lsass questions

Discussion in 'Malware Help (A Specialist Will Reply)' started by skitz, Jan 13, 2008.

  1. skitz

    skitz Private E-2

    My question is how many lsass.exe should be running on any given machine.
    I currently have lsass.exe and lsass .exe (notice there is a space before .exe on the second one).
    exe locations are:
    lsass.exe -- C:\WINDOWS\system32\lsass.exe
    lsass .exe -- C:\WNDOWS\system32\lsass.exe (this is the one with the space before .exe)
    The lsass .exe seems to use a lot more processor time than the other (lsass.exe).
    Any information on this would be greatly appreciated.
    skitz
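    The question above (how many lsass.exe should exist, and whether "lsass .exe" belongs) is one a defender can answer mechanically: Windows runs a single lsass.exe from the system32 directory, so any process whose name only resembles lsass.exe, or which runs from elsewhere, is worth flagging. The Python below is an added example written for this thread, not code posted by anyone in it; the process listing it inspects is constructed to mirror what skitz reported, and the function names are my own.

```python
"""Flag processes that masquerade as lsass.exe.

Added example for this thread, not code from any of the posts. Windows normally
runs exactly one lsass.exe, started from %SystemRoot%\\system32. A process whose
name differs only by whitespace, case or look-alike characters, or which runs
from another directory, does not belong. SAMPLE below is constructed from the
original poster's description; on a live machine you would feed in the output of
a real process enumeration instead.
"""
import re
import unicodedata
from dataclasses import dataclass

EXPECTED_NAME = "lsass.exe"
EXPECTED_DIR = r"c:\windows\system32"

# Characters commonly substituted for Latin letters to make a name look legitimate.
HOMOGLYPHS = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "$": "s"})


@dataclass
class Proc:
    pid: int
    name: str   # image name as shown by the task manager
    path: str   # full path of the executable


def normalize(name: str) -> str:
    """Collapse the tricks used to make a name look like lsass.exe."""
    n = unicodedata.normalize("NFKC", name)   # fold full-width/compatibility forms
    n = re.sub(r"\s+", "", n)                 # 'lsass .exe' -> 'lsass.exe'
    return n.lower().translate(HOMOGLYPHS)    # 'LSA55.EXE'  -> 'lsass.exe'


def check_lsass(procs):
    """Return (pid, reason) findings for every lsass look-alike in a listing."""
    findings = []
    genuine = 0
    for p in procs:
        if normalize(p.name) != EXPECTED_NAME:
            continue  # unrelated process, ignore
        reasons = []
        if p.name.lower() != EXPECTED_NAME:
            reasons.append(f"name {p.name!r} is a look-alike of {EXPECTED_NAME}")
        directory = p.path.rsplit("\\", 1)[0].lower()
        if directory != EXPECTED_DIR:
            reasons.append(f"runs from {directory!r}, not {EXPECTED_DIR!r}")
        if reasons:
            findings.append((p.pid, "; ".join(reasons)))
        else:
            genuine += 1
    if genuine == 0:
        findings.append((None, "no genuine lsass.exe found"))
    elif genuine > 1:
        findings.append((None, f"{genuine} copies of lsass.exe in system32 (expected 1)"))
    return findings


# Constructed listing (PIDs and paths are made up) modelled on the report above.
SAMPLE = [
    Proc(4, "System", "System"),
    Proc(680, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),      # the real one
    Proc(1844, "lsass .exe", r"C:\WINDOWS\system32\lsass .exe"),   # space before .exe
    Proc(2200, "lsass.exe", r"C:\WINDOWS\lsass.exe"),              # wrong directory
    Proc(2012, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
]


def main():
    for pid, reason in check_lsass(SAMPLE):
        print(f"pid {pid}: {reason}")


if __name__ == "__main__":
    main()
```

    Run on the constructed listing it reports PIDs 1844 and 2200 and stays quiet about the genuine lsass.exe, which is the outcome the thread works toward: one lsass.exe, in system32, and nothing else answering to that name.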
     
  2. abri

    abri MajorGeek

    Hi skitz!
    Welcome to the Malware Forum!


    You have a new form of Vundo which needs to be removed from your computer ASAP. Please follow the instructions in the READ & RUN ME FIRST paying attention to those which apply to your operating system. Be sure that your msconfig is in normal startup mode as described in the instructions. When you finish, please attach the requested logs.

    Note! The infection your computer has mutates and develops with each reboot. Please use your computer as little as possible and do not reboot unnecessarily until we have a chance to give you further instructions. Combofix, which comes after some of the initial setup/cleanup instructions, gets out some of this infection.

    abri
     
  3. skitz

    skitz Private E-2

    Here are the logs.
    I believe I did everything correctly. Both lsass.exe and lsass .exe are still there.
    skitz
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi skitz!

    Please continue as follows:

    • Download RenV.exe and save it to your Desktop (must be on the Desktop)
    • Double-click RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
    abri
     
  5. skitz

    skitz Private E-2

    Here is the log you requested.
     

    Attached Files:

    • Log.txt
    Last edited: Jan 15, 2008
  6. abri

    abri MajorGeek

    Hi Skitz,
    please continue as follows:

    Copy the bold text below to notepad. Save it as Log.txt to your desktop.
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    • Run ComboFix
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Attach the below new logs:
      • Log.txt
      • C:\ComboFix.txt
      • C:\MGlogs.zip
    abri
     
  7. skitz

    skitz Private E-2

    Here are the logs...
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi skitz,
    I don't think that worked. After you made the log.txt and saved it to your desktop, did you pull the file (without opening it) on top of the RenV.exe (also on your desktop) and allow it to run? It looks like you clicked on the RenV program and simply ran it and that is not what you need to do. You need to point at the Log.txt that you created and pull it across your desktop to the RenV program and put it on top of that one. Please try it again. You will need to make the Log.txt again using the file names I gave you in post 6. Copy them into notepad and save it to the Desktop. Make sure it is the correct one with just the three files in it and no other information. You can open it on the desktop to make sure it's the right one. Then close it again and point at it and move it over to where the RenV program is on the desktop.
    abri
     
  9. skitz

    skitz Private E-2

    New log file, hope these are right.
    The site won't allow me to upload already uploaded files to the site.
     

    Attached Files:

    • log.txt
  10. abri

    abri MajorGeek

    Hi skitz!

    I'm expecting a different result than what your attachments are showing. The first attachment was correct after you ran the RenV.exe. From that I made up a set of three files for you to make into a .txt file called log.txt. In the next attachment, it looked like you simply clicked on RenV.exe and ran it again, because that log looks the same as your first one. And now this most recent one looks like the one I asked you to make. You need to take this one, that you just posted (which is completely empty except for the three files) and make sure it is located on your desktop. The icon should look like a pad of paper with a wire scroll at the top and with some writing on the piece of paper. Just pull that icon over on top of the RenV icon. It should run then and produce a new log. And I'm hoping that log is going to look different than what you've posted so far.

    If this doesn't work, please tell me exactly what you are doing.

    Make sure the log.txt you just attached in this last post is stored on your desktop. If you're not sure if it's stored on your desktop, right-click on it, the pathway will be C:\Documents and Settings\(your name)\Desktop and the icon for it will be on the desktop. If anywhere in the pathname it says link or .lnk, then it's not stored on the desktop. Just point at it with a left-click, hold the left mouse key down and actually drag that icon over on top of the RenV icon (which must also be stored on the desktop).

    I'm curious why this isn't working, so hope it will this time.

    abri
     
  11. skitz

    skitz Private E-2

    I did as you requested, and it tries to save the log to the file I already have called log.txt.
    It does not rewrite the log.txt for some reason, so I renamed it this time to renv_log.txt.
    I will include all associated logs for you to see.
    Oh, I almost forgot: all 3 files, while trying to access them with RenV, received a file access denied error....
    Again it will not allow me to post the other files as I have already posted them earlier.
    (renv.exe is on desktop....as is log.txt...dragged log.txt to renv.exe ---> access denied errors for all 3 files in the log.txt file....)
    skitz
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi skitz,
    Thanks for being patient. I'm going to ask you to go at this in a different way, but I need to check something first. I'll try to get back to you before long!
    abri
     
  13. skitz

    skitz Private E-2

    Still waiting patiently...just letting you know.
    It seems the lsass .exe has gone, leaving only one lsass.exe.
    Thanks
     
  14. abri

    abri MajorGeek

    Hi skitz,

    Please do the following:

    1) Please check if your guest account is disabled. If not, disable it.

    2) what is in this folder?

    C:\Documents and Settings\michael\Desktop\ΓΏ

    3) Please rename the following from C:\WINDOWS\system32\mlfcache.dat to mlfcache.dat.zzz

    4) Next I would like for you to download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop. We will run it later.
    5) Now, please print out these instructions so you can disconnect from the internet. After you print these out, please shut down your computer and physically disconnect it from the internet. Then reboot and disable all antivirus and antispyware programs before you continue with the next steps.



    6) Go to add/remove programs and uninstall the below:
    J2SE Runtime Environment 5.0 Update 6
    7) Next disable the following service
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to System Event Agent
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste System Event Agent into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    8) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

    After you click fix checked, just close hijackthis.


    9) Next, please run Avenger (which is on the desktop)
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    10) Run CCleaner at the default setting with the Windows tab as the top one.

    11) Install the current version of Sun Java from: Sun Java Runtime Environment


    12) Now run C:\MGtools\GetLogs.bat by double clicking on it.

    13) Attach the below new logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Let me know how things are running now.

    abri
     
    Last edited by a moderator: Jan 23, 2008
