soul

back again with all new problems ...

14 posts in this topic

hello again Gentlepeople ... a friend decided to help me out of my previous problems by installing windows 2000 on my computer, and after a few days of relative peace, my internet connection suddenly started collapsing after like 30 seconds every time i try to get on line. my server says everything's fine on their end, and they tell me i must have some kind of virus or spyware that's causing this, but Ad-Aware says i'm clean; so does Norton Anti-Virus (both of which are freshly updated).

 

in despair i've installed a trial version of Norton Personal Firewall that i happened to have, but i don't want to keep it if i don't have to: although it does allow me to get/stay on line, it slows my system down hugely, and also keeps interrupting me every three seconds because it wants to block lsass.exe, which i understand is (or may be??) a valid/necessary program that shouldn't be blocked.

 

anyway while trying to figure out what's causing the problem, i've tried these steps:

a] i tried the etrust online scan and it says i'm clean (but of course i had the Norton firewall on, in order to maintain a connection, and i don't know if the scanner can do its thing properly with a firewall on);

b] i downloaded SmitFraudFix and append the report below;

c] i'll run HijackThis in a moment, and will post that as well.

 

thank you thank you for any insights ...

 

 

SmitFraudFix v2.113

 

Scan done at 16:04:48.03, Mon 2006-10-23

Run from C:\unzipped\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows 2000 [Wersja 5.00.2195] - Windows_NT

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SSSOUL1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SSSOUL1\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SSSOUL1\Ulubione

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Moja bieľĄca strona gˆ˘wna"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by soul


here's my HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 4:35:31 PM, on 2006-10-23

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINNT\lsass.exe

c:\winnt\system32\microsoft\user\FireDaemon.EXE

c:\winnt\system32\microsoft\user\dll32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

c:\winnt\system32\microsoft\user\FireDaemon.EXE

c:\winnt\system32\microsoft\user\dll39.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\sistray.EXE

C:\WINNT\system32\khooker.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Wanadoo\taskbaricon.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\unzipped\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Personal Firewall 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\system32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\system32\khooker.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160640790354

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160657231421

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


and for good measure, my Ad-Aware log, which keeps reporting only "negligible objects":

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Monday, October 23, 2006 4:38:58 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R128 18.10.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):11 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

2006-10-23 4:38:58 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\SSSOUL1\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\microsoft management console\recent file list

Description : list of recent snap-ins used in the microsoft management console

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\office\8.0\common\open find\microsoft word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\office\8.0\excel\recent file list

Description : list of recent files used by microsoft excel

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

MRU List Object Recognized!

Location: : S-1-5-21-507921405-1343024091-14780595-1000\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 156

ThreadCreationTime : 2006-10-23 1:52:03 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINNT\system32\

ProcessID : 184

ThreadCreationTime : 2006-10-23 1:52:09 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINNT\system32\

ProcessID : 204

ThreadCreationTime : 2006-10-23 1:52:11 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINNT\system32\

ProcessID : 232

ThreadCreationTime : 2006-10-23 1:52:13 PM

BasePriority : Normal

FileVersion : 5.00.2195.7035

ProductVersion : 5.00.2195.7035

ProductName : System operacyjny Microsoft® Windows ® 2000

CompanyName : Microsoft Corporation

FileDescription : Usługi i aplikacja Kontroler

InternalName : services.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINNT\system32\

ProcessID : 244

ThreadCreationTime : 2006-10-23 1:52:13 PM

BasePriority : Normal

FileVersion : 5.00.2195.7011

ProductVersion : 5.00.2195.7011

ProductName : System operacyjny Microsoft® Windows ® 2000

CompanyName : Microsoft Corporation

FileDescription : Biblioteka DLL pliku wykonywalnego i serwera LSA (wersja eksportowa)

InternalName : lsasrv.dll and lsass.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : lsasrv.dll and lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 396

ThreadCreationTime : 2006-10-23 1:52:18 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 440

ThreadCreationTime : 2006-10-23 1:52:19 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:8 [ccsetmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 476

ThreadCreationTime : 2006-10-23 1:52:19 PM

BasePriority : Normal

FileVersion : 104.0.7.3

ProductVersion : 104.0.7.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Settings Manager Service

InternalName : ccSetMgr

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccSetMgr.exe

 

#:9 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 508

ThreadCreationTime : 2006-10-23 1:52:24 PM

BasePriority : Normal

FileVersion : 104.0.7.3

ProductVersion : 104.0.7.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Event Manager Service

InternalName : ccEvtMgr

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccEvtMgr.exe

 

#:10 [ccproxy.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 632

ThreadCreationTime : 2006-10-23 1:52:28 PM

BasePriority : Normal

FileVersion : 104.0.11.1

ProductVersion : 104.0.11.1

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Network Proxy Service

InternalName : ccProxy

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccProxy.exe

 

#:11 [sndsrvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 664

ThreadCreationTime : 2006-10-23 1:52:28 PM

BasePriority : Normal

FileVersion : 6.0.4.402

ProductVersion : 6.0

ProductName : Symantec Security Drivers

CompanyName : Symantec Corporation

FileDescription : Network Driver Service

InternalName : SndSrvc

LegalCopyright : Copyright 2002 - 2006 Symantec Corporation

OriginalFilename : SndSrvc.exe

 

#:12 [spbbcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\

ProcessID : 704

ThreadCreationTime : 2006-10-23 1:52:29 PM

BasePriority : Normal

FileVersion : 2.1.0.4

ProductVersion : 2.1.0.4

ProductName : SPBBC

CompanyName : Symantec Corporation

FileDescription : SPBBC Service

InternalName : SPBBCSvc

LegalCopyright : Copyright © 2004, 2005 Symantec Corporation. All rights reserved.

OriginalFilename : SPBBCSvc.exe

 

#:13 [symlcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

ProcessID : 752

ThreadCreationTime : 2006-10-23 1:52:30 PM

BasePriority : Normal

FileVersion : 1.9.1.762

ProductVersion : 1.9.1.762

ProductName : Symantec Core Component

CompanyName : Symantec Corporation

FileDescription : Symantec Core Component

InternalName : symlcsvc

LegalCopyright : Copyright © 2003

OriginalFilename : symlcsvc.exe

 

#:14 [spoolsv.exe]

FilePath : C:\WINNT\system32\

ProcessID : 892

ThreadCreationTime : 2006-10-23 1:52:35 PM

BasePriority : Normal

FileVersion : 5.00.2195.7059

ProductVersion : 5.00.2195.7059

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolss.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : spoolss.exe

 

#:15 [aluschedulersvc.exe]

FilePath : C:\Program Files\Symantec\LiveUpdate\

ProcessID : 916

ThreadCreationTime : 2006-10-23 1:52:36 PM

BasePriority : Normal

FileVersion : 3.0.0.171

ProductVersion : 3.0.0.171

ProductName : LiveUpdate

CompanyName : Symantec Corporation

FileDescription : Automatic LiveUpdate Scheduler Service

InternalName : Automatic LiveUpdate Scheduler Service

LegalCopyright : Copyright © 1996-2005 Symantec Corporation

OriginalFilename : ALUSchedulerSvc.exe

 

#:16 [lsass.exe]

FilePath : C:\WINNT\

ProcessID : 956

ThreadCreationTime : 2006-10-23 1:52:37 PM

BasePriority : Normal

 

 

#:17 [firedaemon.exe]

FilePath : c:\winnt\system32\microsoft\user\

ProcessID : 1028

ThreadCreationTime : 2006-10-23 1:52:39 PM

BasePriority : Normal

 

 

#:18 [dll32.exe]

FilePath : c:\winnt\system32\microsoft\user\

ProcessID : 1040

ThreadCreationTime : 2006-10-23 1:52:40 PM

BasePriority : Normal

 

 

#:19 [navapsvc.exe]

FilePath : C:\Program Files\Norton AntiVirus\

ProcessID : 1048

ThreadCreationTime : 2006-10-23 1:52:40 PM

BasePriority : Normal

FileVersion : 9.05.1015

ProductVersion : 9.05.1015

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Service

InternalName : NAVAPSVC

LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.

OriginalFilename : NAVAPSVC.EXE

 

#:20 [firedaemon.exe]

FilePath : c:\winnt\system32\microsoft\user\

ProcessID : 1096

ThreadCreationTime : 2006-10-23 1:52:41 PM

BasePriority : Normal

 

 

#:21 [dll39.exe]

FilePath : c:\winnt\system32\microsoft\user\

ProcessID : 1112

ThreadCreationTime : 2006-10-23 1:52:41 PM

BasePriority : Normal

 

 

#:22 [regsvc.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1140

ThreadCreationTime : 2006-10-23 1:52:41 PM

BasePriority : Normal

FileVersion : 5.00.2195.6701

ProductVersion : 5.00.2195.6701

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Remote Registry Service

InternalName : regsvc

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : REGSVC.EXE

 

#:23 [mstask.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1168

ThreadCreationTime : 2006-10-23 1:52:45 PM

BasePriority : Normal

FileVersion : 4.71.2195.6972

ProductVersion : 4.71.2195.6972

ProductName : Microsoft® Windows® - Harmonogram zadań

CompanyName : Microsoft Corporation

FileDescription : Aparat Harmonogramu zadań

InternalName : TaskScheduler

LegalCopyright : Copyright © Microsoft Corp. 1997

OriginalFilename : mstask.exe

 

#:24 [slserv.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1220

ThreadCreationTime : 2006-10-23 1:52:46 PM

BasePriority : Normal

FileVersion : 2.80.00(24Apr2000)

ProductVersion : 2.80.00

ProductName : Modem

FileDescription : User-Level Modem Service

InternalName : slserv

LegalCopyright : Copyright © 1999-2000

OriginalFilename : slserv.exe

 

#:25 [winmgmt.exe]

FilePath : C:\WINNT\System32\WBEM\

ProcessID : 1288

ThreadCreationTime : 2006-10-23 1:52:47 PM

BasePriority : Normal

FileVersion : 1.50.1085.0100

ProductVersion : 1.50.1085.0100

ProductName : Instrumentacja zarządzania Windows

CompanyName : Microsoft Corporation

FileDescription : Instrumentacja zarządzania Windows

InternalName : WINMGMT

LegalCopyright : Copyright © Microsoft Corp. 1995-1999

 

#:26 [explorer.exe]

FilePath : C:\WINNT\

ProcessID : 1304

ThreadCreationTime : 2006-10-23 1:52:47 PM

BasePriority : Normal

FileVersion : 5.00.3700.6690

ProductVersion : 5.00.3700.6690

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : EXPLORER.EXE

 

#:27 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1352

ThreadCreationTime : 2006-10-23 1:52:49 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:28 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1392

ThreadCreationTime : 2006-10-23 1:52:51 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:29 [sistray.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1480

ThreadCreationTime : 2006-10-23 1:53:00 PM

BasePriority : Normal

FileVersion : 0.0.0.2060

ProductVersion : 0.0.0.2060

ProductName : SiS ® Compatible Super VGA SiSTray application for Windows NT4.0/2000/XP

CompanyName : Silicon Integrated Systems Corporation

FileDescription : SiS Compatible Super VGA Tray Application

InternalName : SISTRAY 2.06.00

LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002

OriginalFilename : SISTRAY.EXE

Comments : SiS Compatible Super VGA Tray Application

 

#:30 [khooker.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1508

ThreadCreationTime : 2006-10-23 1:53:01 PM

BasePriority : Normal

FileVersion : 0, 0, 0, 2060

ProductVersion : 0, 0, 0, 2060

ProductName : SIS ® Compatible Super VGA keyboard daemon for Windows 2000/XP

CompanyName : Silicon Integrated Systems Corporation

FileDescription : SiS Compatible Super VGA Keyboard Daemon

InternalName : KHOOKER 2.06.50

LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002

OriginalFilename : KHOOKER.EXE

Comments : SiS Compatible Super VGA Keyboard Daemon

 

#:31 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1512

ThreadCreationTime : 2006-10-23 1:53:01 PM

BasePriority : Normal

FileVersion : 104.0.7.3

ProductVersion : 104.0.7.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec User Session

InternalName : ccApp

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccApp.exe

 

#:32 [dragdiag.exe]

FilePath : C:\Program Files\Alcatel\SpeedTouch USB\

ProcessID : 1624

ThreadCreationTime : 2006-10-23 1:53:08 PM

BasePriority : Normal

FileVersion : 200.7.0.0

ProductVersion : 200.7.0.0

ProductName : SpeedTouch USB

CompanyName : THOMSON multimedia

FileDescription : SpeedTouch Statistics

LegalCopyright : Copyright© THOMSON multimedia 1999-2002

 

#:33 [taskbaricon.exe]

FilePath : C:\Program Files\Wanadoo\

ProcessID : 1596

ThreadCreationTime : 2006-10-23 1:53:10 PM

BasePriority : Normal

FileVersion : 5.5 (1)

ProductVersion : 5.5 (1)

ProductName : Kit de Connexion et de Services

CompanyName : France Télécom R&D

FileDescription : Gestion de l'icône de la barre des tâches

InternalName : TaskBarIcon

LegalCopyright : Copyright © France Télécom R&D 1999 - 2002

OriginalFilename : TaskBarIcon.exe

 

#:34 [internat.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1676

ThreadCreationTime : 2006-10-23 1:53:11 PM

BasePriority : Normal

FileVersion : 5.00.2920.0000

ProductVersion : 5.00.2920.0000

ProductName : System operacyjny Microsoft® Windows ® 2000

CompanyName : Microsoft Corporation

FileDescription : Aplikacja wskaźnika języka klawiatury

InternalName : INTERNAT

LegalCopyright : Copyright © Microsoft Corp. 1994-1999

OriginalFilename : INTERNAT.EXE

 

#:35 [msoffice.exe]

FilePath : C:\Program Files\Microsoft Office\Office\

ProcessID : 1736

ThreadCreationTime : 2006-10-23 1:53:17 PM

BasePriority : Normal

FileVersion : 8.0.3512

ProductVersion : 8.0.3512

ProductName : Microsoft Office

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office Shortcut Bar

InternalName : MSOFFICE

LegalCopyright : Copyright © Microsoft Corp. 1990-1996.

OriginalFilename : MSOFFICE.EXE

 

#:36 [osa.exe]

FilePath : C:\Program Files\Microsoft Office\Office\

ProcessID : 1648

ThreadCreationTime : 2006-10-23 1:53:21 PM

BasePriority : Normal

 

 

#:37 [nscsrvce.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\Security Console\

ProcessID : 1444

ThreadCreationTime : 2006-10-23 1:56:38 PM

BasePriority : Normal

FileVersion : 2006.1.6.2

ProductVersion : 2006.1.6

ProductName : Norton Security Console

CompanyName : Symantec Corporation

FileDescription : Norton Security Console Norton Protection Center Service

InternalName : NSCService

LegalCopyright : Norton Security Console 2006 for Windows 2000/XP Copyright © 2005 Symantec Corporation. All rights reserved.

OriginalFilename : NSCSrvce.exe

 

#:38 [espacewanadoo.exe]

FilePath : C:\Program Files\Wanadoo\

ProcessID : 1852

ThreadCreationTime : 2006-10-23 1:59:16 PM

BasePriority : Normal

FileVersion : 5.5 (212)

ProductVersion : 5.5(212)

ProductName : Kit de connexion

CompanyName : France Télécom R&D

FileDescription : Espace Client

InternalName : EspaceClient

LegalCopyright : Copyright © France Télécom R&D 1999, 2000, 2001, 2002

OriginalFilename : EspaceClient.exe

 

#:39 [comcomp.exe]

FilePath : C:\Program Files\Wanadoo\

ProcessID : 1844

ThreadCreationTime : 2006-10-23 1:59:18 PM

BasePriority : Normal

FileVersion : 5.5 (257)

ProductVersion : 5.5 (257)

ProductName : Kit de Connexion et de Services

CompanyName : France Télécom R&D

FileDescription : Module de communication

InternalName : ComComp

LegalCopyright : Copyright © France Télécom R&D 1999- 2002

OriginalFilename : ComComp.exe

 

#:40 [watch.exe]

FilePath : C:\Program Files\Wanadoo\

ProcessID : 1976

ThreadCreationTime : 2006-10-23 1:59:25 PM

BasePriority : Normal

FileVersion : 5.5 (65)

ProductVersion : 5.5 (65)

ProductName : Kit de Connexion et de Services

CompanyName : France Télécom R&D

FileDescription : Surveillance des modifications

InternalName : Watch

LegalCopyright : Copyright © France Télécom R&D 1999-2002

OriginalFilename : Watch.exe

 

#:41 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 1816

ThreadCreationTime : 2006-10-23 2:17:31 PM

BasePriority : Normal

 

 

#:42 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 1640

ThreadCreationTime : 2006-10-23 2:37:58 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

 

Deep scanning and examining files (F:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for F:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

 

Scanning Hosts file......

Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 11

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 11

 

4:51:12 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:12:13.875

Objects scanned:75078

Objects identified:1

Objects ignored:1

New critical objects:0


You have a suspicious file I'd like to examine further to determine what it is and the best way to remove it.

 

Go here to upload the file as an attachment

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from soul at LS ),

fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

 

File to attach for upload:

 

C:\WINNT\lsass.exe (note: do not confuse this one with the legit lsass.exe, which is located in a different folder (system32). The one I suspect is located directly in the C:\WINNT directory.)

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to register to start a topic or upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there and will reply to you back here with analysis results.


thank you very much indeed, Calamity Jane -

i tried to upload that file you asked for, but i'm afraid it isn't the one you're interested in: there's no lsass in sight when i check the WINNT folder (except if i look inside other folders: there's "lsass.exe" in that "RollUpPackUninstall" folder, and LSASS.exe in the system32 folder). i see [below] that it's still in the HijackThis log, so i reckon it's hiding from me when i search for it? if there's something i can do to coax it into view so that i can upload it for you, i'll gladly and gratefully try again ...

 

meanwhile, another friend decided to try to help me out here; he uninstalled all the Norton stuff, installed AVast instead; and also downloaded a different SmitFraudFix and ran that in safe mode. i can't find a log for what SmitFraudFix did, but here are my latest HijackThis logs, and the logs that Avast generated last night and this morning (it's in Polish, sorry! but i've translated what i hope are the significant bits).

 

the computer seems to be running okay for a while after i start it, but keeps getting painfully slow; i *am* able to get/stay on line, but every time i do Avast reports/quarantines four trojans in a row.

 

many thanks for all your help and advice ...

 

~~~~~~~~~~~~~~~~~~~

 

Logfile of HijackThis v1.99.1

Scan saved at 9:43:47 AM, on 2006-10-24

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\csrss.exe

C:\WINNT\lsass.exe

c:\winnt\system32\microsoft\user\FireDaemon.EXE

c:\winnt\system32\microsoft\user\dll39.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\system32\sistray.EXE

C:\WINNT\system32\khooker.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Wanadoo\taskbaricon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\unzipped\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\system32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\system32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160640790354

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160657231421

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O17 - HKLM\System\CS2\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe

O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Avast logs:

 

* Raport avast!

* Ten plik jest generowany automatycznie

*

* Użyto zadania 'Osłona rezydentna'

* Uruchomiono 23 październik 2006 19:09:14 = october 23rd 2006 19:09:14

* VPS: 0639-1, 2006-09-25

*

 

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\T3P5FGN6\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

*

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

next report:

 

* Raport avast!

* Ten plik jest generowany automatycznie

*

* Użyto zadania 'Osłona rezydentna'

* Uruchomiono 23 październik 2006 21:46:44 = october 23rd 21:46:44

* VPS: 0643-1, 2006-10-23

*

 

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4E9PT612\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\T3P5FGN6\adult1[1].exe [L] Win32:Dialer-gen13 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

 

~~~~~~~~~~~~~~~~~~~~~~~~~~

this morning:

 

* Raport avast!

* Ten plik jest generowany automatycznie

*

* Użyto zadania 'Osłona rezydentna'

* Uruchomiono 24 październik 2006 07:14:52 = october 24th 07:14:52

* VPS: 0643-1, 2006-10-23

*

 

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LVQCP2IY\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LVQCP2IY\adult1[1].exe [L] Win32:Dialer-gen13 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)

Plik został przeniesiony do kwarantanny z powodzeniem... = the file was successfully quarantined

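A quick way to read the three avast! reports above together, as an added example that is not avast! tooling or anything posted in the thread: parse each report header and detection line, group the detections by file name, and list the names that come back in more than one report. A file that is quarantined and then appears again in the next report is being re-created or re-downloaded by something still active on the machine, which is what the "four trojans in a row every time I go online" description amounts to. The regexes assume the avast! 4 resident-shield report layout shown above; the sample lines are copied from those reports.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# avast! 4 resident-shield reports (assumed layout, as seen in the posted reports):
# a report starts with '* Uruchomiono <day month year hh:mm:ss>' and lists one
# detection per line as '<path> [L] <signature> [Trj] (0)'.
REPORT_START = re.compile(r"^\* Uruchomiono (?P<when>\d{1,2} \S+ \d{4} \d{2}:\d{2}:\d{2})")
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[L\] (?P<sig>\S+) \[Trj\]")


def parse_avast_reports(text):
    """Yield (report timestamp, path, signature) for every detection line.

    The Polish quarantine confirmation lines name no file and are skipped,
    as are the '*' comment lines of each report header.
    """
    current = None
    for line in text.splitlines():
        m = REPORT_START.match(line.strip())
        if m:
            current = m.group("when")
            continue
        d = DETECTION.match(line.strip())
        if d and current is not None:
            yield current, d.group("path"), d.group("sig")


def recurring_detections(text):
    """Group detections by file name; keep the names seen in more than one report.

    Grouping by name rather than full path matters for browser-cache drops:
    the same Browser[1].exe lands in a fresh Content.IE5 subfolder each time.
    A name that keeps returning after quarantine means something still on the
    machine is re-creating or re-downloading it.
    """
    by_name = defaultdict(lambda: {"reports": [], "paths": [], "signatures": []})
    for when, path, sig in parse_avast_reports(text):
        entry = by_name[PureWindowsPath(path).name.lower()]
        for key, value in (("reports", when), ("paths", path), ("signatures", sig)):
            if value not in entry[key]:
                entry[key].append(value)
    return {name: e for name, e in by_name.items() if len(e["reports"]) > 1}


# Constructed sample: header and detection lines copied from the three reports above.
SAMPLE_REPORTS = r"""* Raport avast!
* Uruchomiono 23 październik 2006 19:09:14 = october 23rd 2006 19:09:14
c:\winnt\system32\microsoft\user\dll32.exe [L] Win32:Iroffer-011 [Trj] (0)
Plik został przeniesiony do kwarantanny z powodzeniem...
C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\T3P5FGN6\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)
C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)
* Uruchomiono 23 październik 2006 21:46:44 = october 23rd 21:46:44
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4E9PT612\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)
C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\T3P5FGN6\adult1[1].exe [L] Win32:Dialer-gen13 [Trj] (0)
C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)
* Uruchomiono 24 październik 2006 07:14:52 = october 24th 07:14:52
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LVQCP2IY\Browser[1].exe [L] Win32:Dialer-BZ [Trj] (0)
C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\LVQCP2IY\adult1[1].exe [L] Win32:Dialer-gen13 [Trj] (0)
C:\j1ho6.exe [L] Win32:Dialer-BZ [Trj] (0)
C:\wen6j4d5.exe [L] Win32:Dialer-gen13 [Trj] (0)
"""

if __name__ == "__main__":
    for name, entry in recurring_detections(SAMPLE_REPORTS).items():
        print(f"{name}: seen in {len(entry['reports'])} reports, {len(entry['paths'])} distinct paths")
```

On the reports above this lists the two dialers in the root of C:, the cached Browser[1].exe and adult1[1].exe, and leaves out dll32.exe, which was quarantined once and did not return; the recurring set is the list of files worth tying back to whatever process is still running (the HijackThis log is the place to look for that).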

No problem. The file you uploaded was the legitimate one and the bogus file must be hiding.

 

You now have another that is also probably hiding. I have a tool we can use to kill it though. Hold on while I write up the fix. It must be a new worm because Avast isn't detecting it either.

 

I'll be right back. :)


Please download the Killbox by Option^Explicit.

http://www.downloads.subratam.org/KillBox.zip

 

Unzip/Extract the contents to your desktop

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

1. Open Killbox by clicking on Killbox.exe

 

2. Select *Delete on Reboot* in the first column

 


 

3. Press the *All Files* button IMPORTANT STEP!

 


 

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

 

C:\WINNT\csrss.exe

C:\WINNT\lsass.exe

 

5. In Killbox, select the "File" tab at the top

 

6. Choose "Paste from Clipboard" in the drop down menu

 


 

7. Press the red button with the white x in it.

 

8. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually

 

 

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

C:\!KillBox

 

9. Navigate to the Killbox backup folder:

C:\!KillBox

 

a. Right-click folder !KillBox

 

b. Point to Send To

 

c. Then click Compressed (zipped) Folder

 

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

C:\!KillBox.zip

 

10. Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?topic=2882.0

(That's the topic you started earlier - just post a reply)

fill in a short message & then press the browse button and then navigate to & select these files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press the *Post* button to upload the files

 

Files to upload:

 

C:\!KillBox.zip

 

You DO NOT need to be a member to upload, anybody can upload the files.

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them.

...........................

Then please come back here and post a fresh HijackThis log - there will be some remaining entries to take care of but the files should be deleted and cannot run.


thank you very very much, Calamity Jane - i will get right on it and report back as soon as i can.

 

in the meantime i located another lsass in my WINNT folder - i've uploaded that to the Spykiller thread in case it's of any interest.

 

also in the meantime, i've downloaded a bunch of security tools that i was going to run today:

~ Avast in an English-language version (the Polish one was reporting itself as infected, which didn't sound promising to me; the new one is installed and running);

~ the free Zone Alarm firewall (also installed and running);

~ the free version of AVG Anti-Spyware 7.5 (likewise);

~ Spybot (installed but not yet run)

~ Stinger (ditto)

~ CW Shredder (ditto)

~ VX2finder (ditto)

 

if any of those are tools i don't need or should replace with something better, i'd be very very grateful to know that - i do want to be secure, of course, but i don't want to clutter up my poor benighted little system with stuff that isn't really going to help.

 

i truly appreciate your taking an interest and all your great help. thank you.


well, i tried! i'm not sure what happened or what to do next -

these steps didn't work quite as described:

 

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

C:\WINNT\csrss.exe

C:\WINNT\lsass.exe

5. In Killbox, select the "File" tab at the top

6. Choose "Paste from Clipboard" in the drop down menu

 

doing this left the file-name space blank; i wound up pasting in each file name separately (separated by a comma) using Control+C then Control+V; then i clicked the wrong red button with the white X (i went first for the one in the upper left-hand corner); then i clicked the *right* red button with the white X and chose "yes". after a moment it told me this:

 

PendingFileRenameOperations Registry Data has been Removed by External Process!

 

the only possible response to that was "OK" (well, after staring at it dumbfounded for a while!) - is that normal, okay, expected, etc??

the computer didn't reboot automatically - i'm about to do it manually, but felt i'd better let you know what's going on before i do that. here goes nothing! :]

b. Point to Send To

c. Then click Compressed (zipped) Folder

 

thank you so much, Calamity Jane - i survived the reboot and hope i've managed to upload that file properly over on the Spykiller thread. (the steps described above didn't work for me - in case it's useful for finetuning the instructions for literal-minded know-nothings like me: when i pointed to "send to" i wasn't offered the option you mention; instead i chose "winzip" and the "add to !Killbox.zip" option. i hope it worked!)

 

is it okay for me to delete that !Killbox.zip file now, or ... ?

 

i've just run HijackThis and here's the log - oh and i ought to mention that before i ran Killbox i did a "thorough" scan with Avast in safe mode; it incarcerated 7 items, but i don't know where to find the log of that.

 

Logfile of HijackThis v1.99.1

Scan saved at 5:07:45 PM, on 2006-10-25

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\winnt\system32\microsoft\user\FireDaemon.EXE

c:\winnt\system32\microsoft\user\dll39.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\sistray.EXE

C:\WINNT\system32\khooker.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Wanadoo\taskbaricon.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\unzipped\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/members/login.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\system32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\system32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O15 - Trusted Zone: www.iorr.org

O15 - Trusted Zone: http://www.rollingstones.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160640790354

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160657231421

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


... and now i've run the gizmos i listed above, all in safe mode: Avast found 7 nasties (i don't know how to locate the log, though); Stinger found nothing; the AVG/ewido program found 20 infected objects (it listed problems like Trojan.Dialer.qy, Trojan.Zapchast.au, Trojan.Zapchast, Backdoor.Sd.Bot.atz and .aad, Worm.Randon.am, Trojan.NoShare.K and Backdoor.Zapchat); Spybot fixed one problem (Alexa-related); Ad-Aware found 7 negligibles; CWShredder found nothing; and VX2Finder ... hm, its report was rather cryptic but since no file names were listed i guess that's good.

 

my HijackThis log now looks like this:

 

Logfile of HijackThis v1.99.1

Scan saved at 7:56:37 PM, on 2006-10-25

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\winnt\system32\microsoft\user\FireDaemon.EXE

c:\winnt\system32\microsoft\user\dll39.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINNT\system32\sistray.EXE

C:\WINNT\system32\khooker.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Wanadoo\taskbaricon.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\unzipped\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/members/login.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\system32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\system32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O15 - Trusted Zone: www.iorr.org

O15 - Trusted Zone: http://www.rollingstones.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160640790354

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160657231421

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Us3uga administracyjna Mened?era dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)

O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


The files you uploaded are ok - and killbox didn't capture anything - just the log.

 

However, something you ran got the two baddies I was looking for and I suspect they were a trojan (SDbot perhaps). But they seem to be gone now.

 

Here is the difference.

 

These are (were) the "bad" guys:

 

C:\WINNT\csrss.exe <---bad

C:\WINNT\lsass.exe <-- bad

 

See how they are located directly in the WINNT directory?

 

The legitimate windows files of the same name are located in the proper location which is in the System32 folder (and NOT directly in the WINNT directory).

 

C:\WINNT\system32\lsass.exe <---ok

C:\WINNT\system32\csrss.exe <---ok

 

And internat.exe was ok - that is the legitimate one.

 

There are some remaining registry entries showing in the HijackThis log that were left behind.

 

Click Start > Run and type in Services.msc

Click OK

In the Services box, click the Extended tab.

Scroll down to:

 

LSA Shel (note that it is spelled with only one L in the word "Shel")

 

Right click on it and select *Properties*

Click Stop to stop the service, then change the Startup Type to: Disabled

Click Apply.

 

Next

Scroll down to:

Generic Host Process for Win32 Service

 

Right click on it and select Properties

Click Stop to stop the service, then change the Startup Type to: Disabled

Click Apply, then click OK.

 

Then close out of that

 

Open HijackThis and do a *system scan only*

 

When it finishes, checkmark the following entries and then press the *fix checked* button

 

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)

 

O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)

 

The tools you downloaded and ran are ok, except Vx2finder is a very old, obsolete tool no longer in use. You can get rid of it.

 

Next question: Did you install FireDaemon?

 

That is a legitimate program but it can also be installed and used by a remote attacker, so that is why I'm asking.

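The path check Calamity Jane applies above (a core Windows process name is legitimate in System32 and suspect anywhere else, and an O23 service whose binary is gone is a leftover to clean up) is easy to automate over a HijackThis log. The script below is an added example, not from the thread or from HijackThis; the log lines it scans are constructed to mirror the Windows 2000 format used here, and the process allow-list is an assumption for a 32-bit system (64-bit hosts also hold legitimate copies of some of these names under SysWOW64 and WinSxS).

```python
"""Added example: flag HijackThis-style log lines where a core Windows
process name runs from outside %SystemRoot%\\system32, and O23 service
entries whose binary no longer exists on disk."""
import re

# Core process names that, on a 32-bit Windows 2000/XP host, live only in
# system32.  Assumption for this example; widen it on 64-bit hosts.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Constructed sample log, modelled on the thread's WINNT-based log format.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\lsass.exe
C:\\WINNT\\lsass.exe
C:\\WINNT\\system32\\svchost.exe
C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\\WINNT\\lsass.exe (file missing)
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\\WINNT\\csrss.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
"""

# name - owner - path, with an optional "(file missing)" tail.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")

# A bare drive-letter path, as printed in the "Running processes:" section.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


def is_masquerading(path):
    """True when a core process name sits anywhere other than system32."""
    norm = path.replace("/", "\\").lower()
    directory, _, name = norm.rpartition("\\")
    if name not in CORE_PROCESSES:
        return False
    return not directory.endswith("\\system32")


def analyse(log_text):
    """Return (kind, label, path) findings for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("missing"):
                # Service definition survives but its binary is gone:
                # the registry leftover the thread removes via services.msc.
                findings.append(("orphan-service", m.group("name"), path))
            if is_masquerading(path):
                findings.append(("masquerade-service", m.group("name"), path))
        elif PROCESS_RE.match(line) and is_masquerading(line):
            findings.append(("masquerade-process", line.rpartition("\\")[2], line))
    return findings


if __name__ == "__main__":
    for kind, label, path in analyse(SAMPLE_LOG):
        print(f"{kind:20} {label:45} {path}")
```

Treat the "(file missing)" flag as a lead rather than a verdict: the avast! lines in the log posted below carry it too, because the image path contains quotes and a /service argument, and the helper still judged that log clean. The path test is the stronger signal; a core name outside system32 is the same tell the helper reads off the log by eye.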

thank you so much, Calamity Jane!

 

sorry those files i uploaded weren't what you were seeking, but i'm very glad to know that internat.exe is legitimate, especially since it's been on my computer right from the get-go.

 

i followed your instructions above - thank you! - but when i got to having HijackThis fix those two O23s, i didn't find them in the list. i ran the free a-squared download while i was waiting for further input, so maybe that wiped them out? (i also had HJT fix those extra IE "main pages" that i never asked for.)

 

as for FireDaemon: i've asked the guy who installed windows 2000 for me whether he installed that, but he hasn't replied yet. i'll nudge him again.

 

all kinds of blessings on you for your wonderful and patient help, Calamity Jane! and here's my current HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:19:21 PM, on 2006-10-25

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\winnt\system32\microsoft\user\FireDaemon.EXE

c:\winnt\system32\microsoft\user\dll39.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINNT\system32\sistray.EXE

C:\WINNT\system32\khooker.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\unzipped\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/members/login.php

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [siS Tray] C:\WINNT\system32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\system32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O15 - Trusted Zone: www.iorr.org

O15 - Trusted Zone: http://www.rollingstones.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160640790354

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160657231421

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


Good! Your hijackThis log looks fine now. Something else may have taken out the remaining items in the registry we were seeing.

 

Here is the information about FireDaemon and how to remove it if it was not installed on purpose.

firedaemon.exe: System Cleanup After Trojan/Worm Compromise

http://forums.firedaemon.com/viewtopic.php?t=18

 

FireDaemon itself is not harmful but should be removed if it was installed via a trojan infection.
