Everything posted by mcl768

  1. Ok... I'm back on my computer for now... I think I have a solution.

     This is what I did:

     Disconnect from the Internet.

     Download Process Explorer here http://www.sysinternals.com/Utilities/ProcessExplorer.html from another computer and save it to a disk (if you can get it with the infected computer it will still work; disconnect after you get it, though).

     Run that and look for lsass.exe (if you have the same thing I did, it will be running twice).

     Click View > Select Columns and check "Command Line".

     One of the lsass.exe will be running from C:\WINDOWS... this is the bad one; the other will be running in C:\WINDOWS\System32.

     Minimize Process Explorer and browse to C:\WINDOWS.

     Use the folder options to show hidden and system files.

     Find lsass.exe; be sure you are not in the System32 folder.

     It won't let you delete the file because it is in use by Windows, so you have to select it in Process Explorer and push Delete. It will ask you if you want to kill the process; say yes.

     You have to work quickly because lsass.exe will start itself after a few seconds, so what you do is have both windows open, Process Explorer and C:\WINDOWS, and have lsass.exe selected.

     Go to Process Explorer and kill the lsass.exe that is running from C:\WINDOWS, then move over to the C:\WINDOWS folder and delete lsass.exe before it has a chance to start again.

     Then delete sw.bat, is.bat, tb.exe, xe.exe, low.exe, mmxateam.exe, IELower.exe, uspupdatesx.exe and mc-110-12-000169.exe from C:\

     I've seen different sets of files, so there may be files here you don't have, and you may have others.

     After I did that I restarted and the files didn't come back. I connected to the internet again and waited..... No files. It's been about an hour and no problems yet. I hope that is all it was, but there may be more of this... I'll post if I find out any more.
  2. Passing that out probably gave surfers the idea; normally they wouldn't have even thought about doing it.
  3. I'm pretty sure this is a pretty recent thing; there isn't much information about it. I'm just trying to help out as much as I can since I got it too. Virus scans and spyware scans come up clean (except for lsass.exe running from C:\Windows AND C:\windows\system 32 where it is supposed to run from). Nothing in the registry telling it to run. I emptied out the prefetch folder. If I'm not connected to the internet, I can delete the files I mention later and it works fine, until about a minute after I plug in the cat5 cable, a DOS window pops up and those files come back. Even after a full format and reinstall of XP on my C:\ drive I don't know how I got this or where it came from but it's pretty bad. I've had viruses before and I've managed to fix them pretty easily... this is different. I've been working on it for about 4 days now, and I see that others have the same problems and no one seems to know a solution... hopefully we will be able to solve this soon.

     Logfile of HijackThis v1.97.7
     Scan saved at 12:35:48 PM, on 11/1/2005
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\System32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\lsass.exe---------------------Not Supposed to be here!!!!
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
     C:\WINDOWS\SOUNDMAN.EXE
     C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
     C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
     C:\Program Files\WinBar\WinBar.exe
     C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
     G:\Mikes stuff\HijackThis.exe

     O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
     O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
     O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
     O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
     O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
     O9 - Extra button: Yahoo! Messenger (HKLM)
     O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
     O9 - Extra button: Messenger (HKLM)
     O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

     I also have IELower.exe (2kb), is.exe (34kb), low.exe (2kb), mc-110-12-000169.exe (165kb), mmxateam.exe (18kb), sw.bat (1kb), tb.exe (204kb), usbupdatesx.exe (461kb) and xe.exe (24kb) in my root directory C:\

     I hope this will help figure out something.
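
The check the posts above do by eye (a system process name running from the wrong folder), as an added example that is not part of the original posts: it parses the "Running processes" section of a HijackThis log and flags known Windows processes outside their expected directory. The expected-location table, the function names and the sample log are constructed for illustration and assume Windows is installed in C:\WINDOWS.

```python
import ntpath
import re

# Assumed expected folders (lower-case) for core Windows XP processes.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample, modelled on the layout of the log in the post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinBar\WinBar.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and PATH_RE.match(line):
            paths.append(line)
        elif in_section and line:
            break  # first non-path line (e.g. an "O4 -" entry) ends the section
    return paths

def misplaced_system_processes(log_text):
    """Flag system process names running from an unexpected directory."""
    hits = []
    for path in running_processes(log_text):
        # ntpath handles Windows paths on any OS; normcase lower-cases them.
        directory, name = ntpath.split(ntpath.normcase(path))
        expected = EXPECTED_DIR.get(name)
        if expected is not None and directory != expected:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print(misplaced_system_processes(SAMPLE_LOG))
```

Names that are not in the table, such as WinBar.exe, are ignored, so this only catches a binary borrowing a system process name, not unknown executables in general.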