
[Me Too] XP Pro Hacked: Lost Admin rights on User Account!

Discussion in 'Malware and Virus Removal Archive' started by taylorwn, 2007/12/02.

  1. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No need to run Kaspersky again unless it came up with some infections.

    Post a dss log from Carrie's account too.
     
  2. 2007/12/24
    taylorwn

    taylorwn Inactive Thread Starter

    Joined:
    2007/11/30
    Messages:
    70
    Likes Received:
    0
    DSS scan under Carrie's profile

    Deckard's System Scanner v20071014.68
    Run by carrie on 2007-12-24 16:52:38
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as carrie.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:52:51 PM, on 12/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
    C:\Program Files\Windows Live Toolbar\msn_sl.exe
    C:\Documents and Settings\carrie\Desktop\dss.exe
    C:\HJT\carrie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ErrorSafe] C:\Program Files\Error Safe\ERS.exe /min
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8152 bytes

    -- Files created between 2007-11-24 and 2007-12-24 -----------------------------

    2007-12-19 20:45:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-19 20:45:51 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-09 10:36:27 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
    2007-12-05 20:06:14 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Macromedia
    2007-12-02 20:27:22 1372 --a------ C:\WINDOWS\system32\tmp.reg
    2007-12-02 14:46:13 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Lavasoft
    2007-12-01 19:30:14 0 d-------- C:\HJT
    2007-11-28 20:48:32 0 d-------- C:\Program Files\Lavasoft
    2007-11-27 21:28:04 0 d-------- C:\quarantine
    2007-11-27 21:23:19 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Yahoo!
    2007-11-27 21:05:48 0 d-------- C:\Program Files\Common Files\Cisco Systems
    2007-11-27 21:05:25 58464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    2007-11-27 21:05:24 108480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    2007-11-27 21:01:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
    2007-11-27 21:00:13 0 d-------- C:\Program Files\Network Associates
    2007-11-27 21:00:13 0 d-------- C:\Program Files\Common Files\Network Associates
    2007-11-27 20:02:44 0 d--h----- C:\Documents and Settings\ADMIN\Application Data\GTek
    2007-11-27 20:00:55 0 dr------- C:\Documents and Settings\ADMIN\Favorites
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Desktop
    2007-11-27 20:00:55 0 d--hs---- C:\Documents and Settings\ADMIN\Cookies
    2007-11-27 20:00:55 0 dr-h----- C:\Documents and Settings\ADMIN\Application Data
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Sun
    2007-11-27 20:00:55 0 d---s---- C:\Documents and Settings\ADMIN\Application Data\Microsoft
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Identities
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Google
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Corel
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\Templates
    2007-11-27 20:00:54 0 dr------- C:\Documents and Settings\ADMIN\Start Menu
    2007-11-27 20:00:54 0 dr-h----- C:\Documents and Settings\ADMIN\SendTo
    2007-11-27 20:00:54 0 dr-h----- C:\Documents and Settings\ADMIN\Recent
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\PrintHood
    2007-11-27 20:00:54 1572864 --ah----- C:\Documents and Settings\ADMIN\NTUSER.DAT
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\NetHood
    2007-11-27 20:00:54 0 dr------- C:\Documents and Settings\ADMIN\My Documents
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\Local Settings
    2007-11-27 14:31:08 0 d-------- C:\Documents and Settings\carrie\Application Data\Ultimate Cleaner
    2007-11-27 14:24:44 0 d-------- C:\Documents and Settings\carrie\Application Data\Zango
    2007-11-26 14:57:39 20944 --a------ C:\Documents and Settings\trey\Application Data\info.dat
    2007-11-24 20:04:07 0 d-------- C:\Documents and Settings\trey\Application Data\acccore
    2007-11-24 13:02:05 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-11-24 12:59:15 0 d-------- C:\Program Files\AIM6


    -- Find3M Report ---------------------------------------------------------------

    2007-12-19 22:16:55 0 d-------- C:\Program Files\Common Files\SysProtect
    2007-12-13 00:48:44 7728 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-12-13 00:48:44 152 -r-hs---- C:\WINDOWS\system32\C4A95FEE05.sys
    2007-12-05 20:19:46 0 d-a------ C:\Program Files\Common Files
    2007-12-03 03:01:05 0 d-------- C:\Program Files\Windows Live Toolbar
    2007-11-28 21:50:25 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-11-28 20:40:45 0 d-------- C:\Program Files\BFG
    2007-11-27 21:54:55 7396 --ahs---- C:\Documents and Settings\carrie\Application Data\DFF1692788E64EAAA097460B7E65289B.sta
    2007-11-27 21:54:55 63465 ---hs---- C:\Documents and Settings\carrie\Application Data\DFF1692788E64EAAA097460B7E65289B.rul
    2007-11-24 13:04:00 0 d-------- C:\Program Files\Viewpoint
    2007-11-24 13:00:05 0 d-------- C:\Program Files\Common Files\AOL
    2007-11-02 18:55:05 0 d-------- C:\Program Files\LimeWire


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 12:02 AM]
    "dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [07/22/2005 12:03 PM]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 10:06 AM]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 04:43 PM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/19/2007 06:16 PM]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]
    "ErrorSafe"="C:\Program Files\Error Safe\ERS.exe" []
    "Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" []
    "Ultimate Cleaner"="C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel"=1 (0x1)

    *Newly Created Service* - ENTDRV51



    -- End of Deckard's System Scanner: finished at 2007-12-24 16:53:19 ------------
     


  4. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    On Carrie's account, highlight and copy the contents of the code box below.
    Code:
    reg delete "HKCU\software\microsoft\windows\currentversion\run" /v ErrorSafe /f
    reg delete "HKCU\software\microsoft\windows\currentversion\run" /v Spoolsv /f
    reg delete "HKCU\software\microsoft\windows\currentversion\run" /v "Ultimate Cleaner" /f
    reg delete "HKCU\software\microsoft\windows\currentversion\policies\explorer" /v NoControlPanel /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.

    Scan again with HijackThis and save the log. Post the contents of that log here and let me know if the Control Panel is now accessible.
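Added example (not from this thread, and not a feature of DSS or HijackThis): a Python script that reads the DSS "Registry Dump" format posted above and applies the checks behind the fix, then prints `reg delete` lines in the same form as the code box. Three things mark a Run value for removal here: its image name is one edit away from a core Windows binary (spoolvs.exe against spoolsv.exe, scored with an optimal-string-alignment distance so a swapped pair counts as one edit), its target file is gone (DSS prints an empty `[]` timestamp), or its value name belongs to a rogue "cleaner" product. A fourth check flags Policies\Explorer or Policies\System values such as NoControlPanel that lock the user out. The lists of system binaries, system directories and lockout policies are assumptions from general Windows knowledge; the rogue names are the two named in this thread; the sample dump is the HKCU part of the 16:52 log, reproduced inline.

```python
"""Triage the "Registry Dump" section of a Deckard's System Scanner log.
Added example, not a DSS feature; the rule lists are assumptions (XP names plus
the two rogue products named in this thread)."""
import ntpath
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
# XP core binaries that malware imitates by misspelling (assumed list).
SYSTEM_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass",
                   "svchost", "spoolsv", "explorer", "ctfmon", "rundll32"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
# Policies\Explorer and Policies\System values that lock the user out.
LOCKOUT_POLICIES = {"nocontrolpanel", "disableregistrytools",
                    "disabletaskmgr", "norun", "nofolderoptions"}
ROGUE_NAMES = {"errorsafe", "ultimate cleaner"}  # identified in this thread

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# DSS prints "name"="path" [file timestamp]; an empty "[]" means the file is
# gone.  The name pattern tolerates the stray space the forum rendering added.
VALUE_RE = re.compile(r'^"(?P<name>.*?)\s*"\s*=\s*(?P<rest>.*)$')
PATH_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')

def osa_distance(a, b):
    """Levenshtein plus adjacent swaps: spoolvs vs spoolsv scores 1, not 2."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def parse_dump(text):
    """Yield (key, value name, rest of line) for every value in the dump."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m["key"]
        elif (m := VALUE_RE.match(line)) and key:
            yield key, m["name"], m["rest"]

def check_run_entry(name, path, stamp):
    """Reasons to remove one Run value; an empty list means it looks fine."""
    reasons = []
    base = ntpath.basename(path).lower()
    stem = base[:-4] if base.endswith(".exe") else base
    if stem in SYSTEM_BINARIES:
        if ntpath.dirname(path).lower() not in SYSTEM_DIRS:
            reasons.append(f"{base} outside the system directory")
    elif near := sorted(s for s in SYSTEM_BINARIES if osa_distance(stem, s) == 1):
        reasons.append(f"lookalike of {near[0]}.exe")
    if stamp == "":
        reasons.append("target file missing (orphaned autorun)")
    if name.lower() in ROGUE_NAMES:
        reasons.append("rogue security product")
    return reasons

def check_policy(name, rest):
    m = re.match(r"\d+", rest)
    if name.lower() in LOCKOUT_POLICIES and m and int(m.group()) != 0:
        return ["user lockout policy enabled"]
    return []

def triage(text):
    """Return [(reg.exe-style key, value name, reasons)] for flagged values."""
    findings = []
    for key, name, rest in parse_dump(text):
        hive, _, tail = key.partition("\\")
        low = tail.lower()
        if low.endswith("\\run"):
            pm = PATH_RE.match(rest)
            path, stamp = (pm["path"], pm["stamp"]) if pm else (rest, None)
            reasons = check_run_entry(name, path, stamp)
        elif low.endswith(("policies\\explorer", "policies\\system")):
            reasons = check_policy(name, rest)
        else:
            reasons = []
        if reasons:
            findings.append((HIVES.get(hive, hive) + "\\" + tail, name, reasons))
    return findings

def reg_delete_commands(findings):
    """Same form as the commands posted above; names with spaces get quoted."""
    return [f'reg delete "{key}" /v ' + (f'"{name}"' if " " in name else name) + " /f"
            for key, name, _ in findings]

# Constructed sample: the HKCU part of the 16:52 dump above, minus stray spaces.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ErrorSafe"="C:\Program Files\Error Safe\ERS.exe" []
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" []
"Ultimate Cleaner"="C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"""

if __name__ == "__main__":
    print("\n".join(reg_delete_commands(triage(SAMPLE))))
```

Run as-is it prints the four `reg delete` lines from the code box above. Two points worth noticing: a plain Levenshtein distance would score spoolvs/spoolsv as 2 and let the transposition through, and the empty `[]` timestamp is itself evidence (the file has already been removed, but its autorun would keep throwing an error on every logon until the value goes).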
     
  5. 2007/12/24
    taylorwn

    taylorwn Inactive Thread Starter

    Joined:
    2007/11/30
    Messages:
    70
    Likes Received:
    0
    Control Panel is back!!!

    Thanks, the control panel is back.

    Deckard's System Scanner v20071014.68
    Run by carrie on 2007-12-24 18:39:28
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as carrie.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:39:39 PM, on 12/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
    C:\Documents and Settings\carrie\Desktop\dss.exe
    C:\HJT\carrie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7870 bytes

    -- Files created between 2007-11-24 and 2007-12-24 -----------------------------

    2007-12-19 20:45:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-19 20:45:51 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-09 10:36:27 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
    2007-12-05 20:06:14 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Macromedia
    2007-12-02 20:27:22 1372 --a------ C:\WINDOWS\system32\tmp.reg
    2007-12-02 14:46:13 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Lavasoft
    2007-12-01 19:30:14 0 d-------- C:\HJT
    2007-11-28 20:48:32 0 d-------- C:\Program Files\Lavasoft
    2007-11-27 21:28:04 0 d-------- C:\quarantine
    2007-11-27 21:23:19 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Yahoo!
    2007-11-27 21:05:48 0 d-------- C:\Program Files\Common Files\Cisco Systems
    2007-11-27 21:05:25 58464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    2007-11-27 21:05:24 108480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    2007-11-27 21:01:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
    2007-11-27 21:00:13 0 d-------- C:\Program Files\Network Associates
    2007-11-27 21:00:13 0 d-------- C:\Program Files\Common Files\Network Associates
    2007-11-27 20:02:44 0 d--h----- C:\Documents and Settings\ADMIN\Application Data\GTek
    2007-11-27 20:00:55 0 dr------- C:\Documents and Settings\ADMIN\Favorites
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Desktop
    2007-11-27 20:00:55 0 d--hs---- C:\Documents and Settings\ADMIN\Cookies
    2007-11-27 20:00:55 0 dr-h----- C:\Documents and Settings\ADMIN\Application Data
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Sun
    2007-11-27 20:00:55 0 d---s---- C:\Documents and Settings\ADMIN\Application Data\Microsoft
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Identities
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Google
    2007-11-27 20:00:55 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Corel
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\Templates
    2007-11-27 20:00:54 0 dr------- C:\Documents and Settings\ADMIN\Start Menu
    2007-11-27 20:00:54 0 dr-h----- C:\Documents and Settings\ADMIN\SendTo
    2007-11-27 20:00:54 0 dr-h----- C:\Documents and Settings\ADMIN\Recent
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\PrintHood
    2007-11-27 20:00:54 1572864 --ah----- C:\Documents and Settings\ADMIN\NTUSER.DAT
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\NetHood
    2007-11-27 20:00:54 0 dr------- C:\Documents and Settings\ADMIN\My Documents
    2007-11-27 20:00:54 0 d--h----- C:\Documents and Settings\ADMIN\Local Settings
    2007-11-27 14:31:08 0 d-------- C:\Documents and Settings\carrie\Application Data\Ultimate Cleaner
    2007-11-27 14:24:44 0 d-------- C:\Documents and Settings\carrie\Application Data\Zango
    2007-11-26 14:57:39 20944 --a------ C:\Documents and Settings\trey\Application Data\info.dat
    2007-11-24 20:04:07 0 d-------- C:\Documents and Settings\trey\Application Data\acccore
    2007-11-24 13:02:05 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-11-24 12:59:15 0 d-------- C:\Program Files\AIM6


    -- Find3M Report ---------------------------------------------------------------

    2007-12-19 22:16:55 0 d-------- C:\Program Files\Common Files\SysProtect
    2007-12-13 00:48:44 7728 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-12-13 00:48:44 152 -r-hs---- C:\WINDOWS\system32\C4A95FEE05.sys
    2007-12-05 20:19:46 0 d-a------ C:\Program Files\Common Files
    2007-12-03 03:01:05 0 d-------- C:\Program Files\Windows Live Toolbar
    2007-11-28 21:50:25 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-11-28 20:40:45 0 d-------- C:\Program Files\BFG
    2007-11-27 21:54:55 7396 --ahs---- C:\Documents and Settings\carrie\Application Data\DFF1692788E64EAAA097460B7E65289B.sta
    2007-11-27 21:54:55 63465 ---hs---- C:\Documents and Settings\carrie\Application Data\DFF1692788E64EAAA097460B7E65289B.rul
    2007-11-24 13:04:00 0 d-------- C:\Program Files\Viewpoint
    2007-11-24 13:00:05 0 d-------- C:\Program Files\Common Files\AOL
    2007-11-02 18:55:05 0 d-------- C:\Program Files\LimeWire


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 12:02 AM]
    "dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [07/22/2005 12:03 PM]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 10:06 AM]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 04:43 PM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/19/2007 06:16 PM]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    *Newly Created Service* - ENTDRV51



    -- End of Deckard's System Scanner: finished at 2007-12-24 18:40:08 ------------
     
  6. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! There are a couple of files I'd like to check out. Copy the contents of the code box below and paste it into a command window.

    Code:
    attrib -h -s "%userprofile%\Applic~1\DFF1692788E64EAAA097460B7E65289B.sta"
    attrib -h -s "%userprofile%\Applic~1\DFF1692788E64EAAA097460B7E65289B.rul"
    md "%userprofile%\desktop\suspect"
    copy "%userprofile%\Applic~1\DFF1692788E64EAAA097460B7E65289B.sta" "%userprofile%\desktop\suspect"
    copy "%userprofile%\Applic~1\DFF1692788E64EAAA097460B7E65289B.rul" "%userprofile%\desktop\suspect"
    attrib +h +s "%userprofile%\Applic~1\DFF1692788E64EAAA097460B7E65289B.sta"
    attrib +h +s "%userprofile%\Applic~1\DFF1692788E64EAAA097460B7E65289B.rul"
    exit
    cls
    
    It will create a folder named suspect on the desktop and copy the files to that folder, then the command window will close. Please zip the suspect folder and submit the zip file to my submission channel. Leave a link back to this topic.

    Everything else appears to be in order, so if the Kaspersky scan was clean I'd say we're finished (pending analysis of those two files).
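Added example (not from this thread or from DSS): a Python script that reads the DSS file-listing lines posted above (the "Files created" and "Find3M" sections), picks out what made the .sta/.rul pair stand out, and writes the same unhide / copy / re-hide batch that the code box above does. The attribute column is nine characters, `d` for directory, `r` read-only, `a` archive, `h` hidden, `s` system; the selection rule used here (a file, not a folder, marked hidden and system, living under a user profile, with a long hex string for a name) is an assumption chosen to match the two files requested, not a DSS rule. The sample listing is copied from the logs above and embedded inline; the generated batch uses full paths rather than the `%userprofile%\Applic~1` short form so it works from any account.

```python
"""Pick hidden+system files with random hex names out of a DSS file listing
and build the collection batch posted above.  Added example, not a DSS
feature; the selection rule is an assumption fitted to this thread."""
import ntpath
import re
from dataclasses import dataclass

# "2007-11-27 21:54:55 7396 --ahs---- C:\...\X.sta <Not Verified; vendor; product>"
# attribute columns: d=directory r=read-only a=archive h=hidden s=system
LINE_RE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
                     r"(?P<attrs>[drahs-]{9})\s+(?P<path>.+?)(?:\s+<[^>]*>)?$")
HEX_STEM = re.compile(r"^[0-9A-Fa-f]{16,}$")
PROFILE_ROOT = "c:\\documents and settings\\"


@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self): return self.attrs[0] == "d"
    @property
    def hidden(self): return self.attrs[3] == "h"
    @property
    def system(self): return self.attrs[4] == "s"


def parse_listing(text):
    """One Entry per listing line; the '<Not Verified; ...>' tail is dropped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m["stamp"], int(m["size"]), m["attrs"], m["path"]))
    return out


def suspect_files(entries):
    """Files (not folders) marked hidden+system, under a user profile, whose
    name is a long hex string: the pattern of the .sta/.rul pair above."""
    return [e for e in entries
            if not e.is_dir and e.hidden and e.system
            and e.path.lower().startswith(PROFILE_ROOT)
            and HEX_STEM.match(ntpath.splitext(ntpath.basename(e.path))[0])]


def collection_batch(files, dest=r"%userprofile%\desktop\suspect"):
    """cmd.exe lines in the order used above: unhide, make folder, copy,
    re-hide.  Full paths are used instead of the %userprofile% short form."""
    lines = [f'attrib -h -s "{f.path}"' for f in files]
    lines.append(f'md "{dest}"')
    lines += [f'copy "{f.path}" "{dest}"' for f in files]
    lines += [f'attrib +h +s "{f.path}"' for f in files]
    return lines


# Constructed sample: lines copied from the Find3M and files-created sections.
SAMPLE = r"""
2007-12-13 00:48:44 7728 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-13 00:48:44 152 -r-hs---- C:\WINDOWS\system32\C4A95FEE05.sys
2007-12-09 10:36:27 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2007-11-27 21:54:55 7396 --ahs---- C:\Documents and Settings\carrie\Application Data\DFF1692788E64EAAA097460B7E65289B.sta
2007-11-27 21:54:55 63465 ---hs---- C:\Documents and Settings\carrie\Application Data\DFF1692788E64EAAA097460B7E65289B.rul
2007-11-27 20:00:55 0 d--hs---- C:\Documents and Settings\ADMIN\Cookies
"""

if __name__ == "__main__":
    print("\n".join(collection_batch(suspect_files(parse_listing(SAMPLE)))))
```

The re-hide step at the end matters: the attributes are part of what the analyst will want to see, and leaving the originals visible changes the evidence on the machine. The two hidden+system files in system32 are deliberately not selected by this rule, since nothing in the thread identifies them one way or the other.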
     
