lsass.exe error with "Restarting in 60 seconds" message

Cousin's laptop got ganked again due to friends installing crap on it (Registry Defender Platinum v5 was present when I started, though MBAM probably removed it). When attempting to boot into Normal Mode, a memory error appears at the XP Welcome Screen followed by an error message stating that lsass.exe has had an error and that Windows will restart in 60 seconds. Safe Mode works, so all the scans have been done from there.

SUPERAntiSpyware could not be run because it cannot be installed from Safe Mode. Could not uninstall and update Java because the Windows Installer Service could not be accessed in Safe Mode.

MBAM ran fine.

ComboFix produced a warning message:

Avast was not running at the time since I was in Safe Mode, so I'm not sure why that warning was shown. I opened avast anyway to check its settings, and the Resident Protection was set to Disabled. There didn't seem to be a way to back out of ComboFix at that point anyhow, since the only button was "OK", so I clicked "OK". It produced another warning message with no way to exit the program reminding me that the real time scanner was still active, so I uninstalled avast, which prompted a restart, so I restarted. Perhaps you could send a note to the author(s) regarding this?

Then, I ran ComboFix. It prompted me to install the Recovery Console, to which I said "Yes" though I had the computer disconnected from the Internet (it's in Safe Mode). As per the instructions, "if it fails, let it continue", I let it continue scanning. ComboFix restarted the computer, and I selected Safe mode again. ComboFix completed, and I then followed the "Manually installing the Windows Recovery Console section" instructions, which entailed running ComboFix again, so I did. I saved both ComboFix logs separately.

RootRepeal ran fine.

I ran MGTools. While on the step "Getting System Information" a notice appeared stating:

I clicked "Don't Send". An Application Error for msinfo32.exe appeared regarding a memory instruction unable to be read.

Finished running scans, now attaching logs.

 

And MGLogs.zip. Awaiting further instructions.

 

Whoops! Old habits, I suppose. I usually keep all the installers together, and I mistakenly lumped MGTools in there. Deleted.

Still booting into Safe Mode because I didn't want anything unnecessarily regenerating itself by attempting to boot normally until you had cleared it.

While running MGTools, the "Getting System Information" step may have failed:

I clicked "Don't Send". An Application Error for msinfo32.exe appeared regarding a memory instruction unable to be read. I clicked "OK".

Requested logs are attached. If you'd like me to boot back into Normal Mode for any steps, please let me know.

 

Given that I couldn't boot into Normal Mode without a forced restart occuring, I was booting in Safe Mode per the instructions in the Readme. I acknowledge that you're more knowledgeable than I am in Malware Removal (you wrote the guide used here). I figured you'd let me know when to boot back into Normal Mode. As it turns out, you did, and that time is now!

Back in Normal Mode (IT WORKS!) now to rerun your instructions properly, and things are sluggish to the point of almost unusable, but at least now it lets me in to Normal Mode at all.

Uninstalled Java 6u13. Reran CFscript.txt on ComboFix. Installed Java 6u16. Reran Ccleaner. Reran C:\MGTools\GetLogs.bat.

STILL got this error while running GetLogs:

Clicked "Don't Send". Got the memory/application error for msinfo32.exe. Clicked "OK".

New logs from Normal Mode are attached. Things are definitely improving. I can boot into Normal Mode without getting the forced restart, and the system is more responsive.

 

It's very likely. This machine was a mess when I got it. I can run msinfo32 from Start>Run, but it just comes up as a blank white window. I'll check in with the Software Forum once we're done here.

Hurray!

I never did install SAS, due to previously only being able to run in Safe Mode at first. Is that a problem?

Successfully uninstalled ComboFix. Deleted unneeded installers for tools/updates. I just realized that I hadn't explicitly mentioned: this computer is running Windows XP Professional SP3. Successfully uninstalled HijackThis.

I did this, though the command prompt window that popped up said something like "Cannot find file specified" before closing the Explorer window I had launched it from and itself. Is that normal?

According to the instructions in the Readme for "House Cleaning", it is recommended to run CCleaner on all user accounts. There is a Guest account enabled on this computer accessible in Normal Boot Mode. I logged into it to run CCleaner, and some RUNDLL warnings popped up:

There were also identical warnings for duwohase.dll and kagokane.dll. Is something still running that's looking for these DLLs? I'll wait until hearing back from you until flushing the restore points because:

Err, after looking up that quote, I realized that you were pointing me to "Step 4: Toggle System Restore" in the Windows XP Cleaning Procedure page, not "Step 3: House Cleaning" in the Readme. No wonder I was confused. My mistake. I hope it's not a problem that I reran CCleaner.

I'm working on collecting the necessary software outlined in How to Protect yourself from malware! (from a different computer, of course). I think I'll try out the new Comodo Internet Security suite since it seems to have improved. However, I'll wait until we're sure there aren't additional things I need to do before installing the new software.

Unreleated to this case: the version of Comodo Personal Firewall linked from the "Protect Yourself" page is outdated. I don't think that Comodo offers separate installers for their antivirus/firewall software anymore, but I do believe that their Comodo Internet Security installer offers individual installations of antivirus, firewall, or both.

Sorry for the long post.

 

Installed and ran SAS. It found and quarantined one thing. I've attached the log in case you feel it's important.

The MGTools folder is gone. Still, it appeared to close the Explorer window that I had open to select the MGclean.bat file. I don't know if MGclean.bat inadvertently caused this, if something else did, or if I accidentally hit the X when moving the mouse (touchpad).

Ah, makes sense.

What is the word on those RUNDLL errors on the Limited Account?

Would removing the Limited Account remove whatever tried to call those DLLs? Or would it be better to determine and remove what caused Windows to look for those DLLs?

 

Alright! I noticed that "View Hidden Files and Folders" was disabled on the Limited Account, so I enabled it. Would MGClean do that?

I ran CCleaner on the Limited Account, and then I ran its Registry Cleaner. It found the dead startup entries in the registry, so I told it to "fix" (remove) them, and those alerts don't appear anymore.

For completeness sake, I tried to rerun the Readme on the Limited Account. I ran SAS and MBAM. I'm attaching those logs in case you feel the need to review them, though it seems that everything that was detected was removed successfully (please correct me if I'm wrong, I'm trying to get a sense for how to read these logs).

ComboFix, RootRepeal, and MGTools would not run, probably because it is a Limited Account. MGTools had lots of "Access is denied" lines in its application window and produced "16-bit MS-DOS Subsystem" errors about:

Again, presumably because it was run on a Limited Account.

Things seem much better now. Since you said before that the system was clean and it was time to set up protection for it. I'm going to do the remainder of the software uninstalls/installs on it that it needs and send it back to my cousin.

Thanks again! I might have more PCs coming in this weekend though. >.<

If I have comments or questions regarding the Readme process itself (the written instructions or tools) not in relation to a specific computer, should I post them here, in a separate thread, or in a PM?

 

Hmm. This machine still exhibits extreme slowness during the first five minutes or so after logging in. Was there anything in the logs to suggest why this might be happening? No processes appear to be spiking in CPU usage, and the memory usage is less than 300MB.

 

Alright then, I'll hop over to the Software Forum and see if they can take a look at what services on this computer are or aren't running and what should be done about those and the msinfo32 issue.

 

Thanks again!