help to regain hijacked default admin acc't plus


This topic is locked
1 reply to this topic

#1 Dax (New Member, 2 posts)
Posted 28 August 2006 - 10:03 PM

Hi, everyone. I am totally new here and this would be my first post; I am not an expert nor am I skilled in recent technology, but I used to consider myself fairly tech savvy (at least I can find the registry and am new enough to keep virus protection and bot-checks up to date - or so I thought anyway). About a week ago, it became apparent to me that I've been hijacked, locked out, and can "see" the culprit in my temp files, but have zero idea where it's *really* hiding, and I really am in dire need of some help.

Here's my HJT list - as you can see, I've virus scanners, spyware/bot checkers and the like, but nothing catches this thing; I think it came in via an Outlook exploit (I haven't been anywhere nasty, nor do I Kazaa or the like; a friend was fetching an email for me from one of my systems and was duped into sending a receipt to some "med" spam mailer; other than that, not sure how it came in). The locked files are entitled "3dclick" and run from content.ie5; these files are protected, taking over my computer, and I am completely locked out (seems special permissions are set).

I proceeded to set up another acc't as System Admin, downloading fresh installs of Lavasoft's Ad-Aware, Spybot and the like (don't you just know that, on the original account, updates had been stopped by this malicious file - and so, okay, now I'm totally up to date on this new account and going to zap this thing, right?). No - nothing found it; it appears to all these programs (incl. ewido, etc.) that there is nothing wrong or threatening in the computer - and yet, it's there ... locked in content.ie5, and spreading into my second account; it took over/disabled my registry access, but I fixed that from yet another, third admin account (which for now is clean); safe mode does not work, nor can I access my system from the "hidden default administrator account" (access denied -- like most XP owners, I had no idea such a default account even existed, and thus set no password or anything for it, only to now find that this vulnerability in XP is not only there, but that I've also been locked out!).

This is most troubling, and I really hope someone can help me get my computer back without wiping the entire disc and doing a clean install. Thank you in advance, and I sincerely look forward to your help.

As to the locked file itself: it shows up as pe%3dclick&, with the full string in content.ie5 being: Type%3dclick%26FlightID%3d72180%26AdID%3d105284&26TargetID%3d21936%26Segments%3d%26Targets%3d&26values%3d31,43, 51, 60, 72, 81, 100 (there are approx. 12 instances of this thing on my computer, each starting with the same string, but adding different variables, migrating throughout my entire cache).


Logfile of HijackThis v1.99.1
Scan saved at 11:10:09 PM, on 8/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\verbatim store n go\verbatim store 'n' go.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\DAX\Desktop\hijackthis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.cpqcorp.net
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verbatim Store 'n' G] c:\program files\verbatim store n go\verbatim store 'n' go.exe sys_auto_run C:\Program Files\Verbatim Store N Go
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\DAX\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71------LEGIT UNIV ID} (QuickPlace Class) - http://osgoode.yorku.ca/qp2.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.h...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129069541250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...571/mcfscan.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29itg.zcce...rt/SysQuery.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30043.www3.h...hp.cab?1,0,0,94
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



#2 Dax (New Member, 2 posts)

Posted 01 September 2006 - 03:23 AM

Just wanted to say thanks to everyone, and wanted to provide an update to let everyone know that I took the plunge and, ultimately, did a complete reformat and clean install. It was a shame to lose so much information (and the trouble of having to re-sign/authenticate everything), but so many dwords in the registry were reset that it was no longer an annoyance/lack of computer efficiency issue (which all spyware/malware of course is), but a full-blown security risk and privacy threat. After analysing the situation, going through registry keys and programs looking for suspicious roots and so forth, none of which any of the current removal tools we know and love caught, it was for certain beyond frustrating; I worked with IT security at the university, and we concluded that, indeed, the intruder came in via Outlook (disguised as a real message with a subject line pronouncing that its contents were related to my field of study (at least through my friend, who sent a return receipt only to have (as she puts it) "something weird happen" - indeed)). The university and I were unable to pinpoint the exact location of the intruder, but it would appear that the server it was sent from is somewhere in Germany or Eastern EU (of course, that means nothing, but that's as much as we could gather).

After this most frustrating experience, which in sharing I do hope that any and all who read this may never go through for themselves, I wish to share the following (at least this is my new attitude when it comes to computing). Personal documents, such as resumes, tax stuff, etc., are no longer on my hard drive; I save them to a USB disk on a key from now on, and not on my hard drive itself. This way, should anyone get in and go on a seeking mission, the cupboards are clean. I put no convenient files or pre-loaders on start-up, other than HijackThis, Spybot and my virus software (which I have changed to Avast ... it's free, you register for a key and don't have to give any detailed information, and unlike some of the other products, it doesn't pop up incessantly or gum up your registry keys); this way, if there is another problem in future, I've few boot processes to worry about (hence, making it tough for stuff to get in or run, since only the bare essentials are now booting on start-up; also, with a lean machine, there is very little to look through comparatively speaking when the need to hunt down a problem should ever arise).

I've placed strong passwords on my default admin account (this is a must; for everyone out there who, as I was, is unaware that the default account even exists, please tend to this immediately so that, if there's an issue, you cannot so readily be locked out). I've also placed restrictions on my user account, so that unless I'm in as the administrator, I cannot as a user download software to my own machine; this may seem a bit drastic to many, but it is more or less a fool-proof way of ensuring that problems cannot get in, since on the restricted acc't I've no privileges to invite unwanted things in; for clean-ups, updates and the like, I just switch over to my admin acc't, from which I get rid of and shred all that unnecessary temp stuff daily, too. Yes, it's a bit of a pain, but having spent over a week trying to resolve the above problem, such inconvenience seems trifling by comparison. In addition, I no longer use Outlook Express (it's no longer supported, and even although I've gone to great lengths to ensure security, all these measures of mine went to naught when my friend, no fault and no blame, simply checked on what appeared to her to be a routine, non-suspicious thing). My tweaks ensure that nothing like this can happen again, regardless of the user.

Remember: all my software was updated regularly, or so I thought, but these things get in and disable the process and/or rewrite/attach themselves within the body of any file, with Windows systems being their favorites, thus going completely undetected! (And yes, I took the plunge and finally updated to XP SP2 also - just when you know the problems of one, here comes an entirely new set of .... "issues" ;) ) In closing, I just want to thank everyone who read this. It is not only frustrating, but quite disconcerting that such "citizens" busy themselves with not only gumming up our machines, but wreaking havoc and damage, too. While not all viruses and spyware etc. are harmful, in the sense of destroying data, the very fact that they could be, and that identity theft does happen, and that so much time and money is moreover wasted in removing such things in any event, is beyond a mere inconvenience, but a most troubling and serious matter, indeed. Until such time as web merchants refuse to pay for referral traffic etc., the problem will continue; if only someone could begin a list or something, where posted for all consumers to see are the names of those e-businesses who pay for such referral "services", which in turn encourages and continues the biz of illegal and unwanted spyware/adware of course, but to which consumers could then be 'in the know', and if listed, I suspect many e-tailers would stop. I apologize for my rant, but this experience has been frustrating to say the least. Anyway, I really do hope that, in sharing my experience here, what happened to me won't happen to you. Thanks so much again, Dax

Edited by Dax, 01 September 2006 - 03:47 AM.
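Two of the checks in this thread can be scripted rather than done by hand: confirming that the built-in Administrator account actually has a password (the account Dax was locked out of), and finding cache files that carry explicit Deny permissions (the "special permissions" on the 3dclick entries in Content.IE5). The script below is an added example, not code from Dax or from this forum. It assumes a modern Windows host with Windows PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt; the default `$CachePath` (the INetCache folder) is an assumption for current Windows, and on the XP SP1 machine in the thread the same work is done with `net user` and `cacls`. The built-in Administrator is located by its RID of 500 rather than by name, because the name can be changed.

```powershell
# Added example, not from the forum thread. Requires Windows PowerShell 5.1
# (Get-LocalUser / Set-LocalUser) and an elevated prompt. $CachePath is an
# assumed default for modern Windows; on XP it would be
# %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5.
param(
    [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'),
    [switch]$Fix
)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# The built-in Administrator always has RID 500 (SID S-1-5-21-<domain>-500),
# regardless of what it has been renamed to.
function Get-BuiltinAdministrator {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

# Report whether the account is enabled and whether a password was ever set.
# A never-set password (PasswordLastSet empty) is the XP default Dax describes.
function Show-AdminState {
    $admin = Get-BuiltinAdministrator
    [pscustomobject]@{
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        PasswordSet     = ($null -ne $admin.PasswordLastSet)
        PasswordLastSet = $admin.PasswordLastSet
    }
}

# Walk the cache and return files with explicit (non-inherited) Deny ACEs.
# Inherited ACEs are skipped: they come from the folder, not from something
# that touched the individual file.
function Get-SuspiciousCacheAcl {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $denies = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
            if ($denies.Count -gt 0) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Owner  = $acl.Owner
                    Denies = ($denies | ForEach-Object {
                                  "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
                    Acl    = $acl
                    Rules  = $denies
                }
            }
        }
}

# Remediation: strip the explicit Deny ACEs so the file can be read and deleted.
# Set-Acl needs WRITE_DAC or ownership; if it fails, run `takeown /F <path>`
# first and retry.
function Remove-ExplicitDeny {
    param($Finding)
    foreach ($rule in $Finding.Rules) { [void]$Finding.Acl.RemoveAccessRule($rule) }
    Set-Acl -LiteralPath $Finding.Path -AclObject $Finding.Acl
}

if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }

Show-AdminState | Format-List
$findings = @(Get-SuspiciousCacheAcl -Path $CachePath)
"{0} cache file(s) with explicit Deny ACEs under {1}" -f $findings.Count, $CachePath
$findings | Select-Object Path, Owner, Denies | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) { Remove-ExplicitDeny -Finding $f }
    # Set a real password on the built-in Administrator; prompted, never hard-coded.
    $admin = Get-BuiltinAdministrator
    Set-LocalUser -Name $admin.Name `
        -Password (Read-Host -AsSecureString "New password for $($admin.Name)")
}
```

Run it once without `-Fix` to see the report; run it with `-Fix` only after reviewing the listed files, since removing Deny ACEs is a permissions change on the live system. The daily-use account Dax describes (no rights to install software) needs no script: it is a member of Users, not Administrators, and the elevated session above is the one place installs and clean-ups happen.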
