Infected - Lost Admin Rights.


9 replies to this topic

#1 Bob Harding

Posted 17 August 2006 - 08:10 AM

The problem started when a colleague had an Excel file he'd forgotten the password to. I downloaded a password utility and ran it. It was not a program at all but a suite of spyware. (I still have the program if you want to have a look, via a VMware machine or similar.)

Now the Windows Firewall is switched off and I'm told I don't have admin rights to switch it back on again (this applies when logged on as admin in Safe Mode as well). I cannot call up Task Manager either. Ad-Aware detects and fixes the Task Manager problem, but it comes back at reboot.

I've used Ad-Aware, Spybot and Spyware Doctor and cleared out a load, but the main problem remains. Spyware Doctor reports Backdoor.CIADoor.13; it says it has fixed it, but it's there when re-scanned.

As the 'login startup' begins the firewall is 'on' but gets turned off as the computer finishes its startup, which makes me think that there is something in the startup sequence. I've used HijackThis and suspect a 'userinit' entry that I'd not noticed before, but the best internet advice says it should be there.

I hope someone out there can help me ....

#2 tg1911

Posted 17 August 2006 - 08:55 AM

Have you run any online virus scanners?
Try these:
http://www.pandasoftware.com/activescan/
http://housecall.trendmicro.com/

Also this online Trojan scanner:
TrojanScan

#3 Bob Harding

Posted 17 August 2006 - 05:59 PM

tg - thanks for getting back

I've tried what you suggested and they did find 'bits and bobs' and fixed them, but nothing to touch the problem. The Trojan Scanner engine (ActiveX controls) wouldn't download properly, but I'm running that much antispyware at the moment I'm not surprised.

I've tried (in safe mode) deleting these entries in Hijackthis but they pop back again on reboot:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svcvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe

this one worries me - I just wonder if this is responsible for the loss of admin rights? What do you think?

F2 - REG:system.ini: UserInit=userinit.exe

These two I'm just not sure about:

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

#4 Bob Harding

Posted 18 August 2006 - 08:33 AM

Latest update.

XoftSpy promised a fix and tech support. It detected CIA keylogger and said it fixed it, but it came back on reboot. Nothing from support yet (why am I not surprised). SO ...

In Safe Mode, logged in as admin, I ran XoftSpy, Spyware Doctor, Ad-Aware and Spybot to thoroughly clean. Removed entries in HijackThis as suggested. Logged on as me (bob) and repeated; got a clean bill of health.

Logged on as normal and everything was back as before - no difference.

Current HijackThis log below ... Current thinking is a rebuild over the weekend!!! I do have an application called StartupList which looks very comprehensive but is beyond my ability to read; it has a log file which I could send?

Bob

Logfile of HijackThis v1.99.1
Scan saved at 14:28:43, on 18/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Utilities\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Utilities\Skype Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Utilities\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Utilities\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svcvhost.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Utilities\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Utilities\Skype Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Utilities\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Utilities\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144762899859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144763800015
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Utilities\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#5 quietman7

Posted 18 August 2006 - 02:27 PM

I have split your most current HJT log away from this thread and moved it into the HJT forum.

You can find your log here: http://www.bleepingcomputer.com/forums/t/62596/infected-lost-admin-rights/

I left the previous one that you posted above in case it is needed as a reference.

Now that your log is posted there, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modification you make may complicate the malware removal process and could adversely affect your system.

Please be patient and wait for a response from an HJT Team member.

Edited by quietman7, 18 August 2006 - 02:29 PM.


#6 Bob Harding

Posted 18 August 2006 - 02:46 PM

Thanks Quietman. It's such a good service that you're offering, I just can't believe that you're prepared to stick with it; it's really good of you. I shall be making a donation for sure.

I was thinking of setting up a VMware machine and doing a HijackThis log and a startup log, then running the dodgy software and seeing what changes were made. I've never created a VMware machine before though, and it sounds like I shouldn't install any software whilst you guys are working on it.

Incidentally the rubbish seems to be over and hasn't come back - possibly the CIA.backdoor trojan/keylogger/whatever is now gone. Just the access rights to sort out?

I can't help but wonder what made it come back the once though?

#7 Bob Harding

Posted 18 August 2006 - 03:39 PM

Nothing much to add, except the original offending software contained the snippet at the bottom ..

The offending software seems to be linked to 54.164.213.201; this belongs to:
OrgName: Merck and Co., Inc.
OrgID: MERCKA
Address: 126 East Lincoln Avenue
City: Rahway
StateProv: NJ
PostalCode: 07095
Country: US
Comment:
RegDate: 1992-03-17
Updated: 2005-12-21

I'm not the first to run foul of them ... I don't think it helps at all though ..

http://gladiator-antivirus.com/forum/index...showtopic=20173


**********Offending program snippet**********
;Der Kommentar unten enthält SFX Skript Befehle! (German: "The comment below contains SFX script commands!")

Path=%systemroot%\
SavePath
Setup=[O]meg[A]_Engine.exe
Presetup=Prices.txt
Silent=1
Overwrite=1
Title=[O]meg[A]_Final Counterstrike Hack Engine
Text
{
Released @ 08.14.2006
CS 1.6
By the [O]meg[A] Group
}
License=[O]meg[A]_Final
{
[O]meg[A]_Final Edition released @ 08.14.2006

Kenntucky USA

By The [O]meg[A] Group

Visit us
TS2@54.164.213.201:5465

Have Fun
}
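
Added example (editor's code, not from the post or from the archive's authors): a parser for the SFX comment quoted above. The snippet is a WinRAR-style self-extractor script: `Path=` sets the extraction directory, `Silent=1` suppresses the extraction dialog, `Overwrite=1` replaces existing files without asking, `Setup=` names a program to run after extraction and `Presetup=` one to run before it. The parser reads the `key=value` lines and the `{ ... }` blocks that follow `Text` and `License`, then explains why this particular combination is a dropper and pulls out the indicators worth hunting for (the dropped executable and the IP:port in the license text). SFX_COMMENT is the snippet from the post used as sample input; the reading of `Presetup=Prices.txt` as a decoy opened through its file association is the editor's interpretation, not something the post states.

```python
"""Parse a WinRAR-style SFX comment and explain why it behaves as a dropper.

Editor's example, not code from the post. Only the SFX commands that
appear in the quoted snippet are interpreted. SFX_COMMENT is the snippet
from the post, reproduced here as sample input.
"""
import re

SFX_COMMENT = r"""
;Der Kommentar unten enthält SFX Skript Befehle!

Path=%systemroot%\
SavePath
Setup=[O]meg[A]_Engine.exe
Presetup=Prices.txt
Silent=1
Overwrite=1
Title=[O]meg[A]_Final Counterstrike Hack Engine
Text
{
Released @ 08.14.2006
CS 1.6
By the [O]meg[A] Group
}
License=[O]meg[A]_Final
{
[O]meg[A]_Final Edition released @ 08.14.2006

Kenntucky USA

By The [O]meg[A] Group

Visit us
TS2@54.164.213.201:5465

Have Fun
}
"""

# Extraction targets that land files in a protected system location.
SYSTEM_DIRS = ("%systemroot%", "%windir%", "%programfiles%")
IPV4_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
EXECUTABLE = (".exe", ".com", ".bat", ".cmd")


def parse_sfx(comment):
    """Return {key: {"value": str|None, "block": [lines]|None}}; keys are lower-cased."""
    raw = [l.rstrip() for l in comment.splitlines()]
    script, i = {}, 0
    while i < len(raw):
        line = raw[i].strip()
        i += 1
        if not line or line.startswith(";"):  # blank or comment line
            continue
        key, eq, value = line.partition("=")
        block = None
        if i < len(raw) and raw[i].strip() == "{":  # multi-line body follows
            i += 1
            block = []
            while i < len(raw) and raw[i].strip() != "}":
                block.append(raw[i].strip())
                i += 1
            i += 1  # skip the closing brace
        script[key.strip().lower()] = {"value": value.strip() if eq else None, "block": block}
    return script


def assess(script):
    """Return (reasons, indicators): why the archive is a dropper and what to hunt for."""
    reasons, iocs = [], {"files": [], "network": []}
    path = (script.get("path", {}).get("value") or "").lower()
    if path.startswith(SYSTEM_DIRS):
        reasons.append(f"extracts into a system directory ({path})")
    if script.get("silent", {}).get("value") == "1":
        reasons.append("Silent=1: no extraction dialog is shown to the user")
    if script.get("overwrite", {}).get("value") == "1":
        reasons.append("Overwrite=1: existing files at the target are replaced without prompting")
    setup = script.get("setup", {}).get("value")
    if setup:
        reasons.append(f"Setup= runs {setup} after extraction")
        iocs["files"].append(setup)
    presetup = script.get("presetup", {}).get("value")
    if presetup:
        iocs["files"].append(presetup)
        if not presetup.lower().endswith(EXECUTABLE):
            # Editor's reading: a document opened through its file association as a decoy.
            reasons.append(f"Presetup= opens {presetup}, a non-executable shown as a decoy")
    for key in ("text", "license"):  # free-text blocks often carry contact/C2 details
        for line in script.get(key, {}).get("block") or []:
            for ip, port in IPV4_PORT.findall(line):
                iocs["network"].append(f"{ip}:{port}" if port else ip)
    return reasons, iocs


if __name__ == "__main__":
    reasons, iocs = assess(parse_sfx(SFX_COMMENT))
    print("\n".join(reasons))
    print("files:", iocs["files"], "network:", iocs["network"])
```

The point of the exercise is that nothing here needs the archive to be run: the comment block is plain text inside the archive, so the install directory, the silent flag and the name of the executable that is launched can all be read from a suspect file before it is opened, and the IP:port from the license text can go straight onto a firewall or proxy watch list.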

#8 Bob Harding

Posted 19 August 2006 - 06:32 AM

Update

I seem to be clear now. The command prompt was a registry key:

I had to search for regedit because I can't run it from the command prompt of course ..

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]

In the right pane, double-click DisableCMD and set its data to 0.

The main problem left is access to the windows firewall settings. I've killed Shared Access to clear the virus but need it again to access the windows firewall and am a little anxious about re-initialising it.

#9 quietman7

Posted 19 August 2006 - 06:50 AM

As I said before, after posting a log you should NOT make further changes to your computer unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted, and any modification you make may complicate the malware removal process.

#10 Bob Harding

Posted 19 August 2006 - 07:26 AM

Sorry quietman

I thought I was helping to reduce the work, hoping to share any little knowledge I'd gained. You're probably right though because the Administrator accounts also couldn't access the command prompt so a 'current user' key doesn't seem 100% correct. (unless it set it every time I logged in for whatever 'current user' I guess).

I'll do nothing more until I hear from you guys.

The Windows Firewall seems to be on now (I didn't do anything, it just was on) but I cannot access the firewall configuration from the Control Panel applet; the error is "Due to an unidentified error, Windows cannot display Windows Firewall settings".

Bob
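
Added example (editor's code, not the poster's fix or anything advised in the thread) for the registry question raised in posts #8 and #10. `HKEY_CURRENT_USER` is not a separate hive; it is a view of `HKEY_USERS\<SID>` for whichever account is logged on, so the `DisableCMD` value at `HKCU\Software\Policies\Microsoft\Windows\System` is a per-profile setting and has to be checked under each account's SID to know which accounts are locked down. The script parses a Regedit 5 `.reg` export (as produced by Regedit's Export or `regedit /e`) and reports the lockdown policy values per profile. `DisableCMD` 1 blocks cmd.exe and batch files, 2 blocks cmd.exe but allows batch files, 0 allows both; `DisableTaskMgr` and `DisableRegistryTools` under `Software\Microsoft\Windows\CurrentVersion\Policies\System` are the standard user policies for Task Manager and Registry Editor. SAMPLE_REG is constructed: the SIDs, the second profile and its values are made up to show the per-profile reading and are not from the post.

```python
"""Audit a .reg export for the user lockdown policies a lockdown trojan sets.

Editor's example, not the poster's fix. SAMPLE_REG is constructed: the SIDs
and the second profile are invented to show that the same policy path is
read per profile from HKEY_USERS.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000
"""

# policy key (relative to the profile root, lower-cased) -> value name -> meaning per setting
POLICIES = {
    r"software\policies\microsoft\windows\system": {
        "disablecmd": {0: "command prompt allowed",
                       1: "cmd.exe and batch files blocked",
                       2: "cmd.exe blocked, batch files allowed"},
    },
    r"software\microsoft\windows\currentversion\policies\system": {
        "disabletaskmgr": {0: "Task Manager allowed", 1: "Task Manager blocked"},
        "disableregistrytools": {0: "Registry Editor allowed", 1: "Registry Editor blocked"},
    },
}

SECTION = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)(?:\\(?P<rest>.*))?\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text):
    """Return {(hive, key_path): {value_name_lower: int_or_str}} for a Regedit 5 export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = (m.group("hive"), m.group("rest") or "")
            entries.setdefault(current, {})
            continue
        v = VALUE.match(line)
        if v and current is not None:
            data = v.group("data")
            if data.lower().startswith("dword:"):
                entries[current][v.group("name").lower()] = int(data[6:], 16)
            else:
                entries[current][v.group("name").lower()] = data.strip('"')
    return entries


def lockdowns(entries):
    """Return {profile: [(value_name, setting, meaning)]} for tracked policy values present."""
    report = {}
    for (hive, rest), values in entries.items():
        if hive == "HKEY_USERS":          # HKEY_USERS\<SID>\<key>: the profile is the SID
            profile, _, key = rest.partition("\\")
        elif hive == "HKEY_CURRENT_USER":  # the logged-on user's view of its own HKEY_USERS\<SID>
            profile, key = "HKCU", rest
        else:
            continue
        for name, table in POLICIES.get(key.lower(), {}).items():
            if name in values:
                setting = values[name]
                meaning = table.get(setting, f"nonstandard value {setting}")
                report.setdefault(profile, []).append((name, setting, meaning))
    return report


def blocked(report, profile):
    """Names of the tools a profile is blocked from (any nonzero setting)."""
    return sorted(name for name, setting, _ in report.get(profile, []) if setting)


if __name__ == "__main__":
    for profile, items in lockdowns(parse_reg(SAMPLE_REG)).items():
        for name, setting, meaning in items:
            print(f"{profile}: {name}={setting} ({meaning})")
```

On the constructed sample the 1004 profile is blocked from the command prompt, Task Manager and Registry Editor while the 500 profile is not, which is the kind of per-account difference that a single HKCU check made while logged on as one user cannot show. A lockdown that keeps reappearing after being reset to 0 is being rewritten by something that is still running; the value is the symptom, not the cause.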
