bar5 Posted February 5, 2005

Hi:

I keep getting a popup from TrendMicro pc-cillin 2005 "lsass exploit 04-011 (835732)". I'm pretty sure this is a false positive, but want to make sure. I have run Spybot S&D, Ad-awareSE, a-squared, ewido and finally pc-cillin malware scan. NOTHING. Did a scan as TrendMicro suggested the first time, came up clean. I have no symptoms of sasser virus. No slow down or shut down. Would appreciate someone taking a look at HJT log, for peace of mind.

Logfile of HijackThis v1.99.0
Scan saved at 2:22:04 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\AdSubtract\adsub.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\bar5\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rivnet.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093022335540
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A960D13-2B05-453A-98C5-859A5E9C4848}: NameServer = 205.130.32.8,205.130.32.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D94E2BF-2C2A-44BA-AE12-0B1C68B8ACDD}: NameServer = 66.19.192.200 216.126.128.40
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

I hope I did this correctly. Thanks for your time.

Barb
tj416 Posted February 5, 2005 (edited)

Hi bar5,

Open Hijack This!, run a scan and check these items:

The following item is a restriction to your computer. If you did not set this entry with Spybot or another protection program, or if your administrator did not set it, then check this item.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Apart from that entry, your log looks clean.

TJ

Edited February 5, 2005 by tj416
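A small triage script, added here as an example and not part of the thread, that parses HijackThis-format entries and applies the rule in the reply above: O6 policy restrictions are surfaced for the user to confirm, and O16 ActiveX download sources and O17 name servers are listed so they can be verified. The sample lines are copied from the log posted in this thread; the category names and the regular expressions are my own.

```python
import re

# Sample lines in HijackThis log format, copied from the log posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.0
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.rivnet.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [pccguide.exe] "C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccguide.exe"
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{7A960D13-2B05-453A-98C5-859A5E9C4848}: NameServer = 205.130.32.8,205.130.32.13
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9D94E2BF-2C2A-44BA-AE12-0B1C68B8ACDD}: NameServer = 66.19.192.200 216.126.128.40
"""

# Every HijackThis entry starts with a section code (R0, R1, F1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section_code, detail) pairs; header lines and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Group the entries a reviewer asks the user about, following the rule in the reply above:
    an O6 policy restriction is fixed unless the user or a protection program set it on purpose;
    O16 ActiveX download sources and O17 DNS servers are listed so the user can confirm them."""
    findings = {"policy_restrictions": [], "activex_sources": [], "dns_servers": []}
    for code, detail in entries:
        if code == "O6":
            findings["policy_restrictions"].append(detail)
        elif code == "O16":
            urls = re.findall(r"https?://\S+", detail)
            findings["activex_sources"].append(urls[0] if urls else detail)
        elif code == "O17":
            m = re.search(r"NameServer = (.+)$", detail)
            if m:
                # HijackThis separates multiple servers with either a comma or a space.
                findings["dns_servers"].extend(re.split(r"[ ,]+", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for category, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{category}: {items}")
```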
bar5 (Author) Posted February 5, 2005

tj416:

Got your PM, and sent you one back. Should I still do the correction as you suggested, or leave it alone? I read your PM first as it was the latest message. Just want to make sure.

Barb
tj416 Posted February 5, 2005

You can leave it alone. Your log is clean. The Windows LSASS vulnerability is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail here. Running Windows Update should install this critical update and hopefully stop those popups.

TJ
tj416 Posted February 5, 2005

I also found details here.
bar5 (Author) Posted February 5, 2005

> You can leave it alone. Your log is clean. The Windows LSASS vulnerability is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail here. Running Windows Update should install this critical update and hopefully stop those popups.
>
> TJ

TJ:

I have already installed that patch, KB835732, a long time ago; that is why I was confused about why I'm getting these popups. I checked in my WINNT folder and it is there, dated 4/04. I keep updated with all security updates etc. I'm not having any problems with my computer, just wanted to make sure I was clean. I'm thinking there is something in TrendMicro that keeps reading a virus when I don't have one. What do you think?

Barb
tj416 Posted February 8, 2005 (edited)

Quoted from Microsoft's Security Bulletin MS04-011:

Affected Software:
Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update
Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update
Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update
Microsoft Windows Server™ 2003 – Download the update
Microsoft Windows Server 2003 64-Bit Edition – Download the update
Microsoft NetMeeting
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

I think you should ignore those popups. The Windows LSASS vulnerability is not a problem with Windows XP SP2.

Edited February 8, 2005 by tj416
bar5 (Author) Posted February 8, 2005

> Quoted from Microsoft's Security Bulletin MS04-011:
>
> Affected Software:
> Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
> Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
> Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update
> Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update
> Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update
> Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update
> Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update
> Microsoft Windows Server™ 2003 – Download the update
> Microsoft Windows Server 2003 64-Bit Edition – Download the update
> Microsoft NetMeeting
> Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.
>
> I think you should ignore those popups. The Windows LSASS vulnerability is not a problem with Windows XP SP2.

TJ:

Thanks for your help. Here is some info from Trend Micro on this subject in case you run across this again.

Trend Micro

I did what this bulletin suggested.

Barb
tj416 Posted February 8, 2005

You're welcome!

btw Thanks for the link!

TJ