
Vista 64 Prisoner of WMI-DCOM burglar resident-/invader/network


This topic is locked
1 reply to this topic

#1 Mstrez

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:29 PM

Posted 06 October 2009 - 06:57 PM

Please help! A management hacker program, with higher elevation than I can attain, holds me hostage as a networked computer - under its control! (So are my anti-virus programs.)

I'm nuts with this. I've read your tutorials & can't use RootRepeal. I used SDFix & CatchMe which showed the problems once; but I couldn't get back to you. & now they won't work.

I'm still unsure if I am posting this correctly.

Be advised: I know to delete Norton; I can't. Control panel add & remove won't work anymore. I've used

****************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:04 PM, on 10/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\m\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [avp] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1e90062d\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - C:\Windows\
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1e90062d\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5201 bytes
****************************************************************************


DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by m at 18:23:26.48 on Tue 10/06/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4026.3036 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Users\m\Desktop\HiJackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\m\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [avp] "c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [WinPatrol] "c:\program files (x86)\billp studios\winpatrol\winpatrol.exe" -expressboot
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys --> c:\windows\system32\drivers\klim6.sys [?]
S0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys --> c:\windows\system32\drivers\klbg.sys [?]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files (x86)\hewlett-packard\media\dvd\000.fcl [2008-9-26 27632]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_1e90062d\aestsr64.exe --> c:\windows\system32\driverstore\filerepository\stwrt64.inf_1e90062d\AESTSr64.exe [?]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe --> c:\windows\system32\Hpservice.exe [?]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\sdwinsec.exe --> c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [?]
S2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files (x86)\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-9-24 296320]
S2 TVSched;TV Task Scheduler (TVTS);c:\program files (x86)\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-9-24 116096]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-10-4 93184]
S3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys --> c:\windows\system32\drivers\enecir.sys [?]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\intchdmi.sys --> c:\windows\system32\drivers\IntcHdmi.sys [?]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys --> c:\windows\system32\drivers\klmouflt.sys [?]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw3v64.sys --> c:\windows\system32\drivers\NETw3v64.sys [?]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys --> c:\windows\system32\drivers\yk60x64.sys [?]
S4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-11-18 193840]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\sminst\BLService.exe [2008-11-18 365952]

=============== Created Last 30 ================

2009-10-04 15:22 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-10-04 15:22 <DIR> --d----- c:\progra~3\Spybot - Search & Destroy
2009-10-04 13:25 <DIR> --d----- C:\SDFix
2009-10-04 12:10 <DIR> --d----- c:\users\m\appdata\roaming\Malwarebytes
2009-10-04 12:10 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 12:10 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-04 12:10 <DIR> --d----- c:\progra~3\Malwarebytes
2009-10-04 11:33 <DIR> --d----- c:\program files (x86)\Trend Micro
2009-10-04 03:10 41,984 a------- c:\windows\system32\netfxperf.dll
2009-10-04 03:10 96,760 a------- c:\windows\system32\dfshim.dll
2009-10-04 03:10 282,112 a------- c:\windows\system32\mscoree.dll
2009-10-04 03:10 158,720 a------- c:\windows\system32\mscorier.dll
2009-10-04 03:10 83,968 a------- c:\windows\system32\mscories.dll
2009-10-03 14:46 <DIR> --d----- c:\users\m\appdata\roaming\WinPatrol
2009-10-03 14:45 <DIR> --d----- c:\program files (x86)\BillP Studios
2009-10-03 13:14 <DIR> --d----- c:\program files (x86)\common files\Symantec Shared
2009-10-03 12:57 <DIR> --d----- c:\programdata\Symantec
2009-10-03 12:57 <DIR> --d----- c:\program files (x86)\Norton Security Scan
2009-10-03 12:57 <DIR> --d----- c:\progra~3\Symantec
2009-10-03 11:58 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-10-03 11:57 2,868,224 a------- c:\windows\system32\mf.dll
2009-10-03 11:57 289,792 a------- c:\windows\system32\atmfd.dll
2009-10-03 11:57 156,672 a------- c:\windows\system32\t2embed.dll
2009-10-03 11:57 72,704 a------- c:\windows\system32\fontsub.dll
2009-10-03 11:57 10,240 a------- c:\windows\system32\dciman32.dll
2009-10-03 11:57 71,680 a------- c:\windows\system32\atl.dll
2009-10-03 11:57 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-10-03 11:57 94,720 a------- c:\windows\system32\logagent.exe
2009-10-03 11:56 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-10-03 11:56 38,912 a------- c:\windows\system32\xolehlp.dll
2009-10-03 11:56 91,136 a------- c:\windows\system32\avifil32.dll
2009-10-03 11:29 566,170,158 a------- c:\windows\MEMORY.DMP
2009-10-03 11:27 <DIR> --d----- c:\users\m\{9bac00a4-f61a-401c-91de-537f3622c644}
2009-10-03 11:18 83,456 a------- c:\windows\system32\wudriver.dll
2009-10-03 11:16 162,064 a------- c:\windows\system32\wuwebv.dll
2009-10-03 11:16 31,232 a------- c:\windows\system32\wuapp.exe
2009-10-03 00:49 <DIR> --d----- c:\program files (x86)\MSXML 4.0
2009-10-02 20:36 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-10-02 20:36 <DIR> --d----- c:\program files (x86)\Kaspersky Lab
2009-10-02 20:36 <DIR> --d----- c:\progra~3\Kaspersky Lab
2009-10-02 20:16 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-02 20:04 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-10-02 20:04 <DIR> --d----- c:\progra~3\Kaspersky Lab Setup Files
2009-10-02 18:41 <DIR> --d----- c:\users\m\appdata\roaming\HP TCS
2009-10-02 18:32 <DIR> --d----- c:\users\m
2009-10-02 18:26 <DIR> --d----- c:\windows\system32\es-MX
2009-10-02 18:26 <DIR> --d----- c:\windows\system32\es-AR
2009-10-02 18:25 <DIR> --d----- c:\windows\system32\HPMDP
2009-10-02 18:24 53,248 a------- c:\windows\system32\CSVer.dll
2009-10-02 18:23 <DIR> --d----- c:\program files (x86)\Realtek
2009-10-02 18:22 441,856 a------- c:\windows\sttray64.exe
2009-10-02 18:19 920,088 a------- c:\windows\system32\igxpun.exe
2009-10-02 18:19 319,456 a------- c:\windows\system32\difxapi.dll
2009-10-02 18:19 <DIR> --d----- c:\windows\system32\x64
2009-10-02 18:19 <DIR> --d----- c:\windows\system32\Lang
2009-10-02 18:19 54,824 -------- c:\windows\system32\agrsmdel.exe
2009-10-02 18:19 14,336 -------- c:\windows\system32\agrsco64.dll
2009-10-02 18:19 <DIR> --d----- c:\windows\Options
2009-10-02 17:25 <DIR> a-d----- c:\windows\SMINST

==================== Find3M ====================

2009-10-04 03:03 51,200 a------- c:\windows\inf\infpub.dat
2009-10-04 03:03 86,016 a------- c:\windows\inf\infstrng.dat
2009-10-04 03:03 86,016 a------- c:\windows\inf\infstor.dat
2008-11-18 06:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:21 174 a--sh--- c:\program files (x86)\desktop.ini
2006-11-02 10:14 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 10:14 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:14 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 10:14 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:52 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:52 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:52 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:52 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:23:37.73 ===============
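The HijackThis log above tags almost every core Windows service as "(file missing)". HijackThis 2.0.2 is a 32-bit program; on 64-bit Windows its reads of C:\Windows\System32 are redirected to SysWOW64, so that tag on system services is an expected artifact of the scanner, not by itself evidence that an intruder replaced anything. What is worth a second look in an O23 list is a service whose binary lives in a user-writable location, or one that is genuinely absent at a non-system path. The Python below is an added example, not code from the post, from BleepingComputer or from Trend Micro: it rejoins entries that a forum paste wrapped across several lines (as the log above was), parses O23 lines, and sorts them into "ok", "recheck with a 64-bit tool" and "review". The line-joining heuristics, the directory lists and the two "Example" services in the sample are assumptions and placeholders constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis 2.0.2 format. The vds entry is deliberately wrapped
# across lines the way the log in the post above is; "Example Helper" and "Example
# Updater" are made-up placeholders, not indicators taken from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avp] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown

owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: Example Helper (ExHelper) - Unknown owner - C:\Users\m\AppData\Roaming\exhelper.exe
O23 - Service: Example Updater (ExUpd) - Unknown owner - C:\ProgramData\exupd\exupd.exe (file missing)
"""

# A line that begins a new entry: "R0 - ", "O23 - ", a bare process path, or a header.
ENTRY_START = re.compile(
    r"^(?:[RFNO]\d+ - |C:\\|Logfile of|Scan saved|Platform:|MSIE:|Boot mode:|"
    r"Running processes:|End of file)"
)

# O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Heuristic directory classes (assumption: typical Vista layout).
SYSTEM_DIRS = ("c:\\windows\\",)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


def unwrap(text: str) -> List[str]:
    """Rejoin entries that a forum paste wrapped across several lines.

    A non-empty line that does not look like the start of an entry is glued onto the
    previous one. No space is inserted when the break fell inside a path ("...\\" or
    "\\..." ) or at a hyphen ("Hewlett-" / "-windows"), otherwise a single space is.
    """
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
            continue
        prev = entries[-1]
        glue = "" if prev.endswith(("\\", "-")) or line.startswith(("\\", "-")) else " "
        entries[-1] = prev + glue + line
    return entries


def triage_o23(entries: List[str], wow64_scanner: bool = True) -> Dict[str, str]:
    """Map each O23 short service name to a triage verdict.

    wow64_scanner=True models a 32-bit scanner on 64-bit Windows, where "file missing"
    under C:\\Windows\\ is usually file-system redirection rather than a missing binary.
    """
    verdicts: Dict[str, str] = {}
    for entry in entries:
        m = O23.match(entry)
        if not m:
            continue
        path = m.group("path").lower()
        missing = m.group("missing") is not None
        unknown_owner = m.group("owner") == "Unknown owner"
        if any(marker in path for marker in USER_WRITABLE):
            verdict = "review: service binary in a user-writable location"
        elif missing and wow64_scanner and path.startswith(SYSTEM_DIRS):
            verdict = "recheck: 'file missing' under System32 is likely WOW64 redirection; confirm with a 64-bit tool"
        elif missing:
            verdict = "review: binary absent at the registered path"
        elif unknown_owner and not path.startswith(TRUSTED_DIRS):
            verdict = "review: unknown owner outside Windows/Program Files"
        else:
            verdict = "ok"
        verdicts[m.group("short")] = verdict
    return verdicts


if __name__ == "__main__":
    for short, verdict in triage_o23(unwrap(SAMPLE_LOG)).items():
        print(f"{short:12} {verdict}")
```

Run against the real log, the "recheck" bucket collects the lsass.exe, spoolsv.exe, vssvc.exe and similar entries, which is the expected noise from a 32-bit scanner on Vista x64; anything landing in "review" is what a helper would ask the poster to upload for a hash and signature check.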

#2 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:29 PM

Posted 07 October 2009 - 01:19 PM

When you create multiple threads you will create more work for the helpers. Please keep your questions and things in the same topic and then helpers will know where they can help you.
http://www.bleepingcomputer.com/forums/t/262652/vista-64-prisoner-of-wmi-dcom-burglar-resident-invadernetwork/

Thank You.



