lsass.exe infected, no internet

[TwinHeadedEagle]

What happens when you try to boot into Safe Mode? As soon as you start your computer, keep pressing F8, until you get image like this:

Are you getting this?

 

[dreamz]

i couldnt get it into safe mode but i logged in under different user and got a screen. i have trash cash, 3 shortcuts to google chrome, open office and yahoo messenger. i will try to get to promt from here but it wont be under admin privies. do you want me to run check disk and bootrec as before under this account? i am able to under open as admin. will see what happens with that first to see if i can get you a log.

 

[dreamz]

i just ran chkdsk c:/r from admin prompt. message came back saying cant be run bc volume is in use by another process. would i like to schedule this volume to be check the next time system restarts. i am going to click yes.

i am going to run the bootrec that you asked before as well.

i will then go into bios and make sure i am still able to get into safe mode as i had to set p/w in order for this to be enabled.

 

[dreamz]

ok, i was able to get this done. i noticed that after i restarted that i lose more functions, text looks different, etc. afraid to turn off. will wait for instructions

 

[TwinHeadedEagle]

I think your problem can be solved now when you gave me reports from Normal windows. Where did you run check disk from? Try to run it from Normal mode again and to schedule it after next restart. Then try to boot to your ordinary account.

Please apply this fix from Normal mode:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finishes FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



Check Disk

• Press the
  
  on your keyboard. Type cmd and right click >> Run as Administrator.
• Copy/Enter the command below and press Enter:

• chkdsk C: /r

• You should get a message to schedule Check Disk at next system restart. Please type Y and press Enter.
• All you should do now is to restart your PC and let the Check Disk process finish uninterrupted.

Check Disk report:

• Press the
  
  + R on your keyboard at the same time. Type eventvwr and click OK.
• In the left panel, expand Windows Logs and then click on Application.
• Now, on the right side, click on Filter Current Log.
• Under Event Sources, check only Wininit and click OK.
• Now you'll be presented with one or multiple Wininit logs.
• Click on an entry corresponding to the date and time of the disk check.
• On the top main menu, click Action > Copy > Copy Details as Text.
• Paste the contents into your next reply.

 

[dreamz]

ran from new account i made when all this started. has admin privies. only thing is still not loading windows. you want check disk first, fix list then check disk /r. my windows key does not work. and boot manager still locked.

 

[TwinHeadedEagle]

I don't understand. You say still not loading Windows or that account? There is a difference if you can login into other account.

Run FRST fix first and then check disk after it.

 

[dreamz]

the fixlist is empty

 

[TwinHeadedEagle]

No, it isn't.

 

[dreamz]

the start button does not work, however windows key work now. i am going to try to set up my internet while you look this over. again, thanks. i really don't know what i would've done. as i go through files i notice that under $windows.~bt there are still files. when i right click that file and go to properties the size, size on disk and contains the numbers are rapidly changing and is a shared file folder. network path \\desktop80vdk55\$windows.~bt. also, the program data file is lightened and numbers move rapidly. and that i need user account and password to access these folders. i did not open as i am sure this is where the virus was or still is.

 

[TwinHeadedEagle]

Have you performed FRST fix?

 

[dreamz]

yes i did...on tha account administrator. that is not my main account. owner isnt even the original admin. that one got delete. i was able to log on administrator. i logged onto owner and all the glitches began again. i was able to run frst before it got out of hand. files attached. do you want me to run chskdsk /r on owner? it doesnt have admin privies. i found a spot that shows me how to get the hidden admin going, but if this virus still there?

 

[dreamz]

forgot, still no internet

 

[TwinHeadedEagle]

I would like you to do this operation:

System File Checker

• Press the
  
  on your keyboard. Type cmd and right click >> Run as Administrator.
• Copy/Enter the command below and press Enter:

• sfc /scannow

• Windows will begin with system scan.
• When done, please reboot your system.

System File Checker report:

• Press
  
  + R on your keyboard at the same time. Type cmd and click OK.
• Copy/Enter the command below and press Enter:

• findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"

• Attach sfcdetails.txt from your Desktop in your next reply.

 

[dreamz]

its not taking that code. i tried several times. i wrote down the code cmd gave me to retrieve, here it is. im running a new frst as well, only because ran fix in recovery last night. I actually got the blue windows screen and didnt have that 1st screen that would slide up. in task manager i could see the virus opening closing all over. i did copy/paste files and usage...didnt know if that would be something or not. when windows loaded i keep getting MSC 0x80070426 error and to contact systems admin. keeping it short. ill keep trying to run that code, i input characters/spaces just the want you had it. says file too big. im sending these 2 for now, will break down cbs into smaller files. i noticed this when looking for details i could c/p: fel [DIRSD OWNER WARNING]

 

[dreamz]

i will keep trying to get to the detail file, in the meantime here is the full file in 3 parts, very sorry. in a name of a folder path path, what is -k mean?

 

[TwinHeadedEagle]

What is the current account you are logged on? Is it fully functional?

 

[dreamz]

What is the current account you are logged on? Is it fully functional?

administrator, for the most part. administrators is the one that seems to have it all.i need an updated frst64.exe and will run new scan. is there an avyou can rec for me for me to put on usb to help get rid of it, seems to be getting worse

again, thanks for all you do
jenn

 

[TwinHeadedEagle]

Can you create a new account and see if it is going to work? I don't think you will be able to access the other account.

 

[dreamz]

Can you create a new account and see if it is going to work? I don't think you will be able to access the other account.

i will see if i can. i have the jenn account that i might be able to give admin privies to? all i know is i check netstat and there are 2 pid's that match. resources are high. i need an updated version of frst64 too, says out of date and need to update