Cannot load Norton anti-virus even wd manual installation. Do i have a virus?

Hi FLYN,

You do have at least one infection (a worm), as indicated by this HJT log entry:

O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINNT\lsass.exe (file missing)

However, you need to take care of something first:

C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.

-----------------------------------------------------------------------------------------
Once you've moved HJT to a safe folder, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

2. Download and install the CCleaner utility, but don't run it yet.

3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "lsass" or "Local Security Authority System Service" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

4. Run HijackTHis again, put a check mark next to the following entry, and then click the "Fix checked" button:

O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINNT\lsass.exe (file missing)

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

lsass

Close HijackThis after that.

5. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

6. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

7. Run Norton, ewido, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

8. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Delete the following file if it still exists:
C:\WINNT\lsass.exe

9. Empty your Recycle Bin and reboot normally.

10. Run HijackThis again, and post the new log. Also post the log that ewido generated.

In the list of services, locate the service named "lsass" or "Local Security Authority System Service" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

I can't find lsass" or "Local Security Authority System Service" in the administrative tools ,services shortcut

Please disregard the post previous to this because maybe I cant locate lsas.exe in the administrative tool is because I reformated the pc and installed windows xp.But now the problem is worse because everytime i connect to the internet a window appears that tells me that lsas.exe has encountered some trouble and will restart in 40 mins.I did what you instructed and placed hijackthis in another folder and this is what it ran.

Logfile of HijackThis v1.99.1
Scan saved at 12:09:44 AM, on 1/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MsLX32.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wlsass.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINNT\System32\IEXPL0RE.EXE
C:\WINNT\System32\win32.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [wlsass] C:\WINNT\System32\wlsass.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\Run: [win32] C:\WINNT\System32\win32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136203677962
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MsLX32 - Unknown owner - C:\WINNT\MsLX32.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

Ps. I just installed ewido and have not even run it yet per your instruction when suddenly a window popped and said,

" infected object found

file: Mslx32

path: c:\winnit

infection: backdoor.sdbot

i havent done anything yet and will wait for your advise

I just installed ewido and have not even run it yet per your instruction when suddenly a window popped and said,

" infected object found...

Unfortunately, you can get infected within minutes if you do any Web surfing before all of your anti-spyware/anti-virus protections are in place. Judging from your log, that's what has happened in your case. Your new infection is different from the last one, so I've modified my previous instructions to target the current infection:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

2. Download and install the CCleaner utility, but don't run it yet.

3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MsLX32" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

4. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button:

O4 - HKLM\..\Run: [wlsass] C:\WINNT\System32\wlsass.exe
O4 - HKLM\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\Run: [win32] C:\WINNT\System32\win32.exe
O4 - HKLM\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O23 - Service: MsLX32 - Unknown owner - C:\WINNT\MsLX32.exe

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

MsLX32

Close HijackThis after that.

5. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

6. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

7. Run Norton, ewido, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

8. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Delete the following files if they still exist:

C:\WINNT\System32\wlsass.exe
C:\WINNT\System32\win32.exe
C:\WINNT\MsLX32.exe

9. Empty your Recycle Bin and reboot normally.

10. Run HijackThis again, and post the new log. Also post the log that ewido generated.

Hi I followed your instruction except for the norton scan. I can't load norton.
This the ewido log report

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          2:42:40 AM, 1/10/2006
 + Report-Checksum:     4F692771

 + Scan result:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MVMFETKZ\g3[1].exe -> Proxy.Agent.ic : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OP0VM3UP\gold[1].exe -> Proxy.Agent.ic : Cleaned with backup
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KJ2HOLIF\gold[1].exe -> Proxy.Agent.ic : Cleaned with backup
    C:\g3.exe -> Proxy.Agent.ic : Cleaned with backup
    C:\golden.exe -> Proxy.Agent.ic : Cleaned with backup


::Report End

And this is the hijack report.

Logfile of HijackThis v1.99.1
Scan saved at 3:20:00 AM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - Global Startup: Real-time Monitor.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136203677962[/url]
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

What exact errors do you encounter when trying to install Norton?

I was refering to the last install before I reinstalled everything. I'll try again. What did the last hijack scan report? Do i still have it?

