
HAVE VIRUS ISSUE - PLEASE HELP


cruzequities
I had/have the Virus Protector bug on my system, and performed ALL of the removal procedures involved to get rid of this pesky bug. Problem is, I get REDIRECTED to other sites regularly. I've used Hijackthis to verify what files I have on my machine (log below) and the only thing I can see that might be the problem is a lsass.exe that is running in the background. Attempted to End the process for this program and tried to delete this file from its location, but to no avail. Anyone with a CLEAR understanding of Hijackthis & systems, please advise.

HEEEEEEEEEEEEEEEELP!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:34 PM, on 4/10/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\DOCUME~1\THINKP~1\LOCALS~1\Temp\RarSFX2\RegCure.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B7C04D2-0898-43A3-B374-B7AFA580EA23}: NameServer = 93.188.163.113,93.188.161.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A5AF047-9CE4-40A2-8954-F491000044CC}: NameServer = 93.188.163.113,93.188.161.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7215 bytes
    OH Smeg

    Scanning with Malware Bytes

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=10878968

    You need to scan this system in Safe Mode, so after installing and updating Malwarebytes reboot the system in Safe Mode by pressing and holding down the F8 Key when the POST Screen is present till you get the White on Black screen with the different options to start Windows in. Using the Arrow Keys navigate to Safe Mode and then press Enter to boot the computer into Safe Mode.

    When Windows has opened run your AV Scanner and Malwarebytes till they either report a clean system or you are unable to remove something.

    Then move onto the next scanner. Do Not use both scanners at the same time. If the different scanners report a clean system, great, but if you are unable to remove something post back with the Name and someone here will help you further.

    OH and lsass.exe is a Windows Security App which should be running particularly if you have a Password on your System.

    Col

    DKeith45

    OR pull the drive and put it in another system in a Master/Slave combo and boot, then scan with that system's software.

    IC-IT

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B7C04D2-0898-43A3-B374-B7AFA580EA23}: NameServer = 93.188.163.113,93.188.161.83
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7A5AF047-9CE4-40A2-8954-F491000044CC}: NameServer = 93.188.163.113,93.188.161.83
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83

    I believe (could be wrong though) that the above TCP/IP addresses are not your normal DNS servers.

    As said below try the Malwarebytes.
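The two checks raised in this thread, the O17 NameServer entries pointing at resolvers the owner did not configure and the question of whether lsass.exe is running from its normal location, can be run over a HijackThis log automatically. This is an added example, not code from the thread or from HijackThis; the allow-list of expected resolvers and the sample log are constructed for it, with the O17 values taken from the log above.

```python
"""Check HijackThis-style log lines for DNS-changer symptoms and a misplaced
lsass.exe. Added example; the allow-list and sample log are constructed."""
import ipaddress
import re

# Constructed allow-list (assumption): resolvers the owner actually expects.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample: a system32 lsass.exe, a look-alike in Temp, and O17
# entries that reuse the addresses quoted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\DOCUME~1\THINKP~1\LOCALS~1\Temp\lsass.exe
C:\WINNT\Explorer.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.113,93.188.161.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# O17 lines: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")


def rogue_nameservers(log, expected=EXPECTED_RESOLVERS):
    """Return (registry key, ip) pairs for resolvers outside the allow-list.

    Private-range addresses (a home router) are accepted even when not listed,
    since an off-site DNS hijack has to point at a public address.
    """
    hits = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for ip in m.group("servers").split(","):
            if ip not in expected and not ipaddress.ip_address(ip).is_private:
                hits.append((m.group("key"), ip))
    return hits


def lsass_outside_system32(log):
    """Return process paths named lsass.exe whose parent dir is not system32."""
    bad = []
    for line in log.splitlines():
        path = line.strip()
        if path.lower().endswith("\\lsass.exe"):
            parent = path.lower().rsplit("\\", 1)[0]
            if not parent.endswith("\\system32"):
                bad.append(path)
    return bad
```

A process named lsass.exe under C:\WINNT\system32 is the Windows component the next reply describes; the same name anywhere else is what the check reports.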

    john.live

    Even though this information is in detail, you don't want to spend a lot of time if you use this product. I found a software product that is cheap and best from this link. http://c9f7ep1gpz4k7x52mjp889z4yf.hop.clickbank.net/
    I frequently use it to protect my computer as someone suggested on a virus removal website. I am happy and sure that I am fully protected from hacks and viruses on my PC.
