My secondary computer seems to have some sort of virus...
After turning the computer on.. I realised a sudden change of speed on the computer. I Alt+Ctrl+Del'd into Task Manager and saw that a process called "lsass.exe" was constantly in the range of 50-60 CPU. This was very abnormal as it is just the Local Security Authentication Server, which with some research.. I later discovered that there is also a virus about that 'copies' this and uses this process to run undetected.. http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
After discovering this.. I rebooted into Safe Mode and ran a 'MalwareBytes' scan. It found 3 trojan downloaders. I then removed these and rebooted.
After which, nothing had changed... So I booted back into Safe Mode and ran again.. the three trojans have reappeared!
So, I then thought of going to the source of the problem.. so I searched on the computer (including hidden files and folders) for "lsass.exe". It returned three results.
One was situated in the original "windows/system32" folder.
Another, "windows/servicepack/xxxnumbers"
and another at a similar directory.
I removed the last two as the first one was in the original Windows file location. Rebooted (not in Safe Mode) and it appeared to be running more quickly. However, after I Alt+Ctrl+Del'd back into Task Manager the "lsass.exe" was back up and running at 50-60 CPU, which was of course now maxing the CPU on the computer....
So yeah... after this I ran another Malwarebytes virus scan and it came back clean this time...
So this is where I am now... not sure what is causing this instability...
I have also noticed.. a lot of "IEXPLORE.exe's" running at once.. not sure what this is related to.. but worth a check?
------------------------------
Update- I researched a bit.. and found that the 'Sasser worm' is related to the process "lsass.exe" and downloaded this removal tool developed by Symantec. http://www.symantec.com/security_response/writeup.jsp?docid=2004-050114-1706-99
Ran this, and it came back that I didn't have the worm.. so who knows what is causing this.. :S
------------------------------
Below are the logs that have been requested, in the following order: DDS>Attach
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Administrator at 21:31:16.70 on 15/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.270 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\WINDOWS\Explorer.EXE
c:\program files\teamviewer\version6\TeamViewer.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\Documents and Settings\Denise PC\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\wusshbuy\fbkfreep.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [ToUcamVProperty] c:\program files\philips toucam camera\VProperty.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 5882233843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R? camvid20;Philips ToUcam Camera; Video
R? PhTVTune;ASUS WDM TV Tuner
S? TeamViewer6;TeamViewer 6
.
=============== Created Last 30 ================
.
2011-04-15 19:26:41 -------- d-----w- c:\docume~1\admini~1.den\applic~1\Malwarebytes
2011-04-15 19:14:41 184691 ----a-w- c:\program files\mozilla firefox\firefoxmgr.exe
2011-04-15 19:14:40 184691 ----a-w- c:\windows\system32\wuaucltmgr.exe
2011-04-15 19:04:34 -------- d-sh--w- c:\documents and settings\administrator.denise\IETldCache
2011-04-15 18:56:49 2396 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-15 18:55:54 184691 ----a-w- c:\windows\system32\wbem\WMIADAPmgr.exe
2011-04-15 17:07:13 184691 ----a-w- c:\windows\system32\wbem\wmiprvsemgr.exe
2011-04-15 17:06:20 184691 ----a-w- c:\windows\system32\algmgr.exe
2011-04-15 17:05:58 184691 ----a-w- c:\windows\system32\userinitmgr.exe
2011-04-15 17:05:54 184691 ----a-w- c:\program files\internet explorer\IEXPLOREmgr.exe
2011-04-15 17:05:53 184691 ----a-w- c:\windows\system32\logonuimgr.exe
2011-04-15 17:05:52 184691 ----a-w- c:\windows\system32\svchostmgr.exe
2011-04-15 17:05:51 184691 ----a-w- c:\windows\system32\servicesmgr.exe
2011-04-15 17:05:51 184691 ----a-w- c:\windows\system32\lsassmgr.exe
2011-04-15 17:04:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-15 17:04:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-14 17:52:25 -------- d-----w- c:\program files\wusshbuy
2011-04-14 16:23:53 200704 --sha-r- c:\windows\system32\stobjecth.dll
2011-04-14 15:58:30 -------- d-----w- c:\program files\common files\eSellerate
2011-04-14 15:50:21 -------- d-----w- c:\windows\ie8updates
2011-04-14 15:49:59 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-14 15:49:57 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-14 15:49:57 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-14 15:49:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-14 15:49:56 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-14 15:49:56 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-14 15:49:56 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-14 15:48:31 -------- dc-h--w- c:\windows\ie8
2011-04-14 15:44:28 -------- d-----w- c:\program files\Microsoft
2011-04-14 15:44:05 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-04-14 15:41:09 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc4E.tmp
2011-04-14 12:13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 12:13:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-14 12:13:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 12:07:35 781272 ------w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-14 12:07:35 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-14 12:07:35 1874904 ------w- c:\program files\mozilla firefox\mozjs.dll
2011-04-14 12:07:35 15832 ------w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-14 12:07:35 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-14 12:07:34 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-14 12:07:34 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-14 12:07:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 11:59:33 719832 ------w- c:\program files\mozilla firefox\mozcpp19.dll
2011-04-14 11:59:33 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-04-14 11:51:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 11:51:36 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-14 11:41:31 -------- d-----w- c:\program files\TeamViewer
.
==================== Find3M ====================
.
2011-02-02 18:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 21:36:41.51 ===============
/
/
/ Page Breaker: Attach
/
/
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/07/2008 17:34:41
System Uptime: 15/04/2011 21:05:44 (0 hours ago)
.
Motherboard: NEC COMPUTERS INTERNATIONAL | | GA-8I915PM
Processor: Intel(R) Pentium(R) 4 CPU 2.93GHz | Socket 775 | 2926/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 128.561 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Reader 6.0
ATI Display Driver
High Definition Audio Driver Package - KB835221
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Java 2 Runtime Environment, SE v1.4.2_04
Java Auto Updater
Java(TM) 6 Update 24
Java(TM) 6 Update 7
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox 4.0 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Philips ToUcam Pro Camera
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Segoe UI
Sonic MyDVD
Sonic RecordNow!
TeamViewer 6
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
.
==== End Of File ===========================
Well.. that's all I have to share at this moment.. I won't do anything more on the computer until instructed to do so by a helper on these forums.
Thanks for reading my topic, it is much appreciated!!
Best regards,
Makem.
P.S. Going to download Avaster free anti-virus and run a scan... was suggested to use this free software by a good friend... hopefully I can save you guys some time!
--
Update- 02:44 am 16/04/2011
Avaster apparently found over 2000 infected files, my friend called... I told him this and he said I should pull the ethernet cable asap.. as he thinks the virus is constantly downloading more viruses... So I did this... shortly after "Avaster!" crashed.. and gave me the option to only close the program. I have turned it off... getting a headache from this bliddy machine!!
Hope this helps? (Not sure how though... lol. Also... I'd like to know, if I am to run new software on the machine, how will I get it on it? As it's no longer in my network, I can't transfer files from my main to it.. nor can I use USB as I'm sure that will get infected too...)
Thanks again for any help!!