FBI virus and lsass.exe system error

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Stage 1
  • Download Norton Bootable Recovery Tool from this link.
  • Save the Norton Bootable Recovery Tool on your computer Desktop.
  • After the download completes, open the file that you saved on the Desktop. It will start the Norton Download Manager as shown below.

    http://123pcworld.com/MalwareTips/DownloadManager.PNG
  • When the download finishes, the Norton Bootable Recovery Tool Wizard starts automatically.
  • In the Norton Bootable Recovery Tool Wizard, click Agree & Install to accept the User License Agreement.

    If you want to change the default install location, click Install Options, and then click Browse to locate the new install location.
  • Follow the on-screen instructions to create the Norton Bootable Recovery Tool on a CD/DVD media or USB key.

    http://123pcworld.com/MalwareTips/NBRT.PNG
  • It will select your CD/DVD writer by default; if it does not, select your CD/DVD writer and click Next.

    http://123pcworld.com/MalwareTips/NBRT-2.PNG
  • Now insert a blank CD/DVD into your CD/DVD writer and press OK. It will take some time to complete the bootable recovery drive creation.

    http://123pcworld.com/MalwareTips/NBRT-3.PNG


Stage 2
  • Insert the recovery media in the infected computer and start your computer from the recovery media. The recovery media can be a Norton Bootable Recovery Tool CD, DVD, or USB key.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Read the License Agreement, type your product key, and then click I Agree. (I will send you the product key in a PM.)
  • In the Norton Bootable Recovery Tool window, click Norton Advanced Recovery Scan.
  • Click Start Scan.
  • When the scan finishes, remove the recovery media from the drive or USB port, and restart your computer.


melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Stage 1
  • Download Norton Bootable Recovery Tool from this link.
  • Save the Norton Bootable Recovery Tool on your computer Desktop.
  • After the download completes, open the file that you saved on the Desktop. It will start the Norton Download Manager as shown below.

    http://123pcworld.com/MalwareTips/DownloadManager.PNG
  • When the download finishes, the Norton Bootable Recovery Tool Wizard starts automatically.
  • In the Norton Bootable Recovery Tool Wizard, click Agree & Install to accept the User License Agreement.

    If you want to change the default install location, click Install Options, and then click Browse to locate the new install location.
  • Follow the on-screen instructions to create the Norton Bootable Recovery Tool on a CD/DVD media or USB key.

    http://123pcworld.com/MalwareTips/NBRT.PNG
  • It will select your CD/DVD writer by default; if it does not, select your CD/DVD writer and click Next.

    http://123pcworld.com/MalwareTips/NBRT-2.PNG
  • Now insert a blank CD/DVD into your CD/DVD writer and press OK. It will take some time to complete the bootable recovery drive creation.

    http://123pcworld.com/MalwareTips/NBRT-3.PNG


Stage 2
  • Insert the recovery media in the infected computer and start your computer from the recovery media. The recovery media can be a Norton Bootable Recovery Tool CD, DVD, or USB key.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Read the License Agreement, type your product key, and then click I Agree. (I will send you the product key in a PM.)
  • In the Norton Bootable Recovery Tool window, click Norton Advanced Recovery Scan.
  • Click Start Scan.
  • When the scan finishes, remove the recovery media from the drive or USB port, and restart your computer.


Just completed this. The scan found two Trojans: one was Trojan.Gen.2 and the other Trojan.Tracur. I rebooted the laptop and still have the same "lsass.exe invalid parameter" error. How can I stop the XP repair installation so I can see the desktop?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Is the Windows CD still in the CD drive? If yes, remove the Windows CD from the CD drive, keep the computer off for 5 minutes, and then start the computer again...
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
kuttus said:
Is the Windows CD still in the CD drive? If yes, remove the Windows CD from the CD drive, keep the computer off for 5 minutes, and then start the computer again...

Are you able to start the computer now? If not, boot the computer from the OTLPE Standard REATOGO Windows Recovery Environment once again.

Download Norton Power Eraser and save it to a flash drive. After that, run Norton Power Eraser from the OTLPE desktop and start a scan.

Download Norton Power Eraser from http://www.norton.com/npe
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
kuttus said:
Is the Windows CD still in the CD drive? If yes, remove the Windows CD from the CD drive, keep the computer off for 5 minutes, and then start the computer again...

Are you able to start the computer now? If not, boot the computer from the OTLPE Standard REATOGO Windows Recovery Environment once again.

Download Norton Power Eraser and save it to a flash drive. After that, run Norton Power Eraser from the OTLPE desktop and start a scan.

Download Norton Power Eraser from http://www.norton.com/npe

I booted the computer to the REATOGO disk and opened NPE from my flash drive; it opened and said "An error has occurred. This program runs on Windows XP, Vista and 7. The operating system you are using is not supported" or something like that.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Do one more thing: run one more fresh scan using Farbar Recovery Scan and send me the log files...
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi,

Open notepad and copy & paste the following:

start
HKLM\...\Run: [SonyAgent] C:\WINDOWS\Temp\temp35.exe [x]
HKU\Default User\...\Run: [3DVIA] rundll32 "C:\Documents and Settings\Wlasniewski\Local Settings\Application Data\Ahead\3DVIA\smjoebg.dll",DllRegisterServerW [x]
HKU\NetworkService\...\Run: [Adobe CS Manager] C:\Documents and Settings\NetworkService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479\eeaeadcaeed.exe [0 2013-01-10] ()
HKLM\...\Policies\Explorer\Run: [44163] C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msyauoi.bat [x]
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62 192.168.1.1
2 0240861319997418mcinstcleanup; [x]
C:\Documents and Settings\Wlasniewski\Application Data\Ixha
C:\Documents and Settings\Wlasniewski\Application Data\Ruqe
C:\057fdcfdf366da90b2895ec50c47
C:\WINDOWS\Temp\temp35.exe
C:\Documents and Settings\Wlasniewski\Local Settings\Application Data\Ahead\3DVIA\smjoebg.dll
C:\Documents and Settings\NetworkService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479\eeaeadcaeed.exe
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msyauoi.bat
2013-01-10 08:14 - 2013-01-10 08:14 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479
2013-01-10 07:39 - 2013-01-10 07:39 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479
C:\Documents and Settings\Wlasniewski\Local Settings\Application Data\Ahead
end

and save it as fixlist.txt onto your flash drive.

Then, boot to OTLPE, plug in your flash drive, open FRST and click fix. Post the generated log.
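An added example, not part of the thread and not FRST's own code: a small Python parser for the fixlist shape shown above (registry Run entries, a Tcpip\Parameters line, a service entry, a directory-listing line, bare paths) that pulls out the executables referenced from temp and profile-data directories, which is what makes these entries worth removing. The sample fixlist is constructed and the line-matching rules are my own assumptions about the format, not FRST's syntax definition.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in FRST fixlist syntax (not the thread's own log; paths invented)
SAMPLE_FIXLIST = r"""start
HKLM\...\Run: [SonyAgent] C:\WINDOWS\Temp\temp35.exe [x]
HKU\Default User\...\Run: [3DVIA] rundll32 "C:\Documents and Settings\User\Local Settings\Application Data\Ahead\3DVIA\smjoebg.dll",DllRegisterServerW [x]
Tcpip\Parameters: [DhcpNameServer] 192.0.2.1 192.0.2.2 192.168.1.1
2 0240861319997418mcinstcleanup; [x]
C:\WINDOWS\Temp\temp35.exe
2013-01-10 08:14 - 2013-01-10 08:14 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\e88ea456-guid
C:\WINDOWS\system32\lsass.exe
end"""

# A path runs from a drive letter to a closing quote, a trailing "[...]" field, or end of line
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?(?=",| \[|$)')
SERVICE_RE = re.compile(r'^\d \S+; \[x\]$')                    # "<start type> <service>; [x]"
LISTING_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ')   # "created - modified - size attrs path"
Entry = Tuple[str, Optional[str]]   # (kind, first Windows path on the line or None)

def parse_fixlist(text: str) -> List[Entry]:
    """Classify each line between 'start' and 'end' (assumed line shapes, see the regexes above)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line in ('start', 'end'):
            continue
        if line.startswith('HK'):
            kind = 'registry'
        elif line.startswith('Tcpip\\Parameters'):
            kind = 'network'
        elif SERVICE_RE.match(line):
            kind = 'service'
        elif LISTING_RE.match(line):
            kind = 'listing'
        else:
            kind = 'path'
        m = PATH_RE.search(line)
        entries.append((kind, m.group(0) if m else None))
    return entries

# Locations where a legitimate autorun executable is rarely found on XP (assumed heuristic)
SUSPECT_DIRS = ('\\temp\\', '\\application data\\', '\\local settings\\')

def suspicious_paths(entries: List[Entry]) -> List[str]:
    """Executables, DLLs and batch files referenced from temp or profile-data directories, deduplicated."""
    hits = [p for _, p in entries
            if p and p.lower().endswith(('.exe', '.dll', '.bat'))
            and any(d in p.lower() for d in SUSPECT_DIRS)]
    return list(dict.fromkeys(hits))
```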
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Hi,

Open notepad and copy & paste the following:

start
HKLM\...\Run: [SonyAgent] C:\WINDOWS\Temp\temp35.exe [x]
HKU\Default User\...\Run: [3DVIA] rundll32 "C:\Documents and Settings\Wlasniewski\Local Settings\Application Data\Ahead\3DVIA\smjoebg.dll",DllRegisterServerW [x]
HKU\NetworkService\...\Run: [Adobe CS Manager] C:\Documents and Settings\NetworkService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479\eeaeadcaeed.exe [0 2013-01-10] ()
HKLM\...\Policies\Explorer\Run: [44163] C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msyauoi.bat [x]
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62 192.168.1.1
2 0240861319997418mcinstcleanup; [x]
C:\Documents and Settings\Wlasniewski\Application Data\Ixha
C:\Documents and Settings\Wlasniewski\Application Data\Ruqe
C:\057fdcfdf366da90b2895ec50c47
C:\WINDOWS\Temp\temp35.exe
C:\Documents and Settings\Wlasniewski\Local Settings\Application Data\Ahead\3DVIA\smjoebg.dll
C:\Documents and Settings\NetworkService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479\eeaeadcaeed.exe
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msyauoi.bat
2013-01-10 08:14 - 2013-01-10 08:14 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479
2013-01-10 07:39 - 2013-01-10 07:39 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\e88ea456-8171-467e-a64d-c7a2745eed9479
C:\Documents and Settings\Wlasniewski\Local Settings\Application Data\Ahead
end

and save it as fixlist.txt onto your flash drive.

Then, boot to OTLPE, plug in your flash drive, open FRST and click fix. Post the generated log.

Here are the results.
 

Attachments

  • Fixlog.txt (1.7 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay, thank you...

Now please try to boot the computer normally and check whether you are getting any errors.
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Okay, thank you...

Now please try to boot the computer normally and check whether you are getting any errors.

Still the same lsass.exe error. Tried all the safe modes, last good config, and start Windows normally. It keeps going back to the repair installation; that won't stop coming up.
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Did you try Safe Mode with Command Prompt?

Yes. Any option I choose does the same thing: lsass.exe invalid parameter error, click OK, it goes to the installation screen and resets.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay.

Please run an OTL scan from OTLPE once again and, in the custom scan/fixes box, type:

lsass.exe

then press Run scan
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Okay.

Please run an OTL scan from OTLPE once again and, in the custom scan/fixes box, type:

lsass.exe

then press Run scan

Here is the log from the scan. Same results when rebooting.
 

Attachments

  • OTL1.txt (134.5 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Melissa, that one didn't work...

Please run an OTL scan from OTLPE once again and, in the custom scan/fixes box, type:

/md5start
lsass.exe
/md5stop


then press Run scan
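Added example in Python (not OTL's code) of roughly what the /md5start ... /md5stop custom scan is after: enumerate every lsass.exe below a drive root, hash each copy, and flag two things a responder cares about, a copy sitting outside the directories XP legitimately keeps it in, and a system32 copy whose hash no longer matches the dllcache copy kept by System File Protection. The directory layout and the sample files are constructed assumptions; on a real machine you would point find_copies at the mounted system drive from OTLPE.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Directories (relative to the Windows directory) where an XP install legitimately keeps lsass.exe;
# assumed from XP's System File Protection layout, not taken from OTL's own logic
LEGIT_DIRS = ('system32', os.path.join('system32', 'dllcache'), os.path.join('ServicePackFiles', 'i386'))

def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def find_copies(root: str, name: str = 'lsass.exe') -> Dict[str, str]:
    """Map every file called `name` below root to its MD5 (the listing /md5start asks OTL for)."""
    return {os.path.join(d, f): md5_of(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f.lower() == name}

def triage(copies: Dict[str, str], windir: str) -> Tuple[List[str], bool]:
    """Return (copies outside the legitimate directories, whether the system32 copy matches dllcache)."""
    legit = {os.path.normcase(os.path.join(windir, d)) for d in LEGIT_DIRS}
    strays = sorted(p for p in copies if os.path.normcase(os.path.dirname(p)) not in legit)
    sys32 = copies.get(os.path.join(windir, 'system32', 'lsass.exe'))
    cache = copies.get(os.path.join(windir, 'system32', 'dllcache', 'lsass.exe'))
    return strays, sys32 is not None and sys32 == cache

def demo(tamper: bool = False) -> Tuple[List[str], bool]:
    """Build a constructed XP-like tree in a temp dir: a matching lsass.exe pair plus a stray copy in Temp."""
    root = tempfile.mkdtemp()
    windir = os.path.join(root, 'WINDOWS')
    files = {
        os.path.join(windir, 'system32', 'lsass.exe'): b'rogue' if tamper else b'genuine',
        os.path.join(windir, 'system32', 'dllcache', 'lsass.exe'): b'genuine',
        os.path.join(root, 'Documents and Settings', 'User', 'Local Settings', 'Temp', 'lsass.exe'): b'rogue',
    }
    for p, data in files.items():
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as f:
            f.write(data)
    return triage(find_copies(root), windir)

if __name__ == '__main__':
    print(demo())       # one stray copy under Temp; system32 matches dllcache
    print(demo(True))   # same stray, but the system32 copy no longer matches dllcache
```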
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Melissa, that one didn't work...

Please run an OTL scan from OTLPE once again and, in the custom scan/fixes box, type:

/md5start
lsass.exe
/md5stop


then press Run scan

Here is the new log.
 

Attachments

  • OTL2.txt (135.5 KB)

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
melissawski said:
kuttus said:
Melissa, that one didn't work...

Please run an OTL scan from OTLPE once again and, in the custom scan/fixes box, type:

/md5start
lsass.exe
/md5stop


then press Run scan

Here is the new log.
I rebooted after a few minutes and still got the lsass.exe error, but another pop-up came and asked me to insert the Windows XP disk, which I have yet to see! But I didn't get a chance to put it in because it keeps resetting like normal.
 

melissawski

New Member
Thread author
Verified
Jan 11, 2013
31
kuttus said:
Okay. If it is asking you for the disk, insert it... Let's see what happens...

Same thing :( I don't know if I mentioned this, but when I choose any of the safe modes, a screen pops up that's black and white and lists a bunch of Windows files; they all end in DRIVERS/ and then every one is a different random word/letters. I can email pictures if you would like.
 
