I was able to find and remove a file on Friday.
lsass.exe, located in C:\Documents and Settings\username\Application Data\SystemProc\
Registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Documents and Settings\\username\\Application Data\\SystemProc\\lsass.exe"
VirusTotal reported this file here
Apparently it is named several different things, though the most common name is Koobface.
I have tried running the following tools, which will NOT run:
Malwarebytes (runs but doesn't find anything)
FSecure Blacklight (anti rootkit)
Dr Web Cure it
OTL (if I do the custom scan it comes up with an error: invalid flag [mp] must be numerical)
Internet Explorer and Firefox are hit and miss. If I try to look up anti-rootkit software, all of a sudden I get timeouts and "page cannot be displayed". Once that starts I have no choice but to reboot the PC. The computer will not reboot on its own and will not shut down on its own; I have to hold the power button, but that doesn't cause chkdsk to be initiated.
When typing in the Run box, the letters come up very delayed.
Unable to access the Control Panel most of the time; also unable to access Add/Remove Programs in the Control Panel.
Timeouts in Internet Explorer, or it freezes or never launches (Firefox has the same problem).
Malwarebytes finds nothing on the system.
It was forwarding to the following sites (this seems to be resolved since removing the above-mentioned file):
Won't allow antivirus or anti-malware tools to run.
Cannot load the eTrust interface (uses Internet Explorer).
Internet Explorer is running in the background when the computer is first started, before any websites are open...
I can't see anything in the log files.
Anyone have any ideas?
I was going to try a bootkit detector; however, I have a recovery partition and do not want to destroy that.
OK, so even more problems...
Add/Remove Programs is showing up BLANK at times.
I have tried to run SFC /SCANNOW: no hard drive activity, no anything, and the status bar does not move.
I tried running Service Pack 3 again to see if it would fix possible broken files (no dice; it starts the install but just sits there at "inspecting system").
Whenever I now run GroupWise 7.x I get an error in ntdll.dll when I close it.
Internet Explorer is freezing up on the website http://www.marketwatch.com whenever you try to get a quote or go to a page other than the main page. Firefox doesn't have this problem.
I ran RootRepeal and the only thing it found was this:
Object: Hidden Code [ETHREAD: 0x86c2b020]
Process: System Address: 0x86f9a7ca Size: 159
Object: Hidden Code [ETHREAD: 0x86c5e020]
Process: System Address: 0x86f9a57c Size: 555
Object: Hidden Code [ETHREAD: 0x86ca3020]
Process: System Address: 0x86f9b57d Size: 1174
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86f9afc5 Size: 60
I don't know how to go further with this at this point.
I tried a Windows repair install since copying and pasting was causing an error in ntdll.dll. Since the repair install, the computer hangs on a black screen with the cursor for 5 minutes and then loads the desktop. The initial install did not go well either: it came up to "please wait while Windows starts" and never finished, so I had to hard reboot it.
Edited by thebouncer, 20 July 2010 - 09:26 AM.
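The persistence artifact in the post above (a value under Policies\Explorer\Run pointing at an lsass.exe in the user's Application Data folder) is a pattern worth checking for generically: an autorun entry whose executable borrows a Windows system process name but does not live in %SystemRoot%\System32, or runs from a user-writable profile directory. The script below is an added example, not code from the original post or from any of the tools it mentions. It assumes PowerShell 4 or later (for Get-FileHash, used to produce a hash you can look up on VirusTotal), and the list of impersonated process names and the set of autorun keys are illustrative assumptions rather than an exhaustive inventory of autostart locations.

```powershell
# Added example: enumerate common Run / RunOnce / Policies\Explorer\Run keys and
# flag entries that look like the SystemProc\lsass.exe case. Key list, name list
# and heuristics are assumptions for illustration, not a complete autorun audit.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Windows component names that malware commonly impersonates (assumed, illustrative list).
$systemNames = @('lsass.exe', 'csrss.exe', 'svchost.exe', 'winlogon.exe',
                 'services.exe', 'smss.exe', 'explorer.exe')
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-ExePathFromCommand {
    param([string]$Command)
    # Strip surrounding quotes and keep the text up to the first ".exe"; anything after is arguments.
    $cmd = $Command.Trim().Trim('"')
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd
}

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSChildName etc.
        $exe  = Get-ExePathFromCommand ([string]$prop.Value)
        $name = [System.IO.Path]::GetFileName($exe).ToLower()
        $reasons = @()

        # Heuristic 1: a system process name outside System32 (the lsass.exe case above).
        if (($systemNames -contains $name) -and
            -not $exe.StartsWith($system32, 'OrdinalIgnoreCase')) {
            $reasons += "system process name outside $system32"
        }
        # Heuristic 2: executable lives in a user-writable profile or temp directory.
        if ($exe -match '\\Application Data\\|\\AppData\\|\\Temp\\') {
            $reasons += 'runs from a user-writable profile directory'
        }
        # Heuristic 3: the Policies\Explorer\Run key is rarely populated by legitimate installers.
        if ($key -like '*Policies\Explorer\Run') {
            $reasons += 'set under Policies\Explorer\Run'
        }

        $exists = Test-Path -LiteralPath $exe
        $hash = $null
        if ($exists) {
            # SHA-256 for a VirusTotal lookup (Get-FileHash requires PowerShell 4+).
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Key        = $key
            ValueName  = $prop.Name
            Command    = [string]$prop.Value
            Executable = $exe
            Exists     = $exists
            SHA256     = $hash
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Key, ValueName, Executable, Exists, Suspicious, Reasons
```

Run it from an elevated PowerShell prompt on the affected machine (or against an offline hive loaded with reg load, adjusting the key paths). A hit on the first heuristic, as with the RTHDBPL value in the post, is a strong signal on its own: the real lsass.exe only ever lives in System32. Note that this checks the registry, not running processes, so a kernel-level hook of the kind RootRepeal reported could still hide the file or the key from user-mode tools; in that case compare the output with a scan taken from a boot CD or offline hive.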