Tech Support Forum
Status
Not open for further replies.
1 - 12 of 12 Posts

Discussion Starter · #1 ·
Please help. I have a PC that is infected really badly, to the point that I am not able to perform the 5 steps because this thing has caused me to lose my connection with my ISP.

Let me just explain a little about how bad it is: I am on an administrator account and I am getting errors like my task manager and registry editing have been disabled by the administrator.

Will someone please help me? I do have a working P.C. that is hooked up to the world wide web and maybe that can help you help me.
 

TSF Security Manager, Emeritus
Re: No longer does my XP Home PC recognize me as its administrator.

Hi -

Do you have any removable media (USB Stick, CD-R, floppy) to transfer tools to and logs from the affected machine?

If so, download this tool and carry it to the affected machine. Save the logs, and carry them back to the machine you're now using, and post them.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Edit:

P.S. -

Is this the same machine as this one, which you did not reply to?

http://www.techsupportforum.com/security-center/hijackthis-log-help/254783-extra-cautious.html
 

Discussion Starter · #4 ·

Thanks again for the response. This PC that I described as badly infected is a different machine.

O.K., and after hours of searching I think I have found at least one of the virus names.

Trojan.Pandex! is what one of the infections is, and from what I've seen thus far it is really nasty.

And I do have means to transfer logs and almost anything else, although I do have a concern and maybe you have a simple yet comforting solution.

Can't I infect the clean machine if I start to stick anything in the infected PC and return it to the clean one? i.e. floppy, USB stick, CD, etc.

Once again thanks for the help, and I will wait to hear back from you.

P.S.
 

Discussion Starter · #5 ·

Oops, the P.S. was supposed to have been followed by a formal thank you. I have replied to it now and marked it as resolved. I didn't mean to have two threads going on, nor do I want any confusion or obstacle for you while providing me with assistance.

Thanks!
 

TSF Security Manager, Emeritus

Can't I infect the clean machine if I start to stick anything in the infected PC and return it to the clean one
It's possible, yes, but without some sort of logs from the affected machine, there's not much else I can do from here. I won't work blind, sorry.

A CD would be the least likely, floppy next, USB stick most likely to carry an infection from one machine to another. That said, we need to start somewhere. Unless your affected machine has a flash drive infection (did the machine start acting up after inserting a USB stick which had been in some other machine?), the likelihood of transferring infection from one to the other is not great. Worst comes to worst, we disinfect the other machine should it also become infected.

this thing has caused me to lose my connection with my ISP
Does this mean the machine does not connect to the internet, or your ISP has suspended your account?

Can you connect the affected machine to the internet via Safe Mode with Networking? If so, you can carry the tool to the affected machine, create the logs in normal mode, then boot into Safe Mode with Networking to post the logs.

Instructions if needed:

http://www.computerhope.com/issues/chsafe.htm#02

Of course, another option is to format and reinstall clean using your Windows installation CD, or perform a system recovery from the manufacturer's recovery disks, or onboard recovery partition.
 

Discussion Starter · #7 ·

Finally got the infected PC's connectivity restored; through troubleshooting, I found that the infection(s) was the cause of the connectivity loss.

If there is any other order in which you would want me to follow instructions, please tell me so.

Right now I am waiting to hear back from you before proceeding any further.

Again THANK YOU in ADVANCE!
 

Discussion Starter · #9 ·

Deckard's System Scanner v20071014.68
Run by Vanessa on 2008-06-05 20:50:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-06 03:50:59 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-01-02 02:40:04 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-05 20:54:02
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Vanessa\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../verizon/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media.fastclick.net:80/w/safepop.cgi?cid=84342&mid=164634&sid=13762&c=5
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10B5E5C2-8901-4E3C-BF61-AC6E11039292} - C:\WINDOWS\system32\yayvSmLF.dll
O2 - BHO: (no name) - {118225CB-571C-4324-BDAA-ADC88027499F} - C:\WINDOWS\system32\opnmMgGa.dll
O2 - BHO: QXK Olive - {37029E75-F144-4F09-994A-0D897DB219D4} - C:\WINDOWS\boqnrwdmble.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Documents and Settings\Dad\Desktop\My tools\avgssie.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: atfxqogp - {EC2B736E-2B50-4709-A63E-F69855335854} - C:\WINDOWS\atfxqogp.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [28aca437] rundll32.exe "C:\WINDOWS\system32\oqldqgho.dll",b
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Cookie Washer\washidx.exe "Dad"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig () - http://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
O16 - DPF: Yahoo! Pool 2 () - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185214028218
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Documents and Settings\Dad\Desktop\My tools\avgpp.dll (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O20 - Winlogon Notify: yayvSmLF - C:\WINDOWS\system32\yayvSmLF.dll
O21 - SSODL: vregfwlx - {A7FED520-B18E-401D-B088-E550C9C32F9A} - C:\WINDOWS\vregfwlx.dll
O21 - SSODL: vltdfabw - {45D73340-E38D-4856-A363-2CCB9301BDFC} - C:\WINDOWS\vltdfabw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: dvpapi - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\mssrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe


--
End of file - 8970 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 vcG72 - c:\windows\system32\drivers\vcg72.sys
R2 BT848 (BtCap, WDM Video Capture) - c:\windows\system32\drivers\bt848.sys <Not Verified; TelSignal Co., Ltd.; BT878.SYS>
R2 BTTUNER (BtTuner, WDM TV Tuner) - c:\windows\system32\drivers\bttuner.sys <Not Verified; TelSignal Co., Ltd.; BTTUNER.SYS>
R2 BTXBAR (BtXBar, WDM Crossbar) - c:\windows\system32\drivers\btxbar.sys <Not Verified; TelSignal Co., Ltd.; BTXBAR.SYS>

S0 agK04 - c:\windows\system32\drivers\agk04.sys (file missing)
S0 lrV37 - c:\windows\system32\drivers\lrv37.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>

S2 msupdate (Microsoft security update service) - c:\windows\system32\mssrv32.exe
S4 AresChatServer (Ares Chatroom server) - c:\program files\ares ultra\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S4 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S4 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 20:47:28 96128 --a------ C:\WINDOWS\system32\oqldqgho.dll
2008-06-05 11:46:32 0 d-------- C:\Documents and Settings\Vanessa\Application Data\TmpRecentIcons
2008-06-05 10:07:09 0 d-------- C:\Documents and Settings\Vincent\Application Data\TmpRecentIcons
2008-06-04 23:43:51 95232 --a------ C:\WINDOWS\system32\ohpoxmvo.dll
2008-06-04 22:04:16 0 d-------- C:\Documents and Settings\Dad\.housecall6.6
2008-06-04 21:49:28 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-04 21:48:52 0 d-------- C:\Documents and Settings\Dad\Application Data\Mozilla
2008-06-04 07:14:26 0 d-------- C:\Program Files\AVG
2008-06-04 07:14:24 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-04 07:09:44 30080 --a------ C:\WINDOWS\system32\drivers\vcG72.sys
2008-06-03 23:54:52 0 dr-h----- C:\Documents and Settings\Dad\Recent
2008-06-03 17:24:21 0 d--h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Templates
2008-06-03 17:24:21 0 dr------- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Start Menu
2008-06-03 17:24:21 0 dr-h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\SendTo
2008-06-03 17:24:21 0 d--h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Recent
2008-06-03 17:24:21 0 d--h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\PrintHood
2008-06-03 17:24:21 0 d--h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\NetHood
2008-06-03 17:24:21 0 d-------- C:\Documents and Settings\Administrator.OWNER-031D60E4E\My Documents
2008-06-03 17:24:21 0 d--h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Local Settings
2008-06-03 17:24:21 0 d-------- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Favorites
2008-06-03 17:24:21 0 d-------- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Desktop
2008-06-03 17:24:21 0 d--hs---- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Cookies
2008-06-03 17:24:21 0 dr-h----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Application Data
2008-06-03 17:24:21 0 d---s---- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Application Data\Microsoft
2008-06-03 17:24:21 0 d-------- C:\Documents and Settings\Administrator.OWNER-031D60E4E\Application Data\Apple Computer
2008-06-03 17:24:20 786432 --ah----- C:\Documents and Settings\Administrator.OWNER-031D60E4E\NTUSER.DAT
2008-06-03 17:09:37 0 d-------- C:\WINDOWS\pss
2008-06-03 16:39:13 0 d-------- C:\Documents and Settings\Dad\Application Data\SoftwareDetectionScripts
2008-06-03 16:38:08 0 d-------- C:\Documents and Settings\Dad\Application Data\TmpRecentIcons
2008-06-03 16:31:59 0 d-------- C:\Documents and Settings\Ricky\Application Data\SoftwareDetectionScripts
2008-06-03 16:30:57 0 d-------- C:\Documents and Settings\All Users\Application Data\temp
2008-06-03 16:24:01 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-03 16:23:01 0 d-------- C:\Program Files\Verizon
2008-06-03 15:09:44 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-03 15:09:44 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-06-03 15:09:44 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-06-03 15:09:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-03 15:09:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-03 15:09:43 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-03 15:09:43 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-06-03 15:09:42 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-06-03 15:09:42 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-02 20:05:18 5074944 --a------ C:\Documents and Settings\Vincent\ntuser.dat
2008-06-02 20:05:17 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-06-02 20:04:59 372324 --ahs---- C:\WINDOWS\system32\aGgMmnpo.ini2
2008-06-02 20:04:50 324352 --a------ C:\WINDOWS\system32\opnmMgGa.dll
2008-06-02 20:02:36 12792 --a------ C:\WINDOWS\system32\mssrv32.exe
2008-06-02 20:02:03 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-06-02 20:02:03 14848 --a------ C:\WINDOWS\system32\WinCtrl32(2).dll
2008-06-02 19:59:45 33920 --a------ C:\WINDOWS\system32\yayvSmLF.dll
2008-06-02 19:59:17 143360 --a------ C:\WINDOWS\xmpstean.exe
2008-06-02 19:59:17 278528 --a------ C:\WINDOWS\vregfwlx.dll
2008-06-02 19:59:17 311296 --a------ C:\WINDOWS\vltdfabw.dll
2008-06-02 19:59:17 282624 --a------ C:\WINDOWS\boqnrwdmble.dll
2008-06-02 19:59:17 184320 --a------ C:\WINDOWS\atfxqogp.dll
2008-05-30 00:59:22 0 d-------- C:\Program Files\LG Electronics
2008-05-29 23:53:50 0 d-------- C:\Documents and Settings\Vincent\Application Data\WeatherDPA
2008-05-29 23:53:07 0 d-------- C:\Documents and Settings\Vincent\Application Data\Zango
2008-05-12 16:23:23 0 d-------- C:\Program Files\iPod
2008-05-12 16:23:09 0 d-------- C:\Program Files\iTunes
2008-05-12 08:10:38 0 d-------- C:\Program Files\Safari
2008-05-12 07:39:15 0 d-------- C:\WINDOWS\system32\ReinstallBackups


-- Find3M Report ---------------------------------------------------------------

2008-06-05 12:04:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 10:42:29 0 d-------- C:\Program Files\Sony
2008-06-05 10:15:54 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-04 02:29:47 0 d-------- C:\Program Files\Norton 360
2008-06-04 02:27:07 0 d-------- C:\Program Files\Common Files
2008-06-03 16:23:26 0 d-------- C:\Program Files\Common Files\Motive
2008-06-03 14:41:39 0 d-------- C:\Program Files\Java
2008-06-03 11:41:49 0 d-------- C:\Program Files\Soulseek
2008-05-24 10:00:01 0 d-------- C:\Documents and Settings\Vanessa\Application Data\Adobe
2008-05-12 07:52:38 0 d-------- C:\Program Files\Apple Software Update
2008-05-12 07:49:27 0 d-------- C:\Program Files\QuickTime
2008-04-30 18:12:16 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-30 18:11:27 0 d-------- C:\Program Files\Common Files\Real
2008-04-29 18:25:11 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10B5E5C2-8901-4E3C-BF61-AC6E11039292}]
06/02/2008 19:59: VIRUS ALERT! 33920 --a------ C:\WINDOWS\system32\yayvSmLF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{118225CB-571C-4324-BDAA-ADC88027499F}]
06/02/2008 20:04: VIRUS ALERT! 324352 --a------ C:\WINDOWS\system32\opnmMgGa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37029E75-F144-4F09-994A-0D897DB219D4}]
06/02/2008 09:46: VIRUS ALERT! 282624 --a------ C:\WINDOWS\boqnrwdmble.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 23:37: VIRUS ALERT!]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36: VIRUS ALERT!]
"28aca437"="C:\WINDOWS\system32\oqldqgho.dll" [06/05/2008 20:47: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 23:37: VIRUS ALERT!]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [09/12/2007 14:58: VIRUS ALERT!]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00: VIRUS ALERT!]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=c:\Program Files\Cookie Washer\washidx.exe "Dad"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{10B5E5C2-8901-4E3C-BF61-AC6E11039292}"= C:\WINDOWS\system32\yayvSmLF.dll [06/02/2008 19:59: VIRUS ALERT! 33920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"= {A7FED520-B18E-401D-B088-E550C9C32F9A} - C:\WINDOWS\vregfwlx.dll [06/02/2008 09:46: VIRUS ALERT! 278528]
"vltdfabw"= {45D73340-E38D-4856-A363-2CCB9301BDFC} - C:\WINDOWS\vltdfabw.dll [06/02/2008 09:46: VIRUS ALERT! 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 06/05/2008 20:41: VIRUS ALERT! 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvSmLF]
yayvSmLF.dll 06/02/2008 19:59: VIRUS ALERT! 33920 C:\WINDOWS\system32\yayvSmLF.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnmMgGa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\agK04.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lrV37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uaE14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vcG72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=C:\WINDOWS\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28aca437]
rundll32.exe "C:\WINDOWS\system32\ohpoxmvo.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Vincent\LOCALS~1\Temp\rbnpsrv.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"I:\Aaliyah\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares ultra]
"C:\Program Files\Ares Ultra\Ares Ultra.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccWasher]
c:\Program Files\Cookie Washer\aolwasher.exe /0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\WINDOWS\system32\rmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
"C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"msupdate"=2 (0x2)
"AresChatServer"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-06-05 21:05:23


Well here ya go TetonBob! thx.
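The log above carries the findings that match the symptoms in the first post: the O7 policy entries (DisableRegedit, DisableTaskMgr) are what produce the "disabled by your administrator" messages, while the O20 Winlogon Notify, O21 SSODL, hex-named rundll32 autorun and an "Unknown owner" service calling itself a Microsoft update service are the persistence points an analyst reads first. As an added example (not DSS, HijackThis or TetonBob's code), here is a small Python triage script that parses HijackThis-style lines and flags those patterns; the sample lines are copied from the log above, and the heuristic names and reasons are my own assumptions, not a vendor signature set.

```python
import re

# Sample lines copied from the HijackThis section of the DSS log posted above.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {10B5E5C2-8901-4E3C-BF61-AC6E11039292} - C:\\WINDOWS\\system32\\yayvSmLF.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Documents and Settings\\Dad\\Desktop\\My tools\\avgssie.dll (file missing)
O4 - HKLM\\..\\Run: [HP Software Update] C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe
O4 - HKLM\\..\\Run: [28aca437] rundll32.exe "C:\\WINDOWS\\system32\\oqldqgho.dll",b
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableTaskMgr=1
O20 - Winlogon Notify: WinCtrl32 - C:\\WINDOWS\\system32\\WinCtrl32.dll
O21 - SSODL: vregfwlx - {A7FED520-B18E-401D-B088-E550C9C32F9A} - C:\\WINDOWS\\vregfwlx.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\\WINDOWS\\system32\\mssrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
# Autorun value names that are a bare 8-digit hex string, as in [28aca437].
HEX_RUN_KEY = re.compile(r"\[([0-9a-f]{8})\]")
# Policy values that lock the user out of regedit / Task Manager.
LOCKOUT_RE = re.compile(r"Disable(Regedit|TaskMgr|RegistryTools)=1")


def parse(log_text):
    """Yield (kind, body) for every HijackThis-style entry; other lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return a list of (kind, reason, body) findings worth an analyst's attention.

    The reasons are this example's own labels (assumptions), chosen to match the
    kinds of entries visible in the thread's log.
    """
    findings = []
    for kind, body in parse(log_text):
        if kind == "O7" and LOCKOUT_RE.search(body):
            findings.append((kind, "policy lockout", body))
        elif kind == "O2" and "(no name)" in body:
            findings.append((kind, "unnamed BHO", body))
        elif kind == "O4" and "rundll32" in body.lower() and HEX_RUN_KEY.search(body):
            findings.append((kind, "rundll32 autorun with hex key name", body))
        elif kind in ("O20", "O21"):
            # Winlogon Notify and ShellServiceObjectDelayLoad run at every logon;
            # rare on a clean XP box, so always list them for verification.
            findings.append((kind, "logon-time loader, verify DLL", body))
        elif kind == "O23" and "Unknown owner" in body and "Microsoft" in body:
            findings.append((kind, "unverified service impersonating Microsoft", body))
        elif "(file missing)" in body:
            findings.append((kind, "orphaned entry", body))
    return findings


def summary(findings):
    """Count findings per reason, so the analyst sees the shape of the infection at a glance."""
    counts = {}
    for _, reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, reason, body in found:
        print(f"{kind:<4} {reason:<45} {body}")
    print(summary(found))
```

The script only lists items for review; it fixes nothing, which matches TetonBob's instruction not to fix entries in HijackThis. On the sample lines it reports the two lockout policies, the unnamed BHO, the hex-named rundll32 autorun, the Winlogon Notify and SSODL loaders, the unverified "Microsoft security update service", and the orphaned AVG entry, while the HP and Adobe entries pass through untouched.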
 


TSF Security Manager, Emeritus

Ok, let's begin cleaning this machine.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

It does not appear as though DSS was allowed to download and install HijackThis. To produce a HijackThis log for your next reply, please do this:

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

---------------------------------------------------------------------------------------------

If you have any questions along the way, STOP and ask them before proceeding.

======================

Please post the logs from:

ComboFix (C:\ComboFix.txt)
HijackThis
 

Discussion Starter · #11 ·

Hey, well, thanks for the replies, but my mother-in-law got a little impatient and has decided to trash the computer and purchase a new one.

So as of now I do not have the PC in my possession.

Does this thread need to be closed?

I am going to see if she will pass on the PC to me after she finishes saving some of her so-called important stuff from the PC so she can infect her new one just as badly.

Well, I guess that is what I get for trying to be a nice guy. Do not worry, I will not waste any more of your time or mine with her troubles.

Now I would love to have the machine disinfected if I am able to inherit the PC; just let me know what I do from here for now.

Should I check the resolved for this matter?
 

TSF Security Manager, Emeritus

If I were you, and you do inherit the machine, I would restore it to factory condition using either the manufacturer's restore disks (if it came with) or the onboard recovery partition. That way, you'll be more certain not to carry forward anything from the current state. Just start over.

This thread will be closed.
 