
Hi:

I keep getting a popup from TrendMicro pc-cillin 2005: "lsass exploit 04-011 (835732)". I'm pretty sure this is a false positive, but want to make sure.

I have run Spybot S&D, Ad-aware SE, a-squared, ewido and finally the pc-cillin malware scan. NOTHING. I did a scan as TrendMicro suggested the first time, and it came up clean. I have no symptoms of the Sasser virus. No slowdown or shutdown.

Would appreciate someone taking a look at the HJT log, for peace of mind.

Logfile of HijackThis v1.99.0

Scan saved at 2:22:04 PM, on 2/5/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\Program Files\AdSubtract\adsub.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\Documents and Settings\bar5\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rivnet.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093022335540

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{7A960D13-2B05-453A-98C5-859A5E9C4848}: NameServer = 205.130.32.8,205.130.32.13

O17 - HKLM\System\CCS\Services\Tcpip\..\{9D94E2BF-2C2A-44BA-AE12-0B1C68B8ACDD}: NameServer = 66.19.192.200 216.126.128.40

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

I hope I did this correctly. Thanks for your time.

Barb


Hi bar5,

Open Hijack This!, run a scan and check these items:

The following item is a restriction on your computer. If you did not set this entry with Spybot or another protection program, or if your administrator did not set it, then check this item.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Apart from that entry, your log looks clean.

TJ

Edited by tj416
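TJ's advice above amounts to a review rule: read each HijackThis section and ask whether a given entry was put there on purpose. As an added example, not code from this thread or from HijackThis, here is a small Python parser that splits an HJT log into its entries and applies that O6 rule mechanically, plus two general review notes of the same kind (O16 ActiveX download hosts and O17 NameServer addresses to confirm against your ISP) that are standard practice rather than something the thread itself states. The sample log is a constructed excerpt modelled on the lines Barb posted.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a handful of lines modelled on the HJT log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINNT\system32\lsass.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rivnet.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A960D13-2B05-453A-98C5-859A5E9C4848}: NameServer = 205.130.32.8,205.130.32.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D94E2BF-2C2A-44BA-AE12-0B1C68B8ACDD}: NameServer = 66.19.192.200 216.126.128.40
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Every HJT entry line starts with a section code such as R0, O4, O17 followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<detail>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(text):
    """Return a list of (section, detail) tuples, one per HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def running_processes(text):
    """Return the process paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not s or ENTRY_RE.match(s):  # block ends at the first entry line
                break
            procs.append(s)
    return procs


def group_by_section(entries):
    """Group entry details by their section code, e.g. {'O4': [...], 'O17': [...]}."""
    groups = defaultdict(list)
    for section, detail in entries:
        groups[section].append(detail)
    return dict(groups)


def review_notes(entries):
    """Apply the review rules and return a list of (section, note) pairs."""
    notes = []
    for section, detail in entries:
        if section == "O6":
            # TJ's rule from the thread: an O6 entry is a policy restriction;
            # keep it only if you, an admin or a protection tool set it.
            notes.append((section, "policy restriction present: " + detail
                          + " (keep only if you, an admin or a tool such as Spybot set it)"))
        elif section == "O16":
            # General practice (assumed, not from the thread): name the host the
            # ActiveX control was downloaded from so the user can confirm it.
            m = URL_RE.search(detail)
            host = urlparse(m.group(0)).hostname if m else "unknown host"
            notes.append((section, "ActiveX control downloaded from " + host
                          + " (confirm this is a site you used)"))
        elif section == "O17":
            # General practice (assumed): list the DNS servers set on each adapter.
            m = NAMESERVER_RE.search(detail)
            servers = re.split(r"[,\s]+", m.group("servers").strip()) if m else []
            notes.append((section, "DNS servers configured: " + ", ".join(servers)
                          + " (confirm they belong to your ISP)"))
    return notes


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("processes:", running_processes(SAMPLE_LOG))
    for code, items in sorted(group_by_section(found).items()):
        print(code, len(items), "entries")
    for code, note in review_notes(found):
        print(code + ":", note)
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; everything that is not an O6, O16 or O17 entry is only counted, which matches TJ's reading of this log as clean apart from the one O6 line.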

You can leave it alone. Your log is clean. The Windows LSASS vulnerability is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail here.

Running Windows Update should install this critical update and hopefully stop those popups.

TJ


TJ:

I already installed that patch, KB835732, a long time ago; that is why I was confused about why I'm getting these popups. I checked in my WINNT folder and it is there, dated 4/04. I keep updated with all security updates etc.

I'm not having any problems with my computer, just wanted to make sure I was clean. I'm thinking there is something in TrendMicro that keeps reading a virus when I don't have one. What do you think?

Barb :D


Quoted from Microsoft's Security Bulletin MS04-011:

Affected Software:

Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update

Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update

Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update

Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update

Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update

Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update

Microsoft Windows Server™ 2003 – Download the update

Microsoft Windows Server 2003 64-Bit Edition – Download the update

Microsoft NetMeeting

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

I think you should ignore those popups. The Windows LSASS vulnerability is not a problem with Windows XP SP2. :D

Edited by tj416

TJ:

Thanks for your help. Here is some info from Trend Micro on this subject in case you run across this again.

Trend Micro

I did what this bulletin suggested.

Barb :D
