My HJT file + questions....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Aranjuez, Jun 28, 2005.

  1. Aranjuez

    Aranjuez Private E-2

    Hello.. I have completed each step to remove trojans, spyware, malware, etc. Win32.worm.Mytob.AK was very difficult to remove, although I think I got rid of it. I even used the additional virus scans linked in the "posting Hijack logfiles" post.

    My computer is still running very sluggish. I am getting errors stating: "lsass.exe - System Error: Object not found", which causes my computer to shutdown once I press OK.

    The odd thing is that I just formatted my drive yesterday. I was hoping to have a fresh install, but it seems to be worse off than it was before the format. Should I turn off System Restore before formatting the hard-drive? If not, how should I go about formatting in the future?

    Also, I receive error messages each time I try to update windows. Not sure how to avoid this either.

    Anyway, please review my HJT log and let me know what else I can do. :)

    PS - here is a log from my Bitdefender scan. The two files which bitdefender could not delete were cleaned with EZ anti-virus and they are no longer on my system.

    C:\funny_pic.scr
    Infected with: Win32.Worm.Mytob.AK

    C:\funny_pic.scr
    Deleted

    C:\hellmsn.exe
    Infected with: Backdoor.Faribot.A

    C:\hellmsn.exe
    Disinfection failed

    C:\hellmsn.exe
    Delete failed

    C:\my_photo2005.scr
    Infected with: Win32.Worm.Mytob.AK

    C:\my_photo2005.scr
    Deleted

    C:\see_this!!.scr
    Infected with: Win32.Worm.Mytob.AK

    C:\see_this!!.scr
    Deleted

    C:\WINDOWS\lsass.exe
    Infected with: Backdoor.SDBot.8941BD00

    C:\WINDOWS\lsass.exe
    Deleted

    C:\WINDOWS\system32\bingoo.exe
    Infected with: Win32.Worm.Mytob.AK

    C:\WINDOWS\system32\bingoo.exe
    Deleted

    C:\WINDOWS\system32\eddqjaz.exe
    Infected with: Backdoor.Poebot.B

    C:\WINDOWS\system32\eddqjaz.exe
    Disinfection failed

    C:\WINDOWS\system32\eddqjaz.exe
    Deleted

    C:\WINDOWS\system32\eraseme_68652.exe
    Infected with: Backdoor.SDBot.8941BD00

    C:\WINDOWS\system32\eraseme_68652.exe
    Deleted

    C:\WINDOWS\system32\msmgrxp.exe
    Infected with: Win32.Worm.Mytob.AK

    C:\WINDOWS\system32\msmgrxp.exe
    Disinfection failed

    C:\WINDOWS\system32\msmgrxp.exe

    -Aranjuez

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcements and stickies. HijackThis logs should only be posted when they are requested! And note you have not installed HijackThis properly. You must get it installed to c:\program files\hjt

    Do not put it on your Desktop or any sub-folder of c:\documents and settings

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to lsass Service or lsass ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    lsass Service

    Or if that does not work use the short name: lsass

    After doing the above you may be asked to reboot. Do not reboot yet!

    Now exit HJT!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\lsass.exe <--- hopefully it is already killed

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [xp service pack 2] xpsp2.exe
    O4 - HKLM\..\RunServices: [xp service pack 2] xpsp2.exe
    O4 - HKCU\..\Run: [WINTASK] msmgrxp.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\lsass.exe
    C:\WINDOWS\system32\xpsp2.exe
    C:\WINDOWS\system32\msmgrxp.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
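A defender-side check for the kind of entries chaslang lists above, added here as an example that is not part of the thread or of HijackThis itself: it parses O4/O23 log lines and flags a core Windows binary name registered from a directory other than system32 (the C:\WINDOWS\lsass.exe case) and one image sitting under several autostart keys (the xpsp2.exe case). The core-binary list is an assumption, and the one benign service line in the sample is constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Binaries Windows itself starts only from system32 (assumption: a short XP-era list).
CORE_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<image>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - (?P<owner>.+?) - (?P<image>.+)$")

def parse(line):
    """Structured record for an O4 or O23 entry; None for any other HJT line."""
    for kind, rx in (("O4", O4_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            return {"kind": kind, "line": line.strip(), **m.groupdict()}
    return None

def image_path(image):
    """Drop command-line arguments: keep the text up to the first '.exe'."""
    m = re.match(r"(?i)(.+?\.exe)", image)
    return PureWindowsPath(m.group(1) if m else image)

def scan(lines):
    """Return (line, reason) pairs for entries that deserve a second look."""
    entries = [e for e in map(parse, lines) if e]
    hits = []
    # Check 1: a core Windows binary name registered from a directory other than system32
    # (the C:\WINDOWS\lsass.exe pattern). Bare names carry no directory, so they are skipped.
    for e in entries:
        p = image_path(e["image"])
        if p.name.lower() in CORE_BINARIES and p.parent not in (PureWindowsPath("."), SYSTEM32):
            hits.append((e["line"], f"{p.name} outside system32: {p.parent}"))
    # Check 2: one image under several autostart keys (xpsp2.exe in Run and RunServices).
    seen = Counter(image_path(e["image"]).name.lower() for e in entries if e["kind"] == "O4")
    for e in entries:
        name = image_path(e["image"]).name.lower()
        if e["kind"] == "O4" and seen[name] > 1:
            hits.append((e["line"], f"{name} in {seen[name]} autostart keys"))
    return hits

# Constructed sample: four entries quoted from the thread plus one made-up benign service.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [xp service pack 2] xpsp2.exe",
    r"O4 - HKLM\..\RunServices: [xp service pack 2] xpsp2.exe",
    r"O4 - HKCU\..\Run: [WINTASK] msmgrxp.exe",
    r"O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe",
    r"O23 - Service: Example Service (example) - Example Corp - C:\WINDOWS\system32\svchost.exe -k netsvcs",
]
```

Path comparison uses PureWindowsPath, so C:\WINDOWS and c:\windows compare equal; a bare image name such as msmgrxp.exe is left alone because HJT does not say where it was resolved from.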
     
  3. Aranjuez

    Aranjuez Private E-2

    I ran into a few problems while following your directions step by step (yes... step by step)..
    1. Neither lsass Service nor lsass was found while running services.msc. I found a Windows lsass service, so I stopped that one.
    2. I could not kill the lsass.exe process with HijackThis; it told me to stop the service, but the service was nowhere to be found.
    3. Once I fixed the entries in HijackThis I rebooted into safe mode. I was able to delete c:/windows/lsass.exe. But both xpsp2.exe and msmgrxp.exe could not be found anywhere on my hard-drive.

    The computer is still straining to run. I can hear my processor from the next room; it gets louder the longer it runs.
    I have spent the last 2 days trying to correct this problem. If you could answer my question about why formatting did not clear my viruses, please do so.

    - Aranjuez

  4. Aranjuez

    Aranjuez Private E-2

    no suggestions???? :(
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HijackThis log is clean. As far as why your pc is "straining to run".... this could be hardware problems. Is your hard disk going bad? Is it just your fan making noise?

    Are you sure the disk you use to format your system is not infected itself? You should have deleted the partition and made a new partition and totally started from scratch.
     
