Should I have two Issas.exe files running...?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Steve_Start, Sep 9, 2007.

  1. Steve_Start

    Steve_Start Private E-2

    Hi there, I recently detected some possible forms of malware: winsup.exe and sleep.exe, which were located in docs&settings>all users>start menu>programs>Start Up.

    Although, when scanned with Norton and AVG, they found no infections on them, I have put them in the recycle bin so far. Anyway, I think they were connected to lssas.exe, which I've read up on, and I believe that Issas.exe is a virus and Lssas.exe isn't... Now in the processes tab of Task Manager I see there are two running, but when typing in the letter I nothing comes up, whereas typing L they appear, which leads me to assume these are clean files, although I'm curious as to why there should be two running, as there is a lssas.exe folder in windows>config created today. Should this be here? I've run AVG and Spybot full system scans with nothing found, so I'm hoping everything is ok...

    ***Edit: I've checked the processes in AVG and one lssas.exe is running from C:\WINDOWS\system32\lssas.exe
    and the other is running from C:\WINDOWS\Config\lssas.exe (and looks like a yellow folder as opposed to a normal exe file).

    Many thanks in advance!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about the file names? lssas.exe is not valid no matter where it is running from. lsass.exe is valid if running from C:\windows\system32.

    If you are having malware problems, please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
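The point chaslang makes in this reply, that only lsass.exe is a valid name and only when it runs from the system32 folder, is something a user can check directly rather than by eyeballing Task Manager. The PowerShell script below is an added example written for this page, not code from the thread or from MajorGeeks, and assumes Windows PowerShell 5.1 or later run from an elevated prompt (the image path of the SYSTEM-owned lsass.exe is not readable otherwise). The look-alike name pattern and the `Get-LsassAudit` function name are my own choices; the expected path `%SystemRoot%\System32\lsass.exe` is the genuine location the reply refers to.

```powershell
# Added example: enumerate every running process whose name looks like "lsass"
# (the real name plus common misspellings such as lssas, isass, 1sass, lsas)
# and report whether each one runs from the genuine location.
# Assumes an elevated Windows PowerShell 5.1+ session.

function Get-LsassAudit {
    # The only legitimate image path for the Local Security Authority process.
    $genuinePath = Join-Path $env:SystemRoot 'System32\lsass.exe'

    # Regex for the real name and its look-alikes (constructed pattern, case-insensitive by default).
    $lookAlike = '^[li1]s{1,2}a{1,2}s{1,3}\.exe$'

    $report = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -match $lookAlike } |
        ForEach-Object {
            $path = $_.ExecutablePath            # $null when the session is not elevated
            $sig  = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                # System binaries are catalog-signed; Get-AuthenticodeSignature consults the catalog on Windows 8+/Server 2012+.
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            }

            $verdict = if ($null -eq $path) {
                'UNKNOWN (run elevated to read the image path)'
            } elseif ($_.Name -ieq 'lsass.exe' -and $path -ieq $genuinePath) {
                'genuine name and path'
            } else {
                'SUSPECT: wrong name or wrong folder'
            }

            [pscustomobject]@{
                PID       = $_.ProcessId
                Name      = $_.Name
                Path      = $path
                Signature = $sig
                Verdict   = $verdict
            }
        }

    # There should be exactly one genuine instance on a healthy machine.
    $genuineCount = @($report | Where-Object { $_.Verdict -eq 'genuine name and path' }).Count
    if ($genuineCount -ne 1) {
        Write-Warning "Expected exactly one genuine lsass.exe, found $genuineCount."
    }
    $report
}

Get-LsassAudit | Format-Table -AutoSize
```

Any row marked SUSPECT is the kind of file this thread is about: a process borrowing the name of a system component but living somewhere like C:\WINDOWS\Config. The signature column is informational only; a Valid status is expected for the genuine copy, while NotSigned on the suspect copy is a further confirmation, not the primary test.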
     
  3. Steve_Start

    Steve_Start Private E-2

    Hey Chaslang, yeah, sorry, they were all meant to have read lsass.exe (doh!). But yeah, the folder that was created today at the same time as the other exe files mentioned - I have ended the process and deleted it from the Config folder, re-scanned and ran CCleaner etc., and everything seems to be working fine after reboot too. Thanks a lot for your response!

    Steve
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Have you run full antivirus and antispyware scans on your PC?
     
  5. Steve_Start

    Steve_Start Private E-2

    I've run full Spybot and AVG (7.5.1.43 Plus) scans. I was considering running Norton but am thinking about removing that from my comp now that I have AVG Plus... anyway, scans were clean.

    When I rebooted the comp today I had an error come up saying that Windows could not find (the folder I removed) windows>config>lsass.exe.

    Although lsass.exe is still running fine from system32 as it should be, and nothing seems to have come of the error...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a very very bad idea to have multiple antivirus programs installed. Uninstall Norton now!!!

    I highly recommend that you complete the instructions given for running the READ & RUN ME and attaching the logs.
     
  7. Steve_Start

    Steve_Start Private E-2

    Ok, Norton has been uninstalled. I have the log files to attach, although when running CounterSpy it started out ok, then went really slow after a while and was not going very fast for a few hours. After I post these files I'm going to reboot in safe mode and try again...
     

    Attached Files:

  8. Steve_Start

    Steve_Start Private E-2

    ...and the others
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you are in pretty good shape. We just have a few things to do.

    First uninstall the Sunbelt CounterSpy trial program since we are finished with it.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now delete the below folders which may be left behind:
    C:\Documents and Settings\Steven\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now delete the below files:
    C:\1F3.tmp
    C:\WINDOWS\system32\thxcfg.ini


    Run HijackThis (select Do a system scan only) and select the following line if it still exists but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe

    After clicking Fix, exit HJT.

    Now run Ccleaner

    Now attach a new log from HijackThis.

    Make sure you tell me how things are working now!
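The HijackThis "F2 - REG:system.ini: Shell=" line in this reply reports the Winlogon Shell value, where the default is just explorer.exe; a second program appended there (here the copy of lsass.exe under C:\WINDOWS\Config) is started at every logon, which is why the file kept coming back. The script below is an added example written for this page, not code from the thread, HijackThis or MajorGeeks. It assumes Windows PowerShell 5.1 or later and the documented Winlogon key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; the function name `Get-WinlogonShellAudit` and the constructed sample value used in the final lines are mine. Beyond the Shell value the thread mentions, it also checks Userinit, the other value HijackThis reports under F2.

```powershell
# Added example: audit the Winlogon Shell and Userinit values for appended programs.
# Defaults assumed here: Shell = "explorer.exe", Userinit = "<SystemRoot>\system32\userinit.exe,"
# (the trailing comma on Userinit is normal). Read-only; nothing is modified.

function Test-WinlogonValue {
    param(
        [string]$Name,       # "Shell" or "Userinit"
        [string]$Actual,     # raw registry data (may be $null)
        [string]$Expected    # the single entry that should be present
    )
    if ($null -eq $Actual) { return [pscustomobject]@{ Value = $Name; Actual = $null; Extra = @(); Verdict = 'MISSING' } }

    # Entries are separated by commas and/or whitespace; drop empty tokens (trailing comma).
    $tokens = @($Actual -split '[,\s]+' | Where-Object { $_ })
    $extra  = @($tokens | Where-Object { $_ -ine $Expected })

    $verdict = if ($tokens.Count -eq 1 -and $extra.Count -eq 0) { 'OK' }
               elseif ($extra.Count -gt 0) { 'SUSPECT: extra program(s) appended' }
               else { 'OK' }

    [pscustomobject]@{ Value = $Name; Actual = $Actual; Extra = $extra; Verdict = $verdict }
}

function Get-WinlogonShellAudit {
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
    }
    # HKLM holds the machine-wide values; an HKCU copy is normally absent and is itself
    # worth a look, because a per-user Shell value overrides the machine one for that user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $expected.Keys) {
            $actual = $props.$name
            # Per-user key: only report if a value is actually set there.
            if ($key -like 'HKCU:*' -and $null -eq $actual) { continue }
            $row = Test-WinlogonValue -Name $name -Actual $actual -Expected $expected[$name]
            $row | Add-Member -NotePropertyName Key -NotePropertyValue $key -PassThru
        }
    }
}

Get-WinlogonShellAudit | Format-Table Key, Value, Actual, Verdict -AutoSize

# Constructed sample mirroring the HijackThis line from this thread, to show the verdict logic offline.
$sample = Test-WinlogonValue -Name 'Shell' -Actual 'Explorer.exe C:\WINDOWS\Config\lsass.exe' -Expected 'explorer.exe'
$sample   # Verdict: SUSPECT, Extra: C:\WINDOWS\Config\lsass.exe
```

A SUSPECT verdict on Shell with an extra entry is exactly what the HijackThis fix in this reply removes: the fix rewrites the value back to explorer.exe alone, which is why chaslang asks for the file in C:\WINDOWS\Config to be deleted as well, since fixing the value does not remove the program it launched. Some OEM or remote-management software does legitimately append to Userinit, so check what any extra entry is before acting on it.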
     
  10. Steve_Start

    Steve_Start Private E-2

    Okay, done all that with no problems, but when I shut down the comp an error comes up saying something like: lsass.exe dll - the application failed to initialize...

    It has been doing that from the start of the problem, but I thought HJT would have fixed it there... and the folder is still inside windows>Config and running in the processes window from 'Steven', and the other runs from 'SYSTEM', which I presume is the correct place...

    In case it's at all relevant, the folder inside windows>Config isn't like a normal folder; it's a bit more jagged, as if the picture quality of it has been halved, which aroused suspicions in the first place...

    Thanks for all your help so far! :)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must be more specific. Give me the exact word for word message with exact spelling too. HijackThis is not a cure all. It can only fix certain things that it can show. And this is a very limited list.

    I don't quite understand this either. You are not being specific. I thought you said you deleted the lsass.exe file from the c:\windows\config folder. Also the other one (the valid one) does not run from "SYSTEM". It runs from C:\Windows\system32 and you can see it in the HJT log process list you just posted. It is the fourth process down under the Running processes title.


    What files do you see in the c:\Windows\config folder? Be specific and give exact file names.


    You don't appear to have a properly installed and functioning antivirus program installed. You have some leftover junk from Symantec that is wasting system resources, but it is not a functional antivirus, and I only said to uninstall it because you said you had AVG7 antivirus installed. Why are you running with no antivirus now? I think perhaps you were confused and thought AVG Antispyware was an antivirus program, which it is not. I suggest you uninstall the below (you may not see both):

    LiveUpdate 3.0 (Symantec Corporation)
    Symantec KB-DocID:2003093015493306

    And then you should install an antivirus program like this: AVG Free Edition


    Then attach the below new logs so we can see what may remain from Symantec that needs to be cleaned up.
    1. GetRunKey
    2. ShowNew
    3. HijackThis
     
  12. Steve_Start

    Steve_Start Private E-2

    Sorry, the reason I can't be more specific about the error coming up is that it flashes up right before the computer closes down, so it's really hard to see what it is saying in the split second...

    Apologies also, I restored the lsass.exe jaggedy folder to where it was created (windows>config) from the recycle bin after, when starting the computer, it was coming up with an error saying Windows couldn't find the file... so to clarify, that is what is in the windows>config folder again at this time, and as I mentioned it's like a Windows folder, although the graphic quality is poor, giving the jaggedy look...

    Also, yeah, I understand the valid lsass.exe runs from System32. I was meaning the "User name" it was filed under in the processes tab of Task Manager, apologies for the confusion; it was just to mention there were two still running and from different 'user names'.

    You're correct that I have confused the two AVG programs, so I have remedied that as advised, and had uninstalled LiveUpdate earlier today. And yeah, I think there may still be more files left from Symantec, after a message came up when removing LiveUpdate that it had found it was still being used by another program, or something to that effect, but when going through the list in Add or Remove Programs I don't see any Norton/Symantec programs still installed. Hopefully these logs will suggest some answers.

    Also, I installed Comodo Firewall today since Norton has been removed, and it came up saying lsass.exe was trying to access the internet, which I blocked...

    Logs to follow shortly, just finishing a scan with the newly installed AVG
    Thanks
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    lsass.exe is a file, not a folder. You need to delete this one that is in the c:\windows\config folder and then empty your Recycle Bin. Also, you then need to tell me what else you see in the config folder.


    But which lsass.exe? If it was the one from system32, it is valid.
     
  14. Steve_Start

    Steve_Start Private E-2

    There's nothing else in the config folder, and as I went in to delete the lsass.exe file, AVG antivirus found it as a virus and healed it, and now it's gone, so I suppose that explains it all. Now in the processes tab of Task Manager there is only the valid lsass.exe file running. Hope that clears everything up (also, yeah, it was the lsass.exe from the config folder trying to gain access).

    Sorry, still waiting for AVG to complete its scan, will post logs asap.
     
  15. Steve_Start

    Steve_Start Private E-2

    Logs, cheers!
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I look thru your logs, redo the fixME.reg patch from message number 9 again and then immediately attach a new log from GetRunKey. Also tell me if you receive a success message on adding this to the registry.
     
  17. Steve_Start

    Steve_Start Private E-2

    I received a success last time, and again this time with fixME.reg

    Here is the log...
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, part of the registry patch worked and part did not. Let's see if the below fixes the rest of it.


    Okay a couple things from Symantec remain.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Now run the procedure in the below link and attach the requested log at the end of the below procedures. This new log is called GetUnKey.txt not to be confused with GetRunKey.txt.

    Getting Uninstall Programs List From The Registry



    Run HijackThis (select Do a system scan only) and select the following lines (the O23 Service line for Symantec may be gone already) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    After clicking Fix, exit HJT.

    Now delete the below folders:
    C:\Program Files\Common Files\Symantec Shared
    C:\Program Files\Advanced Spyware Remover

    Now reboot your PC.

    Now after reboot, please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. and don't forget the GetUnKey.txt log too.


    Make sure you tell me how things are working now!
     
    Last edited: Sep 12, 2007
  19. Steve_Start

    Steve_Start Private E-2

    Hi, ok, all those steps went fine. I have the logs, although the 'Manage Attachments' box isn't there right now, so I can't select anything to upload... all that is there is the text saying 'Valid file extensions: bmp etc.....
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click refresh a couple of times and see if the Manage Attachments button shows up. If not, then do the below.

    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab and click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.

    Now click refresh and see if you can attach things.
     
  21. Steve_Start

    Steve_Start Private E-2

    Ok, I use Firefox, but I'm in Internet Explorer now and the box is here, so here goes!
     

    Attached Files:

  22. Steve_Start

    Steve_Start Private E-2

    GetUnKey is too big... How'd you like me to attach/send/edit?

    Edit* I compressed it with WinRAR, although .rar files aren't allowed, so I changed it to .zip; hopefully that works for you?
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay here is the final fix for the left over Symantec item.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    You forgot to say how things are working now. Your logs are clean.
     
  24. Steve_Start

    Steve_Start Private E-2

    Hi there, yeah sorry, everything is working great now, the error has gone when shutting down, thanks again for all your help!!

    Steve
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
