worm/virus attack

[2003crush]

Help!  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/ohmy.gif\' class=\'bbc_emoticon\' alt=\'\' /> I know that I have a virus or worm in my system, since yeseterday, my system generated an error message referring to the rpc service and nt authority system and did a spontaneous shutdown. I went to the rpc service properties, then recovery, and set all failures to "take no action" to stop the spontaneous shutdown. I had the same symptom last month 'coz my system was infected by the nachi worm. But I got rid of it using my AVG antivirus program and the stinger.exe removal tool from McAfee. But now, I can't get rid of whatever this virus/worm is 'coz I don't know what it is! I already updated my AVG, ran it, and I also ran almost all the virus removal tools from Symantec and McAfee, to no avail. I scanned for spyware using Spybot and it got rid of all the spyware and adware it detected. I also checked all the processes that were running in my system, and they seem to be valid. Finally, I ran HijackThis and here's the log. Please tell me what could have infected my system. Please, please, pleasssse!!! I don't wanna have to reformat my hard drive. Thanks in advance  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'\' />

Logfile of HijackThis v1.97.7
Scan saved at 12:22:54 PM, on 1/10/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINDOWS\GeniusKB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alset\HelpExpress\Roanne\HXDL.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\GetRight\GETRIGHT.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\SysShield Tools\Internet Eraser\PKExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [CHotKey] GeniusKB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Roanne\Client\HelpExp.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Roanne\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: CuteShield Internet Eraser (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8510B699-9C96-49EA-9175-FB4765BEC5A6}: NameServer = 210.14.16.5 202.57.125.1

[Guest]

Bump for this guy - I have exactly the same damn problem!!!

[Monkey_Drone]

If it says lsass.exe is shutting down the system then you are problably getting a LDAP attack.

http://support.microsoft.com/default.aspx?...kb;EN-US;255897

Download the latest service pack and get some sort of firewall.

[Guest]

If it says lsass.exe is shutting down the system then you are problably getting a LDAP attack.

If this is true (the lsass part) you have tha Sasser Worm mate. Read the bit on the worm in the tech clinic i wrote. The lsass.exe in a exploition of the vulnrability in windows. You need to get it sorted before youre hacked.

hope this helps.

[Guest]

go to

securty response.com and get the tool remover

[sundar]

I had the same damn problem too.The name of the virus is 'LSASS.EXE'.It is found in the windows/system32 directory or winnt/system32 directory respectively.


                               You cannot delete this file(lsass.exe) because it is a critical system process.You can see in the taskmanager processes tab.you cannot end this process.



Solution:    
               The only solution i know is connect your hard drive to another system running windows xp.Then explore windows/system32 directory through that system
and delete the file/virus    'lsass.exe'.


               Run the updated version of your antivirus program and install the windows xp critical security update.

Make sure that you turned on the internet connection firewall on all of your internet connections so that you can prevent further virus attacks. http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/ph34r.gif\' class=\'bbc_emoticon\' alt=\':ph34r:\' />

               i heard from someone that these viruses come from the site 'www.4t.hidro.com' or 'www.hidro.4t.com'.


              Other viruses i know are  :


               1)  Enbiei.exe
               2)  Msblast.exe
               3)  Penis.exe
               
these viruses are also found in the same windows/system32 or winnt/system32
directory. http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />

[tasinet]

i HOPE you are joking [even though i dont get/like your sense of humour]
If you are not [in which case you are insanelly stupid]

"   

WinTasks Process Library

lsass - lsass.exe - Process Information

Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): [color=\"red\"]No[/color]
Common Errors: N/A "
from http://www.liutilities.com/products/wintas...slibrary/lsass/

[Adware & Spyware protection&]

Search all here:
Adware: Adware removal, Adware Software
Spyware: Spyware removal, Spyware remover, Spyware protection

[Guest_Spike]

I think you all have forgotten what he was asking, it was RPC not lsass.exe.  First off I have the lsass problem, and it's pissing me right off....

Next off... the Blaster worm is the one that attacks the RPC.  Symantec has a removal tool, just run it, reboot, then run it again to comfirm.....  

Good Luck

[Guest]

I bet you are using DSL (maybe even SBC?) I was working on a PC which had this problem this weekend, Virus Scans showed nothing. Within 5 minutes of being connected to SBC Yahoo DSL I got the lsass.exe / system shutdown in 60 secs message.

I ended up taking the PC home, and putting it behind a firewall on my home network using dial up from an ISP other than SBC, and what do you know? No more Lsass.exe issue. Installed Service Pack 2, took it back to the owner and reconnected it to DSL, no more issues there either.

[Guest]

IM HAVING SAME PROBLEM.
So my computer keeps popping up a message right after i boot up that says NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe then it says it is going to shutdown in 60 seconds and it countsdown and shuts off.
Heres my hijack this log

Logfile of HijackThis v1.98.2
Scan saved at 4:27:10 PM, on 11/14/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DjGotPho\LOCALS~1\Temp\Rar$EX00.544\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=???
   
?
?????
F3 - REG:win.ini: run=???
   
?
?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files...abasetup145.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...352/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab





HELP ME PLEASE. EMAIL ME A RESULT WHEN U CAN TO SkynetbreakerEmail Removed

PLEASE HELP