Norton doesnt work on safe mode

What did the last hijack scan report?

The last HJT log you posted was totally clean. Do we still have issues to work on?

Uhm I connected the pc to the internet and then a timer appeared that said that I have encountered a problem and that the system would shut down in 45 minutes and would restart again.

i think i'm still infected

You can:

A) Open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a properties window with more details. If you see any entries whose details look like they might relate to the problem, post the full and complete contents of the details window(s) here. Here's the easiest way to post those details:

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.
- Paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

B) Run another set of scans with ewido and MS antispyware. Post the new log from ewido, as well as a new HJT log.

This is the error log from the administrative window,

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 11
Date: 1/16/2006
Time: 10:39:31 PM
User: N/A
Computer: tower
Description:
The driver detected a controller error on \Device\Harddisk1\D.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 04 68 00 01 00 b6 00 ..h...¶.
0008: 00 00 00 00 0b 00 04 c0 .......À
0010: 01 01 00 00 85 01 00 c0 ......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 c2 9f 9d 01 00 00 00 .Â....
0028: 8a 0d 00 00 00 00 00 00 .......
0030: ff ff ff ff 01 00 00 00 ÿÿÿÿ....
0038: 40 00 00 8f 02 00 00 00 @......
0040: ff 20 0a 12 4c 03 20 40 ÿ ..L. @
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 20 54 3c 80 26 e0 80 . T<&à
0058: 00 00 00 00 f8 a7 e3 80 ....ø§ã
0060: 02 00 00 00 e1 cf ce 00 ....áÎ.
0068: 28 00 00 ce cf e1 00 00 (..Îá..
0070: 08 00 00 00 00 00 00 00 ........
0078: f0 00 04 00 00 00 00 0b ð.......
0080: 00 00 00 00 08 03 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

And here's another one

Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 11
Date: 1/16/2006
Time: 10:39:30 PM
User: N/A
Computer: tower
Description:
The driver detected a controller error on \Device\Harddisk1\D.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 03 68 00 01 00 b6 00 ..h...¶.
0008: 00 00 00 00 0b 00 04 c0 .......À
0010: 01 01 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 c2 9f 9d 01 00 00 00 .Â....
0028: 6a 0d 00 00 00 00 00 00 j.......
0030: ff ff ff ff 03 00 00 00 ÿÿÿÿ....
0038: 40 00 00 8f 02 00 00 00 @......
0040: ff 20 0a 12 4c 03 20 40 ÿ ..L. @
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 20 54 3c 80 26 e0 80 . T<&à
0058: 00 00 00 00 f8 a7 e3 80 ....ø§ã
0060: 02 00 00 00 e1 cf ce 00 ....áÎ.
0068: 28 00 00 ce cf e1 00 00 (..Îá..
0070: 08 00 00 00 00 00 00 00 ........
0078: f0 00 04 00 00 00 00 0b ð.......
0080: 00 00 00 00 08 03 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

Not good; those errors could indicate a hardware problem with the drive or motherboard electronics; they could also indicate a problem with the motherboard's IDE driver. Here are some things to try:

* Reinstall/upgrade your motherboard's IDE controller driver software.
* Check the data and power cables. Make sure they are seated firmly, and that there is no physical damage (nick, cuts, etc.) to them. Try different cables if possible.
* Remove the drive and physically inspect the circuitry on the drive's controller card. Check for burned/cracked/discolored components. Use your nose- sniff around for that distinctive, telltale smell of overheated silicon.
* Install the drive as a slave drive and see if it still exhibits problems. Make sure to pay attention to Master/Slave/Cable Select jumper settings on the drives.

Will try. But the funny thing about it is this. When The pc is on and isnt connected to the internet then there's no problem of any window shut down. But the moment I connect to the internet ,the window appears and it says problem with the lsas and that the pc would shut down and restart in 40 seconds.

Ok, I see. Are there any other kinds of error or warning messages in the Event Viewer?

I was able to load the norton and updated it.Then a window popped up and it said that i had a virus and it is located in C:\winnt\system32\eraseme.03556.exe.Norton said that it cant get rid of it and acess to the file is denied. What should i do?

Norton says its the w32 spybot in C:\winnt\system32\eraseme.03556.exe