A nasty virus, Trojan or worm

Discussion in 'malware problems & news' started by jerryk, Jul 17, 2003.

Thread Status:
Not open for further replies.
  1. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske, Dan et al:
    I think I found a way to get it in a roundabout way.
    Here it is; by going to search I may have found it. By the way, Ctrl+S does not work.
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Jerry Keser@LACEY-KESER, 07-22-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookieWall
    C:\Program Files\CookieWall\cookie.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gadwin PrintScreen
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla Quick Launch
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\System32\dcsws2.dll
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINNT\System32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINNT\System32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}\
    regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINNT\System32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINNT\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINNT\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINNT\system32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k wugroup
    Thanks in advance.
    jerryk
     
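One way to triage an Autostart Viewer report like the one pasted above, as an added example that is not from the thread or from DiamondCS: a Python script that groups each registry location with the command lines under it and flags three things a defender would check first: script-file handlers (vbsfile, jsfile, ...) not pointing at the System32 WScript.exe, core system binaries such as lsass.exe loading from outside the system root, and Run/RunOnce entries with unqualified paths that get resolved by search order. The sample input, the allow-lists and the check rules are assumptions of the example, not findings about jerryk's machine.

```python
import re

# Assumptions (not from the thread): each HK* line names an autostart location
# and the lines after it are its commands; system root is C:\WINNT as pasted.
SYSTEM_ROOT = "c:\\winnt\\"
SCRIPT_HANDLERS = {"vbsfile", "vbefile", "jsfile", "jsefile", "wshfile", "wsffile"}
CORE_BINARIES = {"lsass.exe", "services.exe", "svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe"}

# Constructed sample: first two entries echo the thread's report, the last two are invented.
SAMPLE = r"""DiamondCS Autostart Viewer - Report (constructed sample)
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKCR\jsfile\shell\open\command\
C:\Temp\not-wscript.exe "%1" %*
HKLM\System\CurrentControlSet\Services\SamSs\
C:\Documents and Settings\All Users\lsass.exe
"""

def parse_report(text):
    """Group each registry location line with the command lines that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS"):
            continue                      # blank line or report header
        if line.upper().startswith("HK"):
            entries.append((line, []))    # new autostart location
        elif entries:
            entries[-1][1].append(line)   # command belonging to the last location
    return entries

def exe_of(command):
    """Return (lower-cased path, basename) of the program a command line launches."""
    cmd = command.strip()
    cmd = cmd[4:] if cmd.startswith("\\??\\") else cmd   # driver image paths carry \??\
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:                                          # unquoted paths may contain spaces
        m = re.match(r"(.*?\.(?:exe|dll|sys|ocx|com|scr))(?:\s|$)", cmd, re.I)
        path = m.group(1) if m else cmd.split(" ", 1)[0]
    name = path.rsplit("\\", 1)[-1].lower()
    if "." not in name:
        name += ".exe"                             # report shows e.g. "svchost -k rpcss"
    return path.lower(), name

def triage(entries):
    """Return (reason, location, command) tuples that deserve a second look."""
    findings = []
    for location, commands in entries:
        loc = location.lower()
        handler = re.match(r"hkcr\\(\w+)\\shell\\open\\command", loc)
        for command in commands:
            path, name = exe_of(command)
            if handler and handler.group(1) in SCRIPT_HANDLERS and not path.endswith("\\system32\\wscript.exe"):
                findings.append(("script handler not WScript.exe", location, command))
            if name in CORE_BINARIES and not path.startswith(SYSTEM_ROOT):
                findings.append(("core binary outside system root", location, command))
            if "\\currentversion\\run" in loc and "\\" not in path:
                findings.append(("unqualified path, resolved by search order", location, command))
    return findings
```

Running `triage(parse_report(SAMPLE))` reports the mobsync.exe entry, the invented jsfile handler and the invented lsass.exe path, and nothing else; a clean report from a well-entrenched kernel-level trojan may still show nothing, which is the caveat Dan raises below.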
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry,

    Well done on getting the full output (given that your system is so crippled by this mystery beast). You get a karma cookie for that.

    JerryK Gobbling Cookies ->

    The output of the program seems clean, but if it is a well-entrenched trojan it would not show there. After exchanging notes with Jooske, we feel that you should

    1. try an online virus scan such as from here

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    2. uninstall whatever you installed at the time this started occurring (I believe you mentioned SpywareGuard?). SG is definitely a legitimate program but it would not be entirely unheard of if an install went bad, particularly if there was some instability to begin with.

    Naturally, given the present state of your machine these steps may not be possible, but see if you can give them a shot since if these fail and you cannot do a scan of your machine or your hard-drive from another machine things are getting pretty much to the point of a reinstall. Still either or both of the above steps may save you from that ordeal.

    Please let us know...

    Thx

    Dan
     
  3. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Dan et al:
    It will not let me do a Panda scan, it's protecting itself. I did uninstall SpywareGuard after I discovered it had the something. The program moved to the WINNT folder. I deactivated networking in the activaties folder and it said it has moved elsewhere in my Ask Jeeves program. I wish I knew where it went! I wish I knew its name.
    jerryk
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Can you please explain a bit more about "it moving". What was giving you these indications and how did it indicate it?

    Also, what happened when you tried the ActiveScan? Did it just do nothing or did it come up with an error, if the latter, what was the error?

    Thx

    Dan
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you temporarily close the TH Guard, will the online scan succeed then?

    Which ZoneAlarm version do you run this moment?
    Maybe you should temporarily allow Java and banners and popups and ActiveX and cookies on that site (temporarily).
    I scan there myself and today I had a few times I didn't succeed, maybe the server was busy, in maintenance or other reasons, as I got a few times that the URL would be wrong. But since a few tries no problem at all.
    You might like to use the IE browser, and in ZAPro allow the whole lot and even add the site to the trusted zone temporarily.
    Panda asks you to allow ActiveX, and to install updated databases on your system, both to allow, and you will see with that the scanning process.
    Not sure if you configure automated cleansing (I would check every option there is) or prefer report only to cleanse the finds afterwards. Then choose a scan of your whole system.
    I hope it is possible to save and copy the results log here.
     
  6. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske, Dan et al:
    I have ZoneAlarm Pro. The whatever will not let me press the scan button in Panda, with no results. It is very slow otherwise. I can't register in Panda at all. It will not do a scan. Since I lost Program Files and delete programs I'm afraid I will have to delete everything and reinstall everything. I'm sorry I got you into a mess. I don't have the registry entries in Gruel E and F. The thing I do have in the registry is "%01"%" PIFFILE Registry and 01 00 00 00, whatever that means?
    jerryk
     
  7. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske, Dan et al:
    I disabled Net Logon as Black Viper http://www.blackviper.com/index.html says I could. I still need the commands to uninstall everything and get rid of this thing. It's becoming a pain. My printer is not working so I have to copy things by hand. I know it was SpywareGuard because there were three logfiles or DLLs that I could not erase, but later I did and the computer acted funny. I don't remember the forum where I saw the lead to SpywareGuard.
    jerryk
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry,

    Let's try to eliminate the possibility that you had a bad install and worse uninstall of SpywareGuard.

    Please re-download it from here

    http://www.spywareinfoforum.com/downloads/swguard/spywareguardsetup.exe

    Before setting it up, close out of all other apps, including those in the systray, and then install SG. Once you do and are in the program, go to "options". If all three items are already selected, unselect all of them and close out of the interface. Then go to Add/Remove Programs and uninstall from there.

    After a reboot retry the Panda link and see if it can run the scan (as Jooske mentioned you may need to try a few different times).

    Thanks,

    Dan
     
  9. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske, Dan et al:
    I don't trust the alternative site message I'm getting. It might be the virus or whatever. I will try later. I hope he fixes his site. It might be a bad install or uninstall, but the three undeletable DLL files might give a clue.
    jerryk
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Can you please email me a copy of those three dlls?

    Send it to my account at danperez@operamail.com

    Thanks

    As to the message, both of the redirects lead to Wilders servers so there should be no issue.
     
  11. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Dan et al:
    Spywareguard will not run anymore for me. I get a runtime error and I use add/remove because I can't see it, it is blank. I no longer have the three files. I erased the program. I did have a hard time erasing those files. I never thought to save them. Sorry.
    jerryk
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry,

    Well, there is a possibility that you have a well-entrenched trojan or virus but I am far more inclined to believe that the issue is due to some instability (perhaps from a bad install and removal of SG). I definitely cannot rule out a trojan or virus but, like I said, I feel it far less likely. One other thing you might try is to redownload and apply SP3 for Win2K and then reinstall IE6, as a lot of times the refresh of the files plus the re-establishment of these reg settings will fix instability issues. If this doesn't work you might want to have a tech look at your system as it is FAR, FAR easier to troubleshoot something like this directly rather than through a forum environment.

    Given that there is even a "slight" chance of a well-entrenched malware there is the reload possibility to consider, but I don't know how much of an issue this would be for you and it is partly for this reason I recommend a tech actually look at the machine. But the judgement call is yours to make. If you DO decide on a reload, plan it carefully and make sure beforehand you have all of the info and data you will need before you actually wipe the system.

    Please let me know if you have any questions regarding this.

    Thanks,

    Dan
     
  13. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Dan et al:
    This may be my very last message. Thanks for the help. I have a restore file with some viri on it and I had trouble with my phone then. I hope I have enough information on the phone system to be of help. I wrote the system administrator but got no reply. I think Spybot will take care of the spystuff. I still think it is a virus because of the size of my lsass.exe file. If I can't get on the internet it might be a blessing, the way it has become.
    jerryk
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Jerryk, I'm sure you find better solutions.
    Restore file from what? You are not running XP so I wonder ..?
    A tech around might be a very good solution; you said the system admin, is this a computer in a network or stand alone (you wrote the other time something about closing the network, which I think is wise with a possibly infected system)
    I think once you get your system clean, better protected, stable again you will soon enjoy the internet again.
    Everybody can go through difficult issues, it's not only you! And somehow we all get through it.
    In these forums we can learn from each other's experiences and tips. I'm sure you get it solved, but do get a tech like Dan advised.
    Wonder if you can get the original lsass.exe file from the install CD-ROM or elsewhere?
    Fingers crossed!


    Edited:
    Found this nice page with explanations of the files in the startup
    http://camica.netfirms.com/services.htm
    And I wonder if this item Q308421 from the MS knowledgebase works for you as well to regain ownership over folders again?
    http://support.microsoft.com/?kbid=308421
    Worth a try before formatting!
    (hard typing with fingers crossed on both hands now)
     
  15. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske and Dan et al:
    Thank you for your help. I was off the internet for a while. I did a backup restore and had a tech look at my machine. What surprised me is that the restore kept all my installed files. There may be a conflict with ZoneAlarm Pro, or that is what the tech said. I am at least back on the internet, for what it's worth.
    JerryK
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry!

    It's good to hear from you again! So, after the restore and the tech visit you have lost all those annoying issues? That's great!

    We look forward to your continued participation on the board!

    Warm Regards,

    Dan
     
  17. Hey Jerry,
    What I see is that your computer has been inadvertently infected and it has disabled some of your computer's functions. I recently had to deal with an xxx toolbar and the constant pop-ups would freeze up my computer. You should download SpyHunter from the website

    http://www.spywareremove.com/index2.htm

    Adaware and Spybot couldn't even begin to remove my viruses. I'm pretty sure that it will remove lsass.exe.240. Hope I was of any help!
     
  18. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    If it was spyware it would have shown itself in HijackThis, which was otherwise clean.
     
  19. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    That's because they are not antivirus programs ;)
     
  20. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Everybody:
    I tried SpyHunter, but I must have had a copy of it before the stroke because it (the computer) said I had a newer copy of some file. It gives a runtime error and it will not work. I will try again later and say no instead. Sorry about that.
    jerryk
     
  21. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Everybody:
    I restarted the computer but I got a runtime error again saying I'm out of string space and SpyHunter will not run. The file is in WINNT and is called mscomctl.ocx, I think. It might catch the culprit if it was able to work.
    jerryk
     