
Check_lsa7.txt



#1 delestiny (New Member, 3 posts)

Posted 15 September 2007 - 09:43 AM

Hi, I've been having problems with Check_LSA7.txt refusing to be deleted... hope anyone can help!

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 23:30, on 2007-09-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getdota.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Sun Microsystems\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Sun Microsystems\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {EC824758-3CF5-4C32-BF22-D88413B45EFE} (O2runner Control) - http://o2jam.o2jam.c...eX/o2runner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Additional info:
I have recently also been infected with the WinAntiVirus Pro 2007 and ErrorSafe malware. Spybot S&D had also previously found Torpig, Virtumonde and SmitFraud.C on my computer, and I was able to fix all of them with Spybot (or so the program says; I had a feeling check_lsa7 was a variant of Virtumonde). I had also run SpyHunter from spywareremove.com. It detected Vundo in my registry and traces of WinAntiVirus Pro in my cookies. I had also experienced the same symptoms as others, e.g. slow processor speed (maybe due to high RAM usage). I have noticed that a number of programs I run do not load reliably. For example, several times my Internet Explorer did not load for a long time after using the shortcut. After a look at Task Manager, I found that the stats of iexplore.exe (mem usage, VM size, handles, page faults etc.) had "hung", in the sense that the values stopped changing. However, there were a number of times when I could open Internet Explorer successfully (the stats did not "freeze").

P.S. It's bedtime here in my country, so I should be back in about 9 hours, when I hope to see your reply and get rid of the txt file as fast as possible!

Thanks.

EDIT: I didn't keep a copy of SpyHunter's log, but I did log my PlayOnline System Information results.

Here they are.

=============================== System =================================

CPU = Intel® Celeron® CPU 1.70GHz
CPU Speed = 1770 MHz
No. of CPUs = 1
OS = Microsoft Windows XP Service Pack 2 Ver 5.01.2600
Version of DirectX = DirectX9.0c
Main Memory = Capacity:511MB : Free Space:229MB
Drive [C:\] = Local Disk Free Space:1.42 GB(Capacity:4.88 GB)
Drive [D:\] = Local Disk Free Space:4.83 GB(Capacity:13.76 GB)
PlayOnline Viewer Install Path = Not installed
FINAL FANTASY XI Install Path = Not installed
TETRA MASTER Install Path = Not installed
Graphics Card =
Type of Chip = UnKnown Video Chip
Video Driver =
Version = 0.0.0.0
Updated =
VendorId = 0x0000
DeviceId = 0x0000
SubSysId = 0x0000
Revision = 0
VRAM =
AvailableVidMem = 0.0MB
AvailableTextureMem = 0.0MB
Sound Card = VIA AC'97 Audio (WAVE)
Sound Driver = viaudios.sys
Version = 6.14.01.3870s
Updated = 2003-06-16 11:05
Network Card = VIA Rhine II Fast Ethernet Adapter
Network Driver = fetnd5bv.sys
Version = 3.41.00.0426
Updated = 2004-12-16 13:36
Network Card = Hamachi Network Interface
Network Driver = hamachi.sys
Version = 6.0.2.2
Updated = 2007-06-21 20:32
Motherboard = P4M266-8233
Manufacturer = MICRO-STAR INTERNATIONAL CO., LTD
Version =
Serial Number =

============================ Registry ===================================

\HKEY_LOCAL_MACHINE\SOFTWARE\PlayOnline
\HKEY_LOCAL_MACHINE\SOFTWARE\PlayOnlineUS
\HKEY_LOCAL_MACHINE\SOFTWARE\PlayOnlineEU

============================ Applications ==============================

System Information Ver.1.18.00
Editing Post Check_lsa7.txt - What the Tech - Microsoft Internet Explorer

============================== Processes ===============================

smss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
vsmon.exe
spoolsv.exe
dllhost.exe
zlclient.exe
nvsvc32.exe
explorer.exe
svchost.exe
IEXPLORE.EXE
PolSystemInfo.exe

========================= Installed Programs ===========================

Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Adobe Flash Player ActiveX
Adobe Shockwave Player
FLV Player
Hamachi 1.0.2.2
HijackThis 1.99.1
Hijackthis 1.99.1
Nokia Multimedia Player
VeohTV BETA
IrfanView (remove only)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
KongKong Online (English)
Little Fighter 2 1.9c
Messenger Plus! Live
mIRC
Mozilla Firefox (2.0.0.6)
NJStar Chinese Word Processor
Orbit
Counter-Strike1.6
PDF Reader 2
Prism
Quake 3 Arena Demo
Quake III Arena Point Release 1.32
SopCore 1.1.1
Visual Basic 4 Runtime Files
Starcraft
Tasker version 3.13
VIA Audio Driver Setup Program
VIA Rhine-Family Fast Ethernet Adapter
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 10
WinRAR archiver
Microsoft User-Mode Driver Framework Feature Pack 1.0
YAWLE 0.5b
Zion IRC Networking Gaming Tool
ZoneAlarm Pro
Nokia PC Connectivity Solution
AutoUpdate
Launcher
Google Toolbar for Internet Explorer
Java™ 6 Update 2
O2Jam - Song Pack 2 (e-Games)
WebFldrs XP
O2Jam - Song Pack 5 (e-Games)
Nokia PC Suite
Windows Live Messenger
Nokia Connectivity Cable Driver
DivX Codec
O2Jam - Song Pack 1 (e-Games)
DivX Player
Macromedia Flash 8 Video Encoder
Microsoft Office XP Professional with FrontPage
Project64 1.6
O2Jam - Song Pack 3 (e-Games)
O2Jam - Song Pack 4 (e-Games)
DivX Web Player
DivX Content Uploader
O2Jam (e-Games) v.3.50

END


Edited by delestiny, 15 September 2007 - 09:54 AM.
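To make a log like the one above quicker to work through, here is an added example (not from this thread and not part of HijackThis) that parses entries in the HijackThis v1.99.1 line format and flags the ones a helper would look at first: references to files that no longer exist and a configured proxy. The sample lines are copied from the log above; the section prefixes and flag rules are assumptions for illustration.

```python
import re

# Constructed sample: six entries in the HijackThis line format,
# copied from the log posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HJT entry starts with a section code (R0-R3, O1-O23), a dash, and the body.
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Split log text into {"section", "body"} dicts; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def triage(entries):
    """Return (reason, entry) pairs for lines worth a second look.

    Rule set is a simplification chosen for this example: HJT marks a registry
    entry whose target is gone with "(no file)" or "(file missing)", which is a
    common leftover after a cleanup, and a proxy in R1 changes where the
    browser's traffic goes, so both are worth confirming with the user.
    """
    flagged = []
    for e in entries:
        body = e["body"]
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            flagged.append(("orphaned reference", e))
        elif e["section"] == "R1" and "ProxyServer" in body:
            flagged.append(("proxy configured", e))
    return flagged


if __name__ == "__main__":
    for reason, entry in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {entry['section']} - {entry['body']}")
```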



#2 delestiny (New Member, 3 posts)

Posted 15 September 2007 - 11:19 PM

Adding on:

Even though I had "supposedly" cleared all traces of WinAntiVirus and ErrorSafe from my desktop, I am still experiencing the regular popups of WinAntiVirus and WinAntiSpyware (though not ErrorSafe). Also, I have another error, "buffer overrun detected".

After searching many forums, I found out that this "buffer overrun detected for explorer.exe" was a result of WinAntiVirus. However, I do not have HotBar installed on my computer, nor do I know what HotBar is, or why so many people with HotBar installed have this "buffer overrun detected" problem.

This is another HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 13:14, on 2007-09-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getdota.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Sun Microsystems\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Sun Microsystems\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {EC824758-3CF5-4C32-BF22-D88413B45EFE} (O2runner Control) - http://o2jam.o2jam.c...eX/o2runner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hoping for help,

Someone In Need



#3 delestiny (New Member, 3 posts)

Posted 16 September 2007 - 04:15 AM

Threat resolved. For all those who still have this problem, I solved it by running SAS on my computer. After the scan by SAS, I found I was simply able to delete check_LSA7 - just like that! I suggest those who still have this problem download SAS and scan your computer right away.

#4 Blair (SuperMember, Root Admin, 2,390 posts)

Posted 20 September 2007 - 01:05 AM

FYI...

SAS = http://www.superantispyware.com/