
Zone Alarm Security Alerts.

A Monkeys Uncle

Re: Zone Alarm Security Alerts.

  #5  
Jul 20th, 2005
K thanks.


It's lsass.exe, and how do I make sure it is in the correct directory? This particular executable came up as a virus below, apparently; either that, or it found a virus. I'm really not sure, but the log is all here for you.


First I'll post the TSCDebug info...

TSCDebug:

Debug Information Level=0
BackupRegKey[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
BackupRegKey[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Security]
BackupRegKey[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]
BackupFile[C:\WINDOWS\System32\rdriv.sys]

This is the log of the entire scan.

sysclean:


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/

2005-07-20, 13:37:37, Auto-clean mode specified.
2005-07-20, 13:37:37, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN"...
2005-07-20, 13:40:57, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN" has finished running.
2005-07-20, 13:40:57, TSC Log:
Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: )
Start time : Wed Jul 20 2005 13:37:37
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Owner\Desktop\Sysclean\tsc.ptn" (version 629) [success]
TROJ_ROOTKIT.E[virus found]
-->delete registry key("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Services\rdriv","") success
-->reboot delete file("C:\WINDOWS\System32\rdriv.sys","","") success
Complete time : Wed Jul 20 2005 13:40:23
Execute pattern count(4118), Virus found count(1), Virus clean count(1), Clean failed count(0)
2005-07-20, 13:41:09, An error occurred while scanning file "C:\Documents and Settings\Owner\NTUSER.DAT": Access is denied.
2005-07-20, 13:41:09, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2005-07-20, 13:41:21, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-20, 13:41:21, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-20, 13:44:22, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AVGCC.EXE-36A38F59.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AVGEMC.EXE-361B4758.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AVGINET.EXE-3038B75E.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CSRSS.EXE-39B8819D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CTDVDDET.EXE-002C6B82.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CTHELPER.EXE-11B416D5.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CTSYSVOL.EXE-1D56C447.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EDOWST3.EXE-196293B7.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EM_EXEC.EXE-21B4F4A4.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EXUL1.EXE-0DA91456.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\GTBXP.EXE-38A369C2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IKERNEL.EXE-078AA887.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGI_MWX.EXE-1B741F45.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\MSCONFIG.EXE-35E4DAE9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3603C23A.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-42C4EDF2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-237576F2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP_WM.EXE-20455A8E.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYWAREBLASTER.EXE-20CF1E62.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-16C7D411.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SXE7.TMP-04BA793D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNREGMP2.EXE-075872D2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-00637380.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-023F84BE.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-0588D661.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-21EE8B6F.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-23144010.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-276FE956.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-3624F1B6.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\VSSTATMN8.EXE-390D657D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\VZNETSVC.EXE-1403945D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WINZIP32.EXE-382A5A28.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WINZIP90.EXE-1C9DE248.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WZQKPICK.EXE-303401C3.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\ZLCLIENT.EXE-1C550EB2.pf": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-07-20, 13:51:21, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-07-20, 13:51:21, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-07-20, 13:53:56, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN"...
2005-07-20, 14:03:03, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/20/2005 13:53:56
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 737 (104825 Patterns) (2005/07/19) (273700)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LHSRUCOF\wv[1].ani [TROJ_ANICMOO.K]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SX88VHBC\ws[1].exe [WORM_SDBOT.BBP]
C:\WINDOWS\lsass.exe [WORM_SDBOT.BMB]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XRML32TS\mtrslib2[1].js [JS_DOWNLOAD.D]
C:\WINDOWS\system32\rdriv.sys [TROJ_ROOTKIT.E]
C:\WINDOWS\system32\VSStatmn8.exe [WORM_RBOT.GEN]
14124 files have been read.
14124 files have been checked.
12104 files have been scanned.
17572 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/20/2005 14:03:03
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-20, 14:03:03, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/20/2005 13:53:56
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 737 (104825 Patterns) (2005/07/19) (273700)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean
Success Clean [ TROJ_ANICMOO.K]( 1) from C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LHSRUCOF\wv[1].ani
Success Clean [ WORM_SDBOT.BBP]( 1) from C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SX88VHBC\ws[1].exe
Success Clean [ WORM_SDBOT.BMB]( 1) from C:\WINDOWS\lsass.exe
Success Clean [ JS_DOWNLOAD.D]( 1) from C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XRML32TS\mtrslib2[1].js
Success Clean [ TROJ_ROOTKIT.E]( 1) from C:\WINDOWS\system32\rdriv.sys
Success Clean [ WORM_RBOT.GEN]( 1) from C:\WINDOWS\system32\VSStatmn8.exe
14124 files have been read.
14124 files have been checked.
12104 files have been scanned.
17572 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/20/2005 14:03:03 9 minutes 2 seconds (541.91 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-20, 14:03:03, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/20/2005 13:53:56
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 737 (104825 Patterns) (2005/07/19) (273700)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean
14124 files have been read.
14124 files have been checked.
12104 files have been scanned.
17572 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/20/2005 14:03:03 9 minutes 2 seconds (541.91 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-20, 14:03:03, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN" has finished running.


That's it, I'll be looking forward to your response, thanks.
Gamer Tag: Xaminor
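The question in the post, how to tell whether a file called lsass.exe sits in the right place, can be answered mechanically from the log itself. The following is an added example, not code from the poster or from Trend Micro's Sysclean tooling: it parses the "Files Detected" lines of the VSCANTM log format shown above and flags any entry whose file name is a core Windows binary but whose directory is not that binary's home. On Windows XP the genuine lsass.exe lives in %SystemRoot%\System32, so the post's C:\WINDOWS\lsass.exe is a masquerading indicator independently of the WORM_SDBOT.BMB verdict. The EXPECTED_DIRS table (a handful of well-known names) and the assumption that %SystemRoot% is C:\WINDOWS, as the post's paths suggest, are this example's own; the sample log is constructed from the lines quoted in the post.

```python
"""Flag scan-log detections whose file name masquerades as a core Windows binary.

Added example, not part of the original post or of Trend Micro's Sysclean.
Parses the "Files Detected" section of a VSCANTM-style log and reports files
named like a core Windows XP system binary that live outside that binary's
home directory (e.g. C:\\WINDOWS\\lsass.exe instead of C:\\WINDOWS\\system32\\lsass.exe).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the "Files Detected" lines quoted in the post, bracketed by
# the surrounding non-detection lines so the parser has to skip them.
SAMPLE_LOG = r"""
2005-07-20, 14:03:03, Files Detected:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SX88VHBC\ws[1].exe [WORM_SDBOT.BBP]
C:\WINDOWS\lsass.exe [WORM_SDBOT.BMB]
C:\WINDOWS\system32\rdriv.sys [TROJ_ROOTKIT.E]
C:\WINDOWS\system32\VSStatmn8.exe [WORM_RBOT.GEN]
14124 files have been read.
"""

# Assumption for this example: %SystemRoot% is C:\WINDOWS, as in the post's log.
SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")

# Home directory of a few core Windows XP binaries. Assumed table for this
# example; extend it from a known-good reference system before relying on it.
EXPECTED_DIRS = {
    "lsass.exe": SYSTEM_ROOT / "system32",
    "csrss.exe": SYSTEM_ROOT / "system32",
    "svchost.exe": SYSTEM_ROOT / "system32",
    "explorer.exe": SYSTEM_ROOT,
}

# One detection line: an absolute path, a space, then the detection name in brackets.
# The lazy ".+?" stops at the first " [" so a "[1]" inside the file name is kept.
DETECTION_RE = re.compile(r"^([A-Za-z]:\\.+?) \[([A-Z0-9_.]+)\]$")


def parse_detections(log_text):
    """Return (path, detection_name) pairs for every detection line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((PureWindowsPath(m.group(1)), m.group(2)))
    return hits


def masquerade_verdict(path):
    """Classify one path as 'expected', 'masquerade', or 'not-core'.

    'not-core' means the file name is not in EXPECTED_DIRS, so this check has
    no opinion about it; the AV verdict still stands on its own.
    """
    path = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(path.name.lower())
    if expected is None:
        return "not-core"
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return "expected" if path.parent == expected else "masquerade"


def find_masquerades(log_text):
    """Detections whose name is a core Windows binary living outside its home."""
    return [
        (str(path), name)
        for path, name in parse_detections(log_text)
        if masquerade_verdict(path) == "masquerade"
    ]


if __name__ == "__main__":
    for path, name in find_masquerades(SAMPLE_LOG):
        print(f"masquerading core binary: {path} ({name})")
```

Run against the sample, only C:\WINDOWS\lsass.exe is reported; rdriv.sys and VSStatmn8.exe are not core binary names, so the path check says nothing about them and the scanner's verdict is what matters there. The same directory check applies to a running process list: a process named lsass.exe whose image path is anywhere other than %SystemRoot%\System32 deserves the same attention.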