
Win 2K - Yellow Triange, Adware, Control Panel and Admin Privileges Missing

Discussion in 'Virus & Other Malware Removal' started by sk8skiier, Sep 4, 2007.

Thread Status:
Not open for further replies.
  1. sk8skiier (Thread Starter)
     Joined: Sep 4, 2007; Messages: 2
    Good morning. I noticed that you helped a user solve a similar problem that I'm experiencing on a Win 2K machine. The post that I'm referring to is here.

    I'm experiencing these same problems, but could not solve the problem from the post. I ran ComboFix, then SuperAntiSpyware, then HiJackThis. Those logs are below. However, I could not find the suggested lines to fix in the HiJackThis log (there are three), nor was the FireDaemon Service in the services window. It is still running, though, as I can see it running as a process in the Task Manager.

    I'm posting the logs from the three applications below, in hopes that someone can help me remove this for good.

    ComboFix 07-09-04.4 - "Administrator" 09/04/2007 8:27:41.1 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.242 [GMT -4:00]



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ADMINI~1.GRE\STARTM~1\Programs\Startup\system.exe
    C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\system.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
    C:\DOCUME~1\shiela\APPLIC~1\macromedia\Flash Player\#SharedObjects\5U5GJG8Z\www.broadcaster.com
    C:\DOCUME~1\shiela\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\DOCUME~1\shiela\STARTM~1\Programs\Startup\system.exe
    C:\WINNT\system32\drivers\fad.sys
    C:\WINNT\system32\printer.exe
    C:\WINNT\system32\WinAvXX.exe


    ((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


    2007-09-04 08:27 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-09-04 08:27 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_400.dat
    2007-08-31 15:43 <DIR> d-------- C:\WINNT\Content.IE5
    2007-08-31 15:28 2,916 --a------ C:\smitfra.reg
    2007-08-31 15:28 177,048 --a------ C:\smitfrau.reg
    2007-08-31 15:28 16,824 --a------ C:\replace.cmd
    2007-08-31 12:38 <DIR> d-------- C:\Program Files\PestPatrol
    2007-08-31 11:30 <DIR> d-------- C:\DOCUME~1\KLAUST~1\APPLIC~1\Sonic
    2007-08-31 11:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Yahoo!
    2007-08-29 14:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GRE\APPLIC~1\Yahoo!


