
I have spent the last 4 days trying to clear up the results of a 4 millisecond lapse of concentration.
By not paying sufficient attention to what I was doing I unwittingly unleashed the most sophisticated virus and malware attack I have thus far encountered upon myself.


Shortly after opening a download (which I now realise was a very stupid mistake) I noticed a program accessing the command prompt and instantly alarm bells started to ring.
I immediately closed down the window and went to run a virus check on the '.exe' file, only to discover that it had vanished.
My first thought was that it had reassigned itself as a hidden file, but although I generally have hidden files visible, for some reason there was no sign of it.
I went to change the setting in 'Folder options' only to discover that it was no longer there.
My next step was to access the registry with 'Regedit', only to receive a message telling me that I did not have administrative access, which as you may guess is not true.

At this point I began to panic. It has been some time since I last had to provide IT support for others, let alone myself, so I was a little rusty.
Praise be to the trusty internet, the cause of and solution to all of our problems.
Within a couple of hours I had solutions to the 'Folder options' and 'Regedit' problems, but as I suspected they were merely a delaying tactic for all of the nasty things going on below the surface.

With the help of Spyware Doctor, Spybot Search & Destroy, CCleaner, NoAdware, HijackThis, Webroot AntiVirus, Norton Security Scan and a (very crap/out of date) version of McAfee Security Centre I have managed to eradicate a large number of invaders, but there are still an elusive few that are beyond me.

- It appears that 'services.exe' has been hijacked. McAfee has started coming up with the following message every time Windows boots up.


McAfee has automatically blocked a buffer overflow.

Details
Detection:
File: C:\WINDOWS\system32\services.exe

More Info
Buffer overflows occur when suspect programs or processes try to store more data in a
buffer (temporary data storage area) on your computer than its limit, corrupting or
overwriting valid data in adjacent buffers.

If you do not recognize this activity, McAfee recommends that you continue to block it.
If you recognize this activity, trust it in the future.


There are two problems that both Spybot and Spyware Doctor identify. Both issues are 'successfully' removed yet are still present at every scan.

The first is 'PWS.LDPinchIE', which I believe connects massively to the internet and causes Internet Explorer to behave erratically (not that I use IE, I just don't like the thought of it sitting there), resulting in screen freezes and shutdowns. It places an entry in the registry: HKEY_USERS\s-1-5-21-24922056-3622800662-583947432-1005\software\microsoft\currentversion\explorer\idstrf

It is possible to delete it manually, but as soon as Windows restarts something, that I have yet to track down, is returning it to its original location. I have tried modifying it, which is possible and is not reset on boot up, but I'm not sure if that is helping the problem.

The second problem is 'Virtumonde', a trojan that connects to malicious websites. It also adds a randomly named dll to the Winlogon Notify, which will make it very resistant to removal.

Finally, more of a housekeeping problem I think: in the process of cleaning up I deactivated a few problem Startup Items. The files they refer to have been removed but I'm not sure how to dispose of the requests in MSConfig. Two examples below -


Startup Item: winigon
Command: c:\recycler\s-1-5-21-1921194760-2681345537-329476299-8255\winigon.exe
Location:

Startup Item: dumprep
Command: c:\windows\system32\dumprep.exe"0 -k
Location: software\microsoft\windows\currentversion\run

These are just the problems I am currently aware of. I am convinced there are much worse things going on in the background but I am unable to detect them. Explorer seems to be crashing quite regularly and there are several annoying glitches turning up. I'll attach a HijackThis log to the end.

If anyone can offer me a few pointers I would be extremely grateful.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:39 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Clean Up Tools\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Clean Up Tools\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\vsnp2std.exe
C:\Clean Up Tools\WebrootSecurity\SpySweeperUI.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Clean Up Tools\WebrootSecurity\SSU.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Clean Up Tools\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MskAgentexe] "C:\Program Files\McAfee\MSK\MskAgent.exe"
O4 - HKLM\..\Run: [snp2std] "C:\WINDOWS\vsnp2std.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Clean Up Tools\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Clean Up Tools\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Clean Up Tools\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Clean Up Tools\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: vrvlhc.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (webrootspysweeperservice) - Webroot Software, Inc. (www.webroot.com) - C:\Clean Up Tools\WebrootSecurity\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Webroot Client Service (wrconsumerservice) - Webroot Software, Inc. - C:\Clean Up Tools\WebrootSecurity\WRConsumerService.exe

--
End of file - 9727 bytes
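Triage logic for a HijackThis log like the one attached above, added here as an example and not part of the thread. It parses the O4, O20, O22 and O23 entry types and flags the items the post asks about: autoruns launched from the Recycler folder or pointing at files that no longer exist (the stale MSConfig entries), any AppInit_DLLs value, SharedTaskScheduler entries with generated-looking names, and services with no recorded owner. The log lines are a constructed sample modelled on the post's entries, and the heuristics, function names and the injectable `path_exists` parameter are assumptions of this example.

```python
import ntpath
import os
import re

# Constructed sample in HijackThis 2.0 log format, modelled on the thread's entries
# (winigon in Recycler, AppInit_DLLs, a random-named SharedTaskScheduler, ownerless services).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [winigon] c:\recycler\s-1-5-21-1921194760-2681345537-329476299-8255\winigon.exe
O4 - HKLM\..\Run: [dumprep] c:\windows\system32\dumprep.exe 0 -k
O20 - AppInit_DLLs: vrvlhc.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

def looks_random(name):
    """Heuristic for generated names: 8+ chars that mix in digits or have no vowels."""
    core = re.sub(r"\.dll$", "", name, flags=re.I)
    return len(core) >= 8 and bool(re.search(r"\d", core) or not re.search(r"[aeiou]", core, re.I))

def triage(log_text, path_exists=os.path.exists):
    """Return (section, item, reason) tuples; path_exists is injectable for offline use."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "O4" and (r := re.match(r".*: \[(.*?)\] (.*)$", body)):
            name, cmd = r.group(1), r.group(2).strip()  # quoted path, or first token
            path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
            if re.search(r"\\recycler\\", path, re.I):
                findings.append((sec, name, "autorun launches from the Recycler folder"))
            elif not path_exists(path):
                findings.append((sec, name, "autorun target no longer exists (stale MSConfig entry)"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].replace(",", " ").split():
                findings.append((sec, dll, "AppInit_DLLs loads this DLL into every user32 process"))
        elif sec == "O22":
            parts = body.split(": ", 1)[1].split(" - ")  # name - {CLSID} - dll path
            dll = ntpath.basename(parts[-1])
            if looks_random(parts[0]) or looks_random(dll):
                findings.append((sec, dll, "SharedTaskScheduler entry with generated-looking name"))
        elif sec == "O23" and (r := re.match(r"^Service: (.+?) - (.*?)\s?-\s*([A-Za-z]:\\.*)$", body)):
            if r.group(2).strip() in ("", "Unknown owner"):  # publisher column empty or unknown
                findings.append((sec, r.group(1), "service with no recorded publisher"))
    return findings
```

Run on the infected machine with the default `path_exists`, the O4 check tells MSConfig entries whose file is gone apart from live ones; everything flagged is a candidate for inspection, not a verdict.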

2 contributors, 4 replies, 5 views, 9 years discussion span, last post by creative-fury

I have a question for you... are you running all those anti-virus and spyware apps all at once on the same machine?
Secondly... you could honestly remove a crap load of them as many are doing the exact same thing. I believe I've been on the path you are on with a couple of pc's I've repaired in the past. I'm not here to sell anyone on a particular antivirus program, but I was able to successfully remove it with AVIRA free antivirus (you can search for it on download.com) (I also run Avast with the Avira simultaneously) and was able to eliminate the infection. Once completed you can use CCleaner to clean up your registry. Under the tools options it has a good registry cleaner that allows you to back up any changes in case you erase a link that should exist, etc.

Let me know if this helps you out any. Also, if you could include the statistics of the services running (how much memory and CPU each one takes) to see how all those programs run together it would be nice.

Thanks.


Let me know if this helps you out any. Also, if you could include the statistics of the services running (how much memory and CPU each one takes) to see how all those programs run together it would be nice.
I'm only asking for this info because your machine crashing might be due to all the anti-malware apps you have.


I realise that it all looks a bit hectic but most of these I've only added since the attack... I was concerned that some things are being picked up by one and not the other.

I am not a fan of McAfee but it was bundled with the laptop. I refuse to pay the subscription so it is probably redundant now and it will be the first thing to go.

Norton does not seem to be very efficient but is at least not conflicting with anything else. I'm not overly confident with its helpfulness so I wanted a safety net.

SpySweeper (Webroot) was recommended by another thread on Daniweb but without paying for the registration all it does is inform you of the problem not repair it.

Spybot and Spyware Doctor have been excellent (though TeaTimer is a pain in the ass).

I'll try Avast and Avira now and provide the info you asked for asap.
(Though I have been trying not to run them all together to avoid conflicts.)


NB - Is there an existing automated process in Windows to provide statistics of running services, or is there some additional software I should download?
