
back again with all new problems ...


13 replies to this topic

#1 soul

    Member

  • Members
  • 22 posts

Posted 23 October 2006 - 03:32 PM

hello again Gentlepeople ... a friend decided to help me out of my previous problems by installing Windows 2000 on my computer, and after a few days of relative peace, my internet connection suddenly started collapsing after like 30 seconds every time I try to get online. my server says everything's fine on their end, and they tell me I must have some kind of virus or spyware that's causing this, but Ad-Aware says I'm clean; so does Norton Anti-Virus (both of which are freshly updated).

in despair I've installed a trial version of Norton Personal Firewall that I happened to have, but I don't want to keep it if I don't have to: although it does allow me to get/stay online, it slows my system down hugely, and also keeps interrupting me every three seconds because it wants to block lsass.exe, which I understand is (or may be??) a valid/necessary program that shouldn't be blocked.

anyway, while trying to figure out what's causing the problem, I've tried these steps:
a] I tried the eTrust online scan and it says I'm clean (but of course I had the Norton firewall on, in order to maintain a connection, and I don't know if the scanner can do its thing properly with a firewall on);
b] I downloaded SmitFraudFix and have appended the report below;
c] I'll run HijackThis in a moment, and will post that as well.

thank you thank you for any insights ...


SmitFraudFix v2.113

Scan done at 16:04:48.03, Mon 2006-10-23
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Wersja 5.00.2195] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SSSOUL1


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SSSOUL1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SSSOUL1\Ulubione


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieľĄca strona gˆ˘wna"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by soul, 23 October 2006 - 03:42 PM.


#2 soul

    Member

  • Members
  • 22 posts

Posted 23 October 2006 - 03:35 PM

here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:31 PM, on 2006-10-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\lsass.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Personal Firewall 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#3 soul

    Member

  • Members
  • 22 posts

Posted 23 October 2006 - 03:54 PM

and for good measure, my Ad-Aware log, which keeps reporting only "negligible objects":

Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, October 23, 2006 4:38:58 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R128 18.10.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):11 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2006-10-23 4:38:58 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\SSSOUL1\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\office\8.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 156
ThreadCreationTime : 2006-10-23 1:52:03 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 184
ThreadCreationTime : 2006-10-23 1:52:09 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 204
ThreadCreationTime : 2006-10-23 1:52:11 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 232
ThreadCreationTime : 2006-10-23 1:52:13 PM
BasePriority : Normal
FileVersion : 5.00.2195.7035
ProductVersion : 5.00.2195.7035
ProductName : System operacyjny Microsoft® Windows ® 2000
CompanyName : Microsoft Corporation
FileDescription : Usługi i aplikacja Kontroler
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 244
ThreadCreationTime : 2006-10-23 1:52:13 PM
BasePriority : Normal
FileVersion : 5.00.2195.7011
ProductVersion : 5.00.2195.7011
ProductName : System operacyjny Microsoft® Windows ® 2000
CompanyName : Microsoft Corporation
FileDescription : Biblioteka DLL pliku wykonywalnego i serwera LSA (wersja eksportowa)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 396
ThreadCreationTime : 2006-10-23 1:52:18 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 440
ThreadCreationTime : 2006-10-23 1:52:19 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:8 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 476
ThreadCreationTime : 2006-10-23 1:52:19 PM
BasePriority : Normal
FileVersion : 104.0.7.3
ProductVersion : 104.0.7.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:9 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 508
ThreadCreationTime : 2006-10-23 1:52:24 PM
BasePriority : Normal
FileVersion : 104.0.7.3
ProductVersion : 104.0.7.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:10 [ccproxy.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 632
ThreadCreationTime : 2006-10-23 1:52:28 PM
BasePriority : Normal
FileVersion : 104.0.11.1
ProductVersion : 104.0.11.1
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:11 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 664
ThreadCreationTime : 2006-10-23 1:52:28 PM
BasePriority : Normal
FileVersion : 6.0.4.402
ProductVersion : 6.0
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002 - 2006 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:12 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 704
ThreadCreationTime : 2006-10-23 1:52:29 PM
BasePriority : Normal
FileVersion : 2.1.0.4
ProductVersion : 2.1.0.4
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright © 2004, 2005 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:13 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 752
ThreadCreationTime : 2006-10-23 1:52:30 PM
BasePriority : Normal
FileVersion : 1.9.1.762
ProductVersion : 1.9.1.762
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:14 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 892
ThreadCreationTime : 2006-10-23 1:52:35 PM
BasePriority : Normal
FileVersion : 5.00.2195.7059
ProductVersion : 5.00.2195.7059
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:15 [aluschedulersvc.exe]
FilePath : C:\Program Files\Symantec\LiveUpdate\
ProcessID : 916
ThreadCreationTime : 2006-10-23 1:52:36 PM
BasePriority : Normal
FileVersion : 3.0.0.171
ProductVersion : 3.0.0.171
ProductName : LiveUpdate
CompanyName : Symantec Corporation
FileDescription : Automatic LiveUpdate Scheduler Service
InternalName : Automatic LiveUpdate Scheduler Service
LegalCopyright : Copyright © 1996-2005 Symantec Corporation
OriginalFilename : ALUSchedulerSvc.exe

#:16 [lsass.exe]
FilePath : C:\WINNT\
ProcessID : 956
ThreadCreationTime : 2006-10-23 1:52:37 PM
BasePriority : Normal


#:17 [firedaemon.exe]
FilePath : c:\winnt\system32\microsoft\user\
ProcessID : 1028
ThreadCreationTime : 2006-10-23 1:52:39 PM
BasePriority : Normal


#:18 [dll32.exe]
FilePath : c:\winnt\system32\microsoft\user\
ProcessID : 1040
ThreadCreationTime : 2006-10-23 1:52:40 PM
BasePriority : Normal


#:19 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1048
ThreadCreationTime : 2006-10-23 1:52:40 PM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:20 [firedaemon.exe]
FilePath : c:\winnt\system32\microsoft\user\
ProcessID : 1096
ThreadCreationTime : 2006-10-23 1:52:41 PM
BasePriority : Normal


#:21 [dll39.exe]
FilePath : c:\winnt\system32\microsoft\user\
ProcessID : 1112
ThreadCreationTime : 2006-10-23 1:52:41 PM
BasePriority : Normal


#:22 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1140
ThreadCreationTime : 2006-10-23 1:52:41 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:23 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1168
ThreadCreationTime : 2006-10-23 1:52:45 PM
BasePriority : Normal
FileVersion : 4.71.2195.6972
ProductVersion : 4.71.2195.6972
ProductName : Microsoft® Windows® - Harmonogram zadań
CompanyName : Microsoft Corporation
FileDescription : Aparat Harmonogramu zadań
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:24 [slserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1220
ThreadCreationTime : 2006-10-23 1:52:46 PM
BasePriority : Normal
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
ProductName : Modem
FileDescription : User-Level Modem Service
InternalName : slserv
LegalCopyright : Copyright © 1999-2000
OriginalFilename : slserv.exe

#:25 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1288
ThreadCreationTime : 2006-10-23 1:52:47 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Instrumentacja zarządzania Windows
CompanyName : Microsoft Corporation
FileDescription : Instrumentacja zarządzania Windows
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:26 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1304
ThreadCreationTime : 2006-10-23 1:52:47 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:27 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1352
ThreadCreationTime : 2006-10-23 1:52:49 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:28 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1392
ThreadCreationTime : 2006-10-23 1:52:51 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:29 [sistray.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1480
ThreadCreationTime : 2006-10-23 1:53:00 PM
BasePriority : Normal
FileVersion : 0.0.0.2060
ProductVersion : 0.0.0.2060
ProductName : SiS ® Compatible Super VGA SiSTray application for Windows NT4.0/2000/XP
CompanyName : Silicon Integrated Systems Corporation
FileDescription : SiS Compatible Super VGA Tray Application
InternalName : SISTRAY 2.06.00
LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002
OriginalFilename : SISTRAY.EXE
Comments : SiS Compatible Super VGA Tray Application

#:30 [khooker.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1508
ThreadCreationTime : 2006-10-23 1:53:01 PM
BasePriority : Normal
FileVersion : 0, 0, 0, 2060
ProductVersion : 0, 0, 0, 2060
ProductName : SIS ® Compatible Super VGA keyboard daemon for Windows 2000/XP
CompanyName : Silicon Integrated Systems Corporation
FileDescription : SiS Compatible Super VGA Keyboard Daemon
InternalName : KHOOKER 2.06.50
LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002
OriginalFilename : KHOOKER.EXE
Comments : SiS Compatible Super VGA Keyboard Daemon

#:31 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1512
ThreadCreationTime : 2006-10-23 1:53:01 PM
BasePriority : Normal
FileVersion : 104.0.7.3
ProductVersion : 104.0.7.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:32 [dragdiag.exe]
FilePath : C:\Program Files\Alcatel\SpeedTouch USB\
ProcessID : 1624
ThreadCreationTime : 2006-10-23 1:53:08 PM
BasePriority : Normal
FileVersion : 200.7.0.0
ProductVersion : 200.7.0.0
ProductName : SpeedTouch USB
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
LegalCopyright : Copyright© THOMSON multimedia 1999-2002

#:33 [taskbaricon.exe]
FilePath : C:\Program Files\Wanadoo\
ProcessID : 1596
ThreadCreationTime : 2006-10-23 1:53:10 PM
BasePriority : Normal
FileVersion : 5.5 (1)
ProductVersion : 5.5 (1)
ProductName : Kit de Connexion et de Services
CompanyName : France Télécom R&D
FileDescription : Gestion de l'icône de la barre des tâches
InternalName : TaskBarIcon
LegalCopyright : Copyright © France Télécom R&D 1999 - 2002
OriginalFilename : TaskBarIcon.exe

#:34 [internat.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1676
ThreadCreationTime : 2006-10-23 1:53:11 PM
BasePriority : Normal
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
ProductName : System operacyjny Microsoft® Windows ® 2000
CompanyName : Microsoft Corporation
FileDescription : Aplikacja wskaźnika języka klawiatury
InternalName : INTERNAT
LegalCopyright : Copyright © Microsoft Corp. 1994-1999
OriginalFilename : INTERNAT.EXE

#:35 [msoffice.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ProcessID : 1736
ThreadCreationTime : 2006-10-23 1:53:17 PM
BasePriority : Normal
FileVersion : 8.0.3512
ProductVersion : 8.0.3512
ProductName : Microsoft Office
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office Shortcut Bar
InternalName : MSOFFICE
LegalCopyright : Copyright © Microsoft Corp. 1990-1996.
OriginalFilename : MSOFFICE.EXE

#:36 [osa.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ProcessID : 1648
ThreadCreationTime : 2006-10-23 1:53:21 PM
BasePriority : Normal


#:37 [nscsrvce.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\Security Console\
ProcessID : 1444
ThreadCreationTime : 2006-10-23 1:56:38 PM
BasePriority : Normal
FileVersion : 2006.1.6.2
ProductVersion : 2006.1.6
ProductName : Norton Security Console
CompanyName : Symantec Corporation
FileDescription : Norton Security Console Norton Protection Center Service
InternalName : NSCService
LegalCopyright : Norton Security Console 2006 for Windows 2000/XP Copyright © 2005 Symantec Corporation. All rights reserved.
OriginalFilename : NSCSrvce.exe

#:38 [espacewanadoo.exe]
FilePath : C:\Program Files\Wanadoo\
ProcessID : 1852
ThreadCreationTime : 2006-10-23 1:59:16 PM
BasePriority : Normal
FileVersion : 5.5 (212)
ProductVersion : 5.5(212)
ProductName : Kit de connexion
CompanyName : France Télécom R&D
FileDescription : Espace Client
InternalName : EspaceClient
LegalCopyright : Copyright © France Télécom R&D 1999, 2000, 2001, 2002
OriginalFilename : EspaceClient.exe

#:39 [comcomp.exe]
FilePath : C:\Program Files\Wanadoo\
ProcessID : 1844
ThreadCreationTime : 2006-10-23 1:59:18 PM
BasePriority : Normal
FileVersion : 5.5 (257)
ProductVersion : 5.5 (257)
ProductName : Kit de Connexion et de Services
CompanyName : France Télécom R&D
FileDescription : Module de communication
InternalName : ComComp
LegalCopyright : Copyright © France Télécom R&D 1999- 2002
OriginalFilename : ComComp.exe

#:40 [watch.exe]
FilePath : C:\Program Files\Wanadoo\
ProcessID : 1976
ThreadCreationTime : 2006-10-23 1:59:25 PM
BasePriority : Normal
FileVersion : 5.5 (65)
ProductVersion : 5.5 (65)
ProductName : Kit de Connexion et de Services
CompanyName : France Télécom R&D
FileDescription : Surveillance des modifications
InternalName : Watch
LegalCopyright : Copyright © France Télécom R&D 1999-2002
OriginalFilename : Watch.exe

#:41 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 1816
ThreadCreationTime : 2006-10-23 2:17:31 PM
BasePriority : Normal


#:42 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1640
ThreadCreationTime : 2006-10-23 2:37:58 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 11




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11

4:51:12 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:13.875
Objects scanned:75078
Objects identified:1
Objects ignored:1
New critical objects:0

#4 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 23 October 2006 - 09:17 PM

You have a suspicious file I'd like to examine further to determine what it is and the best way to remove it.

Go here to upload the file as an attachment
http://www.thespykil...x.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from soul at LS ),
fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

File to attach for upload:

C:\WINNT\lsass.exe (note: do not confuse this one with the legit lsass.exe, which is located in a different folder (system32). The one I suspect is located directly in the C:\WINNT directory.)

(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to register to start a topic or upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there and will reply to you back here with analysis results.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#5 soul

soul

    Member

  • Members
  • PipPip
  • 22 posts

Posted 24 October 2006 - 09:16 AM

thank you very much indeed, Calamity Jane -
i tried to upload that file you asked for, but i'm afraid it isn't the one you're interested in: there's no lsass in sight when i check the WINNT folder (except if i look inside other folders: there's "lsass.exe" in that "RollUpPackUninstall" folder, and LSASS.exe in the system32 folder). i see [below] that it's still in the Highjack This log, so i reckon it's hiding from me when i search for it? if there's something i can do to coax it into view so that i can upload it for you, i'll gladly and gratefully try again ...

meanwhile, another friend decided to try to help me out here; he uninstalled all the Norton stuff, installed AVast instead; and also downloaded a different SmitFraudFix and ran that in safe mode. i can't find a log for what SmitFraudFix did, but here are my latest Highjack This logs, and the logs that Avast generated last night and this morning (it's in Polish, sorry! but i've translated what i hope are the significant bits).

the computer seems to be running okay for a while after i start it, but keeps getting painfully slow; i *am* able to get/stay on line, but every time i do Avast reports/quarantines four trojans in a row.

many thanks for all your help and advice ...

~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:43:47 AM, on 2006-10-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\csrss.exe
C:\WINNT\lsass.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Avast logs:

* Raport avast!
* Ten plik jest generowany automatycznie
*
* Użyto zadania 'Osłona rezydentna'
* Uruchomiono 23 październik 2006 19:09:14 = october 23rd 2006 19:09:14
* VPS: 0639-1, 2006-09-25
*

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\T3P5FGN6\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
*


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
next report:

* Raport avast!
* Ten plik jest generowany automatycznie
*
* Użyto zadania 'Osłona rezydentna'
* Uruchomiono 23 październik 2006 21:46:44 = october 23rd 21:46:44
* VPS: 0643-1, 2006-10-23
*

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4E9PT612\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\T3P5FGN6\adult1[1].exe [L] Win32:Dialer-gen13 [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

~~~~~~~~~~~~~~~~~~~~~~~~~~
this morning:

* Raport avast!
* Ten plik jest generowany automatycznie
*
* Użyto zadania 'Osłona rezydentna'
* Uruchomiono 24 październik 2006 07:14:52 = october 24th 07:14:52
* VPS: 0643-1, 2006-10-23
*

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LVQCP2IY\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LVQCP2IY\adult1[1].exe [L] Win32:Dialer-gen13 [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined
C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined


#6 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 24 October 2006 - 08:23 PM

No problem. The file you uploaded was the legitimate one and the bogus file must be hiding.

You now have another that is also probably hiding. I have a tool we can use to kill it though. Hold on while I write up the fix. It must be a new worm because Avast isn't detecting it either.

I'll be right back. :)

#7 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 24 October 2006 - 09:03 PM

Please download the Killbox by Option^Explicit.
http://www.downloads...org/KillBox.zip

Unzip/Extract the contents to your desktop
How to extract (decompress) zipped or compressed files
http://www.lvsonline...tut/index.shtml

1. Open Killbox by clicking on Killbox.exe

2. Select *Delete on Reboot* in the first column

[screenshot: DeleteOnReboot.gif]

3. Press the *All Files* button IMPORTANT STEP!

[screenshot: AllFilesButton.gif]

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

C:\WINNT\csrss.exe
C:\WINNT\lsass.exe


5. In Killbox, select the "File" tab at the top

6. Choose "Paste from Clipboard" in the drop down menu

[screenshot: PasteFromClipboardDeleteOnReboot.gif]

7. Press the red button with the white x in it.

8. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?
Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually


Note: Backups will be stored in the following directory created on the Hard-drive (usually C):
C:\!KillBox

9. Navigate to the Killbox backup folder:
C:\!KillBox

a. Right–click folder !KillBox

b. Point to Send To

c. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.
C:\!KillBox.zip

10. Go here to upload the files as attachments
http://www.thespykil...hp?topic=2882.0
(That's the topic you started earlier - just post a reply)
Fill in a short message, then press the browse button, navigate to and select these files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select again; when all the files are listed in the window, press the *Post* button to upload the files.

Files to upload:

C:\!KillBox.zip

You DO NOT need to be a member to upload, anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them.
...........................
Then please come back here and post a fresh HijackThis log - there will be some remaining entries to take care of but the files should be deleted and cannot run.

#8 soul

soul

    Member

  • Members
  • PipPip
  • 22 posts

Posted 25 October 2006 - 08:03 AM

thank you very very much, Calamity Jane - i will get right on it and report back as soon as i can.

in the meantime i located another lsass in my WINNT folder - i've uploaded that to the Spykiller thread in case it's of any interest.

also in the meantime, i've downloaded a bunch of security tools that i was going to run today:
~ Avast in an English-language version (the Polish one was reporting itself as infected, which didn't sound promising to me; the new one is installed and running);
~ the free Zone Alarm firewall (also installed and running);
~ the free version of AVG Anti-Spyware 7.5 (likewise);
~ Spybot (installed but not yet run)
~ Stinger (ditto)
~ CW Shredder (ditto)
~ VX2finder (ditto)

if any of those are tools i don't need or should replace with something better, i'd be very very grateful to know that - i do want to be secure, of course, but i don't want to clutter up my poor benighted little system with stuff that isn't really going to help.

i truly appreciate your taking an interest and all your great help. thank you.

Edited by soul, 25 October 2006 - 09:33 AM.


#9 soul

soul

    Member

  • Members
  • PipPip
  • 22 posts

Posted 25 October 2006 - 03:41 PM

well, i tried! i'm not sure what happened or what to do next -
these steps didn't work quite as described:

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C
C:\WINNT\csrss.exe
C:\WINNT\lsass.exe

5. In Killbox, select the "File" tab at the top
6. Choose "Paste from Clipboard" in the drop down menu


doing this left the file-name space blank; i wound up pasting in each file name separately (separated by a comma) using Control+C then Control+V; then i clicked the wrong red button with the white X (i went first for the one in the upper lefthand corner); then i clicked the *right* red button with the white X and chose "yes". after a moment it told me this:

PendingFileRenameOperations Registry Data has been Removed by External Process!

the only possible response to that was "OK" (well, after staring at it dumbfounded for a while!) - is that normal, okay, expected, etc??
the computer didn't reboot automatically - i'm about to do it manually, but felt i'd better let you know what's going on before i do that. here goes nothing! :]

Edited by soul, 25 October 2006 - 03:42 PM.


#10 soul

soul

    Member

  • Members
  • PipPip
  • 22 posts

Posted 25 October 2006 - 04:14 PM

b. Point to Send To
c. Then click Compressed (zipped) Folder


thank you so much, Calamity Jane - i survived the reboot and hope i've managed to upload that file properly over on the Spykiller thread. (the steps described above didn't work for me - in case it's useful for fine-tuning the instructions for literal-minded know-nothings like me: when i pointed to "send to" i wasn't offered the option you mention; instead i chose "winzip" and the "add to !Killbox.zip" option. i hope it worked!)

is it okay for me to delete that !Killbox.zip file now, or ... ?

i've just run Highjack This and here's the log - oh and i ought to mention that before i ran Killbox i did a "thorough" scan with Avast in safe mode; it incarcerated 7 items, but i don't know where to find the log of that.

Logfile of HijackThis v1.99.1
Scan saved at 5:07:45 PM, on 2006-10-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingst...mbers/login.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O15 - Trusted Zone: www.iorr.org
O15 - Trusted Zone: http://www.rollingstones.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by soul, 25 October 2006 - 06:45 PM.


#11 soul

soul

    Member

  • Members
  • PipPip
  • 22 posts

Posted 25 October 2006 - 06:55 PM

... and now i've run the gizmos i listed above, all in safe mode: Avast found 7 nasties (i don't know how to locate the log, though); Stinger found nothing; the AVG/ewido program found 20 infected objects (it listed problems like Trojan.Dialer.qy, Trojan.Zapchast.au, Trojan.Zapchast, Backdoor.Sd.Bot.atz and .aad, Worm.Randon.am, Trojan.NoShare.K and Backdoor.Zapchat); Spybot fixed one problem (Alexa-related); Ad-Aware found 7 negligibles; CWShredder found nothing; and VX2Finder ... hm, its report was rather cryptic but since no file names were listed i guess that's good.

my Highjack This log now looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 7:56:37 PM, on 2006-10-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingst...mbers/login.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O15 - Trusted Zone: www.iorr.org
O15 - Trusted Zone: http://www.rollingstones.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#12 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 25 October 2006 - 09:31 PM

The files you uploaded are ok - and killbox didn't capture anything - just the log.

However, something you ran got the two baddies I was looking for and I suspect they were a trojan (SDbot perhaps). But they seem to be gone now.

Here is the difference.

These are (were) the "bad" guys:

C:\WINNT\csrss.exe <---bad
C:\WINNT\lsass.exe <-- bad

See how they are located directly in the WINNT directory?

The legitimate windows files of the same name are located in the proper location which is in the System32 folder (and NOT directly in the WINNT directory).

C:\WINNT\system32\lsass.exe <---ok
C:\WINNT\system32\csrss.exe <---ok

And internat.exe was ok - that is the legitimate one.

There are some remaining registry entries showing in the HijackThis log that were left behind.

Click Start > Run and type in Services.msc
Click OK
In the Services box, click the Extended tab.
Scroll down to:

LSA Shel (note that it is spelled with only one L in the word "Shel")

Right click on it and select *Properties*
Click Stop to stop the service, then change the Startup Type to: Disabled
Click Apply.

Next
Scroll down to:
Generic Host Process for Win32 Service

Right click on it and select Properties
Click Stop to stop the service, then change the Startup Type to: Disabled
Click Apply, then click OK.

Then close out of that

Open HijackThis and do a *system scan only*

When it finishes, checkmark the following entries and then press the *fix checked* button

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)


The tools you downloaded and ran are ok, except Vx2finder is a very old, obsolete tool no longer in use. You can get rid of it.

Next question: Did you install FireDaemon?

That is a legitimate program but it can also be installed and used by a remote attacker, so that is why I'm asking.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#13 soul

soul

    Member

  • Members
  • PipPip
  • 22 posts

Posted 25 October 2006 - 10:25 PM

thank you so much, Calamity Jane!

sorry those files i uploaded weren't what you were seeking, but i'm very glad to know that internat.exe is legitimate, especially since it's been on my computer right from the get-go.

i followed your instructions above - thank you! - but when i got to having HijackThis fix those two O23s, i didn't find them in the list. i ran the free a-squared download while i was waiting for further input, so maybe that wiped them out? (i also had HJT fix those extra IE "main pages" that i never asked for.)

as for FireDaemon: i've asked the guy who installed windows 2000 for me whether he installed that, but he hasn't replied yet. i'll nudge him again.

all kinds of blessings on you for your wonderful and patient help, Calamity Jane! and here's my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:21 PM, on 2006-10-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingst...mbers/login.php
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O15 - Trusted Zone: www.iorr.org
O15 - Trusted Zone: http://www.rollingstones.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by soul, 25 October 2006 - 10:26 PM.


#14 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 25 October 2006 - 10:50 PM

Good! Your HijackThis log looks fine now. Something else may have taken out the remaining items in the registry we were seeing.

Here is the information about FireDaemon and how to remove it if it was not installed on purpose.
firedaemon.exe: System Cleanup After Trojan/Worm Compromise
http://forums.fireda...wtopic.php?t=18

Firedaemon itself is not harmful but should be removed if it was installed via a trojan infection.

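As an added example (not code from this thread, from HijackThis, or from any other tool named here), the following Python script applies the two checks CalamityJane describes in posts #12 and #14 to HijackThis-style log lines: it flags core Windows processes (lsass.exe, csrss.exe and friends) that run from, or are registered at, any directory other than %SystemRoot%\system32; it flags O23 service entries reported "(file missing)", which are the leftover registry entries post #12 has the user remove; and it flags services launched through a generic wrapper such as FireDaemon, which post #14 explains is legitimate software that still needs review if nobody installed it on purpose. The core-process list, the assumed SystemRoot of C:\WINNT, the regular expressions and the sample log are my own constructions, built from lines quoted in this thread; the script only reads text and changes nothing on the system.

```python
"""Triage of HijackThis-style log lines (added example, not thread or tool code).

Checks implemented:
  * core-impostor    : a core Windows process name running from (or registered at)
                       a directory other than %SystemRoot%\\system32
  * orphaned-service : an O23 service entry whose binary is reported "(file missing)",
                       i.e. a leftover registry entry after the file was removed
  * service-wrapper  : a service whose binary is a generic service wrapper such as
                       FireDaemon, legitimate software that is also used to keep a
                       dropped payload running as a service
"""
import re

# Assumption: Windows 2000 with the default install directory.
SYSTEM_ROOT = r"c:\winnt"
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Assumption: these core processes only ever run from system32; a copy anywhere
# else (for example directly in C:\WINNT, as in this thread) deserves a close look.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}

# Generic service wrappers worth reviewing when nobody remembers installing them.
SERVICE_WRAPPERS = {"firedaemon.exe"}

# "O23 - Service: <name> - <owner> - <command> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
# First drive-letter path ending in .exe; drops trailing arguments and stray quotes.
EXE_RE = re.compile(r'[a-z]:\\[^"]*?\.exe', re.IGNORECASE)


def split_path(path):
    """Return (directory, basename), both lower-cased, for a Windows path."""
    p = path.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    return directory, name


def is_core_impostor(path):
    """True when a core process name runs from outside %SystemRoot%\\system32."""
    directory, name = split_path(path)
    return name in CORE_SYSTEM32 and directory != SYSTEM32


def exe_path(command):
    """Extract the executable path from a service command line, or None."""
    m = EXE_RE.search(command)
    return m.group(0) if m else None


def parse_log(text):
    """Yield ("process", path) for 'Running processes:' lines and
    ("service", (name, owner, command, missing)) for O23 lines."""
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            yield "process", line
            continue
        m = O23_RE.match(line)
        if m:
            yield "service", (m["name"], m["owner"], m["path"], bool(m["missing"]))


def triage(text):
    """Return a de-duplicated list of (finding, detail) tuples for a log."""
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    for kind, item in parse_log(text):
        if kind == "process":
            if is_core_impostor(item):
                add("core-impostor", item)
            continue
        name, _owner, command, missing = item
        exe = exe_path(command)
        # "Unknown owner" is not flagged on its own: legitimate third-party
        # services (avast! in this thread) show it too.
        if exe and is_core_impostor(exe):
            add("core-impostor", exe)
        if missing:
            add("orphaned-service", name)
        if exe and split_path(exe)[1] in SERVICE_WRAPPERS:
            add("service-wrapper", name)
    return findings


# Constructed sample built from lines quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\lsass.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
C:\WINNT\system32\internat.exe

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:17s} {detail}")
```

Running the script on the constructed sample reports the C:\WINNT\lsass.exe impostor once (it appears both as a running process and as the orphaned "LSA Shel" service), the orphaned service entry, and the FireDaemon-wrapped MSVC9 service, while the legitimate system32 lsass.exe, internat.exe, avast! and vsmon entries pass. Paste a full HijackThis log into SAMPLE_LOG, or read one from a file, to run the same checks on it.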


