elphaba

Members
  • Posts: 4

Reputation: 0 Neutral
  1. Report 3 of 3 - HiJackThis (didn't see the "Generate StartupList log" option to click on but I did get this info in notepad. Hope that's correct)

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 8:02:11 AM, on 11/24/2008
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16735)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\PrevxCSI\prevxcsi.exe
     C:\Program Files\Prevx2\PXAgent.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
     C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
     C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
     C:\Program Files\Prevx2\PXConsole.exe
     C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     C:\Program Files\Windows Defender\MSASCui.exe
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\PrevxCSI\prevxcsi.exe
     C:\downloads\hijackthis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.pandasecurity.com
     O15 - Trusted Zone: http://download.windowsupdate.com
     O15 - Trusted Zone: http://update.zonelabs.com
     O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
     O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
     O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
     O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192905573843
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192905533796
     O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
     O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
     O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
     O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
     O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
     O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
     O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
     O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
     O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
     O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

     --
     End of file - 8879 bytes
  2. Report 2 of 3 - ActiveScan (Directions posted on this forum for how to get report from a Panda Scan are out of date. I collected the following by selecting an option for "export to". FYI - There was no "my computer" option for the scan. If I remember correctly, I selected "full scan".)

     ;*******************************************************************************
     ANALYSIS: 2008-11-24 07:50:50
     PROTECTIONS: 2
     MALWARE: 5
     SUSPECTS: 0
     ;*******************************************************************************

     PROTECTIONS
     Description                     Version         Active  Updated
     ;===============================================================================
     Windows Defender                1.1.4104.0      No      No
     Zone Alarm Security Suite       7.0.483.000     No      No
     ;===============================================================================

     MALWARE
     Id        Description           Type            Active  Severity  Disinfectable  Disinfected  Location
     ;===============================================================================
     00020302  adware/ncase          Adware          No      0         Yes            No           c:\windows\system32\fleok
     00024343  adware/keenvalue      Adware          No      0         Yes            No           HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks\{0199df25-9820-4bd5-9fee-5a765ab4371e}
     00047660  adware/sqwire         Adware          No      0         Yes            No           hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa
     00207862  Cookie/did-it         TrackingCookie  No      0         Yes            No           C:\Documents and Settings\The Man\Cookies\the man@did-it[2].txt
     03839851  Trj/Downloader.MDW    Virus/Trojan    No      1         Yes            No           C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP101\A0018387.sys
     ;===============================================================================

     SUSPECTS
     Sent      Location                                                                F
     ;===============================================================================
     ;===============================================================================

     VULNERABILITIES
     Id        Severity  Description                                                   F
     ;===============================================================================
     182048    HIGH      MS07-069                                                      F
     182043    HIGH      MS07-064                                                      F
     120815    HIGH      MS06-022                                                      F
     ;===============================================================================
  3. (I ran Spybot Search & Destroy - didn't see in instructions anywhere that log output required for that, hope I didn't read wrong.) Here is output from Malwarebytes' Anti-Malware program (I installed new version even though it was already installed on my system, your instructions seemed to indicate you wanted us to do a new download of the program...)

     Malwarebytes' Anti-Malware 1.30
     Database version: 1419
     Windows 5.1.2600 Service Pack 2

     11/23/2008 7:09:15 PM
     mbam-log-2008-11-23 (19-09-15).txt

     Scan type: Quick Scan
     Objects scanned: 57531
     Time elapsed: 7 minute(s), 3 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Same thing is happening on my system. I just noticed that I think I've been removing this same worm for some time. I just didn't notice it was the same one every time I scan. I read up on it at Symantec and found that it isn't considered a "very dangerous" worm (or virus?) but that doesn't keep me from wanting it removed. I checked the processes that first come on line when I boot up. lsass.exe is one of them. Seems that this is a legitimate process and not one you want to remove, but it also seems that that is one that the downloader trojan hijacks in the process of it doing its thing. I found info at Symantec interesting, maybe helpful. While trying to see what we hear back on this forum, I plan to try some of their suggestions by doing a full scan in "safe mode". I also plan to add the three hosts they specify as common hosts used by the downloader trojan into my hosts file (see www.mvps.org if you want more info on your hosts file). Symantec's virus info on the downloader trojan is at: http://www.symantec.com/security_response/...-011710-3138-99 Even if you don't have the full solution, any hints or tips are welcome. I'm also trying to search this forum for others who have had this same problem; I've gotten numerous hits on "downloader trojan" and lsass, trying to work several paths of troubleshooting at the same time.
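The HijackThis log in report 3 of 3 above is a flat list of "Oxx - ..." lines, and the two things a reviewer looks for first are registry references whose target is gone (the O21 SSODL entry marked "(no file)") and O23 services whose binary lives somewhere other than the Windows or Program Files trees. The following is an added example, not code from the forum or from HijackThis itself, showing a small parser that applies exactly those two checks. The sample log is constructed: the O15, O21 and the first two O23 lines are copied from the posted log, while the last O23 line (a made-up "Example Updater" service under a Temp directory) is invented to exercise the path check, and the trusted-directory allow-list is an assumption suited to a default XP install.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis line format. The O15, O21 and first two
# O23 lines are copied from the posted log; the final O23 line is invented
# (hypothetical service name and path) to show the path check firing.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O15 - Trusted Zone: http://download.windowsupdate.com
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\The Man\Local Settings\Temp\exupd.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, F2, O2 ... O24).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# Assumption: directories a service binary is expected to live under on a
# default Windows XP install (compared case-insensitively).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    code: str   # e.g. "O23"
    body: str   # everything after "O23 - "
    line: str   # the original line, for reporting


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' entry lines; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), raw.strip()))
    return entries


def service_path(entry: Entry) -> Optional[str]:
    """O23 bodies read 'Service: NAME - OWNER - PATH'; return PATH, else None."""
    if entry.code != "O23":
        return None
    return entry.body.rsplit(" - ", 1)[-1].strip()


def service_path_is_suspicious(path: str) -> bool:
    """True when the service binary lives outside the trusted directory trees."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def review(entries: List[Entry]) -> List[Finding]:
    """Apply the two checks: orphaned registry references and oddly placed services."""
    findings = []
    for e in entries:
        # HijackThis prints "(no file)" when a registry entry points at a
        # file that no longer exists: typically a leftover from a removal.
        if e.body.endswith("(no file)"):
            findings.append(Finding(e, "orphan"))
        path = service_path(e)
        if path and service_path_is_suspicious(path):
            findings.append(Finding(e, "service_outside_trusted_dirs"))
    return findings


if __name__ == "__main__":
    for f in review(parse_hjt(SAMPLE_LOG)):
        print(f"{f.reason:30} {f.entry.line}")
```

Run against the constructed sample, the reviewer gets two lines: the orphaned SSODL entry and the invented service under the user's Temp directory; the Prevx and ZoneAlarm services pass because they sit under Program Files and WINDOWS. The allow-list is deliberately coarse, since the point of this first pass is to shorten the list a human then checks by hand, not to decide on its own what is malicious.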