
Sasser like Virus driving me nuts!

Discussion in 'Malware and Virus Removal Archive' started by Pondlife, 2004/12/29.

Thread Status:
Not open for further replies.
  1. 2004/12/29, Pondlife (Thread Starter)
    Laptop running XP Home. On boot (before you even log into one of the 2 accounts on the laptop) an error box appears saying there has been an error in lsass.exe initiated by '\' and the machine will close down in 60 seconds. Error -1073741819.

    The machine is not connected to a network or the internet. The owner has been using broadband.

    So far I have...
    1. Patched the machine with the MS Sasser patch
    2. Run the latest 'Stinger' from McAfee
    3. Run the Norton Sasser removal tool
    4. Installed and run the new free version of AVG (version 7)
    5. Run PC-cillin 2002 (this is the installed anti-virus software, updated on 22/12/04)
    6. Run the free Sasser removal tools supplied by Pandasoft
    7. sfc /scannow
    8. Checked the registry for anything odd in the 'Run' area... nothing there.
    9. Run Ad-Aware SE and found and killed several nasties
    10. Run Spybot (latest updates), killed a few nasties

    All the above turned up nothing (except the spyware items).

    I can start the machine in safe mode and run all the above.

    I created a new account and made it an admin. On start-up I disabled loads of items from msconfig so the desktop appeared quickly enough for me to get to the Run box and type "shutdown -a", which does get rid of the countdown. But I don't appear to have admin rights for this new account (although it was set up as an admin). There is also no 'shutdown' button on the start bar under this account. Oh, and on 'logging off' this account the laptop seems to just hang with 'saving your settings'.

    Help!
     
  2. 2004/12/29, Newt
    Can you log on in normal mode using the Administrator account? It's XP Home and I think you need to do a couple of CTRL-ALT-DEL from the 'friendly' login screen to get a classic logon box, then put in the username Administrator with the password if it has one.

    If so, get a copy of HijackThis v1.99 and unzip it to a normal folder, then scan, create a log file, and post the log here.
     


  3. 2004/12/29, Pondlife (Thread Starter)
    One thing I noticed before shutting down this evening was that there was no "log off" dialog and a "Stopzilla" window appeared asking if I wanted to buy the item. I also had the 'shut down' button back on the task bar/start button.

    I'll try that tomorrow, Newt, but I'm not sure if you can actually do that as the admin account only appears if you start in Safe Mode for XP Home (I think).

    Any other thoughts? Will HJT be of any use in this situation? I have run an older version (1.98) and it didn't show too much apart from the usual nasty spyware, but I'll get the up-to-date version and see.
     
  4. 2004/12/29, BenMcDonald[MS]
    If you can come up OK in Safe Mode, there must be something, a service or driver, that is causing the problem. Can you use MSCONFIG to strip things down, or disable all non-essential services, to see what is causing it?
     
  5. 2004/12/30, Pondlife (Thread Starter)
    OK, here's the HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:42:15, on 30/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\PERFECT SERIES\OPTICAL MOUSE\4.0\MOUSE32A.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\windows\system32\taskmgn.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\support\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\naqvv.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll (file missing)
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP chain gap (#15 in chain of 18 missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com/BTYahoo!Help/PreQual/files/MotivePreQual.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe
    O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\javavg.exe (file missing)



    I have tried to strip things down but it was still happening. However, it doesn't appear to be doing it this morning. I have removed Stopzilla (eventually).

    Any more advice people?

    Thanks so far :)
     
  6. 2004/12/30, Newt
    Use HJT to remove these items

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\naqvv.dll/sp.html#28129
    ** note: that sort of file naming can point to a coolwebsearch infection - don't see other evidence but since this is safe mode, stuff may not show up. CWShredder (quicklinks in my signature) will be a good tool to run at some point.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    ** note: not baddies but system sludge you don't need and I'd remove them from my own PC

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    ** note: I think this was real.com at some point

    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball...tgameloader.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com/BTYahoo!Help/PreQual/files/MotivePreQual.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/...ller/dwnldr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    ** note: at least two of these are baddies and since any that are still needed will be replaced at the next visit to a site that needs them, I'd remove them all.

    ************ \/ \/ don't remove yet \/ \/ ***********

    O10 - Broken Internet access because of LSP chain gap (#15 in chain of 18 missing)
    ** note: download LSPFix and run it.


    O15 - Trusted IP range: (HKLM)
    ** note: this is another that may show detail in normal mode. Don't remove it but we will want to take a careful look when you get to the point you can run HJT with the system in normal operational status and post a new log file.
     
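The triage Newt walks through above comes down to a small set of rules: R0/R1 values pointing at a res:// path or about:blank, O16 controls pulled down from the web, O23 services with no vendor or a missing binary, O10 LSP entries that need LSPFix rather than HJT, and O15 zone additions that need a second look before anything is removed. The Python below is an added example for this page, not HijackThis code and not anything the posters ran; it applies those rules to a log and goes slightly beyond this thread by treating any O23 entry with an "Unknown" vendor as worth reviewing. The sample lines are copied from the two logs posted in the thread, and the names triage, classify, Finding and ntstatus_hex are my own. ntstatus_hex decodes the signed number in the first post's error box into the NTSTATUS value the lsass.exe crash dialog is actually reporting.

```python
"""Triage a HijackThis (HJT) v1.99 log the way the helpers in this thread do.

Added example for this page: it is not HijackThis code, and the rules below are a
simplification of what an experienced log reader applies by hand.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the two logs posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\naqvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O10 - Broken Internet access because of LSP chain gap (#15 in chain of 18 missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\javavg.exe (file missing)
"""

# Every HJT entry line starts with a section code such as R1, O4, O23.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O23"
    action: str   # "fix" (safe to fix in HJT), "tool" (needs another tool), "review"
    reason: str
    line: str


def classify(section: str, body: str) -> tuple[str, str] | None:
    """Return (action, reason) for one HJT entry, or None if it looks benign."""
    if section in ("R0", "R1"):
        # Start/search page values. A res:// path into a random-named DLL in
        # system32, or about:blank, is the classic CoolWebSearch/about:blank hijack.
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.startswith("res://") or value == "about:blank":
            return "fix", "start/search page points at a local res:// DLL or about:blank (hijack pattern)"
        if value == "":
            return "fix", "blanked IE search setting; letting HJT restore the default is harmless"
        return None
    if section == "O10":
        # Winsock LSP entries: fixing these in HJT can break networking; use LSPFix.
        return "tool", "LSP chain gap: do not fix in HJT, repair with LSPFix"
    if section == "O15":
        return "review", "Trusted Zone / Trusted IP range addition: confirm the owner made it"
    if section == "O16":
        # Downloaded Program Files (ActiveX). Controls fetched from a web URL, or with
        # no recorded source, can go; a legitimate site re-offers them on the next visit.
        source = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if source == "" or source.lower().startswith(("http://", "https://")):
            return "fix", "downloaded ActiveX control; anything still needed is re-fetched on demand"
        return None
    if section == "O23":
        # Services: no vendor string, or a binary that is no longer on disk.
        if "(file missing)" in body or " - Unknown - " in body:
            return "review", "service with an unknown vendor or a missing binary"
        return None
    return None


def triage(log_text: str) -> list[Finding]:
    """Parse an HJT log and return the entries worth acting on, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header lines and the "Running processes" block
        verdict = classify(m["section"], m["body"])
        if verdict:
            findings.append(Finding(m["section"], verdict[0], verdict[1], line))
    return findings


def ntstatus_hex(signed_code: int) -> str:
    """XP's lsass.exe crash dialog prints the NTSTATUS as a signed 32-bit integer;
    -1073741819 is 0xC0000005, STATUS_ACCESS_VIOLATION."""
    return f"0x{signed_code & 0xFFFFFFFF:08X}"


if __name__ == "__main__":
    print("lsass status code:", ntstatus_hex(-1073741819))
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section}: {f.reason}\n         {f.line}")
```

Entries that the rules leave alone (the Acrobat BHO, the Yahoo control loaded from Program Files, the AVG service) produce no finding, which is the point: the script narrows a long log down to the lines a helper would quote back, and it still refuses to call the O10 and O15 items "fix" because those are exactly the ones Newt marks as don't-remove-yet.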
  7. 2004/12/30, Pondlife (Thread Starter)
    Hi Newt.

    Thanks for those pointers. OK, here is the HJT log as it stands now. I have managed to get the laptop online now (here at home). Have run the latest Ad-Aware and Spybot and removed yet more nasties! Have also done an update on the AVG and this keeps finding Trojans it can't get rid of: heal, move, nothing :( (forgot to note the names, so scanning again)

    I managed to run a RAV AntiVirus scan too and this removed about 7 Trojans. However the IE home page, such as it is as they have BT Yahoo as their ISP (and this makes a right mess of IE in my opinion), has been hijacked and I can't get to Housecall (Trend Micro) or the Pandasoft online scanners.

    I only have this evening and tomorrow morning before the laptop has to go back as well!
    Here's the HJT:
    Logfile of HijackThis v1.99.0
    Scan saved at 22:48:40, on 30/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Grisoft\AVG Free\avgwb.dat
    C:\Support\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe
    O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    There is one item that will not get fixed by HJT as well... the O15 one.

    Thanks for all your help so far Newt :)
     
  8. 2004/12/30, Pondlife (Thread Starter)
    OK, AVG removed 9 Trojans that time. However the browser is now hijacked by a 'Search the web' home page. I cannot get rid of it. I've done a Google search on it and not had much luck. I tried to search these forums too... but wasn't great at finding the solution (although I know it's here as I'm sure I saw it some months ago :confused: )

    Help! I'm running out of time and I want to go to sleep!! (its midnight now! :eek: )
     
  9. 2004/12/30, Pondlife (Thread Starter)
    OK, it's 5 to 1am now and I've nearly had enough. I got hold of Adaware Away and it removed the browser hijack... until the laptop was rebooted... and it came back :( So I ran it again and it allowed me to get to Trend Micro and Housecall (which is running now). I also ran the CE vonline virus scan and that found another 16 Trojans. It removed all bar 2 (1 was in WinZip's wzqkpick.exe so I removed WinZip completely, and the other is in ms0s9205.dll which is part of MS Messenger which the owner uses so I can't uninstall it (I did rename the file but then MSM wouldn't start)). They'll have to get rid of it themselves.

    I'll leave the housecall running now and see whats what in the morning. :rolleyes:
     
  10. 2004/12/30, noahdfear
    If you are still unable to get rid of the O15 Trusted Zone entry, download this zip file, unzip it to its own folder and open it. Run RemoveDomains.reg, then ResetDomains.reg.
     
  11. 2004/12/31, Pondlife (Thread Starter)
    Brilliant, thanks for that! I have now managed to set the home page to be www.google.co.uk instead and after several reboots it hasn't changed (fingers crossed). I've also run Housecall twice now and it found nothing. I can't get Windows Update to work properly but have managed to download and install several security patches from MS. I checked the other account on the machine and Windows Update works on that one. The only item recommended is XP SP2, so I'll leave that up to the owner :)
    I ran Adaware Away, it removed 10 occurrences of the about:blank hijack but on reboot they came straight back??

    MSM has a virus in one of the DLLs which nothing can remove, so I'm recommending total removal of the software (bloody awful thing if you ask me). I've also stopped MSM and Yahoo Messenger starting up straight away.

    Thanks for your help with everything. Hopefully the owner will stay away from pron sites from now on and minimise the risk of this all happening again! :)
     
  12. 2004/12/31, noahdfear
    The file ms0s9205.dll doesn't appear to be associated with MSN Messenger, or anything else. Probably just dropped there to hide. Try using Move-on-Boot to delete it. It will add a right click option once installed, when used on files, to delete on the next boot. Simply tag the file for deletion and reboot.

    Doesn't matter which account you are using to get the SP2 update, as it will affect the entire system. If you can install it using another account, do so.

    Post a new HJT log too please. (if you still have the machine :rolleyes: )
     
  13. 2005/01/01, dobhar
    Hi Dave and Newt... Happy New Year to both of you. I haven't been on for a while and I see you both are still doing your great posting.

    I have a question on Pondlife's log... I have noticed the R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/...arch.yahoo.com/ in quite a few logs and have noticed 50/50 some (other forums) say remove and some say keep. Can you help me in understanding why?
     
  14. 2005/01/01, noahdfear
    Hi Kent,

    Often times when I recommend fixing those red.clientapps entries, it's only because they are hijacks of the Windows default settings, by ISP software installation, and I don't like hijacks..........period. Whether or not I recommend fixing them depends on my mood and/or the user. ;)
     