Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Various Infections, Lsass.exe shutdown


  • Please log in to reply
4 replies to this topic

#1 kkingv

kkingv

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 18 January 2009 - 09:39 PM

OK, So I've been asked to fix this computer and I've no clue when it went all screwy. All I know is the PC-cillin software listed 10 possible infections/viruses (unknown), and I've had it shutdown on me with an Lsass error -2147483641. I've only just now stabilized it enough to secure an internet connection by disabling all questionable services and/or startups but have no idea how to proceed.

I am reluctant to keep this notebook connected to my network so I've been transfering exe. files, via memory stick, for your basic freeware tools. I installed the newest Ad-Aware, HijackThis, and attempted to install AVG but received an error (missed this one when I received lsass countdown..)

If anyone can help me out I'd really appreciate it. I'm not sure if everything can be resolved, and I'm not 100% sure what all the problems are. The owner is not computer-literate, so she was unable to describe the what's and when's... Obviously I would love to clean her computer up without reformatting, but if this needs to be done, so be it. Her personal files, pictures, resumes, etc.. can be saved.

Another problem is a driver failure for her DVD Drive. In the device Manager, it says it is corrupted, and I've been unable to rectify that issue as well... So I can't read or write to any CD's or DVD's. (makes saving files a little more difficult since it's a very small memory card)

The notebook in question is as follows:
Model: Dell XPS M1210
Service Tag: 23LK8C1

Thanks in advance, and I do understand that I may be lacking sufficient information. I'm flying blind so to speak...

-Kent

DDS Log follows:

DDS (Ver_09-01-18.01) - NTFSx86
Run by Andrea Castaneda at 18:08:37.51 on Sun 01/18/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.455 [GMT -8:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\DOCUME~1\ANDREA~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Andrea Castaneda\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myspace.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0ffeca6d-becd-446a-88c8-aa0c2e56acff} - c:\windows\system32\duyagawe.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {9821ecd5-41dd-4a91-b4e0-b2e676e6ab46} - c:\windows\system32\mlJBuTnn.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: {d1dc124d-8bc4-46d6-a3c5-454c53324f4e} - c:\windows\system32\qoMeDuTj.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.8.0\IEViewBar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hazuhujidu] Rundll32.exe "c:\windows\system32\rosotuse.dll",s
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Notify: qoMeDuTj - qoMeDuTj.dll
SEH: {d1dc124d-8bc4-46d6-a3c5-454c53324f4e} - c:\windows\system32\qoMeDuTj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJBuTnn
LSA: Notification Packages = scecli c:\windows\system32\kakekuze.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrea~1\applic~1\mozilla\firefox\profiles\m19gppke.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-9-25 280392]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-7-13 13824]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-25 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]
R4 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-7-13 13696]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-7-31 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-7-31 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-7-31 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-7-31 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-7-31 1073544]

=============== Created Last 30 ================

2009-01-18 00:25 <DIR> --d----- c:\program files\Lavasoft
2009-01-18 00:22 <DIR> --d----- C:\ComboFix
2009-01-18 00:22 389,120 a------- c:\windows\system32\CF23821.exe
2009-01-18 00:22 389,120 a------- c:\windows\system32\CF23818.exe
2009-01-18 00:22 389,120 a------- c:\windows\system32\CF23808.exe
2009-01-17 17:35 <DIR> --d----- c:\windows\pss
2009-01-07 14:39 2,098 ---sh--- c:\windows\system32\denezudu.exe
2009-01-07 13:11 1,055 a------- C:\net_save.dna
2009-01-07 13:08 <DIR> --d----- c:\program files\support.com
2009-01-07 13:07 <DIR> --d----- c:\program files\common files\SupportSoft
2008-12-28 05:04 2,098 ---sh--- c:\windows\system32\dikuyeji.exe
2008-12-27 19:33 <DIR> --d----- c:\docume~1\andrea~1\applic~1\MSNInstaller
2008-12-27 11:06 1,261,704 ---sh--- c:\windows\system32\ogihabak.ini
2008-12-24 17:58 5,154 a------- c:\windows\system32\enxwulfl.dll
2008-12-24 10:25 5,154 a------- c:\windows\system32\ybglqmvs.dll
2008-12-23 17:50 1,661,209 ---sh--- c:\windows\system32\ctsykmqb.ini
2008-12-22 13:30 5,154 a------- c:\windows\system32\qxheffrv.dll
2008-12-22 13:27 1,661,209 ---sh--- c:\windows\system32\lasdikmk.ini

