| ||
| "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

I already posted in the other forum, but I believe I have serious problems with my Windows XP. (I'll be pasting what I wrote in the other forum.)

First time poster... and I figured this is the best place to ask my questions. Most of it pertains to HOTMAIL/MSN Messenger, but I figured someone out there must know about this more than I do, so this post is rather long (and I've provided screenshots)... so please read it all.

PROBLEMS WITH "LSASS.EXE"

I have several problems with my computer... it was totally infected up the wazoo, so I did the "WIPE IT" program, re-installed/upgraded Windows XP. I thought "WIPE IT" wiped everything out, but I guess not. Not even 5 minutes after it was re-installed, I get this weird pop-up about "lsass.exe" and it gave me 60 seconds before it shut off... eventually I clicked on "Run" and typed in "shutdown -a", which eventually took it off (until I re-booted at least... then it always pops up within 5 minutes of my computer turning on).

PROBLEMS WITH MSN MESSENGER

Then I downloaded MSN 6.2 on my comp (that's the same one I had before I did the "WIPE IT") and I've started having problems. I took screenshots of the pop-up that keeps coming up (and it still does)...

- THIS is what's been popping up frequently: http://img.photobucket.com/albums/v2...essMessage.jpg

But up until last night... MSN Messenger was working fine for me... until 2 nights ago... and all day today. And I even copied/pasted that "updatepatch.info" thing to my browser, and all the links in there that were supposed to help were broken and didn't work. I also keep getting weird "windows messenger" pop-up alerts telling me I have infected crap on my computer... etc.

- Then THIS is what kept popping up every time I tried to log on to MSN (and I noticed that the sign-on thingie was a lil weird) ...

I have since then UNINSTALLED Messenger 6.2 from my computer, then I RE-INSTALLED 7.0... and I STILL get the same pop-up as the pic I posted above... and THIS is what I get... On this screenshot... notice the log-in thingie... it's all stretched and weird... (it was doing that before, when all the problems started) http://img.photobucket.com/albums/v2.../Betalogin.jpg

And once again... THIS is what I'm stuck with... (before I re-installed MSN, it kept saying my "password was incorrect" or that "your user name does not exist") ... but this time the 'system is unavailable' ::: cries ::: http://img.photobucket.com/albums/v2...Ni/MSNbeta.jpg

The weird thing is, I've deleted all my cookies on this browser, ran a gazillion anti-virus/spyware/adware stuff (all of them deleted, and I've since downloaded McAfee Virus Scan)... and I'm still having problems with HOTMAIL/MSN.

- I have since then gone to "Control Panel" and deleted/uninstalled ALL MSN Messenger... but somehow, after I re-booted... it logged me on to the old MSN Messenger. O_o (weird, since I un-installed it). My friends have logged me on from their computers just fine, but it won't work with mine. (It worked for 2 seconds after I deleted my cookies from my computer, then it went back to the same crap.)

PROBLEMS WITH HOTMAIL

I've been having problems with logging into HOTMAIL (my primary email account). Then again, it worked fine when my friends logged into my account from their computers. I had it working for a few secs after I deleted cookies from my browser. I took screenshots of what happens when I log onto HOTMAIL. First is the log-on page, second is what I get after I log on.

http://img.photobucket.com/albums/v2...Ni/hotmail.jpg
http://img.photobucket.com/albums/v2...i/hotmail2.jpg

THESE problems keep arising with my computer... what can I do about all that I listed? Help. :ph34r: :( :( :( :( :unsure:

~ JiNi |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

First, I didn't read all your post, just the first part about the reinstall and Lsasser. After a fresh install, if you don't have and install SP2, or at least the right security patches, before you go online, you will immediately get those trojans/worms. If you are connected to a direct internet connection when you install Windows, you will get them even before you finish the install: as soon as the Windows install sets up the networking section, bang, you've got it, unless you are behind a router firewall.

I would disconnect from the internet and reinstall again, but make sure you get sp3 or the security patches needed.

Security-related downloads (you will have to use another computer, no doubt): http://www.microsoft.com/downloads/s...displaylang=en |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!] (Link to original thread: http://www.daniweb.com/techtalkforums/thread18068.html) I know you don't really want to reinstall, so do this so we can see exactly what you have -- get Hijackthis from here: http://www.merijn.org/files/hijackthis_sfx.exe Close all browser windows, scan with hijackthis and save the log. Copy and paste the log here in this thread. |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

^ Thanks ... here's the log...

Logfile of HijackThis v1.99.0
Scan saved at 1:06:39 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Documents and Settings\Randy\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Win32 Classes -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing) |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

You need to unzip HijackThis, not run it from the zip program!

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder', then name the folder 'HJT'.
2. Copy and paste or unzip HijackThis.exe to the new folder.
3. Close ALL windows except HJT.
4. SCAN with HJT.
5. POST the new log in this thread using 'Add Reply'.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

Make sure you have put HijackThis in its own folder before fixing, and be sure to get to Windows updates quick if you can.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing. You might want to print out, or copy & paste to Notepad, these instructions, as you will need to close this browser window to fix with HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Win32 Classes -
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)

Now reboot into safe mode and delete the following files and folders, if found.

C:\WINDOWS\system32\defragfatx.exe - delete file
libsysmgr.exe - delete file
syslog32.exe - delete file
libsysmgr.exe - delete file
winole.exe - delete file

To delete the above files and folder you will need to do the following:

Go to Show hidden files & folders
"Fix Checked"... Reboot to SAFE mode to delete files
How to start computer in safe mode

Reboot the computer and post a new log. |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

Also, it is not recommended, nor do you need, to run 2 antivirus programs. Pick the one you like the most and uninstall the other. |
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!]

Ok... I'm back... deleted/uninstalled VirusScan. (since I have McAfee now...)

I put HJT in its own folder... along with the new log... (I wasn't sure if I was supposed to post the new log before I fixed anything... but hmm... I guess I'll take that risk) here's the scan (looks the same as before) :cheesy:

When it's time, I'll scan it, and "fix checked", then run it in safe mode.

Logfile of HijackThis v1.99.0
Scan saved at 5:15:55 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Documents and Settings\Randy\My Documents\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKLM\..\RunOnce: [delus] C:\DOCUME~1\Randy\LOCALS~1\Temp\delus.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Win32 Classes -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing) |
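Added example, not part of the thread and not HijackThis's own code: a small parser that compares two HijackThis logs entry by entry, reports entries marked "(file missing)" or "(no file)", and checks whether HijackThis itself was started from a temporary folder. The sample logs are shortened excerpts of the two logs posted above; the function names and the section-code pattern are assumptions of this sketch.

```python
import re

# Shortened excerpts of the two logs posted in this thread, one entry per line.
LOG_1 = r"""Logfile of HijackThis v1.99.0
Scan saved at 1:06:39 PM, on 2/8/2005
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Documents and Settings\Randy\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
"""
LOG_2 = r"""Logfile of HijackThis v1.99.0
Scan saved at 5:15:55 PM, on 2/8/2005
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Randy\My Documents\HJT\HijackThis.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunOnce: [delus] C:\DOCUME~1\Randy\LOCALS~1\Temp\delus.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
"""
# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1...) and " - ".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
TEMP = re.compile(r"\\(temp|locals~1)\\", re.I)  # assumed temp-folder markers

def parse(log):
    """Split a log into running-process paths and (code, text) entries."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def hjt_runs_from_temp(log):
    """True if HijackThis.exe was started from a temp folder (backups at risk)."""
    return any(p.lower().endswith("\\hijackthis.exe") and TEMP.search(p)
               for p in parse(log)[0])

def compare(old, new):
    """Entries added/removed between two scans, plus entries with no file behind them."""
    e_old, e_new = parse(old)[1], parse(new)[1]
    return {"added": [e for e in e_new if e not in e_old],
            "removed": [e for e in e_old if e not in e_new],
            "orphaned": [e for e in e_new if e[1].endswith(("(file missing)", "(no file)"))]}

if __name__ == "__main__":
    print(hjt_runs_from_temp(LOG_1), hjt_runs_from_temp(LOG_2), compare(LOG_1, LOG_2))
```

A difference between two scans only tells the helper where to look; whether an added or removed entry is legitimate still has to be judged entry by entry.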
| ||
| Re: "lsass.exe", HOTMAIL/MSN, Trojan'd up the WAZOOOO. [Help!] Quote:
|
©2003 - 2009 DaniWeb® LLC