Should I "allow" or "Deny" Zone Alarm to access the internet for svchost.exe, lasass.exe, csrss.exe, and there are two or so more.


Also Internet Explorer seems to be fairly buggy, and my computer seems to lag a bit.

My specs are 3.0Ghz Pentium 4, 512MB or RAM, and I'm running Windows XP Home Edition.

Basically I need to know if I should have Zone Alarm remember these execs So far I've been denying them and I have viruses that AVG keeps finding.

I just reinstalled Windows if that matters, thanks in advance.

Does anyone here know anything about this? I have viruses AVG keeps finding, and as I delete them they keep reappearing.

Hi,
Yes, you can let the svchost.exe and csrss.exe, but make sure that file is located in Windows\System32 folder. And, for lasass.exe, is this the exact filename? or is it lsass.exe?

But it's a better to scan for any viruses/malwares that may be present. Please download Sysclean Pacakge, create a folder named Sysclean on Desktop, and put the downloaded file to that folder.
Next download the pattern file for Windows OS (pattern file will have a name like lpt731.zip ) and extract the contents of the ZIP file to the same Sysclean folder.

Boot in SAFE Mode.

Next, double-click on the sysclean.com file, and after few seconds, the Sysclean window appears. Here make sure that Automatically clean or delete infected files option is selected. Then click "Scan". After the scan is complete it gives a log, save the log file.


Reboot to normal mode, and post the Sysclean log file.

K thanks.


It's lsass.exe, and how do I make sure it is in the correct directory? This particular executable came up as a virus below apparently, either that or it found a virus, I'm really not sure but the log is all here for you.


First I'll post the TSCDebug info...

TSCDebug:

Debug Information Level=0
BackupRegKey[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
BackupRegKey[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Security]
BackupRegKey[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]
BackupFile[C:\WINDOWS\System32\rdriv.sys]

This is the log of the entire scan.

sysclean:


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/

2005-07-20, 13:37:37, Auto-clean mode specified.
2005-07-20, 13:37:37, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN"...
2005-07-20, 13:40:57, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\TSC.BIN" has finished running.
2005-07-20, 13:40:57, TSC Log:
Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: )
Start time : Wed Jul 20 2005 13:37:37
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Owner\Desktop\Sysclean\tsc.ptn" (version 629) [success]
TROJ_ROOTKIT.E[virus found]
-->delete registry key("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Services\rdriv","") success
-->reboot delete file("C:\WINDOWS\System32\rdriv.sys","","") success
Complete time : Wed Jul 20 2005 13:40:23
Execute pattern count(4118), Virus found count(1), Virus clean count(1), Clean failed count(0)
2005-07-20, 13:41:09, An error occurred while scanning file "C:\Documents and Settings\Owner\NTUSER.DAT": Access is denied.
2005-07-20, 13:41:09, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2005-07-20, 13:41:21, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-20, 13:41:21, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-20, 13:44:22, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AVGCC.EXE-36A38F59.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AVGEMC.EXE-361B4758.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\AVGINET.EXE-3038B75E.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CSRSS.EXE-39B8819D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CTDVDDET.EXE-002C6B82.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CTHELPER.EXE-11B416D5.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\CTSYSVOL.EXE-1D56C447.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EDOWST3.EXE-196293B7.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EM_EXEC.EXE-21B4F4A4.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\EXUL1.EXE-0DA91456.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\GTBXP.EXE-38A369C2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\IKERNEL.EXE-078AA887.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGI_MWX.EXE-1B741F45.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\MSCONFIG.EXE-35E4DAE9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3603C23A.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-42C4EDF2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-237576F2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP_WM.EXE-20455A8E.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYWAREBLASTER.EXE-20CF1E62.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-16C7D411.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\SXE7.TMP-04BA793D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UNREGMP2.EXE-075872D2.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-00637380.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-023F84BE.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-0588D661.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-21EE8B6F.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-23144010.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-276FE956.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-3624F1B6.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\VSSTATMN8.EXE-390D657D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\VZNETSVC.EXE-1403945D.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WINZIP32.EXE-382A5A28.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WINZIP90.EXE-1C9DE248.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\WZQKPICK.EXE-303401C3.pf": Access is denied.
2005-07-20, 13:48:10, Could not set file for reading on "C:\WINDOWS\Prefetch\ZLCLIENT.EXE-1C550EB2.pf": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-07-20, 13:51:18, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-07-20, 13:51:21, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-07-20, 13:51:21, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-07-20, 13:53:56, Running scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN"...
2005-07-20, 14:03:03, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/20/2005 13:53:56
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 737 (104825 Patterns) (2005/07/19) (273700)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LHSRUCOF\wv[1].ani [TROJ_ANICMOO.K]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SX88VHBC\ws[1].exe [WORM_SDBOT.BBP]
C:\WINDOWS\lsass.exe [WORM_SDBOT.BMB]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XRML32TS\mtrslib2[1].js [JS_DOWNLOAD.D]
C:\WINDOWS\system32\rdriv.sys [TROJ_ROOTKIT.E]
C:\WINDOWS\system32\VSStatmn8.exe [WORM_RBOT.GEN]
14124 files have been read.
14124 files have been checked.
12104 files have been scanned.
17572 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/20/2005 14:03:03
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-20, 14:03:03, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/20/2005 13:53:56
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 737 (104825 Patterns) (2005/07/19) (273700)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean
Success Clean [ TROJ_ANICMOO.K]( 1) from C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LHSRUCOF\wv[1].ani
Success Clean [ WORM_SDBOT.BBP]( 1) from C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SX88VHBC\ws[1].exe
Success Clean [ WORM_SDBOT.BMB]( 1) from C:\WINDOWS\lsass.exe
Success Clean [ JS_DOWNLOAD.D]( 1) from C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XRML32TS\mtrslib2[1].js
Success Clean [ TROJ_ROOTKIT.E]( 1) from C:\WINDOWS\system32\rdriv.sys
Success Clean [ WORM_RBOT.GEN]( 1) from C:\WINDOWS\system32\VSStatmn8.exe
14124 files have been read.
14124 files have been checked.
12104 files have been scanned.
17572 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/20/2005 14:03:03 9 minutes 2 seconds (541.91 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-20, 14:03:03, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/20/2005 13:53:56
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 737 (104825 Patterns) (2005/07/19) (273700)
Command Line: C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\Sysclean
14124 files have been read.
14124 files have been checked.
12104 files have been scanned.
17572 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/20/2005 14:03:03 9 minutes 2 seconds (541.91 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-20, 14:03:03, Scanner "C:\Documents and Settings\Owner\Desktop\Sysclean\VSCANTM.BIN" has finished running.


