Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Regular LSASS exploit messages on Avast AV logs

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Regular LSASS exploit messages on Avast AV logs

Unread postby grand » December 27th, 2008, 6:29 am

I get regular LSASS exploit messages on my Avast AV logs. I also use Jetico Personal FW.

Logfile of HijackThis v1.99.1
Scan saved at 3:41:17 PM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe"
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{68727B36-6B8D-4FB5-8052-4A94AEE4D01F}: NameServer = 202.56.230.5 202.56.250.6
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: hMailServer - hMailServer - C:\Program Files\hMailServer\Bin\hMailServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
grand
Active Member
 
Posts: 6
Joined: December 27th, 2008, 6:06 am
Location: India
Advertisement
Register to Remove

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby Bob4 » December 31st, 2008, 9:11 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!


  • Save and quit any work your doing before beginning the fix.
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.
  • If I do not hear from you in 5 days from my last post this topic will be closed.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!





______________________________
RUN HJT

HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -



Close that.







______________________________
Open HJT

this time click on
Misc tools section

then:
Open uninstall Manager
click on save list.
Post that for me.








_________________________________________
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

    If you accidently close it you may find it here.
    Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs






    _______________

    Please download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install Java Runtime Environment (JRE) 6 Update 11.




    __________________________________________
    Copy the portion from your Avast log so I can see exactly what it's saying.



    _________________________
    In your next reply I would like to see:
    • A new HJT log Malwarebytes
    • The report from Uninstal list
    • The report from avast

User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby grand » January 1st, 2009, 8:53 am

Message to MR expert:
As you've probably guessed from the logs, I'm a web developer and regularly work on PHP, JScript, Java, etc. All my projects are on this machine (they're backed up ofcourse). Sadly, I'm still on dial-up and downloading large files will be a pain. This is not a very new machine, but I've set it up to run only the bare minimum services and its doing very fine till now. I'm no malware expert though, and I haven't a clue what LSASS exploit is - however, I must add, the computer has not misbehaved so far. I just want to make sure I'm safe.
Thanks A LOT for your help.

1) HJT log post MBAM install, scan and repair
------
Logfile of HijackThis v1.99.1
Scan saved at 5:47:09 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator.PINEWOOD-083S87\Desktop\msgr9in.exe
C:\DOCUME~1\ADMINI~1.PIN\LOCALS~1\Temp\nsh5C.tmp\ymsgr_suite_setup.exe
C:\DOCUME~1\ADMINI~1.PIN\LOCALS~1\Temp\GLB5D.tmp
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe"
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68727B36-6B8D-4FB5-8052-4A94AEE4D01F}: NameServer = 202.56.230.5 202.56.250.6
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: hMailServer - hMailServer - C:\Program Files\hMailServer\Bin\hMailServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

-------

2) Uninstall list

---------
@BIOS Ver.2.03
7-Zip 4.42
Ad-Aware SE Personal
Adobe Flash Player 10 Plugin
Adobe PageMaker 7.0
Adobe Photoshop 7.0
Adobe Reader 7.0
Advanced WindowsCare Personal
Alarm 2.0.1
Apache HTTP Server 2.2.3
avast! Antivirus
CCleaner (remove only)
ConTEXT
Delta Force 2
Download Accelerator Plus (DAP)
e-Sword
Ext2 IFS 1.11 for Windows XP
Google Talk (remove only)
Hijackthis 1.99.1
HijackThis 1.99.1
hMailServer 4.4.1-B273
J2SE Runtime Environment 5.0 Update 16
Java 2 SDK, SE v1.4.0
Java Web Start
Jetico Personal Firewall 1.0
KM400 Display Driver and Utilities
Light PHP Edit 0.9
Macromedia Shockwave Player
Microsoft Office XP Professional with FrontPage
Modem Setup for Nokia 30
Motorola C261 USB-Handset Manager
Mozilla Firefox (1.5.0.12)
MP3 Player Utilities 4.00
MySQL Server 5.0
Nero PhotoShow Express
Nero Suite
Opera 9.24
PHP 5.1.4
Power MP3 WMA Converter 1.14
QuickTime
Return to Castle Wolfenstein
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Spybot - Search & Destroy 1.4
Test Drive 5
TVR
Uniblue ProcessScanner
VIA Audio Driver Setup Program
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinZip

