
Soapm

join:2001-07-15
Aurora, CO

HJT Log Lsass.exe stealing all my CPU cycles

If I log on to the computer's normal profile it is so slow it is not usable. In Task Manager I can see the file Lsass.exe is using 100% of the CPU cycles. If I log on to the administrator profile this does not happen and the puter appears normal.

None of the virus scanners find anything.
Spybot found 1800 Solutions
Ad Aware and Ewido both hang on the same directory;

\\my normal profile\application data\microsoft\protect

This directory has one file and one folder. The file is called Credithistory with no ext. It's a 1K file, I can delete it but it just comes back.

The directory is called S-1-5-21-1935655697-682003330-725345543-1005. If I try to delete it I get an error saying it is in use. If I try to look in it I just get the flashlight like it is about to make viewable the files and it will sit like that indefinitely. Searching the registry I find there are several entries to this folder in my registry. Some I can remove and some I can't. They all come right back.
....

HJT Log

Logfile of HijackThis v1.98.1
Scan saved at 9:38:50 AM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\GM SPO\SI\Apache Group\Apache\Apache.exe
C:\Program Files\GM SPO\SI\TransBase\tbmux32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\JavaSoft\JRE\1.3.1_06\bin\java.exe
C:\Program Files\GM SPO\SI\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\GM SPO\SI\TransBase\tbkern32.exe
C:\Program Files\GM SPO\SI\TransBase\tbkern32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »accounts.keybank.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Froogle - C:\WINDOWS\WEB\Froogle.htm
O8 - Extra context menu item: &Google - C:\WINDOWS\WEB\Google.htm
O8 - Extra context menu item: &Websters - C:\WINDOWS\WEB\dictionary.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA667464-71C8-4F19-9CFF-80EAFE3C2BB6}: NameServer = 198.6.100.98,198.6.100.125
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
...

None of the other applications would run completely so I did not get any logs.

Thanks

Soapm

join:2001-07-15
Aurora, CO

Re: HJT Log Lsass.exe stealing all my CPU cycles

Whoops! Wrong forum, can one of the mods please move this to the correct forum please? Or should I copy and paste?

Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
make sure you first followed steps in
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

Cudni

Soapm

join:2001-07-15
Aurora, CO

I apologize if it didn't seem like I followed all the steps, I tried the best I could. I ran my virus scanner plus two from the websites. They found nothing. Only one of the 3 trojan hunters would complete and I didn't have the files mentioned to run shredder and the other app.

Can you at least point out which part I missed?

Soapm

join:2001-07-15
Aurora, CO
Ok, I downloaded and ran both cwshredder and aboutbuster. Neither found anything. Did I miss any other steps? Can this be moved to the correct forum now?

lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs:
·Comcast

Host:
TV over IP
Software
RCN
Inside Insight
Team Discovery

Re: HJT Log Lsass.exe stealing all my CPU cycles

Hiya Soapm - if you're sure you've followed all the steps in the FAQ..

...please start a new topic in the SCU forum.

Make sure to attach the required/requested logs as outlined.

Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
did you use latest hjt version instead of obsolete 1.98.1 one? Used online Av?

Cudni

lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone

Re: HJT Log Lsass.exe stealing all my CPU cycles

said by Cudni:

did you use latest hjt version instead of obsolete 1.98.1 one? Used online Av?

Cudni
Nice catch

Soapm

join:2001-07-15
Aurora, CO
Will do, thanks everyone... How do I get to the new version of HJT? I went with the one in the instructions.

lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone

Re: HJT Log Lsass.exe stealing all my CPU cycles

said by Soapm:

Will do, thanks everyone... How do I get to the new version of HJT? I went with the one in the instructions.
That one is the current one v1.99.1
(topic locked)
over 10 years online! © 1999-2009 dslreports.com.