Windows BBS > Security > Malware and Virus Removal
14th November 2007   #1
daveg:
Malware has hijacked my account, no admin rights, can't install or run scans

My account on my Win XP machine has been hijacked and I have lost admin rights. I can't even change the time on the system or connect to my wireless router (ThinkPad T42). I followed the previous threads where similar hijacks have been resolved, but the process fails pretty early on as I can't even install the software without admin rights. I tried to run the 2 online scans, but they failed to execute. I moved on to Spybot and AdAware but couldn't install the former on the machine without admin rights. I had an old copy of AdAware that I was able to use. In addition I had an old installation of HJT and SmitFraud from a couple of months previous, so I re-ran what I could but got a lot of access denied errors.

I have the AdAware and HJT logs to post, but they don't fit in a single posting window.

14th November 2007   #2
daveg:
AdAware Log Summary (Header cuz the whole thing won't fit)

Ad-Aware 2007 Build
Log File Created on: 2007-11-14 00:27:01
Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: DAVIDGEBALA
Name of user performing scan: SYSTEM

System information
===========================
Number of processors: 1
Processor type: Intel(R) Pentium(R) M processor 1.80GHz
Memory Available: 58%
Total Physical Memory: 2146287616 Bytes
Available Physical Memory: 1243394048 Bytes
Total Page File Size: 3600109568 Bytes
Available On Page File: 2903429120 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1989066752 Bytes
OS: Microsoft Windows XP Service Pack 2 (Build 2600)

Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Scanning registry for all users
Using permanent archive caching
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Logging Ad-Aware events
Blocking Pop-Ups aggressively
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Including Ad-aware command line parameters in log file
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Include reference summary in log file
Creating log file for removal operations
Including module info in log file
Include Alternate Data Stream details in log file
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 33
Build Number: 0
Build Date and Time: 2007/11/11 23:22:48

Scan Statistics
===========================
Method: Full
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: Off

Item Scanned: 583680
Infections Detected: 30
Infections Ignored: 0

Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 0 0
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 27 27
File Hash Scan..: 0 0

Infections Found
===========================
Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 600000263 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat mediaplex.com svid /
Item Id: 600000263 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat mediaplex.com mojo1 /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat hitbox.com CTG /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat hitbox.com WSS_GW /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat msnportal.112.2o7.net s_vi /
Item Id: 600000144 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat doubleclick.net id /
Item Id: 600000179 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat atdmt.com AA002 /
Item Id: 600000050 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat tribalfusion.com ANON_ID /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat 2o7.net s_vi_x7Fx7Cx7Eebxxkx60cnmx60 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBanners792 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com lastInviteTime /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIinvited792 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBannerCounter22623 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIFirstHit792 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAILastHit792 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAICampaignCounter792 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBanners780 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBannerCounter21593 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIinvited780 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBannerCounter21594 /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ehg-dig.hitbox.com DM51031542SZV6 /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ehg-dig.hitbox.com DM5103083LCAV6 /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ehg-dig.hitbox.com DM56042677CEV6 /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com uid /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com vuday1 /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com ih /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com fl_inst /
Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
Item Id: 1 Value: MRU Path: C:\Documents and Settings\dgebala\Recent Count: 57
Item Id: 2 Value: MRU Registry Key: S-1-5-21-310203456-1607214880-635260049-2406\Software\Microsoft\Search Assistant\ACMru\5603 Count: 2
Item Id: 3 Value: MRU Registry Key: S-1-5-21-310203456-1607214880-635260049-2406\Software\Microsoft\Internet Explorer\TypedURLs Count: 6

14th November 2007   #3
daveg:
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:43 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PdaNet for Treo 650\PdaNet.exe
C:\Program Files\PdaNet for Treo 650\UsbMan.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\dgebala\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Treo 650\PdaNet.exe
O4 - Global Startup: Online Backup TaskBar Icon.LNK = C:\Program Files\Online Backup\CBSysTray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotfire.com
O17 - HKLM\Software\..\Telephony: DomainName = spotfire.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spotfire.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spotfire.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Online Backup\AgentSrv.EXE
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: beasvc spotfire_decisionsite81 - BEA Systems, Inc. - C:\PROGRA~1\Spotfire\DSAS81\weblogic\WEBLOG~1\server\bin\beasvc.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Everdream VNC Server (EverdreamVNC) - Everdream Corporation - C:\SvcTools\VNC\WinVncEv.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OracleDBConsoleorcl - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Software Management Agent 1.4 (SMA1.4) - Everdream - c:\SvcTools\1.4\bin\lnchr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

--
End of file - 8975 bytes

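A triage helper for HijackThis v2 logs in the format posted above, added here as an example; it is not part of this thread and not HijackThis's own code. It parses the O4 Run-key lines and the O23 service lines and lists the entries a helper reads first: a service whose binary is missing or reports no vendor, a service installed outside Program Files or Windows, and an autorun given as a bare file name. The sample log is a constructed excerpt of the lines posted above, and the flagging rules are triage heuristics, not verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# O4 Run-key lines as HijackThis v2 prints them:
#   O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# O23 service lines:
#   O23 - Service: Display (short) - Owner - C:\path\file.exe [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# A drive-letter path anywhere in the command line.
ABS_PATH_RE = re.compile(r"[A-Za-z]:\\")
# Directories a stock XP install keeps its services under (heuristic, lower-case).
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    section: str   # "O4" or "O23"
    name: str      # Run-key value name or service display name
    detail: str    # command line or service binary path
    reason: str    # why a reader should verify this entry


def triage_hjt(log: str) -> list[Finding]:
    """Return the O4/O23 entries of a HijackThis log that deserve a first look."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            # A bare file name is resolved through the search path at logon, so
            # the log line alone does not say which binary actually runs.
            if not ABS_PATH_RE.search(cmd):
                findings.append(Finding("O4", m.group("name"), cmd, "no absolute path"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            reasons = []
            if m.group("missing"):
                reasons.append("binary missing")
            if m.group("owner") == "Unknown owner":
                reasons.append("no vendor info")
            if not path.lower().startswith(STANDARD_DIRS):
                reasons.append("outside Program Files/Windows")
            if reasons:
                findings.append(Finding("O23", m.group("display"), path, "; ".join(reasons)))
    return findings


# Constructed excerpt of the log posted in this thread (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Everdream VNC Server (EverdreamVNC) - Everdream Corporation - C:\SvcTools\VNC\WinVncEv.exe
O23 - Service: OracleDBConsoleorcl - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<45}{f.reason:<55}{f.detail}")
```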
15th November 2007   #4
noahdfear (Staff):
Welcome to WindowsBBS daveg

Did you try running Deckard's System Scanner? It does normally require an admin rights account to run, but may run anyway. Instructions follow, just in case.

Download Deckard's System Scanner (dss.exe) and save it to your desktop.
  • Close all applications and windows.
  • Double click on dss.exe to run it and follow the prompts.
  • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
Post the contents of main.txt only for now.


If that fails, first rename HijackThis.exe to something else, like icanrun.exe or whatever, then do another scan and post the log.

15th November 2007   #5
daveg:
Still denied. Can't run dss.exe as my account no longer has admin rights

Hi noahdfear, I really appreciate the assistance. I wasn't able to run dss.exe, so I tried to run HJT as a renamed .exe as you suggested. I am posting it here. Not sure what to look for, so I am posting it blindly hoping you can narrow in on the problem! Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:56 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PdaNet for Treo 650\PdaNet.exe
C:\Program Files\PdaNet for Treo 650\UsbMan.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\dgebala\Desktop\icanrun.exe

O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Treo 650\PdaNet.exe
O4 - Global Startup: Online Backup TaskBar Icon.LNK = C:\Program Files\Online Backup\CBSysTray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotfire.com
O17 - HKLM\Software\..\Telephony: DomainName = spotfire.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spotfire.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spotfire.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Online Backup\AgentSrv.EXE
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: beasvc spotfire_decisionsite81 - BEA Systems, Inc. - C:\PROGRA~1\Spotfire\DSAS81\weblogic\WEBLOG~1\server\bin\beasvc.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Everdream VNC Server (EverdreamVNC) - Everdream Corporation - C:\SvcTools\VNC\WinVncEv.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OracleDBConsoleorcl - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Software Management Agent 1.4 (SMA1.4) - Everdream - c:\SvcTools\1.4\bin\lnchr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

--
End of file - 8972 bytes

15th November 2007   #6
noahdfear (Staff):
Are you able to log on to the Administrator account in safe mode? If so, try toggling your user account to limited then back to admin. If no joy regaining admin rights, but you can access the Administrator account, run a Deckard's scan from there.
15th November 2007   #7
daveg:
No luck getting any different behavior. I think I may just have to recover back to the factory IBM settings.
16th November 2007   #8
noahdfear (Staff):
And did you try running Deckard's from the Admin account? Logs will be created in a subfolder of C:\Deckard\System Scanner.