A nasty virus, Trojan or worm

Discussion in 'malware problems & news' started by jerryk, Jul 17, 2003.

Thread Status:
Not open for further replies.
  1. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    I have a nasty something in my computer, I think? It will not allow me to use safe mode or task manager on Windows 2000 Pro. It changes the Norton and other updates. It does not allow them to be installed. I think I got it from trying to download spywareguard. I think it (the virus or something) is called lsass.exe.240. My search does not allow this file name. I have no idea where it installed itself? How do I get rid of it? Here is my HijackThis log. I hope I can still see your answers as it will not allow me to see the cexx group. I also notice that it adds the files help group to my page. So I see a bunch of background color stuff as well as your files or posts.

    Logfile of HijackThis v1.95.0 If it did not change it.
    Scan saved at 8:30:12 AM, on 7/17/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\CookieWall\cookie.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\webwasher2\wwasher.exe
    C:\Program Files\JGsoft\EditPadLite\EditPad.exe
    C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.laceycomputer.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.5\THGuard.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37762.2887731481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    StartupList report, 7/17/2003, 8:27:41 AM
    StartupList version: 1.52
    Started from : C:\Program Files\HiJack This\HijackThis.EXE
    Detected: Windows 2000 SP3 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\CookieWall\cookie.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\webwasher2\wwasher.exe
    C:\Program Files\JGsoft\EditPadLite\EditPad.exe
    C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\HiJack This\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    CookieWall = C:\Program Files\CookieWall\cookie.exe
    Synchronization Manager = mobsync.exe /logon
    THGuard = "C:\Program Files\TrojanHunter 3.5\THGuard.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Gadwin PrintScreen = C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    Mozilla Quick Launch = "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=(NONE)
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37762.2887731481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 4,409 bytes
    Report generated in 0.320 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    Thank you in advance.

    Jerry
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry,

    The only thing I see wrong with your HijackThis output is the line

    O1 - Hosts: 203.161.127.141 www.dcsresearch.com

    which you should select and fix (while all windows are closed)

    As regards lsass.exe, that is a critical component of NT/2k/XP OSs as it is the main component of the security subsystem.

    There are a couple of things I would do,

    Download and install the trialware version of TDS3, manually download the latest radius3 (definitions update) from their site and set the scan configurations to their max

    Download and install the trialware version of PortExplorer and take a screenshot of all entries on the "Listening" and "Established" tabs but please be sure to edit out of the images any public IP of yours before posting the images here. (A good way of removing text from images is through the freeware IrfanView)

    Both of these items can be downloaded from

    http://www.diamondcs.com.au/

    Irfanview can be had from

    http://www.irfanview.com/

    Thanks,

    Dan

    [late edit] You should also consider doing an online AV scan such as from

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
     
  3. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Hi Dan:
    Whatever will not let me upgrade any new files, it will not accept them. It will not update TDS3, it seems to protect itself. I can't run Norton, since it stops LiveUpdate from working. I think the LSASS.exe.240 was chosen so I can't find where it is located. Any of the process servers give me a repeating set of 5 different names. It will not run a registry clean program without giving me 5 repeating names. I got LSASS.exe.240 from a process server that won't let me delete. I said it was nasty. Thanks for your help.
    Jerry
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey,

    First, I stand corrected on the hosts entry (thanks Pieter!), that is a workaround implemented by the install of the latest TDS to re-enable access to their redirected forum. NO problems with that line :)

    Jerry, do you have another machine on your local net that you can run scans from?
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Are you able to download and run AutoStartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    If you can run this, please go to the MAIN menu and make sure that all three top items are selected and then select SAVE and copy/paste the log here
     
  7. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    "240" sounds like the Process ID. LSASS.EXE in and of itself shouldn't be the problem.

    Perhaps you've installed a program recently that is not "playing nice" with something else. (eg: Norton?)

    :doubt:
     
  8. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Are you running IIS?

    Do any of these servers look familiar?

    telsa5.mine.nu (Korea)
    irc.logicfive.net (Taiwan)
    moncredo.shacknet.nu (USA)
    telsacredo.shacknet.nu (USA)
    lar.ath.cx (Taiwan)

    Is the lsass.exe file under 10kb? (9700kb or so?)

    Check out this thread:

    http://lists.insecure.org/lists/incidents/2002/Sep/0125.html

    and the definition of Backdoor.Queen on Norton's website.
     
  9. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Everybody:
    I think I downloaded TDS3 the right way, what makes me think so is that I also tried Trojan Hunter with the same results. I don't have another computer that is available. I had a stroke and find it hard to get over to one. I use a walker. :( It has also erased or hid my start up folder and I don't have msconfig on my machine and the taskmaster will not allow me to delete anything. I have four copies of lsass.exe and they are 33,552 bytes in c:\WiNT\$Ntuninstall\Q3291145$, c:\WINNTServicePack\irs\i386, and an all caps one in c:\WINNT\System32 and c:\WINNT\system34\dllcache. I'm sorry for the inconvenience to you. I may have to format my c drive and hope it goes away, it might also be a hardware problem.
    jerryk
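    Since the thread turns on whether the several lsass.exe copies are the genuine binary (JimIT's size heuristic, Jerry's list of four copies of 33,552 bytes), here is an added integrity check, not from the thread or any DiamondCS tool: it compares each copy against a reference copy by size and SHA-256. The reference should be a copy you trust (service pack directory or install media, not the System32 copy on a suspect machine); all paths, sizes and file contents below are constructed for the demo.

```python
"""Compare copies of a Windows system binary (e.g. lsass.exe) against a trusted reference.

Added example for this thread; the sample files, sizes and paths are constructed,
not taken from Jerry's machine."""
import hashlib
import os
import tempfile
from typing import Dict, List

UNDERSIZED_BYTES = 10 * 1024  # JimIT's heuristic: a real lsass.exe is not under ~10 KB


def sha256_of_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(reference: str, candidates: List[str]) -> List[Dict]:
    """Return one finding per candidate path.

    status is one of:
      identical  - same SHA-256 as the reference (same bytes, so same size)
      undersized - differs and is below UNDERSIZED_BYTES (classic dropped stub)
      differs    - same-ish size but different bytes (patched/replaced binary)
      missing    - path does not exist
    Size alone is only a hint; the hash is the decision.
    """
    ref_hash = sha256_of_file(reference)
    findings = []
    for path in candidates:
        if not os.path.isfile(path):
            findings.append({"path": path, "status": "missing"})
            continue
        size = os.path.getsize(path)
        digest = sha256_of_file(path)
        if digest == ref_hash:
            status = "identical"
        elif size < UNDERSIZED_BYTES:
            status = "undersized"
        else:
            status = "differs"
        findings.append({"path": path, "status": status,
                         "size": size, "sha256": digest})
    return findings


def demo() -> List[Dict]:
    """Build constructed copies in a temp dir and run the comparison.

    Layout mirrors the four locations Jerry listed plus one missing path,
    but every byte here is made up for the example."""
    good = b"MZ" + b"\x00" * (33552 - 2)          # constructed 33,552-byte "binary"
    tampered = good[:-1] + b"\x01"                 # same size, one byte changed
    stub = b"MZ" + b"\x00" * (9700 - 2)            # constructed 9,700-byte stub
    with tempfile.TemporaryDirectory() as root:
        def put(rel: str, data: bytes) -> str:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            return full

        reference = put("ServicePack/i386/lsass.exe", good)   # trusted copy
        candidates = [
            put("WINNT/$NtUninstall/lsass.exe", good),
            put("WINNT/system32/dllcache/lsass.exe", good),
            put("WINNT/System32/LSASS.EXE", stub),
            put("WINNT/system32/lsass.exe.bak", tampered),
            os.path.join(root, "WINNT/nowhere/lsass.exe"),     # deliberately absent
        ]
        return compare_copies(reference, candidates)


if __name__ == "__main__":
    for finding in demo():
        print(finding["status"].ljust(10), finding["path"])
```

Any copy reported as undersized or differs is what the later posts are looking for; an identical hash across the protected copies means the binary itself is not the thing that was replaced.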
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry,

    Were you able to download and run AutoStartViewer as I asked in one of the previous posts? Jim's find of the backdoor.queen may well be the culprit and if so, the AutoStartViewer may enable us to remove it.

    Thanks,

    Dan
     
  11. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Thank you Dan:
    I will try to try it.
    Jerryk
     
  12. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Dan:
    I downloaded asviewer as directed and placed in WINNT as directed. It seems not to be automatic, I restarted the computer and it did nothing. I then left clicked on c:\WINNT\Systems\WScript.exe "%1"%, which looks fishy. It took me to two choices, more info and regedit. Looking in the registry is very confusing. Do I delete all the Reg-S2 settings? There must be hundreds of them. There are 6 copies of C;|WINNT etc. files. Do I have to delete all of the S2 or SZ settings?
    I am confused as what to do.
    jerryk?
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do not remove anything at all,
    just fire up the autostartviewer by clicking the asviewer.exe
    click main and select all three first options
    save the output
    post as txt here.
    Then wait for further instructions from the guys.

    so now you did come into the registry. just don't do anything there, only post the asviewer output as Dan requested.
     
  14. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske et al:
    I will try to do as requested. It might take me some time. By the way, it was a right click that got me to the registry folders.
    My typing is horrible since the stroke. It is the folders with a lot of subunits. I also think it is REG--SZ (value not set). The registry folders are: DEFAULT (it is no longer showing REG-SZ), folder S-1-5-21-73586283-1682526488-106028498-1000, folder---S-1-5-26-73586283-1682526488-1060284298-CLASSES, folder HKEY-CURRENT-CONFIG. I hope it causes the upper folders to cancel the lower entries. It is a lot of typing. Do I check the boxes, so it will be deleted? This thing keeps changing all the time. I do wish the author bad luck.
    jerryk
     
  15. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    To everybody:
    I now don't think it is backdoor.queen. Norton states that a file called QoSServer.dll and .exe should be present. My search does not find the files. I hope the program does not stop working. I no longer see my startup file other than using the Australian program.
    jerryk
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The technical part i leave all to Dan, who's doing a fine job so to see (all time! see his growing karma cookie mountain and the good works!)

    For the typing: the result is not bad, still very readable (I make more typos a day than you in all your postings till now) but I don't know of course how you get it on screen and with which sacrifices.
    I wonder if you have practised with speech engines and programs which work on dictation and voice recognition/ command?
    I came to that world via TDS which uses the speech technology of the msagents. For gratitude i scripted several funscripts of which one ships with TDS (Innerpeace)
    XP has a lot of speech possibilities, and there are several programs in that area.
    You might like to practise if this is something for you.
    For free install all the stuff from the msagents and speech engines etc at http://www.microsoft.com/msagent
    where on the pages you can test if all is working properly. For that part you need the SAPI4 engines and runtimes, with the other stuff.
    XP works with the SAPI5 engine which is more advanced and can be installed on the same system, but works different and is no update of the sapi4.
    SAPI5 can be installed on every windows version btw, with more or less success.
    If you like it, you might like to get the whole sapi4sdk (the large 40mb thing) which has all the dictation etc in it, but you might like to use the easier sapi5 for that part.
    You can try which serves your needs the best on your win2000 system.
    This part is all free.

    I never used the special commercial programs for this technology which might work even easier, not sure.
    You need in all cases to have the software installed, and a microphone on your system and the system must be able to understand your spoken commands.
    If speaking became a bit problematic after a stroke, this might not be the way to go to get the texts posted, only for enjoyment (as those crazy agents do make me happy in several scripts -- and there is a special program ChipSpeaking to have agents do the talking for those who can't do themselves, etc.)
    Not sure if you've noticed the DCS programs like TDS and Port Explorer: they try to be all users friendly and avoid the need of using the mouse by pressing Alt + an underlined character of the menus so you can glide through the menus as easy as possible or some hotkeys with contr+ some character or number.

    The mobility problems might be a sacrifice, but I applaud you for being here and keeping your system ok and being in contact with the internet community.
    So i'm sure the problems with the infection will be solved soon so internet communication will be a happy experience for you again too!
    First of all continue the cleansing path before you install anything new like the speech and msagents parts etc.!
     
  17. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Everybody:
    Here is my asvier.exe file:
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Jerry Keser@LACEY-KESER, 07-20-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookieWall
    C:\Program Files\CookieWall\cookie.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gadwin PrintScreen
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla Quick Launch
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    jerryk
     
  18. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Everybody:
    Hi. My computer is very slow and it might not let me copy the asversion.exe file.
    Everybody:
    Here is my asvier.exe file:
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Jerry Keser@LACEY-KESER, 07-20-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookieWall
    C:\Program Files\CookieWall\cookie.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gadwin PrintScreen
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla Quick Launch
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    jerryk
     
  19. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jerry,

    It appears that you did not select the three top options of the "Main" menu within asviewer, as requested, before saving the log. Can you please reattempt this and post the expanded log? It is in these "missing" entries that I had hoped to find the item causing the problems.

    Thanks!

    Dan
     
  20. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske and Dan et al:
    I'm sorry but I don't have a sound system on my machine. Here are the first three choices of asviewer main that I could get. Diamondcs installed a window that comes up when I press Ctrl plus A; they want me to download their products. I had to download their
    Port Explorer, it still will not allow me to use Ctrl plus A. I will have to find a way to get rid of it. I'm sorry but diamondcs will not allow me to do it. It takes control of my pointer.
    jerryk
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You do have the Autostartviewer already, Dan only asked you to fire the thing up again with all the options checked, save the output and paste it in the next posting again.
    Why wouldn't all the three options be checkable and not in your posting?
    Just click them from the Main and you'll see a V appear before the checked options. If that mouse doesn't work use the F2, F3, F4 buttons for those three options.

    In the ASViewer, the contr+A only brings up the "About" screen, telling which version you have and three buttons to get to the other products sites and downloads.
    Nowhere is said you are obliged to get them and why would (and where) DCS block that?
    Very confusing story.
    Can you tell step by step what you're doing and from where?
    Port Explorer you should just get the evaluation version and install and look at it.
    If you tried before and your evaluation period has finished you can download and install it but you won't be able to use it anymore unregistered.

    Sorry you have no soundsystem as this could maybe be of good help in your situation.
     
  22. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Hi Dan and Jooske et al:
    Diamondcs or whatever I have is still preventing me from sending the asviewer.exe page. When I go to it it allows me to check the three areas with a checkmark, but I can't e-mail. It highlights a subject but with the Ctrl + A out I can not highlight the page to do a Ctrl+V to email it. I'm afraid I will be blocked from this site soon by the Trojan or whatever I have. So if I don't answer it is because of this and not all the trouble you went through. Thanks again. I had to get a new host file from gorilla which I hope works.
    jerryk
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    how about using the "save" menu option or if you prefer contr+S to save to TXT file?
    you succeeded before as your posting is here above in the thread.
    Normally it would be contr+C to select the whole page and contr+V to paste it in your posting here.
    In ASV contr+A is a hotkey to see the About console.
    So please use the menu options as given in the menu when you open the "main"
     
  24. jerryk

    jerryk Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    22
    Jooske et al:
    Now the whatever blocks my access to my Program Files folder and my WiNNT folder where asviewer.exe is located. I may have to reformat my drives and will not be able to connect here. I've forgotten what the commands are, I'm sure that it's not in the help file. Thanks for your help. The pointer works in this program, so that I can use the pointer to select everything.
    jerryk
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you able to do an online virus scan, for instance at www.pandasoftware.com
    click the free scan and allow it to upload fresh databases and have the scan done.

    The other thing that worried me: you said in your first message it all started with the spywareguard you installed. Did you have that thing automatically immunise your system or block the registry or such a thing which could be deselected?
    If nothing can be selected or settings changed in that one you might like to uninstall it and see if things go better then.

    I'm sure Dan is still very much interested in your autostartviewer log
    start ASV with just clicking asview.exe, click main
    check the first three options
    it will display what there is
    click save and remember that name, it is a TXT file,
    which you might like to save on your desktop , open that file, select all (right click with the mouse on it, select all, click copy or contr+C, open a reply here in the forum and click paste or contr+V and click the send button,
    do it now as quick as you can as Dan is waiting for your file to be able to advice you further.

    Did you use any other system protection tools like hta stop or any other?

    More questions:
    How did you come to Lsass.exe.240?
    why do you think of the install with the spywareguard?
    did you get any error messages for any of those?
    How long are you running TH Guard, recently or long time without problems?
    Did you close the TH Guard during the install of other software?
    Did you try to close it now and get it from the autostart reboot and see how all is behaving then?
    If nothing changes uninstall spywareguard, reboot and see how it is doing then.
    With that situation i'm sure Dan is urging for your autostartviewer or if that still troubles you try a complete hijackthis, but Dan asked for the ASViewer log.

    Have you thought of a software conflict? Any error messages indicating such?
    I'm not saying spywareguard or TH Guard is the cause but these are very protective tools so starting with those.
     