Persistent Big Hijack Problem

salraphael56 · #1 (**permalink**) 08-10-2005, 02:15 PM

Dear Experts,

Please Help!!

An indefatigable sasser (I think) worm has taken over my computer. It kicks in about 2-3 minutes after the computer has started up. First a MS dialogue box appears saying that "LSA SHell (Export Version) encountered problems and needed to close", then a red box (hereafter the evil box) appears saying that "C:/Windows/System32/lsass.exe" failed unexpectedly with status code 1073741819 and the computer has to reboot".

Since encountering the problem several days ago, I have tried numerous rememdies to kill the Sasser worm. After the first reboot, I sent an error report, then clicked on "more information".* I downloaded and ran Microsoft's Malicious Software Removal, but it found no viruses. Then the evil box appeared a few minutes later. At subsequent start ups I tried to run Avast!Antivirus, but never had enough time before the evil box appeared and shut the computer down.

I then tried Symantec's Sasser Removal Tool and Stinger which I could run from a floppy disc (I tried Symantec's tool in regular mode and again later in safe mode). All of them reported "no viruses found", but the problem has persisted. I also tried to run a Panda Active Scan, but due to the problem with the internet connection spurring the virus (see below), I haven't been able to do so.

Regarding the internet spurring the virus, when I turn on my computer without the internet plug in, the evil box doesn't appear. Rather, I just get the microsoft error window indicating that there was a problem with the LSA Shell and it has to shut down, but if I just ignore the box, I can use the computer just fine. The evil box usually shows up, but sometimes it does not, such as when I start the computer without the internet cable plugged into the computer. Since I needed internet access in order to run Panda active scan, I kept trying to start the scan before the evil box appeared and today had to start and shut down the computer nearly 15 times each time encountering the evil box without ever being able to run the panda active scan. I also tried to run some other virus killers again in safe mode and decided to try safe mode with networking to see if this might enable internet access (which it didn't--Idon't know what I can and cannot do in safe mode, but the lack of internet access may be due ot the fact that my network connections are set up under a different user profile than the one I am able to use in safe mode). Well,when I was in safe mode with networking, the evil box appeared and shut down my computer. It was exactly when I was trying to get the updates for one of my adware programs (thus trying to make an internet connection).

So, I'm wondering if the internet connection is the source of this problem (ie. it keeps reinfecting at start-up), or is this somekind of Sasser imposter which is immune to Sasser remedies?

Any other ideas of what Icould try that doesn't require the internet?

I also read somewhere that you should turn off the system restore when running virus checks because the system might keep the virus on your computer. Should I do this before running any further virus killer tools?

Thanks!!

FYI. Here's my HJT Log.
Logfile of HijackThis v1.99.1
Scan saved at 11:47:52 AM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\System32\dwwin.exe
A:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy-int.euv-ffo.de:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124834936397
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

salraphael56 · #2 (**permalink**) 08-10-2005, 05:11 PM

By the way, here's my new HJT Log (from today). The one posted in my first message is from several days ago.

Logfile of HijackThis v1.99.1
Scan saved at 8:27:06 AM, on 10/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\System32\dwwin.exe
C:\Documents and Settings\My Meggie Harris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy-int.euv-ffo.de:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124834936397
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

Neal · #3 (**permalink**) 08-10-2005, 08:55 PM

This is strange alright. Did you install the microsoft security patch for this then run the removal tool?

http://www.microsoft.com/security/incident/sasser.mspx

Do you have a firewall? Do you have microsoft firewall enabled? Third link at bottom shows how.

Here is a good free one if you do not:

Consider using a free firewall if you are not already using one. Some good free ones are:
Sygate: http://smb.sygate.com/products/spf_standard.htm

Panda should get that also if you could do the scan also I think BitDefender get's also if you could get on the internet.

also check this out:

http://www.washingtonpost.com/wp-dyn...-2004May3.html

http://us.mcafee.com/virusInfo/defau...virus_k=125007

http://support.gateway.com/s/Misc/Vi...GE01su27.shtml

salraphael56 · #4 (**permalink**) 09-10-2005, 04:51 PM

Hi.

Maybe I just got lucky today because I didn't do anything differently from the day before. After gathering all sorts of informational resources from the web at work yesterday, I tried my computer this morning. At first I started in safe mode and looked around for the AVSERVE.exe file and other bad files. Nothing was there.

