Malware Causing Administrator Denial of Privileges and Strange Outboun


#1 brokenfoot
I have a Windows XP Pro computer which may have malware on it. I have tried to keep my system protected by adding various utilities from other sites. I have the ZA Pro Internet Suite 2007, so I have disabled AVG and SuperAntiSpyware when not using them to avoid conflicts; they are used and re-installed only for periodic checks.

I have read the forum guideline requests and I have run ATF Cleaner, cleansed System Restore, re-enabled everything in msconfig, ran AVG & SuperAntiSpyware (earlier, when possible to run) ----> both found nothing, ran Panda scan ----> found nothing, Windows Update used regularly, just ran the www.secunia.com checker, ran Sophos SARCLI.EXE ----> clean, BitDefender ----> clean, Sophos Anti-Rootkit ----> nothing found.

I just had a new hard drive and Win XP Pro reinstalled professionally. I installed ZoneAlarm Pro Internet Suite 6.5 2007 for AV/spyware protection (I used to use Norton Internet Security). I also have added many programs recommended at spywarewarrior.com, merijn.org, majorgeeks.com etc. These include Spybot, Ad-Aware, IE-SPYAD for ZonedOut, SpywareBlaster, some Sysinternals programs from Microsoft (also loaded at times AVG, SuperAntiSpyware, among others).

After the re-install I had to re-update IE6 to IE7, with some problems doing so, possibly getting infected in the process too. I frequently get redirected to a new start page, with my normal one changed. I try to use Firefox when possible.

I was previously infected several months ago with a Smitfraud virus. I ran Smitrem by Noah Fear, which found 2 programs; I have run this again and still find these programs, so something is still lurking in my system. I must have a program etc. that is infected, or I am re-downloading a program that is corrupt during my reinstalls.

I have also found unwise.exe and unwise32qt.exe on my system some time ago. Some bulletins state these may be trojans calling www.nymex.com.

I have blocked a number of sites cited as those which these trojans might call (Smitfraud, unvise32.exe, Cadux). I still get periodic outbound attempts by these programs, blocked by my firewall, to sites that I am trying to block. I do not know what is triggering it (i.e. realsearch.cc, ecjnoe3inwe.com, dkjfwekjnc.com etc.).

I just recently tried the e-mail battery test at gfi.com, which my ZA Pro/Outlook Express 6 seemed to protect against. However, afterwards my ZA Pro AV/Antispyware updater could not update my spyware part. Also, the My Vault and all my configs and logs were cleansed. My Help & Support is loading slow again. (I have other related posts... this may be the same problem from a program re-infecting me.)

I have run numerous AV/antispyware programs. Besides those listed above I have run Sophos Savcli.exe, Stinger, Panda online ActiveScan 2 (TotalScan), BitDefender online, Kaspersky online, Sophos Anti-Rootkit, and RootkitRevealer (Sysinternals). Nothing significant was found except for Adware Luke the Screenwasher?, which was deleted.

I have just installed AntiHook 3.0 and Sandboxie per Gizmo Richards' site recommendations. This program has found a number of hooks.

In my AntiHook logs I have found programs GLB9.tmp launching zauninst.exe; GLBC.tmp launching isafe.exe; GLBC.tmp launching unwise.exe; unwise.exe launching GLB1a2b.exe. Most of these launches are from the C:\Document & Settings\ Administrator\ Local Services\Temp folder. Somehow my ZoneAlarm Pro was uninstalled!!! After losing my ZA Pro I have used either ZA Free or the Windows XP firewall.

Recently, I have tried installing AVG (I keep it off, with the installer handy, just in case I need to avoid ZA conflicts) but I get Access Denied dialogs (failed, code 5); apparently my Administrator privileges were somehow changed to prevent installation of many programs. The same thing happens when I try to install Webroot Spy Sweeper. How can I change the registry etc. to regain these privileges? If I try to install things, they freeze up and I get a dialog stating "program cannot be closed as it is locked by the system".

Before ZA Pro was lost it had trouble updating with Windows Update and viewing certain sites (BitDefender & myspace.com) normally. These sites, however, were viewed normally with just the Windows XP firewall.

I seem to have some malware in my system but I do not know what it is. I have run HJK and have saved logs for the startup as well. I do not know if I have a rootkit infection or something else. I would like to try to avoid re-installing my OS if possible; it is backed up on an external drive which I just got.

I ran a Trend Micro Spywarescan and it found Spyware_KEYL_ASTLOG. This changed a registry key HKCU\S-1-5-21...\SOFTWARE\NIRSOFT....

The bulletin on Trend Micro states that HKCU\SOFTWARE\NIRSOFT\AsterikLogger\Columns is added and that this spyware reveals passwords of target applications. I must have gotten infected with this when I downloaded a program, CurrPorts from NirSoft, which was recommended by Gizmo Richards' Tech Alert site (per the article "Tracing Unexpected Internet Activity").


I probably have other malware on my machine. I am attaching a current HJK log, a startup config from the HJK, and a portion of a log from AntiHook 3.


I appreciate any assistance that you can give me.

Edited by brokenfoot, 20 March 2007 - 09:49 PM.
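The post above reports two observable symptoms that are worth triaging mechanically rather than by eye: `.tmp` files in the user's Temp folder spawning executables, and blocked outbound connections from those executables to random-looking domains. The following script is an added example, not part of the original post and not AntiHook or ZoneAlarm code; its "<parent> launched <child>" and "BLOCKED OUT <process> -> <host>:<port>" line formats, the sample log lines, and the blocklist are all constructed here for illustration. It flags launches that touch a Temp directory or have a `.tmp` file as the parent, and flags destinations that are on the user's own blocklist or whose labels look machine-generated (a long run of consonants, or a digit wedged between letters).

```python
"""Constructed triage helper for the symptoms described in the post:
executables launched out of a user temp directory, and firewall-blocked
outbound connections from those executables to random-looking domains.
All log formats and sample lines here are made up for this example;
they are not AntiHook or ZoneAlarm output.
"""
import re

VOWELS = set("aeiouy")
# Matches "\Temp\" or "\Local Settings\Temp\" anywhere in a Windows path.
TEMP_DIR = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
LAUNCH_RE = re.compile(r"^(?P<parent>.+?) launched (?P<child>.+)$")
FW_RE = re.compile(r"BLOCKED OUT (?P<proc>\S+) -> (?P<host>[^:\s]+)")

# Constructed sample in an assumed "<parent> launched <child>" format.
LAUNCH_LOG = """\
C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\GLB9.tmp launched C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\zauninst.exe
C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\GLBC.tmp launched C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\unwise.exe
C:\\WINDOWS\\explorer.exe launched C:\\Program Files\\Mozilla Firefox\\firefox.exe
C:\\WINDOWS\\system32\\services.exe launched C:\\WINDOWS\\system32\\svchost.exe
"""

# Constructed sample in an assumed firewall log format.
FIREWALL_LOG = """\
2007-03-20 21:12:05 BLOCKED OUT unwise.exe -> dkjfwekjnc.com:80
2007-03-20 21:12:09 BLOCKED OUT unwise.exe -> ecjnoe3inwe.com:80
2007-03-20 21:13:40 ALLOWED OUT firefox.exe -> www.secunia.com:443
2007-03-20 21:13:55 BLOCKED OUT firefox.exe -> www.secunia.com:443
2007-03-20 21:14:02 BLOCKED OUT unwise.exe -> realsearch.cc:80
"""

# Domains the user says they already block (constructed from the post).
BLOCKLIST = frozenset({"realsearch.cc"})


def suspicious_launches(log):
    """Return (parent, child, reasons) for launches involving a Temp dir
    or a .tmp file acting as the parent process."""
    findings = []
    for line in log.splitlines():
        m = LAUNCH_RE.match(line.strip())
        if not m:
            continue
        parent, child = m.group("parent"), m.group("child")
        reasons = []
        if TEMP_DIR.search(parent) or TEMP_DIR.search(child):
            reasons.append("temp-dir")
        if parent.lower().endswith(".tmp"):
            reasons.append("tmp-file-as-parent")
        if reasons:
            findings.append((parent, child, reasons))
    return findings


def max_consonant_run(label):
    """Length of the longest run of consonant letters in a DNS label."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def generated_reason(domain):
    """Crude DGA heuristic over every label except the TLD; returns a
    reason string or None. It is a triage hint, not proof of anything."""
    for label in domain.lower().split(".")[:-1]:
        if max_consonant_run(label) >= 4:
            return "consonant-run"
        if re.search(r"[a-z]\d+[a-z]", label):
            return "digit-in-label"
    return None


def suspicious_outbound(log, blocklist=frozenset()):
    """Map process name -> [(host, reason)] for blocked outbound attempts
    to blocklisted or generated-looking hosts, in order of appearance."""
    hits = {}
    for line in log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        proc, host = m.group("proc"), m.group("host").lower()
        reason = "blocklist" if host in blocklist else generated_reason(host)
        if reason:
            hits.setdefault(proc, []).append((host, reason))
    return hits


if __name__ == "__main__":
    for parent, child, why in suspicious_launches(LAUNCH_LOG):
        print(f"LAUNCH {why}: {parent} -> {child}")
    for proc, hosts in suspicious_outbound(FIREWALL_LOG, BLOCKLIST).items():
        print(f"OUTBOUND {proc}: {hosts}")
```

The output pairs each flagged launch with its reason and groups blocked destinations by the process that attempted them, which is the list a helper on this forum would ask for next (the Temp-folder binaries to submit for scanning, and the process names to look up in the HijackThis log). Treat the domain heuristic as a prompt to investigate, not a verdict: legitimate names with consonant clusters exist, and a malicious domain can be perfectly pronounceable.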