"Access Members Area"

  1. 23-05-2006  #1
    ms3039
    ms3039 is offline Newbie

    "Access Members Area"

    Hello,
    I have a spyware/adware problem. I used to have a dialler pop-up which asked me to pay $1.50 a minute etc. and an icon would appear on my desktop saying "Access Members Area". I think I have managed to remove this, by following instructions on this and other sites given to other people. However, when I try and bring up task manager, I am told "Task Manager has been disabled by your administrator". I have run AVG, Spybot S&D, AD-Aware. Here is my Hijack-this log:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:37:23, on 23/05/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\System32\nvraidservice.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\BitLord\BitLord.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\MSI\DigiCell\DigiCell.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Documents and Settings\Mark\Start Menu\Programs\Spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    O1 - Hosts: localhost 127.0.0.1
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [pizda] RtlFindVal.exe
    O4 - HKLM\..\Run: [ActionScr] MsNetHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [dmrfb.exe] C:\WINDOWS\System32\dmrfb.exe
    O4 - HKCU\..\Run: [typeconf] panel_its.exe
    O4 - HKCU\..\Run: [bnui] SAPSTR.exe
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe"
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50ACC1E0-17CB-48EB-8398-2AD1F325FA70}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{561DED6B-BD61-4DB2-B195-6427416A7082}: NameServer = 85.255.116.131
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91925AC6-F458-43BE-AC8B-2BFD9C7C614A}: NameServer = 85.255.116.131
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0467D1C8-F897-4A53-B334-F4852126B902}: NameServer = 85.255.116.131
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Any Ideas?
  2. 23-05-2006  #2
    indraroop
    indraroop is offline Newbie
    Are you on a network, and if not are there any others admins on your computer? If yes to either of the 2 questions, one of the admins might have disabled the Task Manager.

    If this is your PC and you are the only person who uses it, try doing a system restore and see if the problem persists. If it doesn't let you do a system restore, go into safe mode and:
    1. if your computer has a safe mode "admin" account, do a spyware check, antivirus, system restore etc etc from that account.
    2. if your computer doesn't have the admin account, try doing the same with your account.

    I once had the same problem with a virus infestation on my computer, and the steps detailed above seem to have fixed the problem. Once the problem is fixed, you might want to get a firewall like Zone Alarm or equivalent so that it is harder for viruses to enter your computer.

    Indraroop.
  3. 23-05-2006  #3
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    O4 - HKCU\..\Run: [SHELL] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"


    I'm afraid I have unpleasant news for you. You have a very dangerous keylogger and additional Wareout infection on this machine. With a serious infection like this, I would recommend that you seriously consider a reformat and reinstall.


    If you do not want to do this, do not ever use the computer for anything confidential. Let us know how you wish to proceed.


    The infection installs itself primarily in machines that have not had all the Win XP updates installed. It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to anything else present...

    My best recommendation is to Disconnect from internet, Re-Format the entire drive and re-install your Operating system and Applications.



    We can likely clean the infected files off the computer but we cannot be sure that the files involved didn't do anything to your system to reduce overall system security. Even after removal of the infection, you could be vulnerable to another attack or takeover as soon as you connect to the net again.

    You are strongly advised to do the following immediately:
    1. Disconnect infected computer from the Internet and from any networked computers until the computer can be cleaned.

    2. If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all your account numbers.

    3. From a clean computer, change *ALL* your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



    Also you may wish to take any other steps appropriate for an attempted identity theft.
+ Reply to Thread
« Hijack this log | help! getting rid of gbdialer??(RESOLVED) »