That's it, I'll be looking forward to your response, thanks.

Hi,
Yes, in your case, it was a virus. The genuine lsass will be located in C:\windows\System32 folder.


Download CleanUp! and install it.Run CleanUp!, click "Options" button, move the "Quick Setup" slider to "Thorough CleanUp!" and click "Yes" for the warning message and exit from Options.
Click "CleanUp!" to start cleaning. After cleaning, click "Close", and choose "No" to avoid the restart.


Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file.

After this, restart the PC, scan with your AVG AntiVirus, and post back whether it detects any viruses or not.
Also, post whether ZoneAlarm is asking for permission to allow some processes to connect to Internet, along with this please post the Ewido log file.

K, thanks. I did all of the above, when I ran AVG (full system scan) no viruses were found.

One more thing please. When I run Spybot it finds a virus that needs to be deleted at system reboot, but even when Spybot starts at reboot it can't delete the virus.

Also, is there any way to have ewido not remove my "favorites?"

Edit:

One more thing please.

When I ran Ad-Aware SE, after all of the above, this message appeared.

http://img.photobucket.com/albums/v1...w/untitled.jpg

^^^^

Can you post the name of the spyware it is detecting?

There is no direct method to stops Ewido from scanning in the "Favorites". You have to choose the option "None" when it pops up the warning message when it finds anything inside the "Favorites" folder. Also, make sure that you uncheck the option "Perform action with all the infection".

The detected is present in the XP's System Restore Folder. When XP takes a snaphot of the System for the restore purposes, it copies all the files in the folder named System Volume Information, but these files are suitably renamed. When AdAware scanned that file, which was originally a SDBot Virus file, AVG's background scanner picked it up.
Since these files are renamed, they should not pose any threat now, but when you do the System Restore, these files are restored back to their orignal locations with their original filenames, then you would have problem.

You can all the delete the Restore Points except the latest one by doing this, double-click on the "My Computer" and then right-click on the C:\ Drive icon, and click "Properties". Then click "Disk CleanUp". Here click "More Options" tab, and click "Cleanup.." button in the "System Restore" option box and choose "Yes" to delete older Restore Points.

ISearchTech.SideFind is what Spybot finds that can't be removed, even on reboot. Thanks, you're really good at this.

Hi,
Please download FxIstbar, removal tool from Symantec. Close all other running programs, and double-click on the FxIstbar file. Then click "Start" to start the scan.

When the scan is finished, reboot the PC, and perform a scan using SpyBot SnD.
Check whether it detects anything or not. If it detects SideFind ( or any other thing ), fix it. Then click Tools button in the left pane. Here click "View Report" button. Here check all items except "Do not report disabled or legitimate items" option, and click "View Report". When the report is diaplayed, click "Export" and save it.
Open the saved report file in NotePad, and post it's contents here.