Jump to content


Photo

My logs


  • This topic is locked This topic is locked
21 replies to this topic

#1 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 11 July 2006 - 09:12 AM

Hii, I experienced strange problems recently with my system, I hope that I found a way to fix them.

symptoms:
1- Turn off button in the start menu disappeared.
2- Opening of Task manager or regedit produce the error "Task manager/regedit has disabled by the administrator".
3- Can't add/remove any program, it tells me that I'm not the admin.

My system configuration:
Windows XP home edition, 512 RAM, pentium 4.

What I did:
1- Followed all the instructions here
2- Made a full system scan, and found that the browser I always use is infected, it's called Maxthon.

Logs:
Logfile of HijackThis v1.99.1
Scan saved at 5:14:29 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Ela-Salaty\Salaty.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\DOCUME~1\MOAMEN~1\LOCALS~1\Temp\Rar$EX00.469\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxtray] -C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] -C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] -C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] -C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] -AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] -C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] -C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] -C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] -"C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] -C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] -C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] -C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] -C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] -C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] -C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - -"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - -C:\Program Files\HPQ\Shared\hpqwmi.exe (file missing)
O23 - Service: hpqwmiex - Unknown owner - -C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - -"C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - -"C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - -C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:04:35 PM 7/11/2006

+ Scan result:



C:\Documents and Settings\moamen kohail\Cookies\moamen kohail@bfast[1].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Documents and Settings\moamen kohail\Cookies\moamen kohail@b.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\moamen kohail\Cookies\moamen kohail@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\moamen kohail\Cookies\moamen kohail@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\moamen kohail\Cookies\moamen kohail@spinbox[2].txt -> TrackingCookie.Spinbox : Cleaned with backup (quarantined).
C:\Documents and Settings\moamen kohail\Cookies\moamen kohail@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
C:\Program Files\Trillian\Patch.exe -> Trojan.Agent.jh : Cleaned with backup (quarantined).


::Report end






SmitFraudFix v2.69

Scan done at 15:40:38.23, Tue 07/11/2006
Run from C:\Documents and Settings\Administrator\ \SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


Thanks..

#2 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 12 July 2006 - 03:11 PM

helloo?

#3 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 03:03 AM

Hello,

Have you been using a tool to tweak some settings? Because it looks like some policies have been added.

Perform next:

Open notepad and copy and paste next present in the quotebox in it:

regedit /a peek1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /a peek2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
del peek*.txt
start notepad look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and notepad should open.
Copy and paste the contents of it in your next reply.
In case you still are unsure how to create a bat file, take a look here with screenshots.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 08:27 AM

Hello,

Have you been using a tool to tweak some settings? Because it looks like some policies have been added.

I didn't, and that's the problem, And Windows xp home edition doesn't have group policy editor.

Perform next:

Open notepad and copy and paste next present in the quotebox in it:

regedit /a peek1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /a peek2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
del peek*.txt
start notepad look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and notepad should open.
Copy and paste the contents of it in your next reply.
In case you still are unsure how to create a bat file, take a look here with screenshots.

Thanks I will try what you suggested, and report back.

#5 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 08:41 AM

And Windows xp home edition doesn't have group policy editor


yes I know, but Tweak XP, and other 'XP tweakers' have these options as well, so that's why I thought you maybe used similar tool.
Anyway, we'll see what the reports show.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#6 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 08:45 AM

By the way -- as a sidenote. I see you have three antivirus and two firewalls installed... :blink:
I don't know which ones you bought or which ones are a trial, but I strongly recommend you uninstall the ones you didn't buy.

Rather than giving you extra protection, this can actually give problems because of incompatibility issues, can even cause BSODs and decrease the reliability of it seriously!

If you decide to only keep one Anti-Virus and firewall installed,
you should uninstall the other(s) through the Add or Remove Programs option in Control Panel.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#7 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 09:03 AM

I can't use this bat file in "normal" mode, It always say: (Regedit has been disabled by your admin)

Using the safe mode:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001



#8 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 09:05 AM

By the way -- as a sidenote. I see you have three antivirus and two firewalls installed... :blink:
I don't know which ones you bought or which ones are a trial, but I strongly recommend you uninstall the ones you didn't buy.

Rather than giving you extra protection, this can actually give problems because of incompatibility issues, can even cause BSODs and decrease the reliability of it seriously!

If you decide to only keep one Anti-Virus and firewall installed,
you should uninstall the other(s) through the Add or Remove Programs option in Control Panel.

I bought only one and the others are trials, I don't like that either, but I can't use add/remove any program, an error message appear telling me that I'm not the admin so I can't remove any program.

#9 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 09:05 AM

:duplicated post:

Edited by Mamoun, 14 July 2006 - 09:06 AM.