Then, I restarted in regular mode without the internet connection and looked there for the bad files. Nothing found. I also checked to see that my internet firewall was on. It turns out that it wasn't enabled and it wouldn't let me enable it. I also wasn't sure if I had ever installed the Microsoft Patch for Sasser. I assumed that I was relatively caught up on updates because I had downloaded all critical updates from MS about two months ago. [I'm not sure if my computer has the necessary RAM to download all of SP2 (it's got 68 MB and is running XP Pro SP1). Adding memory is one of my priorities, but this is an old laptop that I don't plan to use much more than a couple of years longer].

So, the plan, if I could get an internet connection, was to 1. download the Microsoft patch 2. download Sygate's Firewall 3. Run the Panda Scan.
4. Run Lavasoft's SE Adaware

When I started the computer in regular mode (without Internet) it displayed the Lsass.exe failure box, but the box forcing shutdown didn't appear. I was able to access the internet and to do all the tasks I was planning.

The Panda scan found two malicious items, both of which I couldn't figure out how to fix/delete:
Incident Status Location
Adware:Adware/Comet No disinfected C:\WINNT\Downloaded Program Files\CC-Rel.inf

Adware:Adware/Comet No disinfected C:\WINNT\SYSTEM32\Comet\Bin\csbho.dll

The AdAware Scan found three serious items, each of which I quarantined and deleted. You can look at the log below, if it is at all useful.

I don't think that the problem is really solved, but at least this means that I can occasionally download remedies from the internet.

The outstanding questions I have at this point are:

1. how to activate the Internet Firewall on my system (if Sygate's firewall is there an working maybe it doesn't matter, but it seems that turning on the switch for "protect my comuter from stuff from the Internet" under "internet connection settings" is imperative to future protection. On the other hand, I am connected to a university network which has its own firewall.

2. how to delete the items found in the panda scan

3. how to tell if the Microsoft Patch for Sasser has been installed properly (and do I need to rerun their Malicious Software Removal Tool)?

4. What other Microsoft Updates I absolutely have to download (could I do this selectively considering my Ram limitations)? I have to do it manually because my network prevents automatic updates.

5. Whether to turn off System Restore? I was going to do it today, but then saw in the warning that it eliminates all previous restore points. I an hesitant to do this since it might be a good solution to restore my computer to an earlier point, such as the restore point I created about two months ago--if it might get rid of the current problem??

Many thanks!

-------------------------
The Ad Aware Scan Results:
10-9-2005 5:32:56 AM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\My Meggie Harris\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\My Meggie Harris\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplicatio n
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\mediaplayer\player\recentf ilelist
Description : list of recently used files in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\office\11.0\common\general
Description : list of recently used symbols in microsoft office

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru
Description : list of recent documents opened by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\windows\currentversion\app lets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\windows\currentversion\exp lorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\windows\currentversion\exp lorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\windows\currentversion\exp lorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\windows\currentversion\exp lorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : S-1-5-21-2025429265-1677128483-1060284298-1007\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 632
ThreadCreationTime : 10-9-2005 9:50:21 AM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 10-9-2005 9:50:24 AM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 720
ThreadCreationTime : 10-9-2005 9:50:25 AM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 764
ThreadCreationTime : 10-9-2005 9:50:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 776
ThreadCreationTime : 10-9-2005 9:50:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 948
ThreadCreationTime : 10-9-2005 9:50:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription :

Neal · #5 (**permalink**) 09-10-2005, 06:40 PM

Hello,

Go into add/remove and scroll thru and look for comet cursor and remove if there.

Let's leave system restore alone for now and do that only as a last resort.

C:\WINNT\Downloaded Program Files\CC-Rel.inf ---look in downloaded program files folder for this file and delete

C:\WINNT\SYSTEM32\Comet\Bin\csbho.dll---look for this folder in bold in the system32 folder and delete, this is comet cursor and is spyware

If you are going to use sygate I would not activate your other firewall

sasser patch I believe should show up in add/remove just like other security updates do.

I would not even consider SP2 with that kind of space, I personally don't like it anyway and use SP1 only but also use the best in prevention and never had a bug.

You can pick and choose what update you want, I don't take anything except critical updates