Full Version: My HijackThis log
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
melissa1959
I get an annoying LSASS message saying that my system will be shut down in 1 minute. I delete the %system% files in the registry and it goes away--temporarily. But each time I turn on my computer I get something new, such as a barrage of messages about buying diplomas, online gambling, etc. Sometimes, my IE automatically tries to go to a website that's not of my choosing. I even tried reinstalling Windows XP, which ultimately resulted in losing everything on my hard drive--except the bad stuff.

According to the Symantec website, my computer has the following viruses:
w32.randex.gen; w32.pinfi; w32.spybot.worm; w32.welchia.gen.
A virus scan by another product--I don't recall which one--found these:
keylog-briss; w32.sdbot.worm.gen.n

Here is my June 19 HijackThis log. I'm hoping you can help me rid my computer of these problems. Also, I'd like to hear any recommendations for anti-virus or similar software solutions that can keep me from getting zapped in the future.

Melissa1959

Logfile of HijackThis v1.97.7
Scan saved at 6:30:36 PM, on 6/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\rasmngr.exe
C:\WINDOWS\System32\wugrds.exe
C:\WINDOWS\System32\PDSched.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab
CalamityJane
Hi melissa1959,

My goodness, you do have quite a mess there. I'm sure we can help you get cleaned up but it is going to take a number of steps. First, without some firewall protection and security updates to your Operating System, you are only going to get infected again within minutes of connecting to the internet. So, do the following first:

1. Enable the Windows Internet Connection Firewall
http://www.microsoft.com/windowsxp/using/n...rnmore/icf.mspx

2. Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

3. Scan with HijackThis and checkmark these entries, then press *fix checked*

O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe

Stay in Safe Mode and delete the following files
wuamgrd.exe
rasmngr.exe
wugrds.exe
PDSched.exe

4. Reboot back into normal mode with the Windows firewall enabled. Go immediately to the Windows Updates site and get ALL the critical security updates recommended for your Operating system and IE
http://v4.windowsupdate.microsoft.com/en/default.asp

5. To finish cleaning up your infections, go get an online scan at one (preferably two) of the following free online AV scanners. Let them remove any infected files found and reboot between each cleaning. It may take more than one scan to get them all.

6. Get an Antivirus Program. Here are two Free AVs you can download, pick one and do a full system scan after updating them (very important to get the updates before scanning).

AVG 6.0 Free Edition
http://www.grisoft.com/us/us_dwnl_free.php

AntiVir (Free Edition)
http://www.free-av.com/

7. After cleaning up and getting the Windows Updates, get the latest updates for Ad-aware. The newest update is Reference file #01R322 20.06.2004 Update. Then scan using these settings:

Please update the program. Just open Ad-aware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File #: 01R321 19.06.2004 or higher listed.

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings.

Don't scan yet, please. We need to do the next steps in SAFE MODE, so please copy these instructions so you have them handy since you will probably not be able to get online in safe mode.

Now, Reboot into safe mode

Open Adaware, Press *scan now* and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

8. Scan once more with Hijackthis and don't remove anything yet in the log. Post it back here so we can see what may remain to be fixed :)
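The O4 triage CalamityJane does by eye in the post above can be written down as a check. This is an added example, not HijackThis code and not from anyone in this thread: it parses the O4 lines of a HijackThis log (the sample below is constructed from the O4 lines posted in this thread) and records why each autostart entry looks suspicious: a bare filename with no path, a Microsoft-sounding label on such a file, use of the RunServices key, and the same file registered under several autostart keys at once. The two legitimate entries (AVG and Ad-aware) come through with no reasons attached.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
"""

# O4 - <hive>\..\<key>: [<label>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Labels that borrow Microsoft component names, as the worm entries in this thread do.
IMPERSONATION = re.compile(r"microsoft|windows|win updates?|directx", re.I)

def parse_o4(log_text):
    """Yield (hive, key, label, exe) for every O4 line; exe is the command's first token."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, label, cmd = m.groups()
        cmd = cmd.strip()
        # A quoted command keeps its full path; otherwise take the first whitespace token.
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        yield hive, key, label, exe

def triage(log_text):
    """Group O4 entries by executable and attach the reasons each one looks suspicious."""
    by_exe = defaultdict(lambda: {"locations": [], "labels": set()})
    for hive, key, label, exe in parse_o4(log_text):
        by_exe[exe]["locations"].append(hive + "\\" + key)
        by_exe[exe]["labels"].add(label)
    findings = []
    for exe, entry in by_exe.items():
        reasons = []
        bare = "\\" not in exe          # no path: found by PATH search, real location unknown
        if bare:
            reasons.append("bare filename with no path")
        if bare and any(IMPERSONATION.search(lbl) for lbl in entry["labels"]):
            reasons.append("Microsoft-sounding label on an unpathed executable")
        if any(loc.endswith("RunServices") for loc in entry["locations"]):
            reasons.append("uses RunServices, a Windows 9x/Me key that Windows XP does not process")
        if len(set(entry["locations"])) >= 3:
            reasons.append("registered under %d autostart keys at once" % len(set(entry["locations"])))
        findings.append({"exe": exe, "locations": entry["locations"], "reasons": reasons})
    return findings
```

Entries whose reasons list stays empty are the ones to leave alone; everything else matches the O4 lines the post tells the user to fix.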
melissa1959
My computer now scans clean with Trend Micro and Panda Active virus scanners and my last Ad-aware was clean. Here is my new HijackThis log. I notice that some of the same files that I initially removed have returned. Is this normal?

Logfile of HijackThis v1.97.7
Scan saved at 12:36:03 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\rasmngr.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\RunServices: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab
CalamityJane
Hi melissa,

Please check your private message box at the top of this forum. I've sent you a message requesting a file (put it in a zip file first please) and my email address to send it to. I need to get it analyzed.

Meanwhile, I'll go over your log and we can fix some of the entries, but there is one file still there that is very suspicious.
CalamityJane
Go to your Windows Task Manager (ctrl/Alt/Del) and look for the entry:

rasmngr.exe

Highlight it and click on *end process*

Scan again with HijackThis. Make sure ALL browsers are closed - nothing open with HijackThis. Checkmark these items

O4 - HKLM\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\RunServices: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe

Reboot your PC back into safe mode. Find this file: rasmngr.exe

Rightclick on it and choose *rename* . Name it to: rasmngr.old.

Look for these files and make sure they are gone:
Stay in Safe Mode and delete the following files, if found

wuamgrd.exe
wugrds.exe
PDSched.exe

Reboot back into normal mode and scan this file at the following free online scanners:

rasmngr.old.

Dr.Web online scan
http://www.dials.ru/english/www_av/

Single file check (KAV)
http://www.kaspersky.com/remoteviruschk.html

Please copy the reports given at the end of each and copy them back here :)
CalamityJane
Hi melissa,

I received your email but that is the wrong file.

Can you resubmit to me please? Go to your System32 folder under C:\Windows (click on Show Files to see the folders there) and get the file: C:\WINDOWS\System32\rasmngr.exe <--this file which you should have now renamed to have the .old extension so the file name should now be rasmngr.old. Put that in a zip file and email to me.
CalamityJane
Hi Melissa,

I just now got your email containing the sample of rasmngr.exe

It is definitely infected (was brand new on June 19, however most AV/AT programs can now detect and remove this worm)

http://uk.trendmicro-europe.com/enterprise...YBOT.EM&VSect=T

Get an online AV scan and let it remove any infected files found. Additionally update your resident Antivirus program and do a full system scan.

Make sure you have deleted the rasmngr.exe, as I noticed you did not follow my steps to disable and then rename the file to rasmngr.old.

Scan with HijackThis and post a fresh log please. We need to make sure that file is not still running on your system.