#10 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 09:22 AM

Mamoun, in normal mode, does your account have admin privileges - are you an admin? Or do you have restricted privileges?
Are there more than one useraccounts present on this computer?
Because most probably in safe mode, you choose the admin account ond not your MOAMEN.. account which may explain why these policies are not set there.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#11 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 09:45 AM

Mamoun, in normal mode, does your account have admin privileges - are you an admin? Or do you have restricted privileges?
Are there more than one useraccounts present on this computer?
Because most probably in safe mode, you choose the admin account ond not your MOAMEN.. account which may explain why these policies are not set there.

In the safe mode I have admin privileges and I can use regedit, I'm the admin and not a limited user account.

No there aren't any other users on thic computer.

Because most probably in safe mode, you choose the admin account ond not your MOAMEN.. account which may explain why these policies are not set there.

Yes, that's right.

#12 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 09:52 AM

well, the output of the look.bat won't make any sense if you run it from another account than the account where you are having the problems.

I overlooked the fact that your regedit was also disabled.

Can you first tell me what this is?

C:\Program Files\Ela-Salaty\Salaty.exe

I want to know first before we deal with these policies in another way, because if anything malware related is responsible to set these policies, it doesn't make any sense that we try to restore it if the malware is still active - so what is this Ela-salaty? Did you install this? And what does it do?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#13 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 10:48 AM

Anyway, let's give next a try - we'll see afterwards if malware is involved here and modifies it again..

Open notepad and copy and paste next present in the quotebox in it:

On Error Resume Next
Set Sh = CreateObject("WScript.Shell")
Sh.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
Sh.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
Sh.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogoff"
Sh.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms"
Set Sh = Nothing

Save this as restore.vbs , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it.

This should restore your regedit, taskmanager, enable logoff and enable add/remove programs.
To get your logoff button back, you need a reboot first. So reboot.

And I guess there will be more policies set as well, so that's why we still have look.bat to take a look. It should hopefully work now.
So after reboot (to restore the logoff button), delete the look.txt that the look.bat created previously and doubleclick look.bat again, so a new look.txt gets created and paste the contents in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#14 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 11:02 AM

well, the output of the look.bat won't make any sense if you run it from another account than the account where you are having the problems.

I overlooked the fact that your regedit was also disabled. Strange Hijackthis doesn't show this though...

Can you first tell me what this is?

C:\Program Files\Ela-Salaty\Salaty.exe

I want to know first before we deal with these policies in another way, because if anything malware related is responsible to set these policies, it doesn't make any sense that we try to restore it if the malware is still active - so what is this Ela-salaty? Did you install this? And what does it do?

Yes I installed that, Don't worry about it, it doesn't make any problems, It's a reminder program, I installed it on other computers and there were no problems..

#15 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 11:02 AM

Thanks for the feedback on that - I just wanted to be sure. Now perform my next step :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#16 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 11:26 AM

Here you go, thanks for your patience..

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRun"=dword:00000001
"NoClose"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRun"=dword:00000001
"NoClose"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


BTW, Turn off button is not restored even after restart.

#17 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 11:37 AM

I already see now... It's a policy 'NoClose' which is set - this one also disables the turn off button.
And I also see that the start > run is gone as well.

So let's fix that..

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=-
"NoClose"=-

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
In case you still are unsure how to create a reg file, take a look here with screenshots.

This should fix it. If the logoff button is not restored immediately, reboot first.
Is the rest working now? Well, your regedit should be restored though, otherwise you wouldn't be able to export above log :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#18 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 11:49 AM

It DID WORK! Thanks! :thumbsup: :thumbsup: :D

Now the run button is here too, Great!

I'm curious about how this malware/spyware got to my computer and changed the policies, May you explain that please, and how to prevent similar infections in the feature?

#19 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 12:04 PM

Well, this could be anything that changed these policies. Several pieces of malware are also responsible for this. Maybe you opened an attachement in a mail from someone you didn't know?
Now I see this entry WAS present in your hijackthislog:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

That should be gone now.
In anyway, I assume you already scanned with SUPERAntiSpyware, Windows Defender, Ewido, NOD32, McAfee and Norton to delete all malware present.
The rest of your log looks clean.
Now uninstall the extra scanners/firewalls which are a trial - as I already noted in a previous post.

Glad I could help. :)

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castleco...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#20 Mamoun

Mamoun

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 14 July 2006 - 05:49 PM

Looks like there is a new problem :(
The internet is not working :( any ideas?

#21 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 14 July 2006 - 11:01 PM

What happened previously to that? It worked fine yesterday. Did you uninstall all the firewalls?

Post a new hijackthislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#22 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2006 - 05:52 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




Member of UNITE
Support SpywareInfo Forum - click the button