Posts posted by mcl768

  1. Ok... I'm back on my computer for now... I think I have a solution.

    This is what I did:

    Disconnect from the Internet.

    Download Process Explorer here http://www.sysinternals.com/Utilities/ProcessExplorer.html from another computer and save it to a disk (if you can get it with the infected computer it will still work; disconnect after you get it though).

    Run that and look for lsass.exe (if you have the same thing I did, it will be running twice).

    Click View > Select Columns, check "Command Line".

    One of the lsass.exe will be running from C:\WINDOWS... this is the bad one; the other will be running in C:\WINDOWS\System32.

    Minimize Process Explorer, and browse to C:\WINDOWS. Use the folder options to show hidden and system files.

    Find lsass.exe; be sure you are not in the System32 folder.

    It won't let you delete the file because it is in use by Windows, so you have to select it in Process Explorer and push Delete. It will ask you if you want to kill the process; say yes.

    You have to work quickly because lsass.exe will start itself after a few seconds, so what you do is have both windows open, Process Explorer and C:\WINDOWS, with lsass.exe selected.

    Go to Process Explorer and kill the lsass.exe that is running from C:\WINDOWS, then move over to the C:\WINDOWS folder and delete lsass.exe before it has a chance to start again.

    Then delete

    sw.bat

    is.bat

    tb.exe

    xe.exe

    low.exe

    mmxateam.exe

    IELower.exe

    uspupdatesx.exe

    mc-110-12-000169.exe

    from C:\

    I've seen different sets of files, so there may be files here you don't have, and you may have others.

    After I did that I restarted and the files didn't come back. I connected to the internet again and waited..... No files. It's been about an hour and no problems yet; I hope that is all it was, but there may be more of this... I'll post if I find out any more.
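An added check (example code, not from the poster) that automates the Process Explorer comparison described above: it lists every process named lsass.exe, flags any whose image path is not %SystemRoot%\System32\lsass.exe, records the signature status and SHA-256 of a flagged file, and then looks in the root of the system drive for the dropped files the post names. It only reports; it does not kill or delete anything.

```powershell
# Added example, not from the original post. Automates the Process Explorer check:
# list every process named lsass.exe and flag any not running from System32,
# then look for the dropped files the post names in the root of the system drive.
# Run from an elevated PowerShell; otherwise the real LSASS reports no path.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
$root     = "$env:SystemDrive\"
# Filenames taken from the post; the poster notes this set varied between machines.
$dropped  = 'sw.bat', 'is.bat', 'tb.exe', 'xe.exe', 'low.exe', 'mmxateam.exe',
            'IELower.exe', 'uspupdatesx.exe', 'mc-110-12-000169.exe'

$procs = Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Path      = if ($path) { $path } else { '<unreadable: run elevated>' }
        # A protected process returns no path when not elevated: that is "unknown", not rogue.
        Verdict   = if (-not $path)               { 'unknown' }
                    elseif ($path -ieq $expected) { 'expected' }
                    else                          { 'ROGUE' }
    }
}
$procs | Format-Table -AutoSize

# For each rogue copy, capture what a responder would want before acting on it.
foreach ($p in $procs | Where-Object Verdict -eq 'ROGUE') {
    $sig  = Get-AuthenticodeSignature -FilePath $p.Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $p.Path).Hash
    Write-Warning ("PID {0}: {1}  signature={2}  sha256={3}" -f
        $p.ProcessId, $p.Path, $sig.Status, $hash)
}

# Check the root of the system drive for the files the post lists.
$found = $dropped | ForEach-Object { Join-Path $root $_ } |
         Where-Object { Test-Path -LiteralPath $_ }
if ($found) {
    Write-Warning "Dropped files present in ${root}:"
    $found | ForEach-Object { Write-Warning "  $_" }
}
elseif ($procs.Verdict -notcontains 'ROGUE') {
    Write-Host "Only the expected $expected is running and none of the listed files were found."
}
```

Because the post reports the rogue copy relaunching within seconds and the files returning once the network is reconnected, run this with the network cable unplugged, as the poster did, and re-run it after reconnecting to confirm the cleanup held.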

  2. I'm pretty sure this is a pretty recent thing; there isn't much information about it. I'm just trying to help out as much as I can since I got it too. Virus scans and spyware scans come up clean (except for lsass.exe running from C:\Windows AND C:\windows\system32, where it is supposed to run from).

    Nothing in the registry telling it to run. I emptied out the prefetch folder. If I'm not connected to the internet, I can delete the files I mention later and it works fine, until about a minute after I plug in the cat5 cable, when a DOS window pops up and those files come back. Even after a full format and reinstall of XP on my C:\ drive.

    I don't know how I got this or where it came from, but it's pretty bad. I've had viruses before and I've managed to fix them pretty easily... this is different. I've been working on it for about 4 days now, and I see that others have the same problems and no one seems to know a solution... hopefully we will be able to solve this soon.

    Logfile of HijackThis v1.97.7

    Scan saved at 12:35:48 PM, on 11/1/2005

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\lsass.exe---------------------Not Supposed to be here!!!!

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

    C:\Program Files\WinBar\WinBar.exe

    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    G:\Mikes stuff\HijackThis.exe

    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

    O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe

    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

    O9 - Extra button: Yahoo! Messenger (HKLM)

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

    O9 - Extra button: Messenger (HKLM)

    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

    I also have

    IELower.exe (2kb)

    is.exe (34kb)

    low.exe (2kb)

    mc-110-12-000169.exe (165kb)

    mmxateam.exe (18kb)

    sw.bat (1kb)

    tb.exe (204kb)

    usbupdatesx.exe (461kb)

    xe.exe (24kb)

    in my root directory C:\

    I hope this will help figure out something.
