
At work laptop w/problems... HiJackThis log posted

Discussion in 'Security and Privacy' started by CharlieJ, 2004/06/22.

Thread Status:
Not open for further replies.
  1. 2004/06/22
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    We have an employee for whom our company purchased a laptop. She seems to have no idea where the problem originated, but the laptop shuts down with the LSASS.EXE error: "LSA Shel (Export version) has encountered a problem and needs to close. " every time it is connected to her broadband EarthLink connection.
    Presumably, the problem has to do with the Sasser virus. NAVCE8 does not find any viruses. Norman.com's SasserFix2 didn't find any viruses (though it did kill a process called "dadapp ").
    When she brought the laptop to me, I turned off the System Restore feature and then applied the MS04-011 patch. Ran NAV and Norman.com's SasserFix2. Nothing found. Also checked for open UDP ports -- none found. Spybot 1.3 found 20 items and Ad-aware 6 found 24 items -- all removed.

    :confused: The situation now is that I cannot find ANYTHING that tells me there is still a problem. However, I do not trust putting this laptop on our network to test whether or not it will shut down with an LSA error when accessing the Internet.

    SO, I come here asking you folks to assist me. Here is the HiJackThis log (in hopes it gives us some needed info):

    Logfile of HijackThis v1.97.7
    Scan saved at 11:06:33 AM, on 6/22/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\usbpad.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\PROGRA~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\HiJackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [CHotKey] C:\WINDOWS\usbpad.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A9E3D784-8BE7-42E0-A1EE-686EF532F22D}: NameServer = 206.74.254.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF80C4A-857B-4A24-806F-0BB724C68AE6}: NameServer = 206.74.254.2

    THANKS for your assistance!
     
    Last edited: 2004/06/22
  2. 2004/06/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    If all of your NT systems are fully patched they won't be harmed so I really don't see a downside of hooking the laptop back to the network for a quick look-see. Or if it is brand new, you could always wipe the drive and reload the OS.

    If the device was put on the network before being fully patched and that is a normal practice, you can expect lots more of this. Sasser and Blaster both do lots of probing and can often hit an unpatched PC before it can even get the patches downloaded and installed from the internet. Best practice is to have the patches available on removable media (CD maybe) to protect the system when you first get it.

    SP1 would probably be a great idea on this laptop as well.
     
    Newt,
    #2


  4. 2004/06/22
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    I wish... but...

    We have a few hundred PCs on the network. The vast majority are Win9x -- and none are completely updated and patched. Most all of the W2K & WinXP boxes are patched. Therefore, it's not a safe bet to try the laptop on the network until I *know* it is clean.
     
  5. 2004/06/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Well, 9X isn't affected by Sasser or Blaster. Can get infected and spread them around but not harmed by either.

    If you have NT4/5/5.1 systems that aren't up to date on the security patches, the only real question is when (not if) your network is gonna be hit.

    What firewall are you using on the laptop? It may be possible to lock it down where it is safe for the other LAN devices using that.
     
    Newt,
    #4
  6. 2004/06/23
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    I appreciate the feedback. :) I also understand that 9x can't get infected, but it can spread the viruses/worms around -- like to our not-fully-patched W2K and XP boxes. That is why I want to be sure the laptop is clean before I put it on the network.

    I was hoping someone would take a look at the HJT log and give me some feedback. ???

    As for the firewall in use on the laptop, it's WinXP ICF. Please let me know if you have any suggestions (on the firewall or the HJT log).

    THANKS!
     
  7. 2004/06/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Sorry CharlieJ - I should have started my first response by saying I didn't see anything exciting in the HJT log. I'm assuming that since these threads get a good looking over, no one else with more experience reading these things did either else we'd both have seen comments.

    Firewall - As a practical matter, most companies that buy laptops for some employees do so with the expectation that those PCs will leave the safety of the corporate network from time to time, connect to the internet from wherever, and be brought back in from their trips into the outside world. If that is the case with yours, they are machines that will absolutely need a really good firewall and AV installed. ICF was not designed to be that sort of firewall. We use Black Ice Defender for our laptops but there are other good apps out there. You need one.

    Based on the log you posted, the machine looks safe enough to test on your network.

    There are lots of things that will not show up in a HijackThis log so it being clean is no guarantee of safety.

    I dunno about you but an approach that I always enjoyed as a Sys Admin was point out to upper management the potential problem areas, make recommendations for dealing with those, have them refuse because they didn't want to spend the money, and then wait for a disaster caused by them ignoring the recommendation. Usually got the money spent pretty quickly after that.
     
    Newt,
    #6
  8. 2004/06/23
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    THANKS Newt! I was hoping that was the case, but didn't want to assume anything.


    Wholeheartedly agreed! However, the powers that be buy the laptops and hand them out (from time to time) without IT input or deliberation of any sort. Thus, we end up with the situation we have now -- a wayward machine with who-knows-what lurking on it.


    I completely understand. HJT has its place, but is not a catch-all for problems.


    :mad: Boy, you hit the nail on the head with this one! This very thought process is the reason we still have 9x boxes and unpatched 2K/XP boxes. With 300+ users, we cannot run around to each machine and patch it. We don't have all of the boxes logging on the network, so there's no way to push patches -- except NAV def files. The only bright side is Websense EIM -- which is a bit of help on the Internet front.
    As for funding -- We have yet to receive proper funding to purchase additional 2K/XP CALs, new PCs and/or centralized management software for the network that is presently in place.
    :eek: So, I do what I can and wait for the other boot to drop... Oh, did I mention that our IT staff also fights malware fires on a daily basis? Yep, I spend a lot of my workdays (lately) fixing problems generated by a too-loose Internet policy set in place to appease certain folks within our organization. ::sigh::

    I DO love my job, though. It's a challenge. :)
     
    Last edited: 2004/06/23
  9. 2004/06/23
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I see nothing bad in the log, but I do see something that is not found on Google, but it is a new laptop, and this executable may be new also. It appears to be for the keyboard.
    O4 - HKLM\..\Run: [CHotKey] C:\WINDOWS\usbpad.exe
     
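The log CharlieJ posted and markp62's point about the `usbpad.exe` autorun both come down to the same triage question: which startup entries deserve a second look? The script below is an added example, not something from this thread or from HijackThis itself. It parses the O4 (Run key) and O17 (NameServer) lines from a subset of the posted log, classifies each autorun by where its executable lives, and flags the entries a reviewer would want to verify by hand: programs launched from the Windows root directory (as markp62 noticed), bare file names resolved through PATH, and DNS resolvers outside an expected set. The "expected resolver" set and the directory heuristic are assumptions chosen for illustration; a flag means "verify", not "malicious".

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Subset of the HijackThis entries posted in this thread, used here as sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CHotKey] C:\WINDOWS\usbpad.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9E3D784-8BE7-42E0-A1EE-686EF532F22D}: NameServer = 206.74.254.2
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*: NameServer = (?P<servers>.+)$')

# Resolvers the organisation expects a workstation to use. The value is the one
# in the posted log; the set itself is an assumption to be adapted per site.
EXPECTED_NAMESERVERS = {"206.74.254.2"}


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reason: str


def executable_of(cmd: str) -> str:
    """Pull the program (or DLL) path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted path, possibly with trailing junk like the stray space in the ccApp entry.
        return cmd[1:cmd.index('"', 1)].strip()
    tokens = cmd.split()
    # RUNDLL32 only hosts the real payload; the DLL it loads is what needs review.
    if tokens[0].upper() == "RUNDLL32.EXE" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def classify_location(path: str) -> str:
    """Coarse bucket for where an autorun target lives (heuristic, not a verdict)."""
    if "\\" not in path:
        return "unqualified"  # bare name: resolved through PATH search at logon
    directory = path.rsplit("\\", 1)[0].lower()
    if directory in ("c:\\windows", "c:\\winnt"):
        return "windows-root"
    if directory.startswith(("c:\\windows\\system32", "c:\\winnt\\system32")):
        return "system32"
    if directory.startswith("c:\\program files"):
        return "program-files"
    return "other"


def review_log(text: str) -> list[Finding]:
    """Return the O4/O17 entries a reviewer should verify by hand."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            loc = classify_location(exe)
            if loc == "windows-root":
                findings.append(Finding("O4", m["name"], exe,
                                        "autorun launched from the Windows root directory; confirm the file's vendor"))
            elif loc == "unqualified":
                findings.append(Finding("O4", m["name"], exe,
                                        "bare file name resolved through PATH; confirm which file actually runs"))
            elif loc == "other":
                findings.append(Finding("O4", m["name"], exe,
                                        "autorun outside System32 / Program Files; verify"))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m["servers"].split(","):
                server = server.strip()
                if server not in EXPECTED_NAMESERVERS:
                    findings.append(Finding("O17", "NameServer", server, "unexpected DNS resolver"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target}: {f.reason}")
```

On the sample above it reports exactly two entries: `CHotKey` (`C:\WINDOWS\usbpad.exe`, the same item markp62 singled out) and `nwiz` (a bare `nwiz.exe` with no directory). Everything under System32 and Program Files passes silently, which is the point: the script narrows the list to what a human needs to look up, and a clean result is no stronger a guarantee than Newt's caveat about HijackThis logs in general.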
  10. 2004/06/24
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    ...Finis

    Guys, THANKS for your help. Looks like the laptop is clean from bugs. I have it on the network now. All MS Critical Updates & incremental patches and MBSA 1.2 alerts are being applied. It should be ready to go back to the user tomorrow -- with some notes of caution on Internet/email usage.

    If no one had anything else to add, we can close this thread. THANKS again! :D
     
  11. 2004/06/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    CharlieJ - we don't close them unless they turn nasty. Left open for any later comments.

    If you have subscribed, you might want to open the thread and unsubscribe so you don't get an email every time someone comments though.
     