Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help from lsass replicating processes virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help from lsass replicating processes virus

Unread postby bldzam » March 12th, 2010, 1:49 am

Hi, more power to malware...would like to ask assistance in cleaning up the worm virus that infected my laptop a week ago. Some pretty lad of mine has transferred a file process on this laptop without knowing it is a sort of a virus. The file says it's an images but when you click it, it opens another hidden process that can only be viewed when on opening the task manager..been trying to delete the file but it keeps on replicating whenever i open the laptop. Please help me. Thanks...
The needed files are posted below. Thanks.

HJTLog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:01 PM, on 3/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

--
End of file - 964 bytes

Uninstall_List

ESET Online Scanner v3
ESET Smart Security
HijackThis 2.0.2
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.5.8)
USB Disk Security 5.1.0.15
bldzam
Active Member
 
Posts: 3
Joined: March 11th, 2010, 11:34 pm
Advertisement
Register to Remove

Re: Help from lsass replicating processes virus

Unread postby Katana » March 14th, 2010, 9:26 am

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly Image

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------



Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )


GMER Rootkit Detector

Please download GMER Rootkit Scanner from Here or Here

***Please close any open programs ***
  • Extract the contents of the zip file to your desktop.
  • Disable your onboard Anti Virus and any other Active protection programs you have installed.
  • Double-click gmer.exe. The program will begin to run.

    Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst


  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO,
  • Now use the following settings for a more complete scan..

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once the scan is complete, you may receive another notice about rootkit activity. If you recive it, click OK.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • RSIT Logs
  • GMER Log
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Help from lsass replicating processes virus

Unread postby bldzam » March 15th, 2010, 3:45 am

Hi Katana..thanks for the help. Here are the needed files.

RSIT Logfile

Logfile of random's system information tool 1.06 (written by random/random)
Run by User_XP at 2010-03-15 13:48:54
Microsoft Windows XP Professional Service Pack 2
System drive C: has 7 GB (72%) free of 10 GB
Total RAM: 111 MB (11% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:00 PM, on 3/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User_XP\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User_XP.exe

O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [(Default)] C:\WINDOWS\System32\drivers\16771\csrss.exe
O4 - HKLM\..\Run: [WindowsLogon] C:\WINDOWS\winlogon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

--
End of file - 1940 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"=C:\Program Files\USB Disk Security\USBGuard.exe [2008-09-23 798720]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-07-01 1447168]
"(Default)"=C:\WINDOWS\System32\drivers\16771\csrss.exe [2007-02-12 32768]
"WindowsLogon"=C:\WINDOWS\winlogon.exe [2007-02-12 32768]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cba7be0-e57e-11de-a6b3-000ae6bb3bb4}]
shell\AutoRun\command - F:\l61yyp.exe
shell\open\command - F:\l61yyp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35be9b60-da7a-11de-a6b1-000ae6bb3bb4}]
shell\AutoRun\command - F:\l61yyp.exe
shell\open\command - F:\l61yyp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74a69ef3-b5b0-11de-8381-806d6172696f}]
shell\AutoRun\command - C:\winlogon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74a69ef4-b5b0-11de-8381-806d6172696f}]
shell\AutoRun\command - D:\csrss.exe


======List of files/folders created in the last 1 months======

2010-03-15 13:48:53 ----D---- C:\rsit
2010-03-12 13:36:32 ----D---- C:\Program Files\Trend Micro
2010-02-27 18:16:28 ----A---- C:\WINDOWS\PCTeamRulez.bat
2010-02-27 08:59:59 ----SH---- C:\winlogon.exe
2010-02-27 08:59:59 ----SH---- C:\WINDOWS\winlogon.exe
2010-02-27 08:59:59 ----SH---- C:\svchost.exe
2010-02-27 08:59:59 ----SH---- C:\services.exe
2010-02-27 08:59:59 ----SH---- C:\PCTeam Rulez.exe
2010-02-27 08:59:59 ----SH---- C:\lsass.exe
2010-02-27 08:59:59 ----SH---- C:\explorer.exe
2010-02-27 08:59:59 ----SH---- C:\csrss.exe

