'SITEBAR!' Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by SleepingYoyo, Oct 20, 2005.

  1. SleepingYoyo

    SleepingYoyo Private E-2

    I have a problem with some program calling itself 'SITEBAR!'. It just popped up yesterday morning when I was sitting on Google, in Firefox. It claims to be an Internet Explorer add-on, but it is stopping the internet coming through to my PC at all. I can't visit any sites in Firefox, Internet Explorer or Opera. I have run all the scans listed in the 'Read and Scan first' thread with no success. The files that are causing this seem to be sitting in my root directory (C:\); I have tried deleting them, only for them to re-appear and the symptoms to persist. I have attached a JPEG displaying the pop-up (the cmd box and the SITEBAR! box both appear), the files that I suspect in my root directory and a HJT log. Any help would be greatly appreciated.
    Yours
    SleepingYoyo

    ( I couldn't get the attach feature to work correctly so I hosted them at the following location : http://web.ukonline.co.uk/gshyslop/Sitebar.jpeg and http://web.ukonline.co.uk/gshyslop/HJTlog.txt)
     
  2. SleepingYoyo

    SleepingYoyo Private E-2

    Whoops, I've posted twice, sorry. I tried to delete it but I couldn't find the option. Apologies again.
    SleepingYoyo
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow ALL the steps below, because you have not followed them and you definitely skipped how to install HJT:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.



    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Kill the process (why is it running anyway) or delete the entry from your log file and you will be able to attach your file:
    C:\WINDOWS\system32\cmd.exe


     
  4. SleepingYoyo

    SleepingYoyo Private E-2

    I have completed all the scans in the tutorial:

    Internet Scanners- Most of the internet scans found no problems, apart from Bit Defender (which found and deleted two problems, listed in the attached log) and Active scan (log also attached) which found multiple entries.

    Downloaded scanners- fixed any problems they found and gave no errors. The problems found in the internet scans may have been solved although I am uncertain.

    The problem still persists, and I have attached a HJT log, created hopefully with a correctly installed HJT.

    In regards to the cmd box which was open, it appears to auto start every time I get the pop-up, unsure why.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Local Security Authority Subsystem Service (if that is not found, look for: lsass). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Local Security Authority Subsystem Service

    If that does not work, use the short name: lsass

    Now exit HJT and do not reboot if it asks you to do so. We will reboot further down.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing) <--- this should already be gone. So I'm just double checking.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\lsass.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. SleepingYoyo

    SleepingYoyo Private E-2

    All seems to have gone well, although I could not find the file 'lsass.exe' in the Windows folder or System or System32 (just thought I'd check). Is there a chance this could already have been deleted? On the other hand the internet seems to have been restored. Thanks, I have attached the HJT log just so you can double check.
     


  7. SleepingYoyo

    SleepingYoyo Private E-2

    Update - 'lsass.exe' is still running, as it is being listed in the processes menu of the Task Manager. But it isn't being listed in services.msc, and as I said above it's not in the Windows folder, but I ran a Windows search and it turns out it's in the System32 folder and 'C:\WINDOWS\ServicePackFiles\i386', although when I try and delete them they say they are already in use, and when I try to end the process Windows doesn't allow me and says it's 'system critical'.
     
  8. SleepingYoyo

    SleepingYoyo Private E-2

    Another update to the situation, 'SITEBAR!' is back and my internet has gone once again.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    C:\windows\system32\lsass.exe is a valid Windows process that should be running. I did not ask you to delete it and you should not, but you definitely should be able to see it.

    It should also be in C:\WINDOWS\ServicePackFiles\i386

    You should not be trying to fix anything on your own. That is dangerous since you do not know what belongs on your PC and what does not.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HJT log! Your previous log was clean! Where have you been surfing? Perhaps you are getting this from somewhere you are going.
     
  11. SleepingYoyo

    SleepingYoyo Private E-2

    Yeah, should have thought of that one :p. I've also re-scanned and the only one that came up with anything was Panda ActiveScan; results are attached. In regards to somewhere I'm browsing, I'm going nowhere out of the ordinary. I would compare browser history but I think it's been wiped by CCleaner. Thanks again.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is spyexposer? If it is related to http://www.spyexposer.com/ , you would be better off not using it at all.

    CCleaner should have emptied the stuff in your TIF folder! Why do they still show in your log?

    This C:\WINDOWS\lsass.exe is still on your PC. Make sure you only do exactly what I indicate below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Local Security Authority Subsystem Service (if that is not found, look for: lsass). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Local Security Authority Subsystem Service

    If that does not work, use the short name: lsass

    Now exit HJT and do not reboot if it asks you to do so. We will reboot further down.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\lsass.exe <--- should already be killed

    C:\low.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe <--- this should already be gone but I'm just double checking.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\lsass.exe

    C:\low.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.


    Make sure all the files under the below folder are cleaned up:
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Oct 24, 2005
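The point chaslang makes in posts 9 and 12, that the genuine lsass.exe lives in C:\WINDOWS\system32 while the rogue copy sits directly in C:\WINDOWS, can be turned into a mechanical check over a HijackThis log rather than relying on eyeballing each O23 line. The script below is an added example and is not code from this thread or from HijackThis; it assumes the O23 line layout quoted in the posts above, and its allow-list of system-only image names and the sample log lines are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow-list for this example: core Windows images that should
# only ever run from %SystemRoot%\system32 on Windows XP. A file with one of
# these names started from any other folder (e.g. C:\WINDOWS\lsass.exe, as in
# this thread) is an impostor borrowing a trusted name.
SYSTEM_ONLY_IMAGES = {"lsass.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "smss.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32"}

# Assumed O23 layout, taken from the lines quoted in the thread:
#   O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
# The "(short name)" part is optional in older HijackThis versions.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)$"
)


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    exe: str            # executable path with any arguments stripped
    file_missing: bool  # HijackThis appended "(file missing)"


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis O23 line; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("path")
    missing = raw.endswith("(file missing)")
    if missing:
        raw = raw[: -len("(file missing)")].strip()
    # Keep only the executable itself, dropping arguments such as "-k netsvcs".
    exe_match = re.match(r'^"?(?P<exe>.+?\.exe)"?', raw, re.IGNORECASE)
    exe = exe_match.group("exe") if exe_match else raw
    return ServiceEntry(m.group("display"), m.group("short"),
                        m.group("owner"), exe, missing)


def findings(entry: ServiceEntry) -> List[str]:
    """Reasons an entry deserves a closer look; empty list means nothing odd."""
    reasons: List[str] = []
    exe_lower = entry.exe.lower()
    name = ntpath.basename(exe_lower)
    folder = ntpath.dirname(exe_lower)
    if name in SYSTEM_ONLY_IMAGES and folder not in SYSTEM_DIRS:
        reasons.append(f"{name} registered as a service outside system32: {entry.exe}")
        if entry.file_missing:
            reasons.append("binary no longer on disk; stale entry, confirm the service is gone")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (exe path, reasons) for every suspicious O23 line in a log."""
    results = []
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = findings(entry)
        if reasons:
            results.append((entry.exe, reasons))
    return results


# Constructed sample log: the first line is the entry quoted in this thread,
# the others are made up to show a legitimate entry and a stale impostor.
SAMPLE_LOG = r"""
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Example Vendor Helper - Example Vendor - C:\Program Files\Example\helper.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Logon Helper (fakewl) - Unknown owner - C:\low\winlogon.exe (file missing)
"""

if __name__ == "__main__":
    for exe, reasons in scan_log(SAMPLE_LOG):
        print(exe)
        for r in reasons:
            print("   -", r)
```

Run it against a saved HijackThis log by reading the file into `scan_log`. The check is deliberately narrow: it only matches the name-plus-location pattern this thread illustrates, so a legitimate service such as the svchost line above is left alone, and a flagged entry is a prompt to verify the file, not an instruction to delete it.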
