odd trojans

  1. #1
    Registered User
    Join Date
    Jan 2009
    Posts
    7

    odd trojans

    So I've been having some issues with my computer. It started about 2 days ago; I was surfing the web and I got hit. My computer started spamming pop-ups and my icons and start bar disappeared. Since then I have run vs several times. I keep getting 2 trojans in C:\ WINDOWS\system32\mljGaaya.dll and C:\ system32\lsass.exe (820). My vs cannot delete these and I have tried manually to remove them and get Access denied. I'm running AVG Anti-Virus and it's on XP Media Center Edition. Each time it boots up, it runs fine till everything is loaded, then my icons and start bar disappear, so it is not an issue with them not being there at all; they disappear after everything is loaded up.

    Thank you for any help you can offer.

  2. #2
    Registered User
    Join Date
    Jan 2009
    Posts
    7
    Also, I have tried running explorer.exe as I have seen in many posts and the icons and start bar come back, but only for a min or so, then they disappear again.

  3. #3
    Registered User
    Join Date
    Jan 2009
    Posts
    7
    So do I need to go get another copy of XP for this wipe?

  4. #4
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    You should back up your information. However, I suggest copying the lsass.exe from another PC with the same version of Windows that isn't infected. Then, on the other computer, download ComboFix and put it on a CD or a thumb drive; also download Malwarebytes from www.malwarebytes.org and put that on the CD or thumb drive. Reboot your PC in Safe Mode and install Malwarebytes, then run ComboFix. After that, run Malwarebytes. Once you are done, copy the lsass.exe file. That is, if it didn't cause the PC to shut down after you removed it. If it did, you need to slave the drive into another PC to replace the lsass.exe. If I recall, this should work, as the lsass.exe isn't a picky file to replace like the other Windows directory files.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  5. #5
    Registered User
    Join Date
    Feb 2006
    Location
    Canada, Eh!
    Posts
    4,091
    If you can access another comp, get Hijack This, MalwareBytes and Superantispyware downloaded to a cd and try and install them in Safe Mode.

    If they install, run them.

    http://www.trendsecure.com/portal/en...kthis/download

    http://www.malwarebytes.org/

    http://www.superantispyware.com/

    edit: IF you are not familiar with these products, have them scan ONLY and then post their log files as attachments here.
    Last edited by CCT; January 7th, 2009 at 08:41 PM.

  6. #6
    Registered User
    Join Date
    Jan 2009
    Posts
    7
    This is a custom build, but the hard drive is from a Compaq I had. It had the recovery on a separate partition, but when I tried to run it, it put me into a command/DOS screen. I didn't go any further because I did that type of recovery on my dad's computer for him and it was just like installing Windows again; I never saw a screen where I had to type in commands. I have already backed up files I would like to keep onto another drive. Luckily the files were not infected, so my only concerns were if I had to zero out, and if I needed to get a new copy of XP. First I'll try the file removal.

  7. #7
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    So the XP Media Center is from another computer? Specifically a Compaq?
    Gigabyte 990FXA-UD3
    AMD FX 8350 4ghz OCTO-Core
    Windows 8.1 PRO 64
    Adata 256 gig SSD
    Kingston HyperX 1600 16 Gigs
    Sapphire R9 280 2gig
    Enermax Liberty Modular 620
    www.northernaurora.net
    http://www.northernaurora.net/page/chat.html

  8. #8
    Registered User
    Join Date
    Jan 2009
    Posts
    7
    Yes, I bought it in '06. Is there some other way for me to post the log file? It's too long for me to post, and the only formats I can upload are pics. It's a .txt file.

  9. #9
    Registered User MobilePCPhysician's Avatar
    Join Date
    Jan 2002
    Location
    Cleveland, Oh
    Posts
    2,384
    You can break it up into multiple posts.
    Sergeant WOTPP

  10. #10
    Registered User
    Join Date
    Jan 2009
    Posts
    7
    !!!!!!!!!!!!!!! Thank you so much!! I ran those programs, and now there is nothing. No disappearing icons, still have start bar! So, now that we have that squared away, should I just set it on a schedule to scan my computer? Or are there any other clean-up issues I need to be worried about?

    Once again, thank you so much everyone!

  11. #11
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Quote: Originally Posted by icehog06
    "Yes, I bought it in '06. Is there some other way for me to post the log file? It's too long for me to post, and the only formats I can upload are pics. It's a .txt file."

    The Compaq Windows was sold for use ONLY with the original Compaq machine. Unfortunately you are now running an illegal copy.

    As for clean-up, run a HijackThis log and post it and we can have a look to see if there is anything left over.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  12. #12
    Registered User Gabriel's Avatar
    Join Date
    Aug 2000
    Location
    Tel Aviv Israel
    Posts
    2,161
    As a side note, I think that UBCD for Win should be a part of every technician's handbag:
    http://www.ubcd4win.com/
    Custom built with many features, easy to understand and no dependency on the host OS.

    I never bother installing spyware tools on the computer - I always clean with the CD.

    Cheers,
    Gabriel
    Real stupidity beats Artificial Intelligence
    Avatar courtesy of A D E P T

  13. #13
    Registered User
    Join Date
    Jan 2009
    Posts
    1
    Just an aside: CCT mentioned installing your anti-virus apps in SafeMode. Normally Windows won't allow you to install anything in SafeMode, but there is a workaround. After booting to SafeMode, go to the command prompt and enter the following command:

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"


    (For SafeMode with Networking)
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"

    That will enable you to install most programs in SafeMode. Comes in handy.

    Taraje Solomon
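
The workaround from post #13 as a reversible batch script, so the Safe Mode exception can be removed once cleanup is finished. This is an added example, not part of the original thread: the enable/disable/status interface and the `net start msiserver` step are not from the post, and the `disable` branch assumes the MSIServer keys did not exist before the workaround was applied.

```bat
@echo off
rem Added example: toggle the Windows Installer service exception for Safe Mode.
rem Usage: <this script> enable ^| disable ^| status   (run from an administrator prompt)
setlocal
set "BASE=HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"

if /i "%~1"=="enable"  goto :enable
if /i "%~1"=="disable" goto :disable
if /i "%~1"=="status"  goto :status
echo Usage: %~nx0 enable^|disable^|status
exit /b 1

:enable
rem Same REG ADD as in the post, applied to both Safe Mode variants.
for %%M in (Minimal Network) do (
    reg add "%BASE%\%%M\MSIServer" /ve /t REG_SZ /d "Service" /f >nul || exit /b 1
)
rem Start the installer service now instead of waiting for an installer to request it.
net start msiserver
goto :status

:disable
rem Assumption: the keys were absent before the workaround, so deleting them
rem restores the earlier state. Do this after the cleanup tools are installed.
net stop msiserver >nul 2>&1
for %%M in (Minimal Network) do (
    reg delete "%BASE%\%%M\MSIServer" /f >nul 2>&1
)
goto :status

:status
rem Report whether each Safe Mode variant currently allows MSIServer to load.
for %%M in (Minimal Network) do (
    reg query "%BASE%\%%M\MSIServer" /ve >nul 2>&1 && (echo %%M: MSIServer allowed in Safe Mode) || (echo %%M: MSIServer not allowed in Safe Mode)
)
exit /b 0
```

Running it with `status` before and after a cleanup session shows whether the exception is still in place.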

  14. #14
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Welcome to Windrivers, Taraje, and thanks for the tip!
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  15. #15
    Registered User
    Join Date
    Feb 2006
    Location
    Canada, Eh!
    Posts
    4,091
    Yes Taraje, I did omit that little detail.

    Thanks.

    There are people working to help all the time - this site has a method of preparing some av for cut/paste (in Safe Mode);

    http://forums.techarena.in/security-virus/745438.htm
