Jul - Computers and Technology - HALP
Erika
Posted on 04-11-09 12:50:22 AM
T_T guyyys....my computer's acting all slow and stupid. And it takes a bajillion years to shut down or restart...and the internet is only going slow on this one and I think I know why! Well when I go to Google anything, clicking the result redirects me to some popup saying FIND THE BEST DEALS ON [search term]....aaand so I ran HijackThis to see what was wrong....



Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:36:42 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINXP\system32\csrss.exe
E:\WINXP\system32\winlogon.exe
E:\WINXP\system32\services.exe
E:\WINXP\system32\lsass.exe
E:\WINXP\system32\svchost.exe
E:\WINXP\system32\svchost.exe
E:\WINXP\System32\svchost.exe
E:\WINXP\System32\svchost.exe
E:\WINXP\system32\svchost.exe
E:\WINXP\system32\spoolsv.exe
E:\WINXP\Explorer.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Lexmark 2500 Series\lxddmon.exe
E:\Program Files\Lexmark 2500 Series\lxddamon.exe
E:\Documents and Settings\Sato\lsass.exe
E:\WINXP\system32\ctfmon.exe
E:\WINXP\System32\wdfmgr.exe
E:\WINXP\System32\CTsvcCDA.exe
E:\WINXP\system32\lxddcoms.exe
E:\WINXP\System32\svchost.exe
E:\WINXP\System32\MsPMSPSv.exe
E:\Program Files\Trend Micro\HijackThis\analyse.exe
E:\WINXP\System32\wbem\wmiprvse.exe
E:\Program Files\RegCure\RegCure.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=E:\WINXP\system32\userinit.exe,E:\WINXP\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxddmon.exe] "E:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "E:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [LXDDCATS] rundll32 E:\WINXP\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LSA Shellu] E:\Documents and Settings\Sato\lsass.exe
O4 - HKLM\..\Run: [Pwuyufeworit] rundll32.exe "E:\WINXP\idibuzitowayew.dll",e
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINXP\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINXP\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINXP\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O8 - Extra context menu item: Sothink SWF Catcher - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim .exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O10 - Unknown file in Winsock LSP: e:\winxp\system32\nwprovau.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINXP\System32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdd_device - - E:\WINXP\system32\lxddcoms.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - E:\WINXP\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINXP\System32\HPZipm12.exe



obviously...there is a fake lsass and a stupid dll file that is obviously bad news...but the question is how do I even clean this and get it out of being integrated into my system for good!!! I can't even close the fake lsass because windows thinks it's a "critical system process" and I tried everything typical... ._.

____________________
Xkeeper
Posted on 04-11-09 12:51:44 AM
reboot into safe mode / command line and delete it there to start with

____________________
Erika
Posted on 04-11-09 12:52:43 AM (last edited by Erika at 04-10-09 09:54 PM)
When I deleted it though it somehow came back? ._. maybe I did something incorrectly..

Edit: and in safe mode or in any other mode it thinks the fake lsass does not even exist...browsing to the directory would confirm this, even when hidden files are viewable. so then how is it even running

____________________
Xkeeper
Posted on 04-11-09 12:59:12 AM

Processes:

E:\Documents and Settings\Sato\lsass.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=E:\WINXP\system32\userinit.exe,E:\WINXP\system32\oembios.exe,
O4 - HKLM\..\Run: [LSA Shellu] E:\Documents and Settings\Sato\lsass.exe
O4 - HKLM\..\Run: [Pwuyufeworit] rundll32.exe "E:\WINXP\idibuzitowayew.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINXP\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINXP\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINXP\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O8 - Extra context menu item: Sothink SWF Catcher - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim .exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - E:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O10 - Unknown file in Winsock LSP: e:\winxp\system32\nwprovau.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdd_device - - E:\WINXP\system32\lxddcoms.exe



delete all of this shit

____________________
Xkeeper
Posted on 04-11-09 01:00:40 AM
actually a better idea is to add the other shit to the ignore list, then change hijackthis to auto-check everything for fixing and set it to scan on booting

that way you can immediately tell if something is wrong when booting up and either ignore it or nuke it.
Very useful.

____________________
Erika
Posted on 04-11-09 01:03:48 AM (last edited by Erika at 04-10-09 10:04 PM)
"HijackThis cannot repair O10 Winsock LSP entries.

You should use LSPFix for that, which is available from http://www.cexx.org/lspfix.htm.



If the O10 item belongs to WebHancer, New.Net or CommonName, Spybot S&D can remove it automatically. Spybot S&D is available from http://www.spybot.info/."

Which I suppose I'll be doing next. It wants a reboot now so let's see what happens.


Edit: Ah! Will try that too

____________________
Hiryuu
Posted on 04-11-09 01:07:00 AM
I'm finding related hits to the LSASHELLU entry and it's pointing to ComboFix.exe being used to combat it. Did a search for 'LSASS.EXE in Documents and Settings' and it pulled the info up.

ComboFix.exe is powerful though...take a guide just in case.

____________________
Erika
Posted on 04-11-09 01:13:21 AM
Thanks~~ I managed to get rid of the lsass that loads (I'll use ComboFix in case the file itself and related stuff is still there...) and the computer is a LITTLE less slow...but the browser still redirects and it still takes 9 million years to shut down or reset. I think the redirecting is related to that WinSock LSA thing...so we'll see how that goes. As for the shutdown issue I guess I just need to be patient ;\ thanks for all the help so far .o. I have to run but I'll keep you guys updated..

____________________
Xkeeper
Posted on 04-11-09 01:14:16 AM
Originally posted by Erika
Thanks~~ I managed to get rid of the lsass that loads (I'll use ComboFix in case the file itself and related stuff is still there...) and the computer is a LITTLE less slow...but the browser still redirects and it still takes 9 million years to shut down or reset. I think the redirecting is related to that WinSock LSA thing...so we'll see how that goes. As for the shutdown issue I guess I just need to be patient ;\ thanks for all the help so far .o. I have to run but I'll keep you guys updated..

It's an LSP, and yes, it will do that. Run Spybot S&D.

Once you've done that, post your log again.

____________________
Erika
Posted on 04-12-09 06:48:53 PM
Spybot wouldn't run. It loaded a console screen with nothing on it, and either hung there or eventually disappeared and ran in the background doing nothing. ComboFix also wouldn't run, nothing came up and the process just ran in the background. Safe mode had the same effect. The ChkDisk things seem to come back even when fixed in HijackThis but I assume that's nothing that really matters. I used LSPFix to remove that Winsock LSA however it does not seem to have stopped my browser slowdowns or redirects...I got Adaware to run but it didn't even detect anything major. I'm kind of at my wit's end, especially since that strange DLL keeps regenerating even when deleted through a safe mode command prompt ><...nothing seems to have really gotten any better. At any rate, here's the log again since you asked for it....


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:37:14 PM, on 4/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINXP\system32\csrss.exe
E:\WINXP\system32\winlogon.exe
E:\WINXP\system32\services.exe
E:\WINXP\system32\lsass.exe
E:\WINXP\system32\svchost.exe
E:\WINXP\system32\svchost.exe
E:\WINXP\System32\svchost.exe
E:\WINXP\System32\svchost.exe
E:\WINXP\system32\svchost.exe
E:\WINXP\system32\spoolsv.exe
E:\WINXP\Explorer.EXE
E:\WINXP\System32\wdfmgr.exe
E:\WINXP\System32\CTsvcCDA.exe
E:\WINXP\System32\svchost.exe
E:\WINXP\System32\MsPMSPSv.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Lexmark 2500 Series\lxddamon.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINXP\system32\ctfmon.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\analyse.exe
E:\WINXP\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=E:\WINXP\SYSTEM32\Userinit.exe,E:\WINXP\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxddmon.exe] "E:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "E:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [LXDDCATS] rundll32 E:\WINXP\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Pwuyufeworit] rundll32.exe "E:\WINXP\idibuzitowayew.dll",e
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINXP\system32\ctfmon.exe
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim .exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINXP\System32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - E:\WINXP\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINXP\System32\HPZipm12.exe

--
End of file - 3310 bytes



____________________
emcee
Posted on 04-13-09 03:46:21 AM
Certain variants of Vundo screw with Spybot.

First get rid of this: HKLM\..\Run: [Pwuyufeworit] rundll32.exe "E:\WINXP\idibuzitowayew.dll",e

Next, what you need to do is get a hold of Process Explorer; it's part of the "sysinternals suite" in the diagnostic apps thread.

Start Process Explorer and click on the button with the dll icon on it to view all dll hooks. Click on the "company" pane so that the dlls with no company attribute are displayed on top. Look through these for suspicious dll names (long string of random letters, for instance); anything you're not sure of, search google for it. Most critical dlls have a company attribute, but better safe than sorry. Write down the full path to anything you find.

Then, go back into the registry and make sure that entry you deleted isn't back (if it is delete it). Restart into safe mode with command prompt and change to the directory of one of the dlls, and run 'del filename' (obviously, without the quotes, and filename is the name of the offending dll). If it comes back with 'file not found', run 'attrib -h -s filename', and try again. Use this process for each dll.

Restart into normal Windows and shut down any unnecessary processes, then run a bombardment of anti-virus/spyware tools. Start with a standard antivirus like AVG or Avira (both free), then hit it with Spybot, then Microsoft's online One Care scanner (this one takes forever but it's worth it), and delete everything they find, then run Spybot one more time to make sure it doesn't find anything new. Running several decent tools in a row like this will knock out most anything, but the one caveat is that there can't be any part of the virus still running in the background, or it will just reinfect already scanned areas. Your antivirus will report everything it finds, but the virus will just keep dropping crap places it already looked.

One more issue you may run into after this is that your internet connection will no longer work properly. Normally, this command fixes it:

netsh winsock reset catalog

You should write that down, since you won't have access to this thread with no internet connection. Also download this program to try if that doesn't work (it should, though): http://www.snapfiles.com/get/winsockxpfix.html

Anyway, hope this helps and isn't too hard to follow.
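As an added example (not code from the thread, from HijackThis or from any tool named in it), here is the triage Xkeeper did by hand on the first log, plus the check emcee recommends of confirming that what you deleted has not come back, written as a small Python script: it flags a system-binary name running outside system32, extra UserInit executables, DLLs loaded from outside system32 and Program Files, a DLL dropped into a Startup folder and unknown LSP entries, and reports which flagged entries are still present in a second log. The two sample logs are constructed from the entries posted above.

```python
"""Triage a HijackThis v2 log for the kinds of entries picked out in this thread.
Added example: not code from the thread, HijackThis or any tool it mentions; the
two log snippets are constructed, modelled on the logs posted above."""
import re
# Binaries that, on a healthy XP install, only run from %SystemRoot%\system32.
CORE_SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.I)

def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def _check_target(line, path, findings):
    """Location rules for one executable or DLL path referenced by a log line."""
    name, p = _basename(path), path.lower()
    if name in CORE_SYSTEM_BINARIES and "\\system32\\" not in p:
        findings.append((line, "system binary name %s outside system32" % name))
    elif name.endswith(".dll") and "\\system32\\" not in p and "\\program files\\" not in p:
        findings.append((line, "DLL %s loaded from an unusual location" % name))

def triage(log_text):
    """Return [(log line, reason)] for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"[A-Za-z]:\\", line):  # entry under "Running processes:"
            _check_target(line, line, findings)
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            exes = [e for e in line.split("=", 1)[1].split(",") if e]
            extra = [e for e in exes if _basename(e) != "userinit.exe"]
            if extra:
                findings.append((line, "extra logon executable(s): " + ", ".join(extra)))
        elif line.startswith("O4 - "):
            paths = PATH_RE.findall(line)
            for path in paths:
                _check_target(line, path, findings)
            if not paths and " Startup: " in line and ".dll" in line.lower():
                findings.append((line, "DLL placed in a Startup folder"))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append((line, "unknown LSP; HijackThis cannot fix O10, use LSPFix"))
    return findings

def persisted(before_log, after_log):
    """Flagged entries of the first log that are still present in the second."""
    after = {l.strip().lower() for l in after_log.splitlines()}
    return [f for f in triage(before_log) if f[0].lower() in after]
# Constructed samples: the log before cleanup and the one posted afterwards.
SAMPLE_BEFORE = r"""Running processes:
E:\WINXP\system32\lsass.exe
E:\Documents and Settings\Sato\lsass.exe
F2 - REG:system.ini: UserInit=E:\WINXP\system32\userinit.exe,E:\WINXP\system32\oembios.exe,
O4 - HKLM\..\Run: [LSA Shellu] E:\Documents and Settings\Sato\lsass.exe
O4 - HKLM\..\Run: [Pwuyufeworit] rundll32.exe "E:\WINXP\idibuzitowayew.dll",e
O4 - HKLM\..\Run: [LXDDCATS] rundll32 E:\WINXP\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: e:\winxp\system32\nwprovau.dll"""
SAMPLE_AFTER = r"""E:\WINXP\system32\lsass.exe
F2 - REG:system.ini: UserInit=E:\WINXP\SYSTEM32\Userinit.exe,E:\WINXP\system32\oembios.exe,
O4 - HKLM\..\Run: [Pwuyufeworit] rundll32.exe "E:\WINXP\idibuzitowayew.dll",e
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')"""
```

Running `persisted(SAMPLE_BEFORE, SAMPLE_AFTER)` shows what survived the first round of deletions: the UserInit extra, the rundll32 entry for idibuzitowayew.dll and the Startup-folder DLL, which matches what the second posted log still contained.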
Rusted Logic

Acmlmboard - commit 47be4dc [2021-08-23]
©2000-2022 Acmlm, Xkeeper, Kaito Sinclaire, et al.