Hacktool.Rootkit Problems

Hello ski38off, welcome to DaniWeb :)

Thanks for starting your own thread; you were right in thinking that each person's "fix" is slightly different. In your particular case, you have more than just the hacktool.rootkit infection, so we'll have a bit more work to do.

Before we start to remove your infections, there is one thing you have to take care of first:

C:\Documents and Settings\#1 MOM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running the HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.

2. Download and install the CCleaner utility, but don't run it yet.

3. Run HijackTHis again, put a check mark next to the following entry, and then click the "Fix checked" button. Close HJT once it has finished performing the fix:

O4 - HKLM\..\Run: [AutoLoadervsou1ZPQdPXM] "C:\WINDOWS\System32\cnvenh.exe" /HideDir /HideUninstall /PC="CP.CDT3" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Windows System32] clsas32.exe
O4 - HKLM\..\Run: [Configuration Loader] sass.exe
O4 - HKLM\..\RunServices: [Windows System32] clsas32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] sass.exe
O4 - HKCU\..\Run: [Windows Services] smsc.exe
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows Services] smsc.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6.../bridge-c15.cab
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe

4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

5. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

6. Run Norton, ewido, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

7. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Search your entire C: drive for the following files and delete them if found (ewido and MS Antispyware should have deleted at least some of these already):

C:\WINDOWS\System32\cnvenh.exe
clsas32.exe
sass.exe
smsc.exe
C:\WINDOWS\clms.exe
C:\WINDOWS\msngs.exe
hpdriver.sys
ntfsprotect.exe

8. Empty your Recycle Bin and reboot normally.

9. Run HijackThis again and post the new log. Also post the log that ewido generated.

Ok, I think I have gone through everything suggested here. There were, however, a couple of things I had questions about.

First, the Norton Antivirus wouldn't run in safe mode. I have had this problem earlier when trying to fix this virus. It comes up with the following error:

Symantec Integrator

Symantec Integrator has encountered a problem and needs to close.

I was able to copy and save some of the error message. If this is needed, please let me know.

Another question I had was when I was in step 7, and deleting certain files. When I searched for sass.exe, I came up with four responses. I erased 2 of them, but the other 2 were lsass.exe, which I did not remove. Should have I?

Thanks for your help so far, and look forward to your reply. Below are the Ewido Report, and the HiJackThis log file.

Ewido Report:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           6:36:26 PM, 12/26/2005
+ Report-Checksum:      804B590E


+ Scan result:


HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\WUSN.1 -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\WhenUSave -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners\EEPE -> Spyware.SaveNow : Cleaned with backup
HKU\S-1-5-21-72185382-3615762775-2885428501-1012\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-72185382-3615762775-2885428501-1012\Software\salm -> Spyware.180Solutions : Cleaned with backup
C:\a0h311i.exe -> Worm.Opanki.ao : Cleaned with backup
C:\aimg0xx.exe -> Worm.Opanki.ao : Cleaned with backup
C:\aimg1xx.exe -> Worm.Opanki.ao : Cleaned with backup
C:\aimgxx.exe -> Worm.Opanki.ao : Cleaned with backup
C:\aimn1ghtf34.exe -> Worm.Opanki.ao : Cleaned with backup
C:\aimr1xx.exe -> Worm.Opanki.ao : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjkoklcpmco.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjkoohcpskp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjliqhcpicp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjlyelcpmdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjny-1ndpah.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyencpkeq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyslazekp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyuic5waq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyumdpidq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\MasterMike\Cookies\mastermike@stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@adopt.specificclick[1].txt[/email] -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@burstnet[1].txt[/email] -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@com[2].txt[/email] -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wfkyekd5wfo.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wjk4qmdzwkp.stats.esomniture[1].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wjkocnajoeo.stats.esomniture[1].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wjlyclcpckq.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wjnyepazido.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wjnyqndzsgo.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@e-2dj6wjnyslc5aco.stats.esomniture[1].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@www.burstbeacon[1].txt[/email] -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Cookies\thomas [email]lausten@www.myaffiliateprogram[1].txt[/email] -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Thomas Lausten\Local Settings\Temp\temp.fr840D\actalert.exe -> Downloader.Dyfuca.dp : Cleaned with backup
C:\ninja1m.exe -> Worm.Opanki.ao : Cleaned with backup
C:\njnaim1.exe -> Worm.Opanki.ao : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CxtPls -> Spyware.AproposMedia : Cleaned with backup
C:\Program Files\Jbzbrx\Bqwcdra.exe -> Trojan.Small.cy : Cleaned with backup
C:\WINDOWS\clms.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\clsas32.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\hpdriver.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup



::Report End


HiJackThis Log File:


Logfile of HijackThis v1.99.1
Scan saved at 7:25:49 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\HiJackThis\ewido anti-malware\ewidoctrl.exe
C:\HiJackThis\ewido anti-malware\ewidoguard.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe
C:\HiJackThis\MicrosoftSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\HiJackThis\MicrosoftSpyware\gcasDtServ.exe
C:\HiJackThis\HijackThis.exe


O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [Kelub] C:\Program Files\Jbzbrx\Bqwcdra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\HiJackThis\MicrosoftSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013c884dbbd2ffbe6620/netzip/RdxIE2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\HiJackThis\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\HiJackThis\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

1.

the Norton Antivirus wouldn't run in safe mode. I have had this problem earlier when trying to fix this virus. It comes up with the following error...