-------------

3) Avast 'Last Attacks' log
--------------
27.05.2008 18:48:48 LSASS Exploit (EXP) attack
from 93.81.20.241:445
25.08.2008 21:54:30 LSASS Exploit (SXP) attack
from 117.20.158.238:445
26.08.2008 16:46:51 LSASS Exploit (EXP) attack
from 200.204.3.211:445
27.08.2008 15:19:29 LSASS Exploit (EXP) attack
from 78.92.104.116:445
27.08.2008 18:15:16 LSASS Exploit (EXP) attack
from 78.106.195.167:445
27.08.2008 18:49:49 LSASS Exploit (EXP) attack
from 60.254.233.14:445
28.08.2008 22:37:11 LSASS Exploit (EXP) attack
from 78.106.143.171:445
02.12.2008 20:18:59 LSASS Exploit (EXP) attack
from 89.44.28.97:445
30.12.2008 12:12:24 LSASS Exploit (EXP) attack
from 68.175.28.132:445
01.01.2009 14:17:41 LSASS Exploit (EXP) attack
from 118.101.24.3:445

-----------------------

4) EXTRA - Only one infection found by MBAM
I hope this wasn't created by HJT.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

---------------------
grand
Active Member
 
Posts: 6
Joined: December 27th, 2008, 6:06 am
Location: India

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby grand » January 1st, 2009, 8:53 am

Message to MR expert:
As you've probably guessed from the logs, I'm a web developer and regularly work on PHP, JScript, Java, etc. All my projects are on this machine (they're backed up ofcourse). Sadly, I'm still on dial-up and downloading large files will be a pain. This is not a very new machine, but I've set it up to run only the bare minimum services and its doing very fine till now. I'm no malware expert though, and I haven't a clue what LSASS exploit is - however, I must add, the computer has not misbehaved so far. I just want to make sure I'm safe.
Thanks A LOT for your help.

1) HJT log post MBAM install, scan and repair
------
Logfile of HijackThis v1.99.1
Scan saved at 5:47:09 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator.PINEWOOD-083S87\Desktop\msgr9in.exe
C:\DOCUME~1\ADMINI~1.PIN\LOCALS~1\Temp\nsh5C.tmp\ymsgr_suite_setup.exe
C:\DOCUME~1\ADMINI~1.PIN\LOCALS~1\Temp\GLB5D.tmp
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe"
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68727B36-6B8D-4FB5-8052-4A94AEE4D01F}: NameServer = 202.56.230.5 202.56.250.6
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: hMailServer - hMailServer - C:\Program Files\hMailServer\Bin\hMailServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

-------

2) Uninstall list

---------
@BIOS Ver.2.03
7-Zip 4.42
Ad-Aware SE Personal
Adobe Flash Player 10 Plugin
Adobe PageMaker 7.0
Adobe Photoshop 7.0
Adobe Reader 7.0
Advanced WindowsCare Personal
Alarm 2.0.1
Apache HTTP Server 2.2.3
avast! Antivirus
CCleaner (remove only)
ConTEXT
Delta Force 2
Download Accelerator Plus (DAP)
e-Sword
Ext2 IFS 1.11 for Windows XP
Google Talk (remove only)
Hijackthis 1.99.1
HijackThis 1.99.1
hMailServer 4.4.1-B273
J2SE Runtime Environment 5.0 Update 16
Java 2 SDK, SE v1.4.0
Java Web Start
Jetico Personal Firewall 1.0
KM400 Display Driver and Utilities
Light PHP Edit 0.9
Macromedia Shockwave Player
Microsoft Office XP Professional with FrontPage
Modem Setup for Nokia 30
Motorola C261 USB-Handset Manager
Mozilla Firefox (1.5.0.12)
MP3 Player Utilities 4.00
MySQL Server 5.0
Nero PhotoShow Express
Nero Suite
Opera 9.24
PHP 5.1.4
Power MP3 WMA Converter 1.14
QuickTime
Return to Castle Wolfenstein
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Spybot - Search & Destroy 1.4
Test Drive 5
TVR
Uniblue ProcessScanner
VIA Audio Driver Setup Program
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinZip

-------------

3) Avast 'Last Attacks' log
--------------
27.05.2008 18:48:48 LSASS Exploit (EXP) attack
from 93.81.20.241:445
25.08.2008 21:54:30 LSASS Exploit (SXP) attack
from 117.20.158.238:445
26.08.2008 16:46:51 LSASS Exploit (EXP) attack
from 200.204.3.211:445
27.08.2008 15:19:29 LSASS Exploit (EXP) attack
from 78.92.104.116:445
27.08.2008 18:15:16 LSASS Exploit (EXP) attack
from 78.106.195.167:445
27.08.2008 18:49:49 LSASS Exploit (EXP) attack
from 60.254.233.14:445
28.08.2008 22:37:11 LSASS Exploit (EXP) attack
from 78.106.143.171:445
02.12.2008 20:18:59 LSASS Exploit (EXP) attack
from 89.44.28.97:445
30.12.2008 12:12:24 LSASS Exploit (EXP) attack
from 68.175.28.132:445
01.01.2009 14:17:41 LSASS Exploit (EXP) attack
from 118.101.24.3:445

-----------------------

4) EXTRA - Only one infection found by MBAM
I hope this wasn't created by HJT.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

---------------------
grand
Active Member
 
Posts: 6
Joined: December 27th, 2008, 6:06 am
Location: India

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby Bob4 » January 1st, 2009, 10:58 am

I hope this wasn't created by HJT.

Nope it wasn't

________________________________________


I do believe your OK.
The LSASS Exploit is very old and as long as your windows is patched and up to date your OK.
I know Dial up is slow but take some time to be sure to get all the latest security updates or windows service pack 3.
In fact ordering a CD from Microsoft for Service pack 3 would be the best idea. Especially as you use this machine for work.
Trying to download that from dial up would take a month of Sundays.

order CD


___________________________
Symantec actually still has a removal tools for removal of the sasser and blaster worm which exploits the vulnerability in windows.
This is the Lsass exploit.

Blaster tool
http://www.symantec.com/content/en/us/g ... xBlast.exe

Sasser tool
http://www.symantec.com/content/en/us/g ... Sasser.exe

Their small enough for you to download and run although I see no signs of them in your log. .


________________________________________
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe

Make sure Java is updated as it too can be a serious security risk. As with your work be sure the current version is going to do what ever it is you need to.

download and install Java Runtime Environment (JRE) 6 Update 11 It is the latest version.

Once that is done go to add/remove programs and uninstall
J2SE Runtime Environment 5.0 Update 16


_____________________________________________

Your log shows you have Download Accelerator Plus (DAP or dap.exe) installed.
DAP is not technically malware, but it may include malware and allow it into your system. Note that the free version is adware based. If it is the free, ad-supported version, then
I recommend that you switch to Leechget 2006 Download Manager - this is adware-free freeware. Another free, and
spyware free, alternative is
Star Downloader. Should you choose to remove it, uninstall it through Control Panel=>Add/Remove Programs.
These are the items to fix in HijackThis:

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm



____________________________________

Looks like you were installing Yahoo messenger while working on the fix.
Please post 1 more HJT log so I can see if something is gone.

Also let me know if you have any other questions..and is everything still running OK ?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby grand » January 2nd, 2009, 2:18 am

Bob4 wrote:I do believe your OK.


That's a relief.

1) Service Pack 3 - I think I'll order the CD.
2) I've used the Symantec tools before. I currently use a similar tool from Avira. But I don't mind scanning it again with Symantec.
3) JRE 6.11 - Done that. I knew I was late with this one.
4) Thanks for the alternatives to DAP. I had always wanted to try alternatives but was too lazy to download them, especially since DAP is quite efficient with what it does.
5) Yahoo Msg - I abandoned the install.

HJT Log post JRE 6 update
--------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:22:30 AM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68727B36-6B8D-4FB5-8052-4A94AEE4D01F}: NameServer = 202.56.230.5 202.56.250.6
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: hMailServer - hMailServer - C:\Program Files\hMailServer\Bin\hMailServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

Thanks for your help. I hope I get the 'all-clear' next time.
grand
Active Member
 
Posts: 6
Joined: December 27th, 2008, 6:06 am
Location: India

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby Bob4 » January 2nd, 2009, 8:54 am

Your log looks clean.

If you remove DAP make sure these 3 lines are gone after you uninstall it.

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

___________________________________

A few things to help you stay secure.


Windows Updates
Be certain automatic updates is turned on for XP. - For Vista Or if you like to do it manually be sure to visit http://update.microsoft.com/ regularly. This requires internet explorer to do so.

This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Browser settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.

___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.


Here's a site with great advise on how to AVOID malware. Much easier to do than removing it.


Safe and Happy Surfing. :)
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby grand » January 2nd, 2009, 11:50 pm

1) Windows Update - I usually update manually.
2) Spyware Blaster - I'll definitely use that. Thanks for the info.
3) HOSTS file - I have been using that for a long time.
4) IE - I usually don't use IE (though I have to test my projects for all browsers without any bias). My favourite browser is Opera.
5) Thanks for the link to the page on 'Prevention'.

Belated Happy New Year to You and all at MR.
grand
Active Member
 
Posts: 6
Joined: December 27th, 2008, 6:06 am
Location: India

Re: Regular LSASS exploit messages on Avast AV logs

Unread postby NonSuch » January 3rd, 2009, 4:38 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 30 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware