TechSpot

Hijack This Log Please help

By MrBrains
Oct 25, 2005
  1. I recently installed a version of LimeWire downloaded as a torrent, which I think has messed up my system. I am sure that I had a virus and think I may still have one, but don't know what to do except run all the tools we know and love, Spybot etc.

    One other thing to note is that my firewall just will not enable...since the virus problems...

    Anyway here is my log file

    Also I have tried to repair the lsass file missing error but it just will not fix!!!!

    Thanks in advance as I have already read how you guys really do help
     


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /S/ Service needs to be stopped
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130286494500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130286469750

    O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)

    /P/S/ O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U1lTVEVN\command.exe

    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
    O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
    ...................................................................................................
     
  3. MrBrains

    MrBrains TS Rookie Topic Starter

    Still not working

    Thanks for your quick reply...

    Unfortunately I don't seem to be having any luck with this...

    I have deleted the directory you mentioned. That seems fine. Thanks

    The lsass service cannot be stopped in Task Manager and I have noticed in Services it is actually listed as being stopped, and no matter what I try it won't start. It says file missing.

    What did you want me to do with these

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...b?1130286494500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1130286469750

    I fixed them and then tried to run the windows update.

    It says I need .NET Framework 1.1, but when I install it it just freezes... how long should this install take?

    I am attaching a new log for you, but don't know if that will help you any

    Thanks again
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Did anybody tell you to STOP lsass.exe? NO
    Did anybody tell you to DELETE lsass.exe? NO
    Did anybody tell you to FIX a HJT-line with lsass.exe? YES

    The official lsass.exe (XP-SP2 size=13,312) resides in windows\system32
    Any other location is a trojan/virus.
    So get the original back from e.g. windows\servicepackfiles\i386 and restart the service.

    And next time FOLLOW advice exactly!
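    The two warning signs this thread turns on can be checked mechanically before anyone touches a service: a core Windows binary registered from somewhere other than windows\system32 (the lsass.exe rule above), and a service directory whose name is base64 text (the cmdService path in post 2 runs from C:\WINDOWS\U1lTVEVN, and U1lTVEVN is base64 for "SYSTEM"). The script below is an added example, not code from the thread, TechSpot or the HJT tool: it parses HJT O23 lines and reports both signs. The sample lines are constructed from the shape of the O23 entries posted here plus one made-up clean entry (ConstructedSvc), and the EXPECTED_DIR table is an assumption that covers only three binaries.

```python
"""Triage HijackThis O23 (service) lines for the two warning signs this thread
turns on: a core Windows binary registered from somewhere other than
windows\\system32, and a service directory whose name is base64 text.
Added example, not code from the thread, TechSpot or the HJT tool."""
import base64
import re
from pathlib import PureWindowsPath

# Assumption: where the genuine copy of each core binary lives on XP (the thread's
# rule for lsass.exe, extended to two more system binaries for illustration).
EXPECTED_DIR = {
    "lsass.exe": PureWindowsPath(r"C:\WINDOWS\system32"),
    "services.exe": PureWindowsPath(r"C:\WINDOWS\system32"),
    "svchost.exe": PureWindowsPath(r"C:\WINDOWS\system32"),
}

# Sample input constructed from the shape of the O23 entries posted in this thread,
# plus one made-up clean entry (ConstructedSvc) so the script has a negative case.
SAMPLE_LINES = [
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U1lTVEVN\command.exe",
    r"O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)",
    r'O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)',
    r"O23 - Service: Constructed clean entry (ConstructedSvc) - Unknown owner - C:\WINDOWS\system32\services.exe",
]

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<cmd>.+?)(?P<missing> \(file missing\))?$"
)
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_base64(component):
    """Return the decoded text if a path component is base64 of printable ASCII, else None."""
    if not B64_RE.match(component) or len(component) % 4:
        return None
    try:
        raw = base64.b64decode(component, validate=True)
    except ValueError:
        return None
    if len(raw) >= 4 and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def parse_o23(line):
    """Split one O23 line into service short name, executable path and the 'file missing' flag."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    exe_m = EXE_RE.match(m["cmd"])
    exe_text = exe_m["exe"] if exe_m else m["cmd"].strip('"')
    return {"short": m["short"], "exe": PureWindowsPath(exe_text),
            "file_missing": m["missing"] is not None}


def triage(line):
    """Return a list of findings for one O23 line; an empty list means nothing looked odd."""
    svc = parse_o23(line)
    if svc is None:
        return []
    findings = []
    exe = svc["exe"]
    expected = EXPECTED_DIR.get(exe.name.lower())
    # Sign 1: a core binary registered from a directory other than its real home.
    if expected is not None and str(exe.parent).lower() != str(expected).lower():
        findings.append(f"{svc['short']}: {exe.name} registered from {exe.parent}, expected {expected}")
    # Sign 2: a directory whose name is base64 (U1lTVEVN decodes to 'SYSTEM').
    for part in exe.parts:
        decoded = looks_base64(part)
        if decoded:
            findings.append(f"{svc['short']}: directory {part!r} is base64 for {decoded!r}")
    # A core-binary service entry whose file is missing is worth a look as well.
    if expected is not None and svc["file_missing"]:
        findings.append(f"{svc['short']}: core-binary service entry, file missing")
    return findings


def triage_log(lines):
    """Map each service's short name to its findings, skipping clean entries."""
    report = {}
    for line in lines:
        svc = parse_o23(line)
        if svc is not None:
            hits = triage(line)
            if hits:
                report[svc["short"]] = hits
    return report


if __name__ == "__main__":
    for short, hits in triage_log(SAMPLE_LINES).items():
        for hit in hits:
            print(hit)
```

    Run against the constructed sample, the script flags cmdService for its base64 directory and lsass for running from C:\WINDOWS with the file missing, while the Maya documentation service (a stale but ordinary third-party entry) and the constructed clean entry produce nothing. The comparison is on the parent directory, so a copy of lsass.exe in C:\WINDOWS is caught even though the file name is the genuine one.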
     
  5. MrBrains

    MrBrains TS Rookie Topic Starter

    sorry dude

    I didn't want to delete or stop the service as I realize it is an important system service... I was just trying to give you info on where I stood...

    Anyway, I still have a problem.

    The lsass.exe is in the correct place as you mentioned... thanks (where did you learn all of this stuff?)

    How can I replace this file with the one in the service pack folder? The service is in use so I won't be able to copy and paste, will I?

    Also I went to the services and noticed that the service is actually pointing to

    "C:\WINDOWS\lsass.exe"

    and is stopped. I have not stopped it and can't restart it as it says it has an error.

    Error 2 the system cannot find the specified file.

    Do you have any ideas why my Windows updates are freezing? Or why I can't uninstall .NET and then reinstall... it gives me an error on the uninstall and freezes on the install... weird.

    sorry to keep bothering you... I usually am quite good with computers, but this side of things is not my field.

    As a side note... would it just be best to do a clean install of XP, and if so how would you recommend I go about it without losing all my work?
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Download PocketKillbox here: http://www.downloads.subratam.org/KillBox.zip. Extract it from the zip file, remember where it goes.
    Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, fill in the full path/filename you want to delete = C:\WINDOWS\lsass.exe
    Click on the Action menu and choose "Delete on Reboot". In the Action menu select "Process and Reboot".
    When prompted to reboot, do so.
    Then start the real lsass.exe service, and set startup-type to Automatic.

    See how things go afterwards.
    Post a fresh HJT-log from Safe Mode.
     
  7. MrBrains

    MrBrains TS Rookie Topic Starter

    Still no luck :(

    Hello again Black stuff,

    You must be getting bored with me now!

    Ok I tried to run Killbox but it ends up with an error:

    "PendingFileRenameOperations Registry Data has been Removed by an External Process!"

    I did a quick search on the net to see if anyone else had encountered this error and how they dealt with it. I did find one instance and the expert there suggested doing the removal like you said and then just rebooting manually if the error occurred.

    http://www.geekstogo.com/forum/Many_Spyware_Infections_JHT_Log-t40205.html

    I did what you said and then rebooted manually to safe mode.

    When I tried to start the lsass service it still won't work, but I did notice that it is pointing to the wrong location "C:\WINDOWS\lsass.exe"

    In my travels looking at the services I noticed that Remote Procedure Call is set to Log On with

    This Account
    NT Authority\NetworkService
    password
    confirm password

    is this normal? Sorry if it is and I am just being a pest by looking at pointless stuff. I just feel violated and undressed by the whole experience and want to feel kinda safe once again :(

    Here is the HJT log
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    C:\Documents and Settings\Jon.DELL1\Desktop\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

    Look in your registry for ANY occurrences of lsass.exe
    If they do not point to C:\WINDOWS\system32\lsass.exe, delete them.
    Check in Start/Run, type msconfig + OK, if it is there pointing wrong as well.

    Run HJT in Safe Mode and just TICK these and let HJT fix them:

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130340228171
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130363574406
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
    O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
    O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)

    How many more times do I have to tell you, dammit!
     
  9. DonNagual

    DonNagual TechSpot Ambassador Posts: 2,404

    I love it!

    He may be nasty, but damn he is good! ;)

    All hail Blacky! [Nagual bows before him]
     
  10. MrBrains

    MrBrains TS Rookie Topic Starter

    How do I do this?

    sorry man my bad!

    How do I do this... do a find in regedit? I did that and found one thing, but wasn't sure if that is what you wanted me to do. Do you want me to attach a screengrab?

    Where exactly is lsass supposed to show here? In Services? If so, how can I see where it is pointing?

    I am slowly getting there, with your help. btw I did remove those items in safe mode but they keep on coming back?
     
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    If you find lsass.exe in the Registry, AND it is under the Run/RunOnce, then delete it if it does NOT say c:\windows\system32\lsass.exe in the right-hand key.

    If you find it in MSCONFIG (only under Startup), it should give the proper path (as in bold above). If not, stop it and delete it.

    If it's no longer installed, delete the C:\Program Files\Alias directory with everything in it. Then fix with HJT.

    PS: you sure you picked the correct username?
     
  12. MrBrains

    MrBrains TS Rookie Topic Starter

    Here's the new log...

    Thanks for clarifying that BlackStuff

    I have attached a new log which has eliminated everything except the lsass.exe problem... I ran the fix twice in safe mode and restarted and had no luck, that one is so weird. Do you have any idea why it is refusing to fix?

    The firewall is ok I think as Norton (urgghhhh) is taking over the policy so I can't do anything to change the windows one as the Norton Firewall is active instead.

    Registry looked pretty clean to me and also msconfig came through ok
     
  13. MrBrains

    MrBrains TS Rookie Topic Starter

    I think I may be fixed???

    Hi Black stuff

    Please see my previous post also.

    I have attached a log from hijack and will include a link to show you where I got part of the fix from

    http://forum.iamnotageek.com/showthread.php?t=1819090404

    In this thread the user also had the lsass issue which was sorted. I followed this method and it appears that everything is now clean. I hope you don't feel that I jumped ship on you as I have got everything fixed before this all from your excellent help. I thought the thread may be of interest to you.

    Here is the log for you. Do I look fixed now? Please say yes!!!!! :)

    Also seeing your previous advice to others I am now running only Firefox and use AVG for anti-virus. Can you recommend your best firewall?

    Thanks
     
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Your log is clean for now.

    Would you mind telling me EXACTLY, which advice (give me the Post # on the right side) from that link did the trick for you?
     
  15. MrBrains

    MrBrains TS Rookie Topic Starter

    Hello again,

    So glad to hear that you have given my log the all clear. You are a genius!!!

    Here is the info I used. PLEASE NOTE THIS INFO IS FOR BLACK STUFF ONLY DO NOT REPLICATE THIS UNLESS YOU HAVE BEEN INSTRUCTED TO OR HAVE GONE THROUGH YOUR CASE TO ENSURE IT FITS BOTH THEIR PROBLEM AND MY PROBLEM EXACTLY, otherwise you may do more harm than good

    I have removed non critical info that was of no use to my problem
    ... means that some non critical info has been removed

    BEGINNING OF POST NUMBER 8 FROM http://forum.iamnotageek.com/showthread.php?t=1819090404

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    ...

    O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

    ...

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    ...

    C:\WINDOWS\lsass.exe



    **Again, delete these only from the WINDOWS Folder!

    NEXT:
    Run CCleaner and Spybot S&D (from the Read Me First Sticky ) and have Spybot fix what it finds.


    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    NOW:
    If those O23 entries from the list above still remain, please do the following:

    FIRST:
    Click Start > Run > type services.msc and Click OK

    Locate Windows lsass Service (lsass) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    ...

    *Note: These may already be disabled . . ..

    NEXT:
    Run HijackThis and open the Misc Tools section and select Delete an NT service and follow the instructions to enter and remove those entries.



    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back as time permits.

    Best luck
    PP

    END OF POST NUMBER 8 http://forum.iamnotageek.com/showthread.php?t=1819090404


    Hope this lets you know exactly what I found useful...

    AND THANK YOU ONCE AGAIN YOU HAVE BEEN A GREAT HELP! :grinthumb

    Do you have any advice on a good firewall?
     
  16. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    There's nothing in there that I did not tell you already.
    His advice to 'kill' the lsass-service (the real one) does not make sense to me.
    Does this mean you have NO lsass.exe running at all now?

    As for firewalls: personally I use (bought) Agnitum Outpost Pro from www.agnitum.com. They also have a good free version.
    I also use a router with built-in hardware FW. I have switched off the useless Windows XP firewall.

    Alternatively, get the free Sygate Personal firewall now, before Symantec turns it into crippleware (like anything else they get their dirty mitts on). http://soho.sygate.com
    The free (and good) Kerio FW will no longer be supported after December 2005, and ZoneAlarm, though not bad, is a resource hog that I am not particularly keen on myself.
     
Topic Status:
Not open for further replies.