======List of files/folders modified in the last 1 months======

2010-03-12 14:01:24 ----A---- C:\WINDOWS\SchedLgU.Txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Crusoe;Transmeta Crusoe Processor Driver; C:\WINDOWS\system32\DRIVERS\crusoe.sys [2004-08-04 36480]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-07-01 53256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-07-01 54280]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-07-01 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-07-01 71688]
R3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-03 231552]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-07-01 30728]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2001-08-17 104064]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-07-01 19200]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

RSIT Infotxt

info.txt logfile of random's system information tool 1.06 2010-03-15 13:52:38

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
ESET Smart Security-->MsiExec.exe /I{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.5.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
USB Disk Security 5.1.0.15-->"C:\Program Files\USB Disk Security\unins000.exe"

======Security center information======

AV: ESET Smart Security 3.0
FW: ESET Personal firewall

======System event log======

Computer Name: BLD_ZAMBOANGA
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.


Record Number: 147
Source Name: Service Control Manager
Time Written: 20091022164632.000000+480
Event Type: error
User:

Computer Name: BLD_ZAMBOANGA
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.


Record Number: 130
Source Name: Service Control Manager
Time Written: 20091020090748.000000+480
Event Type: error
User:

Computer Name: BLD_ZAMBOANGA
Event Code: 10010
Message: The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Record Number: 128
Source Name: DCOM
Time Written: 20091020090502.000000+480
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: BLD_ZAMBOANGA
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.


Record Number: 97
Source Name: Service Control Manager
Time Written: 20091018094050.000000+480
Event Type: error
User:

Computer Name: MYN1029-CAE0EF7
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.


Record Number: 71
Source Name: Service Control Manager
Time Written: 20091017083832.000000+480
Event Type: error
User:

=====Application event log=====

Computer Name: MYN1029-CAE0EF7
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 18
Source Name: WinMgmt
Time Written: 20091010160451.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MYN1029-CAE0EF7
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 17
Source Name: WinMgmt
Time Written: 20091010160451.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MYN1029-CAE0EF7
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13
Source Name: WinMgmt
Time Written: 20091010155627.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MYN1029-CAE0EF7
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12
Source Name: WinMgmt
Time Written: 20091010155627.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MYN1029-CAE0EF7
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20091010155613.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=5
"PROCESSOR_IDENTIFIER"=x86 Family 5 Model 4 Stepping 3, GenuineTMx86
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

GmerLogfile

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 15:34:36
Windows 5.1.2600 Service Pack 2
Running: look.exe; Driver: C:\DOCUME~1\User_XP\LOCALS~1\Temp\awdiikod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\cmd.exe (*** hidden *** ) 1260

---- EOF - GMER 1.0.15 ----
bldzam
Active Member
 
Posts: 3
Joined: March 11th, 2010, 11:34 pm

Re: Help from lsass replicating processes virus

Unread postby Katana » March 16th, 2010, 4:09 am

==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================


----------------------------------------------------------------------------------------

Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

----------------------------------------------------------------------------------------
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Help from lsass replicating processes virus

Unread postby bldzam » March 17th, 2010, 9:03 pm

Hi Katana....It is with most regret that I have to discontinue the process of fixing my laptop or rather the office laptop. My Admin Head had brought the laptop last night to a Comp doctor without telling me and have undergone a re-format. I am sorry for this. But let me thank you for giving me your time and assistance in analyzing and fixing the laptop, I always do trust your site and the admins who work here....

Once again, thank you and more power to malware removal university.

With regrets, You can now close this topic...
bldzam
Active Member
 
Posts: 3
Joined: March 11th, 2010, 11:34 pm

Re: Help from lsass replicating processes virus

Unread postby Katana » March 18th, 2010, 6:20 pm

May I draw your attention to THIS topic, which you should have read before posting for help.

The section Posting for help for business machines explains why we do not offer help for such computers.

This topic is now closed
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 148 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware