lsass.exe "may" be 1 of the "suspect" viruses...b4 running some of the AV and Spy utils I was also seeing ccApp being renamed to CCAPP and causing the known prob of not being able to term prog's or shutdown normally...
Attached are HJL and Startup
HJL:
Logfile of HijackThis v1.99.1
Scan saved at 8:34:27 AM, on 8/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\RoboForm AI\roboform.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\RoboForm AI\roboform.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Free Download Manager] d:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Internet Sharing Server.lnk = D:\Program Files\Intel\AnyPoint\iss_srvr.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\RoboForm AI\RoboFormComShowToolbar.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {55A548B3-AFA8-41E3-8057-FD24931C6388} (FXExec Control) - http://216.87.37.188/app/FXCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107406207266
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AnitVirus\AVPersonal\AVGUARD.EXE
O23 - Service: AnyPoint Service - Intel Corporation - d:\Program Files\Intel\AnyPoint\APSERVER.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AnitVirus\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Startup:
StartupList report, 8/13/2005, 8:39:48 AM
StartupList version: 1.52
Started from : F:\The Download Directory\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\msdtc.exe
d:\Program Files\Intel\AnyPoint\APSERVER.EXE
C:\Program Files\AnitVirus\AVPersonal\AVWUPSRV.EXE
d:\Program Files\ewido\security suite\ewidoctrl.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Free Download Manager\fdm.exe
C:\jetsuite\JETSTAT.EXE
D:\Program Files\ewido\security suite\SecuritySuite.exe
c:\jetsuite\JSFMAN.EXE
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
F:\The Download Directory\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\The Download Directory\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
Internet Sharing Server.lnk = D:\Program Files\Intel\AnyPoint\iss_srvr.exe
Microsoft Office.lnk.disabled
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
WinPatrol = D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Free Download Manager = d:\Program Files\Free Download Manager\fdm.exe -autorun
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\Beach Islands Screensaver.scr
drivers=
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\plusdavn.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - D:\Program Files\Siber Systems\RoboForm AI\roboform.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
Norton Internet Security - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - ALL Local Drive Scan - Bob.job
Norton AntiVirus - Scan my computer - Bob.job
Norton AntiVirus - Scheduled Key C-drv folders and Fs The Download Dir 071505 - Bob.job
Norton Disk Doctor.job
Speed Disk.job
Spybot - Search & Destroy - Scheduled Task.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = f:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = https://a248.e.akama...qt/qtplugin.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...director/sw.cab
[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://protect.micro...b?1116039129297
[LSSupCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll
CODEBASE = http://www.symantec....sa/LSSupCtl.cab
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab
[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...C4D/mp43dmo.CAB
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB
[WebGameLoader Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ReflexiveWebGameLoader.dll
CODEBASE = http://zone.msn.com/...bGameLoader.cab
[FXExec Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FXCtrl.ocx
CODEBASE = http://216.87.37.188/app/FXCtrl.cab
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1107406207266
[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab
[ExentInf Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\exentctl_0_0_0_1.ocx
CODEBASE = http://us.games2.yim...ctl_0_0_0_1.ocx
[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.../20/SassCln.CAB
[WebHandler Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\dlhelper.dll
CODEBASE = http://activex.micro...n7/dlhelper.cab
[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/...ro.cab34246.cab
[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = http://www.symantec....sa/SymAData.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab
[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab
[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.s.../ActiveData.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\iss_slsp.dll
Protocol #1: C:\WINDOWS\System32\iss_slsp.dll
Protocol #2: C:\WINDOWS\System32\iss_slsp.dll
Protocol #3: C:\WINDOWS\System32\iss_slsp.dll
Protocol #14: C:\WINDOWS\System32\iss_slsp.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 9,659 bytes
Report generated in 0.280 seconds
Please tell me what else i can supply to help....
TY ALL FOR YOUR HELP....
Edited by BobHJersey, 13 August 2005 - 06:47 AM.