Does Norton run properly when booted into Windows normally?

2.

When I searched for sass.exe, I came up with four responses. I erased 2 of them, but the other 2 were lsass.exe, which I did not remove.

Good thinking. "lsass.exe" is a valid Windows file, although there are infections which also use that filename. The legit version of lsass.exe should be found in the C:\WINDOWS\system32 folder, and a backup copy may exist in another folder. Where exactly are your two copies of the file living?

3. Did you intentionally install any Wild Tangent games? Your HJT logs shows a Wild Tangent component running as a Windows startup item; if you didn't knowingly install any Wild Tangent programs, that entry should be deleted.

Give us feedback on the above questions and we'll continue from there.

Thanks for your prompt reply.

First, Norton seems to run alright when Windows is booted normally. I have found that it works best when I am connected to the internet (we have dial-up here). The links on the IE toolbar work great, but the shortcuts on the desktop don't. I was thinking that since we have Norton Internet Security, and the antivirus is part of that, that there might be a connection there. Frankly, the Norton Anti-Virus hasn't seemed to work very well ever since we got it.

Second, 1 of the lsass.exe files is in C:\WINDOWS\system32, and the other in C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989. Hopefully, those are where they should be.

Finally, I have not intentionlly installed any Wild Tangent games, so apparently these should not be there either. Not sure how to fix all of these things.

Hope that helps.

1.

Norton seems to run alright when Windows is booted normally. I have found that it works best when I am connected to the internet

Yes, that's a function of Norton's Live Update feature; it likes to check for updates when Norton first starts up, and at whatever interval it's scheduled to run after that.

2.

The links on the IE toolbar work great, but the shortcuts on the desktop don't.

None of the shortcuts work? Do the icons still look normal? What does happen (if anything) when you double-click on those icons?

3.

I was thinking that since we have Norton Internet Security, and the antivirus is part of that, that there might be a connection there.

There could be- the "Integrator" mentioned in the error message is the piece of the Symantec package that provides the consolidated "control center"-type display from which you can run/configure all of the separate components (firewall, anti-virus, anti-spam, etc.) of the Internet Security software bundle. If, when in Safe Mode, you were attempting to launch the anti-virus component via the Integrator window, try launching it directly instead (assuming you have a direct shortcut to the antivirus program in the Norton/Symantec folder under your Start menu).

4.

Frankly, the Norton Anti-Virus hasn't seemed to work very well ever since we got it.

No *cough!* AVG Free Edition *cough!* comment... ;)

5.

Second, 1 of the lsass.exe files is in C:\WINDOWS\system32, and the other in C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989. Hopefully, those are where they should be.

Yes, those are the valid files.

6. Close all open programs, run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Kelub] C:\Program Files\Jbzbrx\Bqwcdra.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)

- In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK:
clmss

- Repeat the above step for this service also:
msnmgs

- Close HijackThis.

7. Reboot into Safe Mode and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Search for the following files and verify that they have really been deleted; if not, delete them now:

C:\WINDOWS\clms.exe
C:\WINDOWS\msngs.exe

- Delete the following folders entirely:

C:\WINDOWS\wt
C:\Program Files\Jbzbrx

8. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log.

Ok...sorry for the lengthy delay but I got drawn out of town since the last post here. Unfortunately, my brother has been using the computer since then, which hopefully has not attracted any other less than desirable pests to the computer. Nonetheless...I have taken the steps perscribed in the last reply, and will post the HiJackThis log file below.

One thing to note, the computer seems to be running much better already, and the Norton stuff hasn't been acting up lately, at least that my brother has been able to tell.

Thanks for your help so far, and in advance for anything that might crop up this time.

Here's the hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 12:51:48 AM, on 1/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\HiJackThis\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
C:\HiJackThis\MicrosoftSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\HiJackThis\MicrosoftSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013c884dbbd2ffbe6620/netzip/RdxIE2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\HiJackThis\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Not much seems to have changed in the new log. Almost all of the original malicious entries are still present, and as a matter of fact, one new piece of adware has been installed as well.

Please follow these instructions fully and completely:

1. Open your Add/Remove Programs control panel and uninstall WeatherCast and any programs you find that are related to "WhenU".

2. Visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner: TrojanScan

3. Update ewido, MS Antispyware, and Spyware Doctor. DOn't run scans yet, though; just close the programs after doing the updates.

4. Open the Services utility in your Administrative Tools control panel.
* In the list of services, locate the service named Content List Management Sub System or clmss and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button.
* Once the service is stopped, choose Disabled drop-down menu and then click in the Startup TypeOK.
* Repeat the above steps for the service named Microsoft Message Service XP or msnmgs.
* Close the Services utility.

5. Run HJT again and have it fix:

O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)

* In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK: clmss
* Repeat the above step for this service also: msnmgs
* Close HijackThis.

6. Reboot into Safe Mode again.

* Run ewido, MS Antispyware, and Spyware Doctor; have them fix all malicious items they find. As before, save the ewido log.

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Search for the following files and verify that they have really been deleted; if not, delete them now:

C:\WINDOWS\clms.exe
C:\WINDOWS\msngs.exe

- Delete the following folders entirely:

C:\Program Files\WeatherCast
C:\Program Files\Save

8. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the new ewido log.