1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

No Control Panel, Admin Rights

Discussion in 'Malware and Virus Removal Archive' started by mihir67m, 2007/11/30.

  1. 2007/11/30
    mihir67m

    mihir67m Inactive Thread Starter

    Joined:
    2007/11/30
    Messages:
    1
    Likes Received:
    0
    Hi Guys,

    Was reading through the forum posts and hoping if you can help me fix my PC without requiring a re-format.

    My PC was hijacked by virus/spyware/malware. I cleaned out most of them using 2 antivirus softwares - initially used a trial version of McAfee and then bought Norton Internet Security which did a much better job (mcAfee didnt seem to fix much so I ended up buying Norton; have not been able to delete mcafee yet since Add/Remove Programs is disabled)

    Presently, most of the adware/trojans seem to be fixed. But these things remain unresolved -

    1) No admin rights. PC has only 1 user w/ Admin rights. I keep getting error msg saying "restrictions on your account. Contact system admin "

    2) Internet Explorer seems to remain hijacked. I get nasty pop ads every couple of minutes. I have been using Mozilla and that works perfectly well.

    Would highly appreciate if you can guide me on how to get my PC back to normal.

    Here is the HijackThis scan log file ----------->

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:41 AM, on 11/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\avp.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\McAfee\MSK\MskAgent.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Administrator\Application Data\??crosoft.NET\c?rss.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\QdrPack\QdrPack9.exe
    C:\Program Files\Web Buying\v1.8.6\webbuying.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\SiteAdvisor\6028\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    c:\program files\mcafee\msc\mcuimgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Program Files\Fund Manager\Fm.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe "
    O4 - HKLM\..\Run: [qjcvodcn] rundll32.exe "C:\Program Files\qjcvodcn\wvupifwv.dll ",Init
    O4 - HKLM\..\Run: [mtazsnwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mtazsnwp.dll "
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernelwind32.exe
    O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
    O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CLRHost] C:\blp\API\OFFICE~1\bbxlcmd.exe
    O4 - HKCU\..\Run: [Lerm] "C:\PROGRA~1\COMMON~1\PPATCH~1\dvdplay.exe" -vt yazb
    O4 - HKCU\..\Run: [Hrfcodo] "C:\Documents and Settings\Administrator\Application Data\??crosoft.NET\c?rss.exe "
    O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe "
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKCU\..\Run: [A00FFE556.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FFE556.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/icaweb.cab
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9CAE22-6AB5-4B08-B42D-80B5E70D2EF9}: NameServer = 85.255.116.131,85.255.112.112
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5140FD-AC89-46C0-B691-BB1B90589F0F}: NameServer = 85.255.116.131,85.255.112.112
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.112
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.112
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe (file missing)
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\microsoft frontpage\profsyxym.html

    --
    End of file - 11031 bytes
     
  2. 2007/12/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS mihir67m :)

    Download ComboFix by sUBs from here, saving the file to your desktop.

    Download FixWareout from here and save it to your desktop.

    Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Close HijackThis.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Just close it for now.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.



    • Double click FixWareout.exe to start it.
    • Click Next, then Install. Make sure "Run fixit" is checked and click Finish
    • The fix will begin. Please follow the prompts
    • If your firewall gives an alert (because this tool will download an additional file from the internet) please don't let your firewall block it, but allow it instead.
    • Then you will be asked to reboot your computer. Please do so.
    [color= "#FF0000"]Your system may take longer than usual to load .... this is normal.[/color]

    Once the desktop loads, please post the text that will open (report.txt), the ComboFix log located at C:\ComboFix.txt and a new Hijackthis log.
     

  3. to hide this advert.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.