
Malware has hijacked my account, no admin rights, can't install or run scans

Discussion in 'Malware and Virus Removal Archive' started by daveg, 2007/11/14.

  1. 2007/11/14
    daveg

    daveg Inactive Thread Starter

    Joined:
    2007/11/14
    Messages:
    5
    Likes Received:
    0
    My account on my Win XP machine (ThinkPad T42) has been hijacked and I have lost admin rights. I can't even change the time on the system or connect to my wireless router. I followed the previous threads where similar hijacks have been resolved, but the process fails pretty early on as I can't even install the software without admin rights. I tried to run the 2 online scans, but they failed to execute. I moved on to Spybot and AdAware but couldn't install the former on the machine without admin rights. I had an old copy of AdAware that I was able to use. In addition I had an old installation of HJT and SmitFraud from a couple of months previous, so I re-ran what I could but got a lot of access denied errors.

    I have the AdAware and HJT logs to post, but they don't fit in a single posting window.
     
  2. 2007/11/14
    daveg
    AdAware Log Summary (header only, because the whole thing won't fit)

    Ad-Aware 2007 Build
    Log File Created on: 2007-11-14 00:27:01
    Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
    Computer name: DAVIDGEBALA
    Name of user performing scan: SYSTEM

    System information
    ===========================
    Number of processors: 1
    Processor type: Intel(R) Pentium(R) M processor 1.80GHz
    Memory Available: 58%
    Total Physical Memory: 2146287616 Bytes
    Available Physical Memory: 1243394048 Bytes
    Total Page File Size: 3600109568 Bytes
    Available On Page File: 2903429120 Bytes
    Total Virtual Memory: 2147352576 Bytes
    Available Virtual Memory: 1989066752 Bytes
    OS: Microsoft Windows XP Service Pack 2 (Build 2600)

    Ad-Aware 2007 Settings
    ===========================
    Skipping files larger than 1048576 kB
    Ignoring infections with lower TAI than: 3


    Extended Ad-Aware 2007 Settings
    ===========================
    Unloading known modules during scan
    Ignoring spanned files when scanning cab archives
    Scanning registry for all users
    Using permanent archive caching
    Reanalyzing results after scanning before displaying results
    Trying to unload modules prior to removal
    Let Windows remove files currently in use at next reboot
    Removing quarantined objects after restore
    Logging Ad-Aware events
    Blocking Pop-Ups aggressively
    Deactivating Ad-Watch during scans
    Writeprotecting system files after repairs
    Including Ad-aware command line parameters in log file
    Include info about ignored objects in log file
    Including basic settings in log file
    Including advanced settings in log file
    Including user and computer name in log file
    Include reference summary in log file
    Creating log file for removal operations
    Including module info in log file
    Include Alternate Data Stream details in log file
    Create and save WebUpdate log file

    Databaseinfo
    ===========================
    Version number: 33
    Build Number: 0
    Build Date and Time: 2007/11/11 23:22:48

    Scan Statistics
    ===========================
    Method: Full
    Scan tracking cookies.............................: On
    Scan ADS filestreams..............................: Off

    Item Scanned: 583680
    Infections Detected: 30
    Infections Ignored: 0

    Scan detailed statistics
    ===========================
    Type              Critical  Total
    Process Scan....:        0      0
    Registry Scan...:        0      0
    Registry PE Scan:        0      0
    Hosts File Scan.:        0      0
    File Scan.......:        0      0
    Folder Scan.....:        0      0
    LSP Scan........:        0      0
    ADS Scan........:        0      0
    Cookie Scan.....:       27     27
    File Hash Scan..:        0      0

    Infections Found
    ===========================
    Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
    Item Id: 600000263 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat mediaplex.com svid /
    Item Id: 600000263 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat mediaplex.com mojo1 /
    Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat hitbox.com CTG /
    Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat hitbox.com WSS_GW /
    Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat msnportal.112.2o7.net s_vi /
    Item Id: 600000144 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat doubleclick.net id /
    Item Id: 600000179 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat atdmt.com AA002 /
    Item Id: 600000050 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat tribalfusion.com ANON_ID /
    Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat 2o7.net s_vi_x7Fx7Cx7Eebxxkx60cnmx60 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBanners792 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com lastInviteTime /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIinvited792 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBannerCounter22623 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIFirstHit792 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAILastHit792 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAICampaignCounter792 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBanners780 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBannerCounter21593 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIinvited780 /
    Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat insightexpressai.com IXAIBannerCounter21594 /
    Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ehg-dig.hitbox.com DM51031542SZV6 /
    Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ehg-dig.hitbox.com DM5103083LCAV6 /
    Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ehg-dig.hitbox.com DM56042677CEV6 /
    Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com uid /
    Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com vuday1 /
    Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com ih /
    Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\dgebala\Cookies\index.dat ad.yieldmanager.com fl_inst /
    Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
    Item Id: 1 Value: MRU Path: C:\Documents and Settings\dgebala\Recent Count: 57
    Item Id: 2 Value: MRU Registry Key: S-1-5-21-310203456-1607214880-635260049-2406\Software\Microsoft\Search Assistant\ACMru\5603 Count: 2
    Item Id: 3 Value: MRU Registry Key: S-1-5-21-310203456-1607214880-635260049-2406\Software\Microsoft\Internet Explorer\TypedURLs Count: 6
     


  4. 2007/11/14
    daveg
    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:35:43 AM, on 11/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\WINDOWS\system32\TpScrLk.exe
    C:\Program Files\IBM\Password Manager\pwmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\IBM\Security\certtool.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PdaNet for Treo 650\PdaNet.exe
    C:\Program Files\PdaNet for Treo 650\UsbMan.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Documents and Settings\dgebala\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
    O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
    O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Treo 650\PdaNet.exe
    O4 - Global Startup: Online Backup TaskBar Icon.LNK = C:\Program Files\Online Backup\CBSysTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotfire.com
    O17 - HKLM\Software\..\Telephony: DomainName = spotfire.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spotfire.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spotfire.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Online Backup\AgentSrv.EXE
    O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: beasvc spotfire_decisionsite81 - BEA Systems, Inc. - C:\PROGRA~1\Spotfire\DSAS81\weblogic\WEBLOG~1\server\bin\beasvc.exe
    O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
    O23 - Service: Everdream VNC Server (EverdreamVNC) - Everdream Corporation - C:\SvcTools\VNC\WinVncEv.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: OracleDBConsoleorcl - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe (file missing)
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe (file missing)
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Software Management Agent 1.4 (SMA1.4) - Everdream - c:\SvcTools\1.4\bin\lnchr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
    O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

    --
    End of file - 8975 bytes
     
  5. 2007/11/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS daveg :)

    Did you try running Deckard's System Scanner? It does normally require an admin rights account to run, but may run anyway. Instructions follow, just in case.

    Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.


    If that fails, first rename HijackThis.exe to something else, like icanrun.exe or whatever, then do another scan and post the log.
     
  6. 2007/11/14
    daveg
    Still denied. Can't run dss.exe as my account no longer has admin rights.

    Hi noahdfear, I really appreciate the assistance. I wasn't able to run dss.exe, so I tried to run HJT as a renamed .exe as you suggested. I am posting it here. Not sure what to look for, so I am posting it blindly hoping you can narrow in on the problem! Thanks in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:50:56 PM, on 11/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\WINDOWS\system32\TpScrLk.exe
    C:\Program Files\IBM\Password Manager\pwmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\IBM\Security\certtool.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PdaNet for Treo 650\PdaNet.exe
    C:\Program Files\PdaNet for Treo 650\UsbMan.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Documents and Settings\dgebala\Desktop\icanrun.exe

    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
    O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
    O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Treo 650\PdaNet.exe
    O4 - Global Startup: Online Backup TaskBar Icon.LNK = C:\Program Files\Online Backup\CBSysTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotfire.com
    O17 - HKLM\Software\..\Telephony: DomainName = spotfire.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spotfire.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spotfire.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Online Backup\AgentSrv.EXE
    O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: beasvc spotfire_decisionsite81 - BEA Systems, Inc. - C:\PROGRA~1\Spotfire\DSAS81\weblogic\WEBLOG~1\server\bin\beasvc.exe
    O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
    O23 - Service: Everdream VNC Server (EverdreamVNC) - Everdream Corporation - C:\SvcTools\VNC\WinVncEv.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: OracleDBConsoleorcl - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe (file missing)
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe (file missing)
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Software Management Agent 1.4 (SMA1.4) - Everdream - c:\SvcTools\1.4\bin\lnchr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
    O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

    --
    End of file - 8972 bytes
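
Apart from process ordering and the scanner's own file name (HijackThis.exe vs. icanrun.exe, which also accounts for the 3-byte difference in log length), the two HJT logs above are identical, so the renamed run got the tool running but surfaced nothing the first run had not. The helper below is an added example written for this thread, not code from HijackThis or from any post in it: it parses the HJT v2 log layout, flags the entry types a reviewer would check first (bare-filename autoruns, O17 domain settings, services with a missing binary or no company name, remote-control services), and diffs two runs so that "did the rename change anything?" is a mechanical check. The log text embedded in it is a constructed excerpt in the same layout, not the full logs, and the flags are review prompts rather than verdicts: every one of them also fires on legitimate OEM software on this ThinkPad.

```python
"""Triage helper for Trend Micro HijackThis v2 logs.

Added example for this thread, not code from HijackThis or from any post.
Parses the log layout, flags entry types worth a second look, and diffs two
runs of the same machine (e.g. HijackThis.exe against the renamed icanrun.exe).
"""
import re

# Constructed excerpt in the HJT v2 layout, built from the kinds of entries
# that appear in the thread's logs. A sample for this example, not a full log.
LOG_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:43 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dgebala\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotfire.com
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: OracleDBConsoleorcl - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe (file missing)
O23 - Service: Everdream VNC Server (EverdreamVNC) - Everdream Corporation - C:\SvcTools\VNC\WinVncEv.exe

--
End of file - 8975 bytes
"""

# Second constructed run: HijackThis.exe renamed to icanrun.exe and the
# processes listed in a different order (ordering varies between runs).
LOG_RENAMED = LOG_HJT.replace(
    r"C:\Program Files\Mozilla Firefox\firefox.exe" + "\n"
    + r"C:\Documents and Settings\dgebala\Desktop\HijackThis.exe",
    r"C:\Documents and Settings\dgebala\Desktop\icanrun.exe" + "\n"
    + r"C:\Program Files\Mozilla Firefox\firefox.exe",
).replace("8975 bytes", "8972 bytes")

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(text):
    """Return (processes, entries): process paths and (section, body) pairs."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(entries):
    """Return (reason, body) pairs worth a second look; prompts, not verdicts."""
    flags = []
    for section, body in entries:
        if section == "O4":
            target = body.split("]", 1)[-1].strip()  # command after the [name]
            if "\\" not in target:
                # Bare file name: resolved through the search path at logon, so
                # a same-named file found earlier on the path runs instead.
                flags.append(("autorun without full path", body))
        elif section == "O17":
            # Domain / DNS suffix settings; hijackers edit these to redirect lookups.
            flags.append(("domain or DNS setting", body))
        elif section == "O23":
            if "(file missing)" in body:
                flags.append(("service whose binary is missing", body))
            elif " - Unknown owner - " in body:
                # HJT prints 'Unknown owner' when the binary carries no company
                # name in its version info; common for OEM tools, so check the path.
                flags.append(("service with no company name", body))
            if re.search(r"\bvnc\b", body, re.IGNORECASE):
                flags.append(("remote-control service", body))
    return flags


def diff_runs(text_a, text_b):
    """Set differences between two runs. Empty 'entries_only_in_*' lists mean
    the second run surfaced nothing new; the scanner's own executable is the
    one process difference a rename is expected to produce."""
    procs_a, entries_a = parse_hjt(text_a)
    procs_b, entries_b = parse_hjt(text_b)
    return {
        "procs_only_in_a": sorted(set(procs_a) - set(procs_b)),
        "procs_only_in_b": sorted(set(procs_b) - set(procs_a)),
        "entries_only_in_a": sorted(set(entries_a) - set(entries_b)),
        "entries_only_in_b": sorted(set(entries_b) - set(entries_a)),
    }
```

Run `triage(parse_hjt(text)[1])` on a saved log to get the review list, and `diff_runs(first_log, second_log)` after any re-scan; on the pair in this thread the entry differences come back empty and the only process difference is the renamed scanner, which is exactly the result a successful rename with no hidden change should give.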
     
  7. 2007/11/14
    noahdfear
    Are you able to log on to the Administrator account in safe mode? If so, try toggling your user account to limited then back to admin. If no joy regaining admin rights, but you can access the Administrator account, run a Deckard's scan from there.
     
  8. 2007/11/15
    daveg
    No luck getting any different behavior. I think I may just have to recover back to the factory IBM settings :(
     
  9. 2007/11/16
    noahdfear
    And did you try running Deckard's from the Admin account? Logs will be created in a subfolder of C:\Deckard\System Scanner.
     
