posts

Posted 20 April 2012 - 12:57 AM

I'm not trying to bump this, but I haven't had a reply yet and am concerned about using my laptop.

Help? Please?

#3 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 21 April 2012 - 01:09 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

The defrag program is shown as active in your DDS log.
C:\Windows\system32\defrag.exe

Open your Task Manager at the process level and stop it if it is still running.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#4 Amznwmn

  • Topic Starter
  • Members
  • 7 posts

Posted 23 April 2012 - 01:35 PM

I will do all of this today when I get home and let you know what happens. Thank you for your help!

#5 Amznwmn

  • Topic Starter
  • Members
  • 7 posts

Posted 24 April 2012 - 12:42 AM

Here is the combofix file:


ComboFix 12-04-23.03 - AMZNWMN 04/23/2012 20:08:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2494.1539 [GMT -7:00]
Running from: c:\users\AMZNWMN\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\urttemp
c:\windows\system32\urttemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-24 to 2012-04-24 )))))))))))))))))))))))))))))))
.
.
2012-04-24 03:16 . 2012-04-24 03:16 -------- d-----w- c:\users\AMZNWMN\AppData\Local\temp
2012-04-24 02:45 . 2012-04-24 02:45 -------- d-----w- c:\users\AMZNWMN\BOOKS
2012-04-11 04:29 . 2012-04-11 04:29 388096 ----a-r- c:\users\AMZNWMN\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-11 04:29 . 2012-04-11 04:29 -------- d-----w- c:\program files\Trend Micro
2012-04-10 01:09 . 2012-04-10 01:29 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-10 01:29 . 2011-10-29 05:41 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 22:56 . 2011-02-19 06:47 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 01:32 . 2012-03-10 01:32 4431872 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-06 23:15 . 2010-11-25 18:21 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2010-11-25 18:21 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-06-05 18:32 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2010-11-25 18:22 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2010-11-25 18:22 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2010-11-25 18:22 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2010-11-25 18:22 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-06 23:01 . 2010-11-25 18:22 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-08 03:03 . 2012-02-08 03:03 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-08 03:03 . 2012-02-08 03:03 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-08 03:03 . 2012-02-08 03:03 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-02-08 03:03 . 2012-02-08 03:03 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-02-08 03:03 . 2012-02-08 03:03 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-08 03:03 . 2012-02-08 03:03 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-02-08 03:03 . 2012-02-08 03:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-02-08 03:03 . 2012-02-08 03:03 367104 ----a-w- c:\windows\system32\html.iec
2012-02-08 03:03 . 2012-02-08 03:03 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-02-08 03:03 . 2012-02-08 03:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-02-08 03:03 . 2012-02-08 03:03 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-02-08 03:03 . 2012-02-08 03:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-08 03:03 . 2012-02-08 03:03 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-08 03:03 . 2012-02-08 03:03 1798144 ----a-w- c:\windows\system32\jscript9.dll
2012-02-08 03:03 . 2012-02-08 03:03 152064 ----a-w- c:\windows\system32\wextract.exe
2012-02-08 03:03 . 2012-02-08 03:03 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-02-08 03:03 . 2012-02-08 03:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-02-08 03:03 . 2012-02-08 03:03 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-08 03:03 . 2012-02-08 03:03 11776 ----a-w- c:\windows\system32\mshta.exe
2012-02-08 03:03 . 2012-02-08 03:03 101888 ----a-w- c:\windows\system32\admparse.dll
2012-02-08 03:03 . 2012-02-08 03:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-02-08 03:02 . 2012-02-08 03:02 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2012-02-08 03:02 . 2012-02-08 03:02 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2012-02-08 03:02 . 2012-02-08 03:02 98816 ----a-w- c:\windows\system32\mfps.dll
2012-02-08 03:02 . 2012-02-08 03:02 586240 ----a-w- c:\windows\system32\stobject.dll
2012-02-08 03:02 . 2012-02-08 03:02 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2012-02-08 03:02 . 2012-02-08 03:02 2873344 ----a-w- c:\windows\system32\mf.dll
2012-02-08 03:02 . 2012-02-08 03:02 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2012-02-08 03:02 . 2012-02-08 03:02 209920 ----a-w- c:\windows\system32\mfplat.dll
2012-02-08 03:02 . 2012-02-08 03:02 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2012-02-08 03:02 . 2012-02-08 03:02 847360 ----a-w- c:\windows\system32\OpcServices.dll
2012-02-08 03:02 . 2012-02-08 03:02 797184 ----a-w- c:\windows\system32\FntCache.dll
2012-02-08 03:02 . 2012-02-08 03:02 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-08 03:02 . 2012-02-08 03:02 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2012-02-08 03:02 . 2012-02-08 03:02 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-02-08 03:02 . 2012-02-08 03:02 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2012-02-08 03:02 . 2012-02-08 03:02 478720 ----a-w- c:\windows\system32\dxgi.dll
2012-02-08 03:02 . 2012-02-08 03:02 37376 ----a-w- c:\windows\system32\cdd.dll
2012-02-08 03:02 . 2012-02-08 03:02 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2012-02-08 03:02 . 2012-02-08 03:02 258048 ----a-w- c:\windows\system32\winspool.drv
2012-02-08 03:02 . 2012-02-08 03:02 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-08 03:02 . 2012-02-08 03:02 189952 ----a-w- c:\windows\system32\d3d10core.dll
2012-02-08 03:02 . 2012-02-08 03:02 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-08 03:02 . 2012-02-08 03:02 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2012-02-08 03:02 . 2012-02-08 03:02 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2012-02-08 03:02 . 2012-02-08 03:02 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-08 03:02 . 2012-02-08 03:02 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-08 03:02 . 2012-02-08 03:02 1029120 ----a-w- c:\windows\system32\d3d10.dll
2012-02-08 03:02 . 2012-02-08 03:02 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-02-08 03:00 . 2012-02-08 03:00 4096 ----a-w- c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2012-02-08 03:00 . 2012-02-08 03:00 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-02-08 03:00 . 2012-02-08 03:00 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-02-08 03:00 . 2012-02-08 03:00 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-02-08 03:00 . 2012-02-08 03:00 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-02-08 03:00 . 2012-02-08 03:00 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-02-08 03:00 . 2012-02-08 03:00 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-02-08 03:00 . 2012-02-08 03:00 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2447480966-3888228188-3149487418-1000]
"EnableNotificationsRef"=dword:00000003
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 253600]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 01:29]
.
2012-04-24 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-25 00:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.msn.com
mSearch Bar = www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{F3DF2532-A2CC-48D8-8643-A033AE4FC313} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-23 20:16
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-04-23 20:19:06
ComboFix-quarantined-files.txt 2012-04-24 03:19
.
Pre-Run: 90,163,982,336 bytes free
Post-Run: 89,714,319,360 bytes free
.
- - End Of File - - 793A4BB4D0D3BAE33127986F57AAEE77


and here is the security check:

Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 22
Java™ 6 Update 2
Java version out of date!
Adobe Flash Player 11.2.202.228
Adobe Reader 8 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
``````````End of Log````````````


Here is what's bugging me - you can tell me if this is normal or not (I have a feeling it's not):

When I look in the Services folder and more closely at some of the service properties, a number of services that are running have to do with network access or remote access to my laptop. They are all located in one version or another of a file called "C:\Windows\system32\svchost.exe -k netsvcs" (or "svchost.exe -k LocalService" or "svchost.exe -k LocalSystemNetworkRestricted").

When I click on the Log On tab, on each one there is a hardwire profile called "undocked profile" that is enabled. Sometimes it shows to log on the local system acct, while others are checked to sign on with a specific acct name (either Local Service or NT AUTHORITY or Network Service) with a hidden password.

Also, there are a number of services, such as Remote Access Control Manager, Task Scheduler Properties, and Dcom Server Process Launcher Properties, that will not allow me to stop the service (it starts automatically) or make any other changes.

I tried to open Task Scheduler from the Administrator Tools link and an error msg came up saying, "An error has occurred for task Reminders - AMZNWMN. Error message: "The specified account name is not valid."

I looked at some of the other bothersome things also:

In the Event Viewer Security log, it showed that "special privileges assigned to a new logon." Some of the privileges include: SecurityPrivilege; TakeOwnershipPrivilege; and "seImpersonatePrivilege." Then "an account was successfully logged on: Acct name: B$ on computer B." It included a new logon: Security ID: SYSTEM, Acct name: SYSTEM, Acct Domain: NT AUTHORITY.

Another event log showed, "a logon was attempted using explicit credentials. Account whose credentials were used: Acct name: System, Acct domain: NT AUTHORITY, Target service name: localhost."

There was an event where "an attempt was made to unregister a security event source."

These are only a fraction of the events and network connections being made and remote access being made that are listed in the Event logs for this evening (since I ran ComboFix).

:{ What should I do now?



The Dh
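The Security-log entries quoted in the post above have fixed event IDs on Vista and later: 4672 (special privileges assigned to a new logon), 4648 (logon attempted using explicit credentials) and 4905 (attempt to unregister a security event source). The built-in service accounts raise them continuously as services start and stop, so the useful question is which other accounts raise them. The following PowerShell script is an added example, not something posted in the thread; it tallies those three events by account and lists the ones that did not come from SYSTEM, LOCAL SERVICE, NETWORK SERVICE or the computer account. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread: summarise Security-log events 4672,
# 4648 and 4905 by the account that raised them.
param([int]$Hours = 24)

$filter = @{
    LogName   = 'Security'
    Id        = 4672, 4648, 4905
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# In all three events the EventData fields start with SubjectUserSid,
# SubjectUserName, SubjectDomainName, SubjectLogonId.
$rows = foreach ($e in $events) {
    $p = $e.Properties
    $detail = switch ($e.Id) {
        # 4672: field 4 is the PrivilegeList (whitespace-separated)
        4672 { ($p[4].Value -replace '\s+', ' ').Trim() }
        # 4648: fields 5/6 target user/domain, 8 target server, 11 process name
        4648 { "target=$($p[6].Value)\$($p[5].Value) server=$($p[8].Value) process=$($p[11].Value)" }
        # 4905: keep the first line of the rendered message
        4905 { (($e.Message -split "`n")[0]).Trim() }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = "$($p[2].Value)\$($p[1].Value)"   # DOMAIN\user
        Detail  = $detail
    }
}

# Accounts that raise these events as part of normal operation: the three
# service identities and this machine's own computer account (NAME$).
$routine = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    "*\$env:COMPUTERNAME`$"
)
function Test-RoutineAccount([string]$Account) {
    foreach ($r in $routine) { if ($Account -like $r) { return $true } }
    return $false
}

"Event counts per (event id, account) in the last $Hours hour(s):"
$rows | Group-Object Id, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Events raised by accounts other than the built-in ones:"
$rows | Where-Object { -not (Test-RoutineAccount $_.Account) } |
    Sort-Object Time | Format-Table Time, Id, Account, Detail -AutoSize -Wrap
```

An empty second table means every such event in the window came from the accounts Windows uses internally.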

#6 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 24 April 2012 - 12:19 PM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 22
Java™ 6 Update 2


===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.10 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

On the service issue.

Copy the text in bold to Notepad and save the file as MyNetsvcs.bat on your desktop.

@echo off
rem Dump every service key, keep only the key names and the ImagePath lines
rem that run under "svchost.exe -k netsvcs", fold each such ImagePath onto
rem its key line, then strip everything but the service name.
rem swreg and SED are not standard Windows tools; they must be on the PATH.
swreg query hklm\system\currentcontrolset\services /s |(
SED -r "/^HK|^ +ImagePath.*-k netsvcs/I!d" |(
SED -r ":a; $!N;s/\n.*\t.*/\t/;ta;P;D" |(
SED -r "/.*\\(.*)\t/!d; s//\1/"
)))>Log.txt
Start Notepad Log.txt


Run the MyNetsvcs.bat file. (Right click the file and run as Administrator)

Notepad will open the file Log.txt. Please post the contents back here.
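A PowerShell equivalent of the netsvcs check above, added here as an example and not part of nasdaq's instructions: besides the service names the batch file lists, it shows the ServiceDll each netsvcs service loads and whether the name is declared in the OS's own Svchost group list, which is what lets a hijacked or out-of-place entry be told apart from the expected ones. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread: enumerate services that run inside
# "svchost.exe -k netsvcs" and show the DLL each one actually loads.
param([string]$Group = 'netsvcs')

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$sys32    = Join-Path $env:SystemRoot 'system32'

# Names the OS itself declares as members of the group (REG_MULTI_SZ value).
$declared = @((Get-ItemProperty -Path $groupKey).$Group)

$results = foreach ($key in Get-ChildItem -Path $svcRoot) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.ImagePath) { continue }

    # Same test as the batch file's sed: ImagePath carries "-k <group>", any case.
    $pattern = 'svchost\.exe.*-k\s+' + [regex]::Escape($Group) + '(\s|$)'
    if ($svc.ImagePath -notmatch $pattern) { continue }

    # ServiceDll normally lives under <service>\Parameters; a few services
    # keep it directly on the service key, so check both places.
    $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($params -and $params.ServiceDll) { $params.ServiceDll } else { $svc.ServiceDll }
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    [pscustomobject]@{
        Service    = $key.PSChildName
        Start      = $svc.Start            # 2 = automatic, 3 = manual, 4 = disabled
        ServiceDll = $dll
        DllOnDisk  = [bool]($dll -and (Test-Path -LiteralPath $dll))
        Declared   = $declared -contains $key.PSChildName
    }
}

"Services hosted in the '$Group' group:"
$results | Sort-Object Service | Format-Table -AutoSize

# Anything listed here deserves a second look: a member the OS does not
# declare, a DLL outside system32, or a DLL path that does not exist on disk.
"Entries to review:"
$results | Where-Object {
    -not $_.Declared -or -not $_.DllOnDisk -or
    ($_.ServiceDll -and $_.ServiceDll -notlike "$sys32\*")
} | Format-Table -AutoSize
```

Compare the first table against the list of names the batch file produces; the two should agree.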

#7 Amznwmn

  • Topic Starter
  • Members
  • 7 posts

Posted 25 April 2012 - 12:20 AM

Here's the netsvcs log:

AeLookupSvc
Appinfo
AppMgmt
BITS
Browser
CertPropSvc
EapHost
hkmsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
MSiSCSI
ProfSvc
RasAuto
RasMan
RemoteAccess
Schedule
SCPolicySvc
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
Themes
wercplsupport
Winmgmt
wuauserv

I have always made it a point to disable any and all remote access services or applications. Although I usually have a router hooked up to my pc, I have taken it out of circulation for now until this issue is gone. Even then, I also try to disable any network access services/applications or programs since there is no reason to have any of them enabled. But, now, EVERYTHING related to remote access and network access seems to be enabled and locked so I can't change it.

Anyway, got Java updated along with Flash Player.

However, when attempting to update Reader, I had problems. The installer got to about 96% then a window opened and said "the following application is using files that need to be updated by this setup. Close this application and retry or exit." Adobe Reader 8.1 was listed in the window below the statement.

Another window that opened shortly after that said, "the file cannot be verified. The install process encountered a problem. Please choose one of the following options:"
One option said to stop updating but continue installing the other files. The other option said to stop installation, so I cancelled and backed out of it.

Then I went into Programs and tried to uninstall Reader so I could restart my computer and try to install the updated version. However, during the uninstall I got another message that said, "A process is running that cannot be shut down by Setup. Please either close all applications and run Setup again or restart your computer and run setup again."

At that point, I stopped because I've seen messages like this that are coming from the "alien host" rather than Windows or the actual application.

I am tempted to dump everything on my laptop and just do a complete system restore to factory settings from my recovery disk, if you think that would get rid of whatever has such a tough grasp on it.

thanks for your help. I look forward to hearing back soon.

#8 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 25 April 2012 - 08:37 AM

I am tempted to dump everything on my laptop and just do a complete system restore to factory settings from my recovery disk, if you think that would get rid of whatever has such a tough grasp on it.


Continuing to search for a solution may take a few days and more.

Restoring your systems may take only a few hours.

Let me know how you want to proceed.

#9 Amznwmn

  • Topic Starter
  • Members
  • 7 posts

Posted 27 April 2012 - 02:27 AM

I restored my laptop to factory settings. I haven't checked anything yet to see if the alien is gone, but will try to do so over the weekend.

I have another problem but may have to take it to a different forum. Please let me know if that's what I need to do.

I thought I knew something about my pc when I changed some of the permissions. I was wrong. I have Windows 2003, and now when I try to log on, I get a msg that says I can't log on "interactively". I have no idea what that means.

I cannot for the life of me get past the windows sign on screen. I've booted up in safe mode, safe mode with command prompt, safe mode with networking, etc., but they all revert back to the sign on screen.

Is there a way to completely by-pass the Windows 2003 sign on screen so I can get in and do a system restore?? Argh!

I'd appreciate any help you could give me! Thank you!!

#10 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 27 April 2012 - 07:25 AM

I suggest you post this problem in this forum.

Windows NT/2000/2003/2008
http://www.bleepingcomputer.com/forums/forum83.html

#11 Amznwmn

  • Topic Starter
  • Members
  • 7 posts

Posted 30 April 2012 - 01:49 PM

I did a system restore to factory settings. That didn't help. It's still there.

I had gone into the Admin tools and into the security inbound and outbound connection rules. I was in the process of changing them all to block all incoming and outgoing connections. I was getting tired, so I left my laptop turned on, but my wireless disabled and my internet unplugged. I thought that would prevent any internet connection. It didn't.

When I got up yesterday morning and was going to start back into changing all those rules again, I noticed that my laptop was turned off. When I booted up and signed in, I got a Windows msg that said it had restarted my computer to install recent updates. I checked the installed updates history and saw that some updates were installed yesterday morning (2 AM) after I had gone to bed. The history showed a number of failed attempts, then a final successful installation.

Then I tried to go back into the Admin tools. Every option I tried to open brought up a window off to the left side of my screen that said an unknown program wanted to access my computer, and asked if I wanted to allow it or not. Of course, I didn't. Consequently, I can no longer access any Admin tools.

I did manage to find another list of programs that come on at start up and saw 2 entries for "wireless assistant", which I disabled.

Also, when I was changing those rules, all of a sudden my mouse stopped working (I use a wireless mouse rather than the touchpad on the laptop). I thought it might be my battery, but it happened twice. When it happened yesterday, I immediately unplugged the power cord and took the battery out so it has no power source at all.

I am assuming that there is a task scheduled in there somewhere that turned the wireless on so that would allow for the remote access to make the changes to the Admin tools.

I think I need to go back to the beginning, i.e. the system restore. System restore to factory settings is different than doing a system recovery right? I have a "system recovery" disc but it wasn't needed to do the restore.

Obviously the system restore didn't get rid of it, but maybe the system recovery would? If so, how do I do a system recovery with the disc? I thought that's what I was doing before, but when I checked the Windows help, it kept referring to restore rather than recovery. Can you give me a step-by-step to use the disc and do a system recovery, if you think that would work?

Thanks for your help.

#12 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Location:Montreal, QC. Canada

Posted 01 May 2012 - 07:54 AM

Search for this string on Google: "System restore to factory".

You will find instructions for the Manufacturer's computer. HP, Dell etc...

The Manufacturer's site may give you the exact information also.

If at any time you need help please ask.



