Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removed Security Center 2010 now BSOD c000021a


  • This topic is locked This topic is locked
1 reply to this topic

#1 cguilmain

cguilmain

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:46 AM

Posted 22 September 2010 - 12:36 PM

Hello There -

I have a Dell Laptop with XPsp3 on it. It got infected with that Security Center 2010 rougeware. Upon reboot I got a BSOD c000021a. I replaced the ewinlogon.exe file with the orginal off the SP3 cd and I was able to logon. Spybot, Malwarebytes and Hijackthis do not run unless I reset the permissions on the .exe files to inherient the permissions from the parent. Upon using any on these tools, it reset the files permissions on the .exe files so they can't be run. This is also happening to the winlogon.exe file as if I reboot from "normal mode" not safe mode, I get the same BSOD. GMER utility locks up the machine requiring a hard power off via power button. Any help would be great.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Gbissell at 12:20:15.01 on Wed 09/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3126 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gbissell\Desktop\bc\dds.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
StartupFolder: c:\docume~1\gbissell\startm~1\programs\startup\_unins~1.lnk - c:\documents and settings\gbissell\local settings\temp\_uninst_kavscannersetup_9.0.0.722_22.09.2010_04-26.exe.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dloage~1.lnk - c:\program files\veritas\backup exec\nt\dlo\DLOClientu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255637468765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255642328109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gbissell\applic~1\mozilla\firefox\profiles\moeyn50h.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-10-7 244368]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-21 28552]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-21 475736]
S1 vykynlaw.dll;vykynlaw.dll;c:\windows\system32\vykynlaw.dll [2008-4-25 18432]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-25 14336]
S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-7-1 352976]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-6-26 812392]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-6-26 26984]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-19 136176]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-4 10384]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-11-13 91456]
S2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-7-22 76288]
S2 VRTSChangeJournalReader;VERITAS Backup Exec DLO Agent Change Journal Reader;c:\program files\veritas\backup exec\nt\dlo\DLOChangeLogSvcu.exe [2005-4-25 271960]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-10-7 112512]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-10-7 33832]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-10-7 232744]
S3 usbkey;USB Dongle;c:\windows\system32\drivers\Usbkey.sys [2009-10-16 33852]
S3 ute3ody5;AVZ Kernel Driver;c:\windows\system32\drivers\ute3ody5.sys [2010-9-22 7168]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-09-22 15:48:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-09-22 10:48:39 507904 ----a-w- c:\windows\system32\winlogon.god
2010-09-22 10:48:12 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-09-22 05:47:39 0 ----a-w- c:\documents and settings\gbissell\defogger_reenable
2010-09-22 04:59:07 7168 ----a-w- c:\windows\system32\drivers\ute3ody5.sys
2010-09-22 02:58:16 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-09-22 02:58:16 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-09-22 02:57:00 0 d-----w- c:\program files\Kaspersky Lab
2010-09-22 00:39:31 0 d-----w- c:\windows\pss
2010-09-21 23:29:26 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-21 23:29:23 0 d-----w- c:\program files\Panda Security
2010-09-21 22:58:47 0 d-sha-r- C:\cmdcons
2010-09-21 22:54:17 98816 ----a-w- c:\windows\sed.exe
2010-09-21 22:54:17 77312 ----a-w- c:\windows\MBR.exe
2010-09-21 22:54:17 256512 ----a-w- c:\windows\PEV.exe
2010-09-21 22:54:17 161792 ----a-w- c:\windows\SWREG.exe
2010-09-21 22:53:24 389120 ----a-w- c:\windows\system32\CF7249.exe
2010-09-21 22:40:23 0 d-----w- c:\program files\Trend Micro
2010-09-21 22:33:20 265069 ----a-w- c:\windows\system32\WINLOGON.EX_
2010-09-21 22:33:00 265069 ----a-w- C:\WINLOGON.EX_
2010-09-21 20:24:29 0 d--h--w- c:\windows\PIF
2010-09-21 20:23:35 711168 ----a-w- c:\windows\is-PNR6S.exe
2010-09-21 20:23:35 354 ----a-w- c:\windows\is-PNR6S.lst
2010-09-21 20:23:35 10562 ----a-w- c:\windows\is-PNR6S.msg
2010-09-21 14:01:04 0 d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-09-21 10:32:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-08-31 17:54:42 0 d-----w- C:\Autodesk

==================== Find3M ====================

2010-09-21 13:18:36 6 ---ha-w- C:\SA.DAT
2010-09-13 16:56:32 114332 ----a-w- c:\windows\system32\nvModes.dat
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-02 01:35:12 228024 ----a-w- c:\windows\system32\klogon.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 12:20:18.50 ===============


Attached Files



BC AdBot (Login to Remove)

 


#2 SpySentinel

SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The United States
  • Local time:04:46 AM

Posted 22 September 2010 - 01:44 PM

Since you are being helped by the MBAM support Team, this topic will be closed.

If you need this topic re-opened, please send me a PM.

Thanks smile.gif
Posted Image
Unified Network of Instructors and Trained Eliminators

Posted Image

My help is always free, but if you can, please Posted Image to help me continue the fight against malware.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users