
Vista 64 Prisoner of WMI-DCOM burglar resident-/invader/network


  • This topic is locked
3 replies to this topic

#1 Mstrez

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 06 October 2009 - 07:02 PM

Please help! A management hacker program, with higher elevation than I can attain, holds me hostage as a networked computer - under its control! :) (So are my anti-virus programs.)

I'm nuts with this. :( I've read your tutorials & can't use RootRepeal. I used SDFix & CatchMe, which showed the problems once, but I couldn't get back to you, & now they won't work. :(
I'm still unsure if I am posting this correctly. :)

Be advised: I know to delete Norton; I can't. Control Panel Add & Remove won't work anymore.
****************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:04 PM, on 10/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\m\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [avp] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1e90062d\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - C:\Windows\
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1e90062d\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5201 bytes
****************************************************************************


DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by m at 18:23:26.48 on Tue 10/06/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4026.3036 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Users\m\Desktop\HiJackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\m\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [avp] "c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [WinPatrol] "c:\program files (x86)\billp studios\winpatrol\winpatrol.exe" -expressboot
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys --> c:\windows\system32\drivers\klim6.sys [?]
S0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys --> c:\windows\system32\drivers\klbg.sys [?]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files (x86)\hewlett-packard\media\dvd\000.fcl [2008-9-26 27632]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_1e90062d\aestsr64.exe --> c:\windows\system32\driverstore\filerepository\stwrt64.inf_1e90062d\AESTSr64.exe [?]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe --> c:\windows\system32\Hpservice.exe [?]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\sdwinsec.exe --> c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [?]
S2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files (x86)\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-9-24 296320]
S2 TVSched;TV Task Scheduler (TVTS);c:\program files (x86)\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-9-24 116096]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-10-4 93184]
S3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys --> c:\windows\system32\drivers\enecir.sys [?]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\intchdmi.sys --> c:\windows\system32\drivers\IntcHdmi.sys [?]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys --> c:\windows\system32\drivers\klmouflt.sys [?]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw3v64.sys --> c:\windows\system32\drivers\NETw3v64.sys [?]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys --> c:\windows\system32\drivers\yk60x64.sys [?]
S4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-11-18 193840]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\sminst\BLService.exe [2008-11-18 365952]

=============== Created Last 30 ================

2009-10-04 15:22 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-10-04 15:22 <DIR> --d----- c:\progra~3\Spybot - Search & Destroy
2009-10-04 13:25 <DIR> --d----- C:\SDFix
2009-10-04 12:10 <DIR> --d----- c:\users\m\appdata\roaming\Malwarebytes
2009-10-04 12:10 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 12:10 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-04 12:10 <DIR> --d----- c:\progra~3\Malwarebytes
2009-10-04 11:33 <DIR> --d----- c:\program files (x86)\Trend Micro
2009-10-04 03:10 41,984 a------- c:\windows\system32\netfxperf.dll
2009-10-04 03:10 96,760 a------- c:\windows\system32\dfshim.dll
2009-10-04 03:10 282,112 a------- c:\windows\system32\mscoree.dll
2009-10-04 03:10 158,720 a------- c:\windows\system32\mscorier.dll
2009-10-04 03:10 83,968 a------- c:\windows\system32\mscories.dll
2009-10-03 14:46 <DIR> --d----- c:\users\m\appdata\roaming\WinPatrol
2009-10-03 14:45 <DIR> --d----- c:\program files (x86)\BillP Studios
2009-10-03 13:14 <DIR> --d----- c:\program files (x86)\common files\Symantec Shared
2009-10-03 12:57 <DIR> --d----- c:\programdata\Symantec
2009-10-03 12:57 <DIR> --d----- c:\program files (x86)\Norton Security Scan
2009-10-03 12:57 <DIR> --d----- c:\progra~3\Symantec
2009-10-03 11:58 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-10-03 11:57 2,868,224 a------- c:\windows\system32\mf.dll
2009-10-03 11:57 289,792 a------- c:\windows\system32\atmfd.dll
2009-10-03 11:57 156,672 a------- c:\windows\system32\t2embed.dll
2009-10-03 11:57 72,704 a------- c:\windows\system32\fontsub.dll
2009-10-03 11:57 10,240 a------- c:\windows\system32\dciman32.dll
2009-10-03 11:57 71,680 a------- c:\windows\system32\atl.dll
2009-10-03 11:57 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-10-03 11:57 94,720 a------- c:\windows\system32\logagent.exe
2009-10-03 11:56 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-10-03 11:56 38,912 a------- c:\windows\system32\xolehlp.dll
2009-10-03 11:56 91,136 a------- c:\windows\system32\avifil32.dll
2009-10-03 11:29 566,170,158 a------- c:\windows\MEMORY.DMP
2009-10-03 11:27 <DIR> --d----- c:\users\m\{9bac00a4-f61a-401c-91de-537f3622c644}
2009-10-03 11:18 83,456 a------- c:\windows\system32\wudriver.dll
2009-10-03 11:16 162,064 a------- c:\windows\system32\wuwebv.dll
2009-10-03 11:16 31,232 a------- c:\windows\system32\wuapp.exe
2009-10-03 00:49 <DIR> --d----- c:\program files (x86)\MSXML 4.0
2009-10-02 20:36 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-10-02 20:36 <DIR> --d----- c:\program files (x86)\Kaspersky Lab
2009-10-02 20:36 <DIR> --d----- c:\progra~3\Kaspersky Lab
2009-10-02 20:16 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-02 20:04 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-10-02 20:04 <DIR> --d----- c:\progra~3\Kaspersky Lab Setup Files
2009-10-02 18:41 <DIR> --d----- c:\users\m\appdata\roaming\HP TCS
2009-10-02 18:32 <DIR> --d----- c:\users\m
2009-10-02 18:26 <DIR> --d----- c:\windows\system32\es-MX
2009-10-02 18:26 <DIR> --d----- c:\windows\system32\es-AR
2009-10-02 18:25 <DIR> --d----- c:\windows\system32\HPMDP
2009-10-02 18:24 53,248 a------- c:\windows\system32\CSVer.dll
2009-10-02 18:23 <DIR> --d----- c:\program files (x86)\Realtek
2009-10-02 18:22 441,856 a------- c:\windows\sttray64.exe
2009-10-02 18:19 920,088 a------- c:\windows\system32\igxpun.exe
2009-10-02 18:19 319,456 a------- c:\windows\system32\difxapi.dll
2009-10-02 18:19 <DIR> --d----- c:\windows\system32\x64
2009-10-02 18:19 <DIR> --d----- c:\windows\system32\Lang
2009-10-02 18:19 54,824 -------- c:\windows\system32\agrsmdel.exe
2009-10-02 18:19 14,336 -------- c:\windows\system32\agrsco64.dll
2009-10-02 18:19 <DIR> --d----- c:\windows\Options
2009-10-02 17:25 <DIR> a-d----- c:\windows\SMINST

==================== Find3M ====================

2009-10-04 03:03 51,200 a------- c:\windows\inf\infpub.dat
2009-10-04 03:03 86,016 a------- c:\windows\inf\infstrng.dat
2009-10-04 03:03 86,016 a------- c:\windows\inf\infstor.dat
2008-11-18 06:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:21 174 a--sh--- c:\program files (x86)\desktop.ini
2006-11-02 10:14 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 10:14 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:14 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 10:14 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:52 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:52 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:52 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:52 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:23:37.73 ===============



#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 PM

Posted 23 October 2009 - 03:42 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, step #6 and step #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 PM

Posted 26 October 2009 - 07:03 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 PM

Posted 28 October 2009 - 07:06 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