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    09/04/07 07:57a --------- d-------- C:\Program Files\Symantec AntiVirus
    08/31/07 02:39p --------- d-------- C:\DOCUME~1\shiela\APPLIC~1\WholeSecurity
    08/10/07 08:40a --------- d-------- C:\DOCUME~1\shiela\APPLIC~1\AdobeUM
    07/30/07 07:19p 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
    07/30/07 07:19p 92504 --a------ C:\WINNT\system32\cdm.dll
    07/30/07 07:19p 549720 --a------ C:\WINNT\system32\wuapi.dll
    07/30/07 07:19p 53080 --a------ C:\WINNT\system32\wuauclt.exe
    07/30/07 07:19p 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
    07/30/07 07:19p 43352 --a------ C:\WINNT\system32\wups2.dll
    07/30/07 07:19p 325976 --a------ C:\WINNT\system32\wucltui.dll
    07/30/07 07:19p 271224 --a------ C:\WINNT\system32\mucltui.dll
    07/30/07 07:19p 207736 --a------ C:\WINNT\system32\muweb.dll
    07/30/07 07:19p 203096 --a------ C:\WINNT\system32\wuweb.dll
    07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\wuaueng.dll
    07/30/07 07:19p 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
    07/30/07 07:18p 33624 --a------ C:\WINNT\system32\wups.dll
    07/10/03 02:54p 271 --ah----- C:\Program Files\DESKTOP.INI
    07/10/03 02:54p 21952 --ah----- C:\Program Files\FOLDER.HTT
    06/26/07 05:57a 235280 --a------ C:\WINNT\system32\GDI32.DLL
    06/26/07 05:57a 235280 --a------ C:\WINNT\system32\dllcache\GDI32.DLL
    06/26/07 02:52p 2286080 --a------ C:\WINNT\system32\dllcache\VGX.DLL
    06/20/03 08:00a 32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS
    06/12/07 11:11a 575488 --a------ C:\WINNT\system32\dllcache\WININET.DLL
    06/12/07 11:11a 462336 --a------ C:\WINNT\system32\dllcache\URLMON.DLL
    06/12/07 11:11a 12288 --a------ C:\WINNT\system32\dllcache\JSPROXY.DLL
    06/12/07 11:10a 69632 --a------ C:\WINNT\system32\dllcache\INSENG.DLL
    06/12/07 11:10a 236032 --a------ C:\WINNT\system32\dllcache\IEPEERS.DLL
    06/12/07 11:09a 498176 --a------ C:\WINNT\system32\dllcache\MSTIME.DLL
    06/12/07 11:09a 351744 --a------ C:\WINNT\system32\dllcache\DXTMSFT.DLL
    06/12/07 11:09a 34816 --a------ C:\WINNT\system32\dllcache\PNGFILT.DLL
    06/12/07 11:09a 2704896 --a------ C:\WINNT\system32\dllcache\MSHTML.DLL
    06/12/07 11:09a 192512 --a------ C:\WINNT\system32\dllcache\DXTRANS.DLL
    06/12/07 11:05a 132096 --a------ C:\WINNT\system32\dllcache\MSRATING.DLL
    06/12/07 11:04a 402944 --a------ C:\WINNT\system32\dllcache\SHLWAPI.DLL
    06/12/07 11:04a 143360 --a------ C:\WINNT\system32\dllcache\CDFVIEW.DLL
    06/12/07 11:04a 1340416 --a------ C:\WINNT\system32\dllcache\SHDOCVW.DLL
    06/12/07 11:04a 1017856 --a------ C:\WINNT\system32\dllcache\BROWSEUI.DLL
    06/07/07 02:50a 1119232 --a------ C:\WINNT\system32\msxml3.dll
    06/07/07 02:50a 1119232 --------- C:\WINNT\system32\dllcache\msxml3.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [06/20/03 08:00a C:\WINNT\SYSTEM32\MOBSYNC.EXE]
    "IgfxTray"="C:\WINNT\system32\igfxtray.exe" [05/06/04 04:52p]
    "HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [05/06/04 04:48p]
    "dla"="C:\WINNT\system32\dla\tfswctrl.exe" [03/15/04 02:04a]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/03 02:01a]
    "HP Lamp"="C:\SCANJET\PrecisionScanPro\HPLamp.exe" [07/23/99 02:11a]
    "FinishOptions"="C:\DOCUME~1\shiela\LOCALS~1\Temp\hpbinxst.exe" []
    "eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [05/03/07 07:57a]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [04/27/07 11:25a]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/05 09:21a]
    "vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [06/23/05 07:27p]
    "PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [11/15/04 11:49a]
    "PestPatrolCL"="" []
    "PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [04/19/03 07:53a]
    "CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [01/10/05 09:35a]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [03/21/05 03:13p C:\WINNT\SYSTEM32\CTFMON.EXE]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "internat.exe"=internat.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"
    R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
    R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
    R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
    R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
    R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
    S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
    S3 EraserUtilDrvI1;EraserUtilDrvI1;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI1.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12

    *Newly Created Service* - CATCHME

    Contents of the 'Scheduled Tasks' folder
    "2007-08-29 20:23:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-04 08:34:36
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    \ComboFix\sed.cfexe [1632] 0x83221020


    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 09/04/2007 8:35:20
    C:\ComboFix-quarantined-files.txt ... 09/04/07 08:35a

    --- E O F ---
  2. sk8skiier (Thread Starter)
     Joined: Sep 4, 2007; Messages: 2
    ...the forum won't let me post the SuperAntiSpyware log; it's too long (351047 chars).

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:28, on 2007-09-04
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\SCANJET\PrecisionScanPro\HPLamp.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\administrator.GREEN7\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/crawler?general=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/crawler?general=%s
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - rsion - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
    O4 - HKLM\..\Run: [FinishOptions] C:\DOCUME~1\shiela\LOCALS~1\Temp\hpbinxst.exe
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141071450789
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141071440632
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = green7.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = green7.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = green7.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7565 bytes
Short URL to this thread: https://techguy.org/619499
