ms04-011 lsass exploit, running amok

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.

 

I read it but saw no reference to trying to run the READ & RUN ME. All I saw was what you wrote about your problem and you said you tried using HijackThis (which is not the first step). You also said something about

And you also mentioned not knowing how to turn off system restore. But none of this mentions trying to run the READ & RUN ME. If you cannot figure out which things mean what, how do you expect us to help you when we cannot see the PC at all.

 

Yes!

 

If you cannot run the READ & RUN ME, try downloading an unzipped version of HijackThis from the below link and see if you can run it.

http://216.180.233.162/~merijn/files/HijackThis.exe

Attach your log!

 

Other than the below, there are no problems showing in your HJT log.

O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe

Did you install this SpywareCleaner program? If so, uninstall it.

 

Does this mean you uninstalled it? If so, reboot and then make sure those two lines no longer appear in your HJT log.

If your log is clean, you will have to run scans to see if anything else can be found. Otherwise I would have to ask if there is something on your PC that you have used to put it into a mode to show chinese text. I do see the below running which is normally related to stuff like this:

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

This is part of Microsoft\'s Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word

 

There are no special icons. There are just folders and then check boxes and radio buttons. Right now you do not even need to worry about this because we have nothing that we need to even delete yet.

 

So are you saying the PC was always like this?

If so, why are you coming to the malware forum for help. This would not be malware?

Or is your real reason because of the mass emailing?

 

Let's see if you can get to the Regional and Languages Options form normal accessed from Control Panel. But try it this way, open Windows Explorer and enter the below into the addess bar:

c:\windows\system32\intl.cpl

And hit enter. Now the trick is to see if you can find the English (Unisted States) selection in the top box on this form. You also would have to select United States in the very bottom box.

If this does not work, try asking for suggestions in the Software Forum on this. This is not malware since your PC is installed with a Chinese OS.

As far as Hidden files, if you are on that form, the very top item is a Folder and the english text would be Files and Folders. There should be 7 check boxes under it and then another folder icon. This is the icon lableed Hidden files and folders. Under it there are two radio buttons. The upper one should be unchecked and the lower one should be checked. Below this second radio button make sure the next two check boxes are also unchecked. Then click Apply (the apply button should be at the lower right corner of the Window).

 

I guess you did not notice the below:

O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

Have HJT fix this line. And look for the C:\Program Files\Spyware Cleaner folder and delete it.

 

No! That should be all you need to delete.

You mean things like: "MajorGeeks.com - Geek it 'till it MHz!"
The owners put a whole bunch of them into a script that randomly chooses one to show.

Did you try what I said in message # 21 yet?

Gotta go now! Bed time!

 

Post exactly what PC-Cillin is finding!

Is it the antivirus or the firewall that is giving you messages?

If you cannot run the READ & RUN ME, there is not much else we can do for you to locate any viruii or trojans. You will have to get some one to translate for you.

Why are you using a PC that is setup for Chinese if you do not understand Chinese?

You could give the below a run but I'm not sure we will find anything.


Please download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

Good night! (I'm really done this time! )

 

These look like firewall related messages. Have you used this PC to purchase stuff via the web? If so, from what sites? Are you sure you are not misinterpreting the messages? Is your credit card info really in the messages? Also note that whatever they are, they firewall is blocking them. You should look in the log or messages from the firewall to see what application is sending this and when. Is it only when on line?

penton.us.intellitxt.com is related to Vibrant Media. An advertising type adware company. Did you buy anything from them?

This by106fd.bay106.hotmail.msn.com is a hotmail account related to MS.
This support.webroot.com the support site for Webroot (the creators of SpySweeper and other tools).

This us.f321.mail.yahoo.com is for Yahoo Email.
I have no idea what the last one is: red.as1.falkag.de

 

Just run Spybot and then click Update. When the list of possible updates comes up, look towards the top menu area. And to the right of Search for Updates is a pulldown box where you can choose from a different list of servers. Just try different ones until it works.

 

Please be more specific! What program or programs are you talking about? Are you saying Trend Micro does not work? Or are you having a problem with Spy Sweeper? What is it that does not work? Describe what you are doing and what action that you expect does not occur.

And exactly what have you run and did any of the scans find anything?

You also did not run WinPfind that I gave you in message #28.