==================== Find3M ====================

2009-01-18 18:08 3,015 a--sh--- c:\windows\system32\nnTuBJlm.ini2
2009-01-16 20:58 62,035 a--sh--- c:\windows\system32\nefuwipi.dll
2009-01-08 01:45 24,205 a------- c:\windows\system32\nvModes.dat
2008-12-26 17:13 5,500 a--sh--- c:\windows\system32\piyuzuju.dll
2008-12-17 11:41 5,154 a------- c:\windows\system32\ibqtbihi.dll
2008-12-17 11:37 5,155 a------- c:\windows\system32\ndtkqthc.dll
2008-11-26 17:42 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 17:42 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 17:39 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2008-11-24 06:56 5,154 a------- c:\windows\system32\mnmvalip.dll
2008-11-24 06:53 5,155 a------- c:\windows\system32\rtfujlhq.dll
2008-11-20 22:55 5,154 a------- c:\windows\system32\oxebsgbr.dll
2008-11-20 22:52 5,155 a------- c:\windows\system32\ynujwwnh.dll
2008-11-19 22:53 5,154 a------- c:\windows\system32\ltaaogyq.dll
2008-11-19 22:50 5,155 a------- c:\windows\system32\tykafxxx.dll
2008-11-18 12:54 5,154 a------- c:\windows\system32\vlowitad.dll
2008-11-17 10:53 5,155 a------- c:\windows\system32\djidlxso.dll
2008-11-16 19:17 5,154 a------- c:\windows\system32\aswymjil.dll
2008-11-15 19:17 5,154 a------- c:\windows\system32\cjeksvyp.dll
2008-11-14 19:15 5,154 a------- c:\windows\system32\pkagughr.dll
2008-11-13 19:15 5,154 a------- c:\windows\system32\onaqlduv.dll
2008-11-12 19:16 5,154 a------- c:\windows\system32\cpmpykpg.dll
2008-11-11 19:16 5,154 a------- c:\windows\system32\scvkqlih.dll
2008-11-10 19:12 5,155 a------- c:\windows\system32\oviglhkq.dll
2008-11-10 19:12 5,154 a------- c:\windows\system32\iglragno.dll
2008-11-10 07:14 5,155 a------- c:\windows\system32\cmbjncec.dll
2008-11-10 07:11 5,154 a------- c:\windows\system32\rasookwa.dll
2008-11-10 07:07 313,856 a------- c:\windows\system32\mlJBuTnn.dll
2008-11-09 17:03 26,112 a------- c:\windows\system32\ljJAPFUn.dll
2008-11-09 17:03 26,112 a------- c:\windows\system32\efcCrQKA.dll
2008-11-09 17:02 26,112 a------- c:\windows\system32\ssqQijif.dll
2008-11-09 17:02 26,112 a------- c:\windows\system32\jkkJyWOg.dll
2008-11-06 18:11 26,112 a------- c:\windows\system32\qoMeDuTj.dll
2008-11-06 18:11 26,112 a------- c:\windows\system32\awtqpPfd.dll
2008-08-09 23:51 63,530,280 a------- c:\program files\iTunesSetup.exe
2008-01-15 09:20 104 ---shr-- c:\windows\system32\59845CFB15.sys
2008-09-26 17:05 60,928 a--sh--- c:\windows\system32\bomajati.dll
0000-00-00 00:00 62,035 a--sh--- c:\windows\system32\duyagawe.dll
0000-00-00 00:00 62,035 a--sh--- c:\windows\system32\kakekuze.dll
2008-01-15 09:20 6,060 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-26 17:05 60,928 a--sh--- c:\windows\system32\nudegoya.dll
0000-00-00 00:00 62,035 a--sh--- c:\windows\system32\rosotuse.dll
2008-09-26 17:05 60,928 a--sh--- c:\windows\system32\tejonubo.dll

============= FINISH: 18:10:52.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 kkingv

kkingv
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 18 January 2009 - 11:15 PM

Virus Update

Notified of a quarantined "TROJ INJECT.VX"

file name: A0132079.EXE

Incident Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP336\A0132079.exe

Removed File using installed "PC-cillin Internet Security 14"

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:37 AM

Posted 30 January 2009 - 07:55 AM

Hello kkingv

Welcome to BleepingComputer :thumbup2:
========================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#4 kkingv

kkingv
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 01 February 2009 - 12:58 AM

Hey kahdah,

Thanks for the reply. Unfortunately, I don't have the notebook with me at this time. I did however manage to walk the owner through a hijack scan over the phone. I'm including that for now. It should also be noted that her virus software detected the VUNDO trojan. I won't be able to get her computer for a couple days.

I have already included the DDS scans in my initial post if that's something you can use. Otherwise all I've got is the following hijack scan.. Let me know what you think.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:00 PM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\DOCUME~1\ANDREA~1\LOCALS~1\Temp\clclean.0001
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [70c8c7cd] rundll32.exe "C:\WINDOWS\system32\iedldecc.dll",b
O4 - HKLM\..\Run: [hazuhujidu] Rundll32.exe "C:\WINDOWS\system32\wapudimo.dll",s
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212512638359
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9417 bytes

#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:37 AM

Posted 01 February 2009 - 09:15 AM

Hi yes I will need to see the logs rewuested above in order to see everything present on the system.
WHen you can have them post those or you do it.
Thanks.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users