Computer Malware problem... lsass.exe taking 50-60CPU


Post by makem2203 » April 15th, 2011, 5:23 pm

Hello..

My secondary computer seems to have some sort of virus...

After turning the computer on.. I realised a sudden change of speed on the computer. I Alt+Ctrl+Dlt'd into Task Manager and saw that a process called "lsass.exe" was constantly in the range of 50-60 CPU. This was very abnormal as it is just the Local Security Authentication Server, which with some research.. I later discovered that there is also a virus about that 'copies' this and uses this process to run undetected.. http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

After discovering this.. I rebooted into Safe Mode and ran a 'MalwareBytes' scan. It found 3 trojan downloaders. I then removed these and rebooted.

After which, nothing had changed... So I booted back into safe mode and ran again.. the three trojans had reappeared!

So, I then thought of going to the source of the problem.. so I searched on the computer (including hidden files and folders) for "lsass.exe". It returned three results.

One was situated in the original "windows/system32" folder.
Another, "windows/servicepack/xxxnumbers"
and another at a similar directory.

I removed the last two as the first one was in the original Windows file location. Rebooted (not in safe mode) and it appeared to be running more quickly. However, after I Alt+Ctrl+Dlt'd back into Task Manager the "lsass.exe" was back up and running at 50-60 CPU which was of course now maxing the CPU on the computer....

So yeah... after this I ran another MalwareBytes virus scan and it came back clean this time...

So this is where I am now... not sure what is causing this instability...

I have also noticed.. a lot of "IEXPLORE.exe's" running at once.. not sure what this is related to.. but worth a check?

------------------------------
Update- I researched a bit.. and found that the 'sasser worm' is related to the process "lsass.exe" and downloaded this removal tool developed by Symantec. http://www.symantec.com/security_response/writeup.jsp?docid=2004-050114-1706-99

Ran this, and it came back that I didn't have the worm.. so who knows what is causing this.. :S

------------------------------

Below are the logs that were requested. In the following order: DDS>Attach


.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Administrator at 21:31:16.70 on 15/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.270 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\WINDOWS\Explorer.EXE
c:\program files\teamviewer\version6\TeamViewer.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\Documents and Settings\Denise PC\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\wusshbuy\fbkfreep.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [ToUcamVProperty] c:\program files\philips toucam camera\VProperty.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 5882233843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R? camvid20;Philips ToUcam Camera; Video
R? PhTVTune;ASUS WDM TV Tuner
S? TeamViewer6;TeamViewer 6
.
=============== Created Last 30 ================
.
2011-04-15 19:26:41 -------- d-----w- c:\docume~1\admini~1.den\applic~1\Malwarebytes
2011-04-15 19:14:41 184691 ----a-w- c:\program files\mozilla firefox\firefoxmgr.exe
2011-04-15 19:14:40 184691 ----a-w- c:\windows\system32\wuaucltmgr.exe
2011-04-15 19:04:34 -------- d-sh--w- c:\documents and settings\administrator.denise\IETldCache
2011-04-15 18:56:49 2396 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-15 18:55:54 184691 ----a-w- c:\windows\system32\wbem\WMIADAPmgr.exe
2011-04-15 17:07:13 184691 ----a-w- c:\windows\system32\wbem\wmiprvsemgr.exe
2011-04-15 17:06:20 184691 ----a-w- c:\windows\system32\algmgr.exe
2011-04-15 17:05:58 184691 ----a-w- c:\windows\system32\userinitmgr.exe
2011-04-15 17:05:54 184691 ----a-w- c:\program files\internet explorer\IEXPLOREmgr.exe
2011-04-15 17:05:53 184691 ----a-w- c:\windows\system32\logonuimgr.exe
2011-04-15 17:05:52 184691 ----a-w- c:\windows\system32\svchostmgr.exe
2011-04-15 17:05:51 184691 ----a-w- c:\windows\system32\servicesmgr.exe
2011-04-15 17:05:51 184691 ----a-w- c:\windows\system32\lsassmgr.exe
2011-04-15 17:04:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-15 17:04:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-14 17:52:25 -------- d-----w- c:\program files\wusshbuy
2011-04-14 16:23:53 200704 --sha-r- c:\windows\system32\stobjecth.dll
2011-04-14 15:58:30 -------- d-----w- c:\program files\common files\eSellerate
2011-04-14 15:50:21 -------- d-----w- c:\windows\ie8updates
2011-04-14 15:49:59 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-14 15:49:57 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-14 15:49:57 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-14 15:49:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-14 15:49:56 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-14 15:49:56 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-14 15:49:56 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 15:48:31 -------- dc-h--w- c:\windows\ie8
2011-04-14 15:44:28 -------- d-----w- c:\program files\Microsoft
2011-04-14 15:44:05 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-04-14 15:41:09 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc4E.tmp
2011-04-14 12:13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 12:13:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-14 12:13:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 12:07:35 781272 ------w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-14 12:07:35 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-14 12:07:35 1874904 ------w- c:\program files\mozilla firefox\mozjs.dll
2011-04-14 12:07:35 15832 ------w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-14 12:07:35 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-14 12:07:34 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-14 12:07:34 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-14 12:07:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 11:59:33 719832 ------w- c:\program files\mozilla firefox\mozcpp19.dll
2011-04-14 11:59:33 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-04-14 11:51:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 11:51:36 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-14 11:41:31 -------- d-----w- c:\program files\TeamViewer
.
==================== Find3M ====================
.
2011-02-02 18:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 21:36:41.51 ===============

/
/
/ Page Breaker: Attach
/
/

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/07/2008 17:34:41
System Uptime: 15/04/2011 21:05:44 (0 hours ago)
.
Motherboard: NEC COMPUTERS INTERNATIONAL | | GA-8I915PM
Processor: Intel(R) Pentium(R) 4 CPU 2.93GHz | Socket 775 | 2926/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 128.561 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Reader 6.0
ATI Display Driver
High Definition Audio Driver Package - KB835221
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Java 2 Runtime Environment, SE v1.4.2_04
Java Auto Updater
Java(TM) 6 Update 24
Java(TM) 6 Update 7
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox 4.0 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Philips ToUcam Pro Camera
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Segoe UI
Sonic MyDVD
Sonic RecordNow!
TeamViewer 6
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
.
==== End Of File ===========================

Well.. that's all I have to share at this moment.. I won't do anything more on the computer until instructed to do so by a helper on these forums :)

Thanks for reading my topic, it is much appreciated!!

Best regards,

Makem.

P.S. Going to download Avaster free anti-virus and run a scan... was suggested to use this free software by a good friend... hopefully I can save you guys some time! :?

--

Update- 02:44 am 16/04/2011
Avaster apparently found over 2000 infected files, my friend called... I told him this and he said I should pull the ethernet cable asap.. as he thinks the virus is constantly downloading more viruses... So I did this... shortly after "Avaster!" crashed.. and gave me the option to only close the program. I have turned it off... getting a headache from this bliddy machine!!

Hope this helps? (Not sure how though... lol. Also... I'd like to know if I am to run new software on the machine how will I get it on it? As, it's no longer in my network, so I can't transfer files from my main to it.. nor can I use USB as I'm sure that will get infected too...)

Thanks again for any help!! :cry:
makem2203
Regular Member
 
Posts: 85
Joined: June 7th, 2008, 1:44 pm
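As an added example that is not part of this post or of any MalwareRemoval.com tool, the Python below triages a DDS-style excerpt for the three indicators visible in the log above: a second program chained onto the Winlogon Userinit value, a cluster of newly created .exe files sharing one byte size under look-alike system names, and a system-process filename found outside System32 and outside Windows' own cache folders. The excerpt is copied from the posted log; the SAMPLE_FILES paths, the function names and the allowlist of cache folders are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt: a handful of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\wusshbuy\fbkfreep.exe,
=============== Created Last 30 ================
2011-04-15 19:14:41 184691 ----a-w- c:\program files\mozilla firefox\firefoxmgr.exe
2011-04-15 19:14:40 184691 ----a-w- c:\windows\system32\wuaucltmgr.exe
2011-04-15 18:56:49 2396 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-15 17:05:52 184691 ----a-w- c:\windows\system32\svchostmgr.exe
2011-04-15 17:05:51 184691 ----a-w- c:\windows\system32\servicesmgr.exe
2011-04-15 17:05:51 184691 ----a-w- c:\windows\system32\lsassmgr.exe
2011-04-14 17:52:25 -------- d-----w- c:\program files\wusshbuy
"""

# Constructed paths standing in for the three lsass.exe copies the poster's search found
# (the poster's exact second and third paths are not given in the thread).
SAMPLE_FILES = [
    r"c:\windows\system32\lsass.exe",               # the genuine binary
    r"c:\windows\servicepackfiles\i386\lsass.exe",  # Windows' own service-pack cache copy
    r"c:\windows\temp\lsass.exe",                   # constructed: no legitimate reason to be here
]

USERINIT_RE = re.compile(r"Userinit=(.*)$", re.IGNORECASE)
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+)$")
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe", "userinit.exe"}
# XP keeps protected copies of system binaries here; a system-named file in these is expected.
KNOWN_COPY_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")


def check_userinit(log):
    """Return every program chained onto the Winlogon Userinit value besides userinit.exe.
    Anything listed there is launched at each interactive logon, which is how the
    wusshbuy\\fbkfreep.exe entry in the posted log survives reboots and rescans."""
    for line in log.splitlines():
        m = USERINIT_RE.search(line)
        if m:
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            return [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return []


def parse_created(log):
    """Parse 'Created Last 30' rows into (timestamp, size, attrs, path), skipping directories."""
    rows = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m.group(2).startswith("-"):  # '--------' in the size column marks a directory
            continue
        rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                     int(m.group(2)), m.group(3), m.group(4).strip()))
    return rows


def find_size_clusters(rows, min_count=3):
    """Group newly created .exe files by exact byte size. Several identical-size binaries
    dropped under look-alike names (lsassmgr.exe, svchostmgr.exe, ...) are usually one
    payload copied many times, which is the pattern in the posted log."""
    by_size = defaultdict(list)
    for _ts, size, _attrs, path in rows:
        if path.lower().endswith(".exe"):
            by_size[size].append(path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def check_system_names(paths):
    """Flag files that carry a core system-process name but sit outside System32 and
    outside the known Windows cache directories (a copy there is not evidence of infection)."""
    flagged = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        name = low.rsplit("\\", 1)[-1]
        if name not in SYSTEM_NAMES:
            continue
        if low.startswith("c:\\windows\\system32\\") and low.count("\\") == 3:
            continue  # the expected location of the real binary
        if any(d in low for d in KNOWN_COPY_DIRS):
            continue
        flagged.append(p)
    return flagged


def triage(log, extra_paths=()):
    """Run all three checks over a log excerpt plus any extra file paths found by hand."""
    rows = parse_created(log)
    return {
        "userinit_extras": check_userinit(log),
        "same_size_exe_clusters": find_size_clusters(rows),
        "misplaced_system_names": check_system_names([r[3] for r in rows] + list(extra_paths)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

The same-size cluster check is the one that catches the posted log: five *mgr.exe files of exactly 184691 bytes, written seconds apart, which no single Malwarebytes pass would tie together.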

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Post by Scolabar » April 17th, 2011, 1:06 pm

Hi makem2203,

Firstly, welcome to the Malware Removal Forum. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.

I am currently working under the guidance of the MRU teachers; everything I post to you will need to be reviewed by them.
This additional review process can add some extra time to my responses, but hopefully not too much.
;)

Please note the following important guidelines before proceeding:
  1. The instructions that will be provided are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
  3. Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  4. Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
    Absence of symptoms does not necessarily mean that everything is clear.
  5. DO NOT run any other fix or removal tools unless instructed to do so!
  6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  7. Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Please Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Post by makem2203 » April 17th, 2011, 5:25 pm

Hello Scolabar!!

Thank you ever so much for helping me with this issue.

I have backed up the files my mother wanted to keep. (A folder of pictures :P )

Although, I just put it on my USB stick. As I do not have the Windows install disk to install that backup software. I am now ready to do anything you instruct :)


I also removed Internet Explorer from the computer. The 5-6 odd processes called "IExplore.exe" have gone. However, now there are roughly the same number of processes called "Firefox.exe". So... I guess uninstalling IE8 didn't actually do anything... :S

Thanks again,

Makem.
makem2203
Regular Member
 
Posts: 85
Joined: June 7th, 2008, 1:44 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Post by Scolabar » April 18th, 2011, 6:21 am

Hi Makem,

I am just letting you know that I am awaiting a reply from a Teacher here at MWR and now have to travel north.
The earliest I will be able to come back to you will be 7:00pm (UK time) this evening. I apologise for the delay.

In the meantime, please can I ask you to refrain from any further installations or deletions as advised in my earlier post as doing so will lead to the research and cleanup process taking longer.

Thank you again for your patience. :)

Scolabar
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Post by Scolabar » April 18th, 2011, 3:22 pm

Hi makem2203,

Thank you again for your patience. :)

Please follow the instructions carefully below and post back the requested logs:

Step 1:
ATF Cleaner

Please download ATF Cleaner by Atribune. Alternative download site: here.
This program is for XP and Windows 2000 only! It does not require any installation and uses minimal system resources.
It is set up to clean IE, Firefox and Opera, detecting the browsers you have and graying out the other(s).

  1. Double-click ATF-Cleaner.exe to run the program.
  2. Under the Main tab choose Select All.
    Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  3. Click on the Empty Selected button.
      If you use the Firefox web browser:
    • Click on the Firefox tab and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS.
    • Click on the Empty Selected button.
      Note: If you would like to keep your saved passwords, please click on No at the prompt.
      If you use the Opera web browser:
    • Click on the Opera tab and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS.
    • Click on the Empty Selected button.
      Note: If you would like to keep your cookies and saved passwords, please click on No at the prompt.
  4. Reply OK to the total bytes removed box, then click Exit on the Main menu to close the program.

Step 2:
ESET NOD32 Online Scan

Please Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted. Then double-click on it to install.

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner - © ESET All Rights Reserved ... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Click on the ESET Online Scanner button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click Start.
    A window will open. It may appear nothing is happening, but please be patient.
  3. Click Yes to the run ActiveX prompt.
  4. Click Install at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  5. Click on the Start button.
    Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are. If not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  6. Click on the Start button.
    ESET scanner will begin to download the virus signatures database. When the signatures have been downloaded, the scan will start automatically.
  7. Wait for the scan to finish. It may take a while but, again, please be patient. When the scan is finished:
  8. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
  9. Copy and Paste the entire contents of log.txt into your next reply.

Remember to re-enable your Anti-virus protection before continuing!

Step 3:
MGA Diagnostics

  1. Please download this tool from Microsoft and Save it to your Desktop.
  2. Double-click on the MGADiag.exe icon to launch the program.
    If you receive an Open file Security Warning click on the Run button.
  3. Click on the Continue button to proceed.
  4. The program will now run. It will take a short while to complete its diagnosis, please be patient.
  5. When it has finished click on the Copy button.
  6. Open Notepad by clicking Start > Run, type in Notepad then click OK.
  7. Paste the copied contents into the new Notepad window and Save the file as mgadiag.txt to your Desktop.
  8. Click on the OK button to exit the MGA Diagnostics program.
  9. Then Copy and Paste the entire contents of mgadiag.txt into your next reply.

Step 4:
Security Check

  1. Please download Security Check by screen317 and Save it to your Desktop.
    Alternate download site: Link 2
  2. Double-click on the SecurityCheck.exe icon to run the program.
    If you receive an Open file Security Warning click the Run button.
  3. Press the Space Bar when you see the Press any key to continue... message.
    Please Note: This scan will take a short while to complete, so please be patient.
  4. When the scan has completed, a Notepad file will automatically open called checkup.txt.
  5. Save the file checkup.txt to your Desktop.
    Please Note: This output file is NOT automatically saved!
  6. Then Copy and Paste the entire contents of the checkup.txt file into your next reply.

Step 5:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. log.txt.
  3. mgadiag.txt.
  4. checkup.txt.
  5. Do you have the original Windows installation media for your PC?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Post by makem2203 » April 18th, 2011, 5:40 pm

Hello, I am replying to your instructions given.

Did you have any problems carrying out the instructions?
Yes. When trying to access the "ESET NOD32 Online Scan" via Firefox it did not load, nor show anything. (just a white page, even tried refreshing the page). I then rebooted the machine into safe mode and tried again. I got the same result. White page and didn't load. I also tried Internet Explorer and got the same result.. so I was unable to do step 3

log.txt.
Don't have this, as I couldn't run an "ESET NOD32 Online Scan".

mgadiag.txt.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BFDCC-3BMCY-QGWPD
Windows Product Key Hash: 8dFTlxbCDMH7eCGI/GjBzGT53UI=
Windows Product ID: 55277-OEM-2111907-00109
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {6C255EAB-AF41-4DB7-AA08-29C1BA13D0D3}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6C255EAB-AF41-4DB7-AA08-29C1BA13D0D3}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QGWPD</PKey><PID>55277-OEM-2111907-00109</PID><PIDType>2</PIDType><SID>S-1-5-21-3857089970-3337059838-2822255370</SID><SYSTEM><Manufacturer>Packard Bell NEC</Manufacturer><Model>00000000000000000000000</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>10t</Version><SMBIOSVersion major="2" minor="3"/><Date>20040909000000.000000+000</Date><SLPBIOS>NECc_,NECC1,NEC-PC</SLPBIOS></BIOS><HWID>F1213E8701844053</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Packard Bell</name><model>Packard Bell Computer</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>250D487BA4AA068</Val><Hash>uzaKSn1rq+U23j3kSxGcyZcE3MY=</Hash><Pid>70141-052-4564871-56203</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 101AA:Packard Bell B.V|101AA:Packard Bell B.V|1FA67:Packard Bell B.V|1FA67:Packard Bell B.V|14420:SYNNEX TECHNOLOGY INTERNATIONAL CORP|14420:SYNNEX TECHNOLOGY INTERNATIONAL CORP|14420:SYNNEX TECHNOLOGY INTERNATIONAL CORP
Marker string from OEMBIOS.DAT: NECc_,NECC1,NEC-PC

OEM Activation 2.0 Data-->
N/A


checkup.txt.

(I ran this during safe mode, so I hope that wouldn't affect it?)

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Free Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 24
Java(TM) 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_04
Out of date Java installed!
Adobe Flash Player 10.2.153.1
Adobe Reader 6.0
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Do you have the original Windows installation media for your PC?

If by this you are referring to the Windows installation disk, I don't. I bought this computer from a store some 5-6 years ago... it was a pre-built computer. (However I do still have the CD-Key for the Windows XP operating system, as it's stuck to the side of the case).

Thanks again for all your help!

regards,

Makem.
makem2203
Regular Member
 
Posts: 85
Joined: June 7th, 2008, 1:44 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby Scolabar » April 20th, 2011, 5:26 am

Hi makem2203,

Thank you for the update and log files. :thumbright:

Let's see if we can make some headway using the following steps:

Step 1:
Rkill

Firstly we will try to stop any active rogue processes that may interfere with the cleanup attempt:

  1. Please download Rkill by Grinler. Save it to your Desktop.
    Alternate download links are available as follows: Two, Three or Four.
    Note: If your security software warns about Rkill, please ignore and allow the download to continue.
  2. Double-click on the Rkill Desktop icon.
  3. A command window will open then disappear upon completion, this is normal.
    • If this does not happen, delete the file, then download and use the next alternative link provided.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    Do not reboot your machine until asked to do so. If no version of Rkill would run, please let me know.
  4. When finished, Notepad will open with a log file, automatically saved at C:\rkill.log.
  5. Copy and Paste the entire contents of the rkill.log file into your next reply.
    Note: Please leave Rkill on the Desktop unless instructed otherwise.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.

Step 2:
Uninstall Old Java RE Versions

Please remove the rogue programs using the instructions below:

  1. Select Start > Control Panel > Add/Remove Programs.
  2. Scroll down the list of installed programs and select the following program:

      Java 2 Runtime Environment, SE v1.4.2_04
      Java(TM) 6 Update 7

  3. Click on the Remove button to uninstall the program.
  4. Click on the Yes button at the prompt.
  5. Close the Add/Remove Programs control panel when the removals have been completed.

Step 3:
ComboFix

Now let's try and run the ComboFix tool:

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

If you have previously downloaded ComboFix please delete that version and download it again. This tool is frequently updated.

  1. Please download ImageComboFix.exe by © sUBs and save it to your Desktop. <<--- IMPORTANT!!
    Alternate download sites are available: here or here.
  2. Please disable any Anti-Virus, Anti-Spyware and Firewall programs you have active, as shown in this topic. Please close all open application windows.
    Note: ** Only ** when the above two items in Step 2 have been dealt with should you proceed with the following steps:
  3. Double-click on Combofix.exe to start the program. If you receive the "Open File - Security Warning" message click on the Run button.
  4. Reply Yes to the Disclaimer prompt.
    The ComboFix program screen will appear indicating the program is preparing to run. ComboFix will then begin creating a System Restore Point and then back up your Registry.
  5. If not already installed reply Yes to the Install Recovery Console prompt.
  6. Reply Yes to the Recovery Console installation results prompt and even if unsuccessful please allow ComboFix to continue the scan.
    Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
  7. ComboFix will disconnect you from the Internet, may cause your desktop to disappear and also change your clock settings. This is normal, so please don't worry. They will be restored when finished. The ComboFix window data will update as the various "Stages" are completed.
    ComboFix disables the autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
  8. When the program has finished ComboFix will produce a log file called log.txt which will automatically open in Notepad.
  9. Please Copy and Paste the entire contents of the log.txt file into your next reply.

** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 4:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. rkill.log.
  3. log.txt.

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby makem2203 » April 20th, 2011, 5:39 pm

Hello! Thank you for helping me! :mrgreen:

Did you have any problems carrying out the instructions?
Yes.... While trying to uninstall "Java(TM) 6 Update 7" via Add/Remove Programs it gave me the following error: http://img132.imageshack.us/i/errorap.png/

rkill.log.
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 20/04/2011 at 22:05:40.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 20/04/2011 at 22:06:01.

log.txt.

ComboFix 11-04-20.01 - Denise PC 20/04/2011 22:18:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.182 [GMT 1:00]
Running from: c:\documents and settings\Denise PC\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\IEXPLOREmgr.exe
c:\windows\system32\rundll32mgr.exe
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-18 21:22 . 2011-04-18 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-17 20:04 . 2011-04-17 20:04 184691 ----a-w- c:\windows\system32\logonmgr.exe
2011-04-17 19:47 . 2011-04-17 19:47 184691 ----a-w- c:\windows\regeditmgr.exe
2011-04-17 19:25 . 2011-04-17 20:27 184691 ----a-w- c:\windows\system32\verclsidmgr.exe
2011-04-16 21:48 . 2011-04-16 21:48 184691 ----a-w- c:\windows\Explorermgr.exe
2011-04-15 22:21 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-15 22:21 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-15 22:21 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-15 22:21 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-15 22:21 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-15 22:21 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-15 22:21 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-15 22:21 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-15 22:19 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-15 22:19 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-15 21:43 . 2011-04-15 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-15 21:43 . 2011-04-15 21:43 -------- d-----w- c:\program files\AVAST Software
2011-04-15 19:14 . 2011-04-18 20:56 184691 ----a-w- c:\program files\Mozilla Firefox\firefoxmgr.exe
2011-04-15 19:14 . 2011-04-16 00:14 184691 ----a-w- c:\windows\system32\wuaucltmgr.exe
2011-04-15 18:56 . 2011-04-15 18:56 2396 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-15 18:55 . 2011-04-15 18:55 184691 ----a-w- c:\windows\system32\wbem\WMIADAPmgr.exe
2011-04-15 17:07 . 2011-04-15 17:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-15 17:07 . 2011-04-18 20:53 184691 ----a-w- c:\windows\system32\wbem\wmiprvsemgr.exe
2011-04-15 17:06 . 2011-04-18 20:53 184691 ----a-w- c:\windows\system32\algmgr.exe
2011-04-15 17:05 . 2011-04-17 19:21 184691 ----a-w- c:\windows\system32\userinitmgr.exe
2011-04-15 17:05 . 2011-04-18 20:52 184691 ----a-w- c:\windows\system32\logonuimgr.exe
2011-04-15 17:05 . 2011-04-18 20:52 184691 ----a-w- c:\windows\system32\svchostmgr.exe
2011-04-15 17:05 . 2011-04-18 20:52 184691 ----a-w- c:\windows\system32\servicesmgr.exe
2011-04-15 17:05 . 2011-04-18 20:52 184691 ----a-w- c:\windows\system32\lsassmgr.exe
2011-04-15 17:04 . 2011-04-15 17:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-15 13:06 . 2011-04-15 16:56 -------- d-s---w- c:\documents and settings\Administrator
2011-04-14 20:46 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-04-14 20:46 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-04-14 20:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2011-04-14 17:52 . 2011-04-14 17:52 -------- d-----w- c:\program files\wusshbuy
2011-04-14 16:32 . 2011-04-14 16:32 -------- d-sh--w- c:\documents and settings\Denise PC\IECompatCache
2011-04-14 16:28 . 2011-04-14 16:28 -------- d-sh--w- c:\documents and settings\Denise PC\PrivacIE
2011-04-14 16:23 . 2011-04-14 16:23 200704 --sha-r- c:\windows\system32\stobjecth.dll
2011-04-14 16:10 . 2011-04-14 16:10 -------- d-----w- c:\documents and settings\Denise PC\Application Data\Skype
2011-04-14 15:58 . 2011-04-14 15:58 -------- d-----w- c:\program files\Common Files\eSellerate
2011-04-14 15:57 . 2011-04-14 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-14 15:56 . 2011-04-14 16:25 -------- d-----w- c:\documents and settings\Denise PC\Application Data\AmiPic ShareMaster
2011-04-14 15:52 . 2011-04-14 15:52 -------- d-sh--w- c:\documents and settings\Denise PC\IETldCache
2011-04-14 15:50 . 2011-04-16 21:47 -------- d-----w- c:\windows\ie8updates
2011-04-14 15:49 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-14 15:49 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-14 15:49 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-14 15:49 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-14 15:49 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-14 15:49 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 15:49 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-14 15:48 . 2009-09-25 05:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-04-14 15:48 . 2009-09-25 05:56 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2011-04-14 15:48 . 2004-08-04 07:56 848384 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\vgx.dll
2011-04-14 15:48 . 2004-08-04 07:56 38912 ----a-w- c:\program files\Internet Explorer\hmmapi.dll
2011-04-14 15:47 . 2011-04-20 20:50 -------- d-----w- c:\documents and settings\Denise PC\Tracing
2011-04-14 15:44 . 2011-04-14 15:44 -------- d-----w- c:\program files\Microsoft
2011-04-14 15:44 . 2011-04-14 15:44 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-04-14 15:41 . 2011-04-14 15:41 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc4E.tmp
2011-04-14 12:13 . 2011-04-14 12:13 -------- d-----w- c:\documents and settings\Denise PC\Application Data\Malwarebytes
2011-04-14 12:13 . 2011-04-14 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-14 12:13 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 12:13 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 12:07 . 2011-04-14 12:07 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-14 12:07 . 2011-04-14 12:07 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-14 12:07 . 2011-04-14 12:07 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-14 12:07 . 2011-04-14 12:07 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-14 12:07 . 2011-04-14 12:07 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-14 12:07 . 2011-04-14 12:07 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-14 11:59 . 2011-04-14 12:07 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-14 11:59 . 2011-04-14 12:07 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-14 11:51 . 2011-02-02 20:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-14 11:51 . 2011-02-02 20:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 11:41 . 2011-04-14 11:41 -------- d-----w- c:\program files\TeamViewer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 20:10 . 2011-04-17 20:10 184691 ----a-w- c:\windows\pchealth\HelpCtr\Binaries\HelpSvcmgr.exe
2011-02-02 18:19 . 2008-07-12 17:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" [2004-08-12 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-12 2551808]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/04/2011 23:21 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15/04/2011 23:21 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/04/2011 23:21 19544]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [15/04/2011 10:43 2280312]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [23/09/2008 15:22 223232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TEAMVIEWER6
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Denise PC\Application Data\Mozilla\Firefox\Profiles\iwoxmz17.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TBXQRHV4KR - c:\windows\Txavya.exe
HKLM-Run-ToUcamVProperty - c:\program files\Philips ToUcam Camera\VProperty.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-AOL Connectivity Services - c:\progra~1\COMMON~1\AOL\ACS\AcsUninstall.exe
AddRemove-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE
AddRemove-AOLCoach uk - c:\program files\Common Files\aolshare\Coach\AolCInUn.exe
AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 22:25
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ToUcamVProperty = c:\program files\Philips ToUcam Camera\VProperty.exe??U?c?a?m? ?C?a?m?e?r?a?\?V?P?r?o?p?e?r?t?y?.?e?x?e???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
.
c:\documents and settings\Denise PC\Start Menu\Programs\Startup\fbkfreep.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-04-20 22:28:35
ComboFix-quarantined-files.txt 2011-04-20 21:28
.
Pre-Run: 135,635,255,296 bytes free
Post-Run: 135,602,483,200 bytes free
.
- - End Of File - - FB83DCDAE5C2D7F4113A56C943EA6729
makem2203
Regular Member
 
Posts: 85
Joined: June 7th, 2008, 1:44 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby Scolabar » April 21st, 2011, 5:41 pm

Hi makem2203,

Thank you again for the logs and the feedback. :thumbright:
Don't worry about the Java Runtime Environment for the moment. We'll deal with that later. ;)
Let's see if we can get rid of the remaining visible malware.

Step 1:
ERUNT - Emergency Recovery Utility NT

First we will try to back up the Registry with ERUNT:

Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
ERUNT (Emergency Recovery Utility NT) by Lars Hederer is a free program that allows you to create a complete backup of your registry and restore it when needed.

  1. Please download ERUNT and save it to your Desktop.
    Note: VISTA users must right-click on erunt-setup-exe and select "Run As Administrator" to run the installation process.
  2. Double-click on erunt-setup-exe to run the installation process.
    Note: If the Open File - Security Warning window pops up, click on the Run button.
  3. Install ERUNT by following the prompts using the default installation settings.
  4. Make sure the first two check boxes Create ERUNT desktop icon and Create NTREGOPT desktop icon are checked.
  5. When you reach the section that asks you to add ERUNT to the Start-Up folder click on the No button. This can be enabled later, if required.
  6. In the final screen make sure the Show documentation option is unchecked. Then click on the Finish button.
  7. Click on the OK button in the Welcome! screen.
  8. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
  9. Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
  10. Click on the Yes button to allow the folder to be created.
    After a short duration the Registry backup is complete! pop-up message will appear.
  11. Now click on OK. A registry backup has now been created.

< STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

Step 2:
TFC

  1. Please download TFC.exe by Old Timer. Save it to your Desktop.
    Print these instructions. Save any unsaved work. TFC will close ALL open programs including your browser!
  2. Double-click on TFC.exe to run it.
  3. TFC will now begin cleaning up the "temp" files.
    Note: This process may take only a few seconds or it could take several minutes, depending on the amount of temp files found.
  4. If prompted to reboot, click on the Yes button to confirm.

! IMPORTANT ! If TFC prompts you to reboot, please do so immediately, before proceeding with any other steps or other use of your computer.

Step 3:
ComboFix - CFScript

WARNING!
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System thereby preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Click on Start > Run.
  2. In the text entry box type:
      Notepad
  3. Then click on the OK button.
  4. This will open an empty Notepad file.
  5. Copy and Paste the contents of the box below into the Notepad window:
    Code:
    http://www.malwareremoval.com/forum/viewtopic.php?p=576119#p576119
    
    KillAll::
    
    DDS::
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\wusshbuy\fbkfreep.exe,
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    
    Collect::
    c:\documents and settings\Denise PC\Start Menu\Programs\Startup\fbkfreep.exe
    c:\windows\system32\logonmgr.exe
    c:\windows\regeditmgr.exe
    c:\windows\system32\verclsidmgr.exe
    c:\windows\Explorermgr.exe
    c:\program files\Mozilla Firefox\firefoxmgr.exe
    c:\windows\system32\wuaucltmgr.exe
    c:\windows\system32\wbem\WMIADAPmgr.exe
    c:\windows\system32\wbem\wmiprvsemgr.exe
    c:\windows\system32\algmgr.exe
    c:\windows\system32\userinitmgr.exe
    c:\windows\system32\logonuimgr.exe
    c:\windows\system32\svchostmgr.exe
    c:\windows\system32\servicesmgr.exe
    c:\windows\system32\lsassmgr.exe
    c:\windows\pchealth\HelpCtr\Binaries\HelpSvcmgr.exe
    
    File::
    c:\windows\system32\stobjecth.dll
    
    Folder::
    c:\program files\wusshbuy
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ToUcamVProperty"=-
    
  6. Save the file to your desktop as CFScript.txt
  7. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  8. Drag the CFScript.txt (icon) onto the ComboFix.exe icon as shown in the image below:

    Image

    This will cause ComboFix to run again.
    Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    Do Not touch your computer when ComboFix is running!
  9. When the program has finished ComboFix will produce a log file called log.txt which will automatically open in Notepad.
  10. Please Copy and Paste the entire contents of the log.txt file into your next reply.

** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 4:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. log.txt.
  3. How is the computer running now?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm
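The triage the helper did by hand above, turning the first ComboFix log into the CFScript's Collect:: and File:: lists, written out as a script: every dropped file was exactly 184691 bytes and named <legit process>mgr.exe, and the one DLL carried hidden+system attributes in system32. This is an added example, not the thread's or ComboFix's own code; the MIMICKED name list and the SAMPLE_LOG lines are constructed from the log posted above, and the "Files Created" line layout is assumed to be the one shown there.

```python
"""Flag same-size impostor binaries in a ComboFix 'Files Created' listing.

Three signals, each of which the thread above relied on:
  1. name is '<legitimate process>mgr.exe' (lsassmgr.exe, svchostmgr.exe ...)
  2. identical byte size shared by several files in different directories
  3. a file (not directory) carrying both hidden (h) and system (s) attributes
"""
import re
from collections import defaultdict

# Layout of one ComboFix line: created . modified size attrs path
# (directories show '--------' instead of a size). Assumed from the log above.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>-{8}|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Process names the dropped files imitated in the thread (constructed list).
MIMICKED = {
    "lsass", "svchost", "services", "userinit", "logonui", "logon", "alg",
    "wuauclt", "wmiadap", "wmiprvse", "explorer", "regedit", "verclsid",
    "firefox", "helpsvc", "rundll32", "iexplore",
}

# Constructed sample: a subset of the log lines posted above, plus one
# benign avast driver and one directory entry for contrast.
SAMPLE_LOG = r"""
2011-04-18 21:22 . 2011-04-18 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-17 20:04 . 2011-04-17 20:04 184691 ----a-w- c:\windows\system32\logonmgr.exe
2011-04-17 19:47 . 2011-04-17 19:47 184691 ----a-w- c:\windows\regeditmgr.exe
2011-04-15 22:21 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-15 17:05 . 2011-04-18 20:52 184691 ----a-w- c:\windows\system32\svchostmgr.exe
2011-04-15 17:05 . 2011-04-18 20:52 184691 ----a-w- c:\windows\system32\lsassmgr.exe
2011-04-14 16:23 . 2011-04-14 16:23 200704 --sha-r- c:\windows\system32\stobjecth.dll
"""


def parse_entries(text):
    """Return one dict per file/directory line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["attrs"].startswith("d")
        e["size"] = None if e["size"].startswith("-") else int(e["size"])
        entries.append(e)
    return entries


def impostor_name(path):
    """True for '<legit process>mgr.exe' basenames such as lsassmgr.exe."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith("mgr.exe") and name[: -len("mgr.exe")] in MIMICKED


def find_impostors(entries, min_cluster=3):
    """Map each suspicious file path to the list of reasons it was flagged."""
    by_size = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and e["size"] is not None:
            by_size[e["size"]].append(e)
    flagged = {}
    for size, group in by_size.items():
        dirs = {g["path"].rsplit("\\", 1)[0].lower() for g in group}
        clustered = len(group) >= min_cluster and len(dirs) >= 2
        for g in group:
            reasons = []
            if impostor_name(g["path"]):
                reasons.append("name mimics a legitimate process with 'mgr' suffix")
            if clustered:
                reasons.append(f"same size ({size} bytes) as {len(group) - 1} other files")
            if "s" in g["attrs"] and "h" in g["attrs"]:
                reasons.append("hidden+system attributes on a plain file")
            if reasons:
                flagged[g["path"]] = reasons
    return dict(sorted(flagged.items()))


def cfscript_section(keyword, paths):
    """Render one CFScript section ('Collect::', 'File::'), one path per line."""
    return keyword + "\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = find_impostors(parse_entries(SAMPLE_LOG))
    for path, reasons in hits.items():
        print(path, "->", "; ".join(reasons))
    print(cfscript_section("Collect::", [p for p in hits if p.lower().endswith(".exe")]))
    print(cfscript_section("File::", [p for p in hits if p.lower().endswith(".dll")]))
```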

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby makem2203 » April 21st, 2011, 9:00 pm

Hello and here's your reply!

Did you have any problems carrying out the instructions?
None :mrgreen:

log.txt.
ComboFix 11-04-21.02 - Denise PC 22/04/2011 1:30.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.257 [GMT 1:00]
Running from: c:\documents and settings\Denise PC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Denise PC\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
FILE ::
"c:\windows\system32\stobjecth.dll"
.
file zipped: c:\documents and settings\Denise PC\Start Menu\Programs\Startup\fbkfreep.exe
file zipped: c:\program files\Mozilla Firefox\firefoxmgr.exe
file zipped: c:\windows\Explorermgr.exe
file zipped: c:\windows\pchealth\HelpCtr\Binaries\HelpSvcmgr.exe
file zipped: c:\windows\regeditmgr.exe
file zipped: c:\windows\system32\algmgr.exe
file zipped: c:\windows\system32\logonmgr.exe
file zipped: c:\windows\system32\logonuimgr.exe
file zipped: c:\windows\system32\lsassmgr.exe
file zipped: c:\windows\system32\servicesmgr.exe
file zipped: c:\windows\system32\svchostmgr.exe
file zipped: c:\windows\system32\userinitmgr.exe
file zipped: c:\windows\system32\verclsidmgr.exe
file zipped: c:\windows\system32\wbem\WMIADAPmgr.exe
file zipped: c:\windows\system32\wbem\wmiprvsemgr.exe
file zipped: c:\windows\system32\wuaucltmgr.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Denise PC\Start Menu\Programs\Startup\fbkfreep.exe
c:\program files\Mozilla Firefox\firefoxmgr.exe
c:\program files\wusshbuy
c:\windows\Explorermgr.exe
c:\windows\pchealth\HelpCtr\Binaries\HelpSvcmgr.exe
c:\windows\regeditmgr.exe
c:\windows\system32\algmgr.exe
c:\windows\system32\logonmgr.exe
c:\windows\system32\logonuimgr.exe
c:\windows\system32\lsassmgr.exe
c:\windows\system32\servicesmgr.exe
c:\windows\system32\stobjecth.dll
c:\windows\system32\svchostmgr.exe
c:\windows\system32\userinitmgr.exe
c:\windows\system32\verclsidmgr.exe
c:\windows\system32\wbem\WMIADAPmgr.exe
c:\windows\system32\wbem\wmiprvsemgr.exe
c:\windows\system32\wuaucltmgr.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 00:14 . 2011-04-22 00:14 -------- d-----w- c:\program files\ERUNT
2011-04-18 21:22 . 2011-04-18 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-15 22:21 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-15 22:21 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-15 22:21 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-15 22:21 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-15 22:21 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-15 22:21 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-15 22:21 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-15 22:21 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-15 22:19 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-15 22:19 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-15 21:43 . 2011-04-15 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-15 21:43 . 2011-04-15 21:43 -------- d-----w- c:\program files\AVAST Software
2011-04-15 17:07 . 2011-04-15 17:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-15 17:04 . 2011-04-15 17:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-15 13:06 . 2011-04-15 16:56 -------- d-s---w- c:\documents and settings\Administrator
2011-04-14 20:46 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-04-14 20:46 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-04-14 20:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2011-04-14 16:32 . 2011-04-14 16:32 -------- d-sh--w- c:\documents and settings\Denise PC\IECompatCache
2011-04-14 16:28 . 2011-04-14 16:28 -------- d-sh--w- c:\documents and settings\Denise PC\PrivacIE
2011-04-14 16:10 . 2011-04-14 16:10 -------- d-----w- c:\documents and settings\Denise PC\Application Data\Skype
2011-04-14 15:58 . 2011-04-14 15:58 -------- d-----w- c:\program files\Common Files\eSellerate
2011-04-14 15:57 . 2011-04-14 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-14 15:56 . 2011-04-14 16:25 -------- d-----w- c:\documents and settings\Denise PC\Application Data\AmiPic ShareMaster
2011-04-14 15:52 . 2011-04-14 15:52 -------- d-sh--w- c:\documents and settings\Denise PC\IETldCache
2011-04-14 15:50 . 2011-04-16 21:47 -------- d-----w- c:\windows\ie8updates
2011-04-14 15:49 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-14 15:49 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-14 15:49 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-14 15:49 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-14 15:49 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-14 15:49 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 15:49 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-14 15:48 . 2009-09-25 05:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-04-14 15:48 . 2009-09-25 05:56 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2011-04-14 15:48 . 2004-08-04 07:56 848384 ----a-w- c:\windows\system32\dllcache\vgx.dll
2011-04-14 15:48 . 2004-08-04 07:56 848384 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\vgx.dll
2011-04-14 15:48 . 2004-08-04 07:56 38912 ----a-w- c:\windows\system32\dllcache\hmmapi.dll
2011-04-14 15:48 . 2004-08-04 07:56 38912 ----a-w- c:\program files\Internet Explorer\hmmapi.dll
2011-04-14 15:47 . 2011-04-22 00:40 -------- d-----w- c:\documents and settings\Denise PC\Tracing
2011-04-14 15:44 . 2011-04-14 15:44 -------- d-----w- c:\program files\Microsoft
2011-04-14 15:44 . 2011-04-14 15:44 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-04-14 15:41 . 2011-04-14 15:41 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc4E.tmp
2011-04-14 12:13 . 2011-04-14 12:13 -------- d-----w- c:\documents and settings\Denise PC\Application Data\Malwarebytes
2011-04-14 12:13 . 2011-04-14 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-14 12:13 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 12:13 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 12:07 . 2011-04-14 12:07 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-14 12:07 . 2011-04-14 12:07 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-14 12:07 . 2011-04-14 12:07 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-14 12:07 . 2011-04-14 12:07 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-14 12:07 . 2011-04-14 12:07 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-14 12:07 . 2011-04-14 12:07 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-14 11:59 . 2011-04-14 12:07 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-14 11:59 . 2011-04-14 12:07 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-14 11:51 . 2011-02-02 20:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-14 11:51 . 2011-02-02 20:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 11:41 . 2011-04-14 11:41 -------- d-----w- c:\program files\TeamViewer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 18:19 . 2008-07-12 17:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" [2004-08-12 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-12 2551808]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
fbkfreep.exe [2011-4-18 184691]
.
c:\documents and settings\Administrator.DENISE\Start Menu\Programs\Startup\
fbkfreep.exe [2011-4-18 184691]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/04/2011 23:21 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15/04/2011 23:21 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/04/2011 23:21 19544]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [15/04/2011 10:43 2280312]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [23/09/2008 15:22 223232]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Denise PC\Application Data\Mozilla\Firefox\Profiles\iwoxmz17.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 01:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2232)
c:\windows\System32\MSCTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-22 01:46:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-22 00:46
ComboFix2.txt 2011-04-20 21:28
.
Pre-Run: 135,067,889,664 bytes free
Post-Run: 135,052,206,080 bytes free
.
- - End Of File - - A4F240DBDD6BA1971087E920FD168CA5
Upload was successful


How is the computer running now?
My computer is BACK!! Well.... almost :o I can now log into MSN; however, I cannot use Firefox to browse the web. It still comes up as a blank white page, despite now being able to browse the internet fine with the new "Internet Explorer" shortcut on my desktop. Is it possible to get Firefox working? Thank you ever so much for your help... you have no idea how thankful I am for all of your help! :cheers:
makem2203
Regular Member
 
Posts: 85
Joined: June 7th, 2008, 1:44 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby Scolabar » April 22nd, 2011, 8:21 pm

Hi makem2203,

makem2203 wrote:My computer is BACK!! Well.... almost :o I can now log into MSN; however, I cannot use Firefox to browse the web. It still comes up as a blank white page, despite now being able to browse the internet fine with the new "Internet Explorer" shortcut on my desktop. Is it possible to get Firefox working?

That's good news! :thumbright: We will deal with the Firefox issue at the same time as Java Runtime Environment once we have cleared all signs of malware from your system.

makem2203 wrote:Thank you ever so much for your help... you have no idea how thankful I am for all of your help! :cheers:

You are very welcome. :)

Please follow the instructions below:

Step 1:
Re-Run TFC

Print these instructions. Save any unsaved work. TFC will close ALL open programs including your browser!

  1. Double-click on TFC.exe to run it.
  2. TFC will now begin cleaning up the "temp" files.
    Note: This process may take only a few seconds or it could take several minutes, depending on the amount of temp files found.
  3. If prompted to reboot, click on the Yes button to confirm.

! IMPORTANT ! If TFC prompts you to reboot, please do so immediately, before proceeding with any other steps or other use of your computer.

Step 2:
Re-Run ComboFix - CFScript

WARNING!
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System, thereby preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Click on Start > Run.
  2. In the text entry box type:
      Notepad
  3. Then click on the OK button.
  4. This will open an empty Notepad file.
  5. Copy and Paste the contents of the box below into the Notepad window:
    http://malwareremoval.com/forum/viewtopic.php?f=11&t=56497&p=576274#p576274
    
    KillAll::
    
    Collect::
    c:\documents and settings\Default User\Start Menu\Programs\Startup\fbkfreep.exe
    c:\documents and settings\Administrator.DENISE\Start Menu\Programs\Startup\fbkfreep.exe
    
  6. Save the file to your desktop as CFScript.txt
  7. Please disable any Anti-Virus or Firewall you have active, as shown in this topic. Please close all open application windows.
  8. Drag the CFScript.txt (icon) onto the ComboFix.exe icon as shown in the image below:

    Image

    This will cause ComboFix to run again.
    Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    Do Not touch your computer when ComboFix is running!
  9. When the program has finished ComboFix will produce a log file called log.txt which will automatically open in Notepad.
  10. Please Copy and Paste the entire contents of the log.txt file into your next reply.

** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 3:
Malwarebytes' Anti-Malware

Please save any items you have been working on and close any open programs. You may be asked to reboot your machine.

  1. Launch Malwarebytes' Anti-Malware
  2. You will be asked to update the program before performing a scan. Please do so.
    • If an update is found, the program will automatically download and install the update.
    • Click on the OK button to close that box and continue.
    • If you have any problems downloading updates download them manually from here and double-click on mbam-rules.exe to complete the installation.

On the Scanner tab:
  1. Make sure the Perform quick scan option is selected.
  2. Then click on the Scan button.
  3. If asked to select the drives to scan, leave all the drives selected and then click on the Start Scan button.
  4. The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  5. When the scan is finished, a message box will be displayed saying The scan completed successfully. Click 'Show Results' to display all objects found.
  6. Click on the OK button to close the message box and continue with the removal process.

Back at the main Scanner screen:
  1. Click on the Show Results button to see a list of any malware that was found.
  2. Check all items except items in the C:\System Volume Information folder and then click on the Remove Selected button.
    The System Volume Information items will be taken care of later.
  3. When the removal has been completed, a log report will open in Notepad and you may be prompted to restart your computer. (See Note below).
  4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Account Name\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  5. Please Copy and Paste the entire contents of mbam-log-date (time).txt into your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either prompt and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 4:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. log.txt.
  3. mbam-log-date (time).txt.

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby makem2203 » April 23rd, 2011, 10:02 am

Did you have any problems carrying out the instructions?
I have had no problems following your instructions; however, I would like to make sure you understand how I am carrying out your instructions, as I cannot access nor download files directly onto the infected machine. As a result of this, I am having to download all the needed software you state onto my other main computer, then transfer the software onto the infected computer via USB. I hope this doesn't mess up the removal process, as I don't know how else we can do this... thanks again.

log.txt.
ComboFix 11-04-22.03 - Denise PC 23/04/2011 14:17:32.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.234 [GMT 1:00]
Running from: c:\documents and settings\Denise PC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Denise PC\Desktop\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
file zipped: c:\documents and settings\Administrator.DENISE\Start Menu\Programs\Startup\fbkfreep.exe
file zipped: c:\documents and settings\Default User\Start Menu\Programs\Startup\fbkfreep.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.DENISE\Start Menu\Programs\Startup\fbkfreep.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\fbkfreep.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-23 13:07 . 2011-04-23 13:25 -------- d-----w- c:\program files\wusshbuy
2011-04-22 00:14 . 2011-04-22 00:14 -------- d-----w- c:\program files\ERUNT
2011-04-18 21:22 . 2011-04-18 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-15 22:21 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-15 22:21 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-15 22:21 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-15 22:21 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-15 22:21 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-15 22:21 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-15 22:21 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-15 22:21 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-15 22:19 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-15 22:19 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-15 21:43 . 2011-04-15 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-15 21:43 . 2011-04-15 21:43 -------- d-----w- c:\program files\AVAST Software
2011-04-15 17:07 . 2011-04-15 17:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-15 17:04 . 2011-04-15 17:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-15 13:06 . 2011-04-15 16:56 -------- d-s---w- c:\documents and settings\Administrator
2011-04-14 20:46 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-04-14 20:46 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-04-14 20:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2011-04-14 16:32 . 2011-04-14 16:32 -------- d-sh--w- c:\documents and settings\Denise PC\IECompatCache
2011-04-14 16:28 . 2011-04-14 16:28 -------- d-sh--w- c:\documents and settings\Denise PC\PrivacIE
2011-04-14 16:10 . 2011-04-14 16:10 -------- d-----w- c:\documents and settings\Denise PC\Application Data\Skype
2011-04-14 15:58 . 2011-04-14 15:58 -------- d-----w- c:\program files\Common Files\eSellerate
2011-04-14 15:57 . 2011-04-14 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-14 15:56 . 2011-04-14 16:25 -------- d-----w- c:\documents and settings\Denise PC\Application Data\AmiPic ShareMaster
2011-04-14 15:52 . 2011-04-14 15:52 -------- d-sh--w- c:\documents and settings\Denise PC\IETldCache
2011-04-14 15:50 . 2011-04-16 21:47 -------- d-----w- c:\windows\ie8updates
2011-04-14 15:49 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-14 15:49 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-14 15:49 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-14 15:49 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-14 15:49 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-14 15:49 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 15:49 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-14 15:48 . 2009-09-25 05:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-04-14 15:48 . 2009-09-25 05:56 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2011-04-14 15:48 . 2004-08-04 07:56 848384 ----a-w- c:\windows\system32\dllcache\vgx.dll
2011-04-14 15:48 . 2004-08-04 07:56 848384 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\vgx.dll
2011-04-14 15:48 . 2004-08-04 07:56 38912 ----a-w- c:\windows\system32\dllcache\hmmapi.dll
2011-04-14 15:48 . 2004-08-04 07:56 38912 ----a-w- c:\program files\Internet Explorer\hmmapi.dll
2011-04-14 15:47 . 2011-04-23 13:26 -------- d-----w- c:\documents and settings\Denise PC\Tracing
2011-04-14 15:44 . 2011-04-14 15:44 -------- d-----w- c:\program files\Microsoft
2011-04-14 15:44 . 2011-04-14 15:44 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-04-14 15:41 . 2011-04-14 15:41 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc4E.tmp
2011-04-14 12:13 . 2011-04-14 12:13 -------- d-----w- c:\documents and settings\Denise PC\Application Data\Malwarebytes
2011-04-14 12:13 . 2011-04-14 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-14 12:13 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 12:13 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 12:07 . 2011-04-14 12:07 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-14 12:07 . 2011-04-14 12:07 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-14 12:07 . 2011-04-14 12:07 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-14 12:07 . 2011-04-14 12:07 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-14 12:07 . 2011-04-14 12:07 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-14 12:07 . 2011-04-14 12:07 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-14 11:59 . 2011-04-14 12:07 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-14 11:59 . 2011-04-14 12:07 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-14 11:51 . 2011-02-02 20:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-14 11:51 . 2011-02-02 20:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 11:41 . 2011-04-14 11:41 -------- d-----w- c:\program files\TeamViewer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 18:19 . 2008-07-12 17:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-14 12:07 . 2011-04-14 12:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" [2004-08-12 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-12 2551808]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\wusshbuy\fbkfreep.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/04/2011 23:21 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15/04/2011 23:21 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/04/2011 23:21 19544]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [15/04/2011 10:43 2280312]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [23/09/2008 15:22 223232]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Denise PC\Application Data\Mozilla\Firefox\Profiles\iwoxmz17.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 14:26
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Denise PC\Start Menu\Programs\Startup\fbkfreep.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2600)
c:\windows\System32\MSCTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-23 14:33:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-23 13:33
ComboFix2.txt 2011-04-22 00:48
ComboFix3.txt 2011-04-20 21:28
.
Pre-Run: 134,908,825,600 bytes free
Post-Run: 134,836,342,784 bytes free
.
- - End Of File - - 45B2384C0814937280324A25F2F8C92F
Upload was successful


mbam-log-date (time).txt.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6424

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

23/04/2011 14:53:55
mbam-log-2011-04-23 (14-53-55).txt

Scan type: Quick scan
Objects scanned: 163226
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\0ESKOMO9JO (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TBXQRHV4KR (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\denise pc\desktop\tfcmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\denise pc\start menu\Programs\Startup\fbkfreep.exe (Trojan.Agent) -> Delete on reboot.
makem2203
Regular Member
 
Posts: 85
Joined: June 7th, 2008, 1:44 pm
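
The ComboFix and catchme output in the log above shows three things a defender reading such logs would want flagged automatically: a Winlogon Userinit value that launches a second executable (fbkfreep.exe) at every logon, companion copies named after core system binaries (Explorermgr.exe, lsassmgr.exe, svchostmgr.exe and the rest of the "Other Deletions" list), and a user-mode hook on ZwQueryDirectoryFile that hid the Startup-folder copy from a normal directory listing. The Python script below is an added example for this thread, not part of the forum post and not ComboFix's or catchme's own code; it runs those three checks over a constructed sample written in the same line format as the log. The SYSTEM_STEMS set, the regular expressions and the Finding class are my own assumptions, not anything ComboFix defines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the ComboFix / catchme line format used in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Explorermgr.exe
c:\windows\system32\lsassmgr.exe
c:\windows\system32\svchostmgr.exe
c:\windows\system32\stobjecth.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\wusshbuy\fbkfreep.exe"
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
c:\documents and settings\Denise PC\Start Menu\Programs\Startup\fbkfreep.exe 184691 bytes executable
.
hidden files: 1
"""

# Stems of core Windows binaries that the companion copies in this thread were
# named after (lsass.exe -> lsassmgr.exe). Constructed list; extend as needed.
# Keeping it explicit avoids flagging legitimate names such as taskmgr.exe.
SYSTEM_STEMS = {
    "explorer", "lsass", "svchost", "services", "winlogon", "userinit",
    "logonui", "regedit", "alg", "wuauclt", "verclsid", "helpsvc",
}

USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"', re.I)
PATH_RE = re.compile(r"^[a-z]:\\", re.I)
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes (?P<kind>\w+)$", re.I)
HIDDEN_COUNT_RE = re.compile(r"^hidden files: (\d+)$", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_userinit(value: str) -> List[str]:
    """Return every program in a Winlogon Userinit value other than userinit.exe.

    The value is a comma-separated list. A clean system carries only
    'c:\\windows\\system32\\userinit.exe,' so any extra entry is a program that
    runs at every interactive logon, the persistence the log above shows.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _basename(e).lower() != "userinit.exe"]


def is_companion_binary(path: str) -> bool:
    """True for <system binary>mgr.exe, the companion-copy naming in this thread."""
    m = re.fullmatch(r"(?P<stem>.+)mgr\.exe", _basename(path), re.I)
    return bool(m) and m.group("stem").lower() in SYSTEM_STEMS


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect the indicators described above."""
    findings: List[Finding] = []
    expect_hook_name = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if expect_hook_name:  # the line after "detected NTDLL code modification:"
            findings.append(Finding("ntdll_hook", line))
            expect_hook_name = False
            continue
        if line.lower().startswith("detected ntdll code modification"):
            expect_hook_name = True
            continue
        m = USERINIT_RE.match(line)
        if m:
            for extra in parse_userinit(m.group("value")):
                findings.append(Finding("userinit_hijack", extra))
            continue
        m = HIDDEN_RE.match(line)
        if m:  # catchme lists files the hooked API hid from directory listings
            findings.append(Finding("hidden_executable", m.group("path")))
            continue
        m = HIDDEN_COUNT_RE.match(line)
        if m and int(m.group(1)) > 0:
            findings.append(Finding("hidden_files", m.group(1)))
            continue
        if PATH_RE.match(line) and is_companion_binary(line):
            findings.append(Finding("companion_binary", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running the two real logs in this thread through the same checks makes the change between runs obvious: the 22 April log reports hidden files: 0 and no Userinit entry, while the 23 April log reports the ZwQueryDirectoryFile modification, one hidden executable and the Userinit hijack, which is the reactivation that led to the file-infector diagnosis in the reply below.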

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby Scolabar » April 23rd, 2011, 3:20 pm

Hi makem2203,

I am afraid I have bad news for you. :(

Your computer is infected with: W32/Ramnit.R.
This is a file infector virus which, given time, will infect every html and exe file on your computer, including system files. File infectors are notoriously difficult to remove; they are polymorphic and polyencrypted, and it is practically impossible to remove them from your computer without causing more problems than we resolve.

The only realistic course of action that is open to you is to back up your non-executable personal files and folders (using a DVD-R or CD-R) then re-format your hard drive and re-install Windows. If you have connected any external drives to your computer (USB or flash drives) then they should also be re-formatted.

Because Ramnit is also a Trojan Backdoor, you are strongly advised to do the following:
  1. Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  2. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. It will be a hassle but you should probably change all your account numbers.
  3. From a clean computer, change all your passwords: (Internet login, your email address(es), financial accounts, PayPal, eBay, Amazon... any online activities you carry out which require a username and password).
    Do NOT change your passwords from this computer; an attacker can still get all the new passwords and transaction records.
  4. Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Due to its Backdoor - rootkit - file infector functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of malware, the best course of action would be to reformat and re-install the operating system (OS). This decision will have to be made by you...

To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
How and Where to backup your files
Restoring your backups

If you are not confident of re-formatting your computer on your own, then most repair shops will do it for a reasonable fee; alternatively, one of the "general purpose" help forums will talk you through the process. We are a Malware removal forum and our expertise is solely restricted to removing Malware.

Below are links to a number of forums that can help you with a re-format; the quality of help at them is generally of a high standard ....

http://forums.whatthetech.com/index.php?showtopic=91962
http://forums.whatthetech.com/index.php ... wforum=119

http://www.geekstogo.com/forum/forum/5- ... 0-2003-nt/

http://www.bleepingcomputer.com/forums/forum56.html

http://www.techsupportforum.com/forums/f10/

makem2203 wrote: Did you have any problems carrying out the instructions?
I have had no problems following your instructions... however, I would like to make sure you understand how I am carrying out your instructions, as I cannot access nor download files directly onto the infected machine. As a result of this, I am having to download all the needed software you state onto my other main computer, then transfer the software onto the infected computer via USB. I hope this doesn't mess up the removal process as I don't know how else we can do this... thanks again.
Given the information you have provided above it is very likely that your other main PC has also been similarly infected and will need to be dealt with in the same manner as described above.

It is not my purpose to abandon you, however it would not be right for me to give you some false hope that this infection can be successfully cleaned from your machine. I have seen lots of proposed cleanups for file infector infections and have yet to see one that was truly effective or didn't leave the computer user with a number of problems afterwards. They were also all much more time consuming than a re-format and re-install, which will leave you with a computer totally clean and free of infection.

I am very sorry I couldn't be the bearer of better news.

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby makem2203 » April 23rd, 2011, 4:13 pm

Well, thank you ever so much for spending your free time in attempting to help my situation. I have decided I will go ahead and reformat the drive. However... in order to do this, do I not need the original Windows disk?

In a previous post I did say I don't have any of the documentation for this specific computer nor any of the Windows disks (I do have the product key on the side of the case). So will this still be possible for me to reformat the drive?

Thank you again... all your help is so very much appreciated!

Regards,

Makem.
makem2203
Regular Member
Posts: 85
Joined: June 7th, 2008, 1:44 pm

Re: Computer Malware problem... lsass.exe taking 50-60CPU

Unread postby Scolabar » April 24th, 2011, 3:50 pm

Hi makem2203,

I'm afraid without the original recovery/installation media the CD-Key won't help. :(

As it is highly unlikely you will be able to obtain installation media from either Microsoft or Packard Bell, you are left with the following options:
  1. See if you can borrow a "generic" OEM installation disk that matches the PC's product key version (Windows XP Home).
    This must be a plain vanilla OEM disk - not associated with any brand name like Compaq, Dell, HP, Gateway, etc.
  2. Contact the original system builder (the company/person you bought the computer from) and ask them if they can provide you with a replacement installation disk for your system.

Please Note: You will also need an equivalent set of recovery/installation disks for your other PC, unless it is exactly the same make and model of PC. If that PC is also running Windows XP and you do not have the installation media either, you will need to follow the same procedure to obtain a "generic" OEM installation disk that matches that PC's product key version.

In addition, you will also need to consider upgrading the RAM in the PC we have been working on. 500Mb of RAM is the minimum recommended amount to run the system, and you will struggle running that computer with Windows XP Home Service Pack 3, which you will need to apply in order to ensure the system has all the latest critical security updates and fixes.
Note: Microsoft ceased to support Windows XP SP2 on 13 July 2010.

Further Guidelines

Please follow these simple guidelines in order to help keep your computer systems more secure:

Update your Antivirus programs and other programs regularly.
Online Secunia Software Inspector - Copyright © Secunia.
Refer to F-secure Health Check - Copyright © F-Secure Corporation.

Visit Microsoft often
Keep on top of critical updates, as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home

Install additional (free) programs, that can help improve security.
Many feel that having a "layered" protection scheme is beneficial; you'll have to decide what works best for your situation.
Here are a few you may like to look into, if you wish. :)

SpywareBlaster
Download it from © Javacool Software LLC.
A SpywareBlaster knowledgebase can be found Here.

WinPatrol
Download it from Copyright © BillP Studios.
Information about how WinPatrol works, is available Here.
(The free version of WinPatrol provides limited real-time protection.)

Hosts File
For added protection you may also like to add a hosts file. A simple explanation of what a Hosts file does is provided here and for more information regarding hosts files read here.

Third Party Firewall
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world.
Firewalls protect against hackers and malicious intruders.
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions from one of these excellent vendors:

  1. Online Armor Free (A free version is available at the bottom of the page (XP/Vista/W7, 32-bit); a 64-bit version is not yet available. Some reported conflicts with Avira AntiVir.)
  2. ZoneAlarm (Uncheck the ZoneAlarm Spy Blocker option during installation if you choose this one.)
  3. Ashampoo

Using the built-in Windows XP firewall is not recommended, as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This firewall is NO replacement for a dedicated software solution.
Remember to install, and have active, only one firewall at a time.


To learn more about firewalls a tutorial can be found here.

Read, stay informed.
To help minimize the chances of becoming re-infected, please read:
Computer Security - a short guide to staying safer online


Unless there are other malware questions or concerns, this topic will be closed as resolved.


Good Luck! :)
Scolabar
Scolabar
MRU Honors Grad Emeritus
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm