Solved

Missing Recycle Bin, restricted privileges on admin account - Hijack This Log

Posted on 2007-11-20
5
710 Views
Last Modified: 2016-08-29
Hello, I have a computer here that is having some strange symptoms.  The program listings are missing from the Program Files area in the Start menu, the Recycle Bin is missing from the desktop, and it seems my admin account is restricted from installing some programs (specifically RemoveIT Pro).  The computer is running Windows HP Home SP2.  I ran a virus scan with WinAntiVirus Pro and removed a couple of possible viruses, but the above symptons still occur.  Can somebody please review my Hijack This log and let me know if they see any additional problems?  Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:35:45 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe
C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Best Western\Knock Knock\version_check.exe
C:\WINDOWS\SCURIT~1\svchost.exe
C:\Documents and Settings\Steve Black\My Documents\F?nts\i?xplore.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Steve Black\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2007\winpgi.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\urqoomk.dll (file missing)
O3 - Toolbar: InternetAnonymizer - {7873A33B-E2A1-4a0b-A418-B6378908ABAD} - C:\Program Files\InternetAnonymizer\IAToolBar.dll
O4 - HKLM\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [287a06ea] rundll32.exe "C:\WINDOWS\system32\hguodifj.dll",b
O4 - HKLM\..\Run: [WinAntiVirus Pro 2007] C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe /min
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [Knock Knock] C:\Program Files\Best Western\Knock Knock\version_check.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\SCURIT~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Lcvdur] "C:\Documents and Settings\Steve Black\My Documents\F?nts\i?xplore.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk121IUUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: urqoomk - urqoomk.dll (file missing)
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: yayvwvt - yayvwvt.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6738 bytes
0
Comment
Question by:anrky1
  • 3
  • 2
5 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20324899
Hi,

Well, you have quite a nice collection of Malware there. A couple of things...

WinAntiVirus Pro is a rogue program. It plants malware on your system then asks you for $$ to remove it. It is garbage. Hope you didn't give them any money.

You can try removing it with Add or Remove Programs but it will still likely linger. And you now have Vundo and Purity Scan infections from what I can see. Also, you are using the Beta HJT. You should update to 2.0.2. Here is a link:

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Let's go after Vundo first. Going give SDFix a run first to hopefully get your permissions back first though.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.

Download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click Yes
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log (using your new version).
 
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.

0
 

Author Comment

by:anrky1
ID: 20325401
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 250 total points
ID: 20326932
A little better...

Run HijackThis. Click None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

---------------------------------

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2007\winpgi.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - (no file)
O4 - HKLM\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKLM\..\Run: [287a06ea] rundll32.exe "C:\WINDOWS\system32\hguodifj.dll",b
O4 - HKLM\..\Run: [WinAntiVirus Pro 2007] C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe /min
O4 - HKCU\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\SCURIT~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Lcvdur] "C:\Documents and Settings\Steve Black\My Documents\F?nts\i?xplore.exe"
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: urqoomk - urqoomk.dll (file missing)
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: yayvwvt - yayvwvt.dll (file missing)

---------------------------------

Then close all windows except this one and press Fix checked.

Using Windows Explorer delete the following folders:


C:\Program Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007

The next 1 is Purity Scan. You will need to figure out what is in place of the ? and delete the folder.

C:\Documents and Settings\Steve Black\My Documents\F?nts

In this one the tilde ~ is representing one or more characters.

C:\WINDOWS\SCURIT~1

Reboot.

========================================

Next, you don't have any Antivirus. You need to put one in place ASAP, update it, and run a full system scan, letting it fix or quarantine anything it finds.

Here are 3 free ones.

http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free ~ AVG AntiVirus
http://www.avast.com/eng/avast_4_home.html ~ Avast Antivirus Home Version--Free
http://www.free-av.com/ - Antivir Personal ~ Free

I would also recommend running a Spyware Scan with AVG.

http://downloads.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.1.43.exe

Run this in Safe Mode. Same as AV, update, run full system scan, let it fix or quarantine anything it finds.

Reboot and upload a fresh HJT log, let us know how it's running too.
0
 

Author Comment

by:anrky1
ID: 20332114
Fresh HJT log here:

https://filedb.experts-exchange.com/incoming/ee-stuff/5745-hijackthis-2.txthttps://filedb.experts-exchange.com/incoming/ee-stuff/5764-hijackthis-3.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5742-SDFix-2.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5743-VundoFix-2.txt


The computer is running better now.  I ran Avast and that removed the remaining issues.  The above symptoms (missing Recycle Bin, no "privileges" to run RemoveIT Pro, program listings missing from All Programs in Start Menu) are still there, though.  
0
 

Author Comment

by:anrky1
ID: 20332123
Oops, I submitted too early.  I also meant to say that I am accepting your instructions as the Solution because I think I can live with the symptoms.  So thank you again for helping me, I really appreciate your help!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now