Soapm
join:2001-07-15 Aurora, CO
HJT Log: Lsass.exe stealing all my CPU cycles
If I log on to the computer's normal profile it is so slow it is not usable. In Task Manager I can see the file Lsass.exe is using 100% of the CPU cycles. If I log on to the administrator profile this does not happen and the computer appears normal.
None of the virus scanners find anything. Spybot found 1800 Solutions. Ad-Aware and Ewido both hang on the same directory:
\\my normal profile\application data\microsoft\protect
This directory has one file and one folder. The file is called Credithistory with no extension. It's a 1K file; I can delete it but it just comes back.
The directory is called S-1-5-21-1935655697-682003330-725345543-1005. If I try to delete it I get an error saying it is in use. If I try to look in it I just get the flashlight like it is about to make the files viewable, and it will sit like that indefinitely. Searching the registry I find there are several entries for this folder. Some I can remove and some I can't. They all come right back. ...
HJT Log
Logfile of HijackThis v1.98.1 Scan saved at 9:38:50 AM, on 12/12/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\GM SPO\SI\Apache Group\Apache\Apache.exe
C:\Program Files\GM SPO\SI\TransBase\tbmux32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\JavaSoft\JRE\1.3.1_06\bin\java.exe
C:\Program Files\GM SPO\SI\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\GM SPO\SI\TransBase\tbkern32.exe
C:\Program Files\GM SPO\SI\TransBase\tbkern32.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = accounts.keybank.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Froogle - C:\WINDOWS\WEB\Froogle.htm
O8 - Extra context menu item: &Google - C:\WINDOWS\WEB\Google.htm
O8 - Extra context menu item: &Websters - C:\WINDOWS\WEB\dictionary.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA667464-71C8-4F19-9CFF-80EAFE3C2BB6}: NameServer = 198.6.100.98,198.6.100.125
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
...
None of the other applications would run completely, so I did not get any logs.
Thanks

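Added example (editor's note, not part of the thread): before deleting anything under Application Data\Microsoft\Protect it helps to know what normally lives there. That folder is where DPAPI, which runs inside lsass.exe, keeps the user's master keys in a subfolder named after the user's own SID, next to a credential-history file named CREDHIST. lsass holds these open, so "in use" and a SID-named folder that matches the logged-on account are the expected state, and deleting them destroys saved passwords and other secrets the account protected with DPAPI. The PowerShell below is written for a current Windows with PowerShell 5.1 or later, not the XP box in the post; it reports whether the SID folder matches the current user and whether the lsass.exe burning CPU is the genuine, signed %SystemRoot%\System32\lsass.exe. Run it from an elevated prompt, otherwise Win32_Process returns no executable path for lsass. The function names are mine.

```powershell
# Added example, not code from the thread. Assumes Windows with PowerShell 5.1+
# (Get-CimInstance, Get-AuthenticodeSignature) and an elevated session.

function Test-ProtectFolder {
    # DPAPI stores the user's master keys in %APPDATA%\Microsoft\Protect\<user SID>\
    # and a CREDHIST file beside it. lsass.exe keeps them open, so "in use" is normal.
    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $protect = Join-Path $env:APPDATA 'Microsoft\Protect'
    Write-Host "Current user SID: $sid"
    Write-Host "Inspecting:       $protect"

    # -Force is needed: the items are hidden/system.
    Get-ChildItem -LiteralPath $protect -Force -ErrorAction Stop | ForEach-Object {
        $verdict =
            if ($_.PSIsContainer) {
                if ($_.Name -eq $sid) { 'expected: DPAPI master-key store for this account' }
                else                  { 'folder named after a different SID: find out whose' }
            } elseif ($_.Name -ieq 'CREDHIST') { 'expected: DPAPI credential history' }
            else                                { 'not a known DPAPI file: inspect before deleting' }
        [pscustomobject]@{ Item = $_.Name; Verdict = $verdict }
    }
}

function Test-LsassProcess {
    # There must be exactly one lsass.exe, started from %SystemRoot%\System32 and
    # carrying a valid Microsoft signature. Look-alikes ("Isass.exe", or lsass.exe
    # in some other folder) are a long-standing disguise, so match loosely on the
    # name and report the real path of everything that matches.
    $expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

    Get-CimInstance Win32_Process -Filter "Name LIKE '%sass.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $sig    = if ($_.ExecutablePath) {
                      (Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath).Status
                  } else { 'unknown (not elevated?)' }
        $cpu    = (Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue).CPU
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Name       = $_.Name
            Path       = $_.ExecutablePath
            Parent     = $parent.Name          # wininit.exe on Vista and later
            CpuSeconds = [math]::Round([double]$cpu, 1)
            Signature  = $sig
            Genuine    = ($_.ExecutablePath -ieq $expected -and $sig -eq 'Valid')
        }
    }
}

Test-ProtectFolder | Format-Table -AutoSize
Test-LsassProcess  | Format-Table -AutoSize
```

If Test-ProtectFolder shows the SID folder matching the current user and Test-LsassProcess shows a single genuine lsass.exe, the Protect folder is not the malware; the CPU time is being spent by the real LSA, and the cause has to be found elsewhere (what is calling into it, or a damaged profile). A second lsass-like process, one outside System32, or one whose signature is not Valid is the finding that would justify further cleanup.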
Soapm
Whoops! Wrong forum. Can one of the mods please move this to the correct forum? Or should I copy and paste?

Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
reply to Soapm: Make sure you first followed the steps in Security Cleanup FAQ, Mandatory Steps Before Requesting Assistance.
Cudni

Soapm
reply to Soapm: I apologize if it didn't seem like I followed all the steps; I tried the best I could. I ran my virus scanner plus two from the websites. They found nothing. Only one of the 3 trojan hunters would complete, and I didn't have the files mentioned to run shredder and the other app.
Can you at least point out which part I missed?

Soapm
reply to Soapm: OK, I downloaded and ran both CWShredder and AboutBuster. Neither found anything. Did I miss any other steps? Can this be moved to the correct forum now?

lilhurricane Crunchin' For Cures Premium,Mod join:2003-01-11 Purple Zone
Hiya Soapm - if you're sure you've followed all the steps in the FAQ...
...please start a new topic in the SCU forum.
Make sure to attach the required/requested logs as outlined.

Cudni La Merma - Vigilado Premium,MVM
reply to Soapm: Did you use the latest HJT version instead of the obsolete 1.98.1 one? Used online AV?
Cudni

lilhurricane Crunchin' For Cures Premium,Mod
said by Cudni: did you use latest hjt version instead of obsolete 1.98.1 one? Used online Av? Cudni
Nice catch

Soapm
reply to Soapm: Will do, thanks everyone... How do I get to the new version of HJT? I went with the one in the instructions.

lilhurricane Crunchin' For Cures Premium,Mod
said by Soapm: Will do, thanks everyone... How do I get to the new version of HJT? I went with the one in the instructions.
That one is the current one, v1.99.1