Help with SITEBAR POPUP

Discussion in 'Malware Help (A Specialist Will Reply)' started by jin_masters, Oct 23, 2005.

  1. jin_masters

    jin_masters Private E-2

    Hi

    Wondering if anyone can help... I've used various spyware programs and can't get rid of the sitebar popup, which consists of opening a command prompt and then an exe application stating to add features for IE.

    Please, can anyone help?

    I've used Spy Doctor and it can detect it, but asks for a reboot to delete it from the registry... but once rebooted the same problem occurs.

    I will try the procedure with HiJackThis and then upload the log file... hope someone can help.

    Jin_Masters
     
  2. jin_masters

    jin_masters Private E-2

    Hi

    Followed the procedures for HiJackThis.

    Please find attached my log file.

    thanks
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Local Security Authority Subsystem Service (if that is not found, look for: lsass). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Local Security Authority Subsystem Service

    If that does not work, use the short name: lsass

    Now exit HJT and do not reboot if it asks you to do so. We will reboot further down.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\lsass.exe <--- should already be killed


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmkji.dll <--- this may come back! It is Virtumundo! See the Special Removal Procedures sticky thread for a procedure.
    O20 - Winlogon Notify: pmkji - C:\WINDOWS\SYSTEM32\pmkji.dll
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
    <--- this should already be gone but I'm just double checking.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\system32\pmkji.dll
    C:\WINDOWS\lsass.exe


    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\WINDOWS\Prefetch and delete all files in this folder.


    Look for the below folder and tell me if you find it (just look):
    C:\Documents and Settings\LocalService

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
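The checks in the post above (a second lsass.exe running from outside System32, a service pointing at it, and a randomly named DLL registered both as a Browser Helper Object and as a Winlogon Notify package) can be scripted. What follows is an added example written for this page; it is not code from the thread, from MajorGeeks or from HijackThis. It assumes a Windows host with PowerShell 5.1 or later in an elevated prompt (the thread itself dates from the XP era), reads the same registry locations that HijackThis's O2, O20 and O23 lines are built from, and only reports; it never stops, kills or deletes anything. The function and label names are this example's own.

```powershell
# Added example for this page (not from the thread): read-only triage of the
# persistence points targeted in post #3: a fake lsass.exe process/service,
# Browser Helper Object DLLs (HJT "O2" lines) and Winlogon Notify DLLs (HJT
# "O20" lines). Assumes Windows, PowerShell 5.1+, run from an elevated prompt.
# It reports only; review the output before stopping or deleting anything.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-ExePath([string]$CommandLine) {
    # Reduce a service/process command line to its executable path:
    # '"C:\x\y.exe" -k foo' -> C:\x\y.exe ; 'C:\WINDOWS\lsass.exe' -> itself.
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^(\S+?\.exe)') { return $Matches[1] }
    return $CommandLine
}

function Test-InSystem32([string]$Path) {
    # The genuine LSASS lives in %SystemRoot%\System32; anything else is an impostor.
    $exe = Get-ExePath $Path
    if (-not $exe) { return $false }
    return $exe.StartsWith("$system32\", [StringComparison]::OrdinalIgnoreCase)
}

function Show-DllVerdict([string]$Kind, [string]$Label, [string]$Dll) {
    $path = [Environment]::ExpandEnvironmentVariables(("$Dll" -replace '"', ''))
    # Winlogon Notify entries often hold a bare file name that resolves to System32.
    if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }
    if (-not $path) { $verdict = 'no DLL path' }
    elseif (-not (Test-Path -LiteralPath $path)) {
        # Orphaned registration, like the "(file missing)" lines later in this thread.
        $verdict = 'FILE MISSING (orphaned entry)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $verdict = if ($sig.Status -eq 'Valid') { "signed: $($sig.SignerCertificate.Subject)" }
                   else { 'UNSIGNED or invalid signature' }
    }
    '{0,-7} {1,-40} {2,-45} {3}' -f $Kind, $Label, $path, $verdict
}

Write-Output '== lsass.exe processes (the genuine one runs from System32) =='
Get-CimInstance Win32_Process -Filter "Name='lsass.exe'" | ForEach-Object {
    # ExecutablePath of the real LSASS is only readable when elevated; a blank
    # path here means "run this elevated", not "malware".
    $verdict = if (-not $_.ExecutablePath) { 'path unreadable' }
               elseif (Test-InSystem32 $_.ExecutablePath) { 'ok' } else { 'SUSPICIOUS' }
    '{0,-14} PID {1,-6} {2}' -f $verdict, $_.ProcessId, $_.ExecutablePath
}

Write-Output '== services whose binary is an lsass.exe (HJT O23) =='
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'lsass\.exe' } | ForEach-Object {
    # Real LSASS-hosted services (SamSs, KeyIso, ...) point at System32\lsass.exe.
    $verdict = if (Test-InSystem32 $_.PathName) { 'ok' } else { 'SUSPICIOUS' }
    '{0,-10} {1,-10} "{2}" {3}' -f $verdict, $_.Name, $_.DisplayName, $_.PathName
}

Write-Output '== Browser Helper Objects (HJT O2) =='
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem $root) {
        # Each subkey is a CLSID; the DLL is the default value of its InprocServer32 key.
        $clsid = $sub.PSChildName
        $dll = $null
        foreach ($clsRoot in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
            $srv = "$clsRoot\$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
        }
        Show-DllVerdict 'BHO' $clsid $dll
    }
}

Write-Output '== Winlogon Notify packages (HJT O20; honoured on XP, ignored since Vista) =='
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        Show-DllVerdict 'Notify' $sub.PSChildName (Get-ItemProperty -Path $sub.PSPath).DLLName
    }
}
```

Save it as a .ps1 and run it from an elevated prompt. The pattern that matches this thread's infection is a SUSPICIOUS lsass.exe outside System32 plus one unsigned, randomly named DLL in System32 that appears in both the BHO and the Notify list. Treat the signature check as a hint only: a valid signature does not prove a DLL is benign, and some legitimate older add-ons were never signed.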
     
  4. jin_masters

    jin_masters Private E-2

    Hi

    thanks for all the help

    please find attached the new HiJackThis log file

    BTW, I couldn't delete the pmkji.dll from safe mode because it stated it was being used by another program.

    Any ideas?

    Jin_masters
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The DLL file you mentioned has changed names. It is part of a Virtumundo infection as I mentioned in message # 3 where I said it would come back. Follow the below steps.

    These steps must be run exactly as specified.

    1) Download this Symantec Trojan.Vundo Removal Tool to a location where you can find it later
    2) Make sure you do not run anything but what is specified. DO NOT OPEN any browsers during the process below, so print or save these instructions locally so you know what to do while offline.
    3) Boot into safe mode and physically unplug your cable to the internet
    4) Run the fixvundo.exe tool downloaded above and save the log
    5) Immediately reboot in normal mode and run the fixvundo.exe tool again. Save the log.
    6) Immediately reboot again into normal mode and now reconnect your cable to the internet.
    7) Now run HJT and save a new log
    8) Open a browser and come back here and post your logs from running fixvundo and also the new HJT log. Also tell me how these steps went. Any problems?
     
  6. jin_masters

    jin_masters Private E-2

    Hi

    I think everything is working OK now,

    but to be on the safe side please find attached the log files.

    Thanks for all your HELP


    Jin_masters
     

    Attached Files:

  7. jin_masters

    jin_masters Private E-2

    Please find attached the HiJackThis file.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well for some reason the Symantec tool is not recognizing the infection of your system.

    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning (the screenshot is not reproduced here).
    • At this point press enter one time.
    • Next you will see a prompt for a file path (screenshot not reproduced). At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\mljgd.dll

    • Press Enter to continue with the fix.
    • Next you will see a second prompt (screenshot not reproduced). At this point please type the following file path (make sure to enter it exactly as below!):


    C:\WINDOWS\system32\dgjlm.*



    • Press Enter to continue with the fix.
    • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mljgd.dll
    O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll
    • After you have fixed these items, close Hijackthis.
    • Press enter to exit the program then manually reboot your computer.
    Once your machine reboots please attach a new HJT log from normal boot mode.
     
  9. jin_masters

    jin_masters Private E-2

    please find attached new HJT log file

    thanks again for the help
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hopefully the problem is fixed and the below just need to be cleaned up.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\mljgd.dll (file missing)
    O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll (file missing)

    After clicking Fix, exit HJT.

    Now reboot your PC and take a look at a new HJT log and make sure the above two lines are now gone. If not, post the new log.

    Either way, tell me how things are running now.
     
  11. jin_masters

    jin_masters Private E-2

    Hi

    Thanks for all the HELP

    I've done the cleanup procedures.

    Here's the HJT log file just in case.

    Jin Masters
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! It's gone! I'll assume everything is working okay now. And therefore you should work thru the below to help keep things clean:

    How to Protect yourself from malware!
     
  13. jin_masters

    jin_masters Private E-2

    Hey,

    I think everything is back to normal now,

    but not sure if this has anything to do with the trojan... did it disable my Windows Firewall? If so, how can I re-enable it, as the settings are greyed out now?

    Any ideas?

    Jin masters
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It really does not matter. You do not want to use the Windows firewall because it does not provide adequate bidirectional protection. You need to use a firewall like one of the ones mentioned in the How to Protect link I gave you in my previous message. After installing one of these you do not want the WinXP SP2 firewall enabled anyway. That How to Protect link also gives you a link to info on the Windows Firewall. You should be working through the steps in that link.
     
