Lsass.exe


rikkkki

Hey guys. Ya answersthatwork.com is the program that I was talking about. I have it and it is VERY helpful with MANY different things. It's called TUT (The Ultimate Troubleshooter). I was also VERY suspicious about my entry that had all those dlls tagged on the end. HijackThis says that generally Trojan types use this


Just a note: TUT says that if you have lsass.exe in your startups then you have a virus. Mine runs right where it's supposed to, in the tasks and the path is correct...............

Agreed.  You can disable the funky registry entry in msconfig without deleting it.  It would be a good idea to back up your registry first if you decide to do this.


:!: Well, update, maybe. I told Microsoft yesterday that I had run an HT scan and that it had a suspicious multiple dll listing in the log. Well, they wrote me back and said to go ahead and download HT and run a scan/log and send it to them :!: :!: :!: :!: :!:  Ah, HELLO, Microsoft, how did I run the scan if I didn't have HT in the first place??? :haha: :haha: After I got done laughing I went ahead and sent them the same thing that I posted here in this forum. Sometimes I think that I am a day ahead of them :!: :!: :!: :!: ;) ;) ;)

Microsoft is just takin' credit for the work you've done 69Rat  :evil6:  "Oh, that's a good idea, why don't you download HJT, run it, then send the log........"  Leave it to Microsoft.......  :roll:  It is good to be ahead of them, though  :)


Well Cak46 I hope that they can get ahead of me somewhere along the line  so that we can be on the same page :!: :!: :!: I seriously feel that I do not have a virus. I think it's something like a true system error like the little box says, cause it will not reboot if I wait about ten minutes before I click OK. I mean, it's not the famous "60 second countdown"  :!: :!: :!:


Yeah, but by the same token, the process that is executing (possibly a virus or other errant action) may not like to be interrupted until it is done doing whatever it was written to do.......  Did you actually find the file with that funky name on your hd?


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Value:  9vs7sxtxnn585u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Here is the actual path in my registry and the value is from the properties and I think that's as far as I can go with it :icon_study: :icon_study: :icon_study:

Unless there is another way to try.


Haven't used the search feature too much with XP so I got this from here: http://www.cyberwalker.net/columns/aug03/find-file.html

You can just copy and paste the filename from here      9vs7sxtxnn585u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

*****************

However here's the detailed search instructions for Windows XP owners. First click the START button (bottom left of your screen) then "Search", then select "For Files or Folders". A window will pop up with a details box on the left hand side that looks like this:

Search box from Windows XP

Next, click on the green arrow next to "All files and folders" unless you know specifically what type of file you have lost. If you have downloaded a picture, a music file or video or a document such as a Word file or PDF then click on the specific search option item that relates to that kind of file.

A new box will pop open. Next type in all or part of the filename in the top field that says: "All or part of the file name". If the file was called "paintprogram.zip" then type it in. If you don't remember, type in part of the name such as "paint". However the less specific you are, the more likely that you'll find all kinds of files like that that are already on your system. If the file was a document you could also type in a few words from the document (maybe you know the title or topic?) into the second box titled: "A word or phrase in the file".

Search Windows XP

Finally, in the "Look in:" field leave your "C drive" selected unless you know for certain that you downloaded the file to another computer drive. If you want to search all the drives including CD drives and floppy drive (if you have one) click the drop down box and select "My Computer".

Next click the Search button. All the files that match your search criteria will appear on the right side of the Search window. 

***********************

Don't click on it, just note the location.  Most likely that will be ms's next question.


I had already tried a search with the registry but of course that's not a file. Then I just now tried a search of the value and came up with nothing. The funny thing is this started on Saturday when I was right in middle of researching lsass.exe and when I was " ending process" on task manager. When I clicked on lsass a window came up and told me that this cannot be deleted, so I clicked OK. and that was that. I was having trouble installing a new game, support told me delete everything except explorer and system tray. Well with XP that cannot be done. Later in the afternoon the window started popping up :!: :!: :!:


Hi out there :!: :!: :!: This time I'm not going to be a "hero" and try this myself without some feedback from you guys :o :o :o try this link and read what Paul Ramsey has to say about how he got rid of the lsass.exe problem. About half way down.


I had already tried a search with the registry but of course that's not a file. Then I just now tried a search of the value and came up with nothing. The funny thing is this started on Saturday when I was right in middle of researching lsass.exe and when I was " ending process" on task manager. When I clicked on lsass a window came up and told me that this cannot be deleted, so I clicked OK. and that was that. I was having trouble installing a new game, support told me delete everything except explorer and system tray. Well with XP that cannot be done. Later in the afternoon the window started popping up

No, search your hard drive, not the registry, for the file.  Has to be somewhere or it has been removed and the entry, which may be in win.ini, or one of the other ini files, is a dead call. 

Paul's fix:  Looks like he is changing the attribute of the file but not absolutely sure.  If all those files are supposed to use shared then it may function correctly.  Don't know enough about writing batches for command line in XP to say whether it will do what it is supposed to do or not.  Also, I did not see a post in the other forum saying that it had worked for someone either.  If you're at the end of your rope and plan on doing a full blown reinstall anyway, I would try it at that point.  Further down in the other forum it spoke of copying the files back from the xp cd, which might be a good idea as well. Here's a link to the search suggested in the other forum: http://support.microsoft.com/search/default.aspx?qu=lsass+error  I guess it comes down to that in the worst case scenario you'll need to format your HD, or at least delete the windows directory, and do a full blown re-install but if the batch file works, you're golden.  I would like a copy of that funky file if you can find it on your hard drive.  Like to kick the tires on it, so to speak.


HI cak46 :!: I guess I was mixing two things with one. I searched the registry for the multiple dll thing and the hard drive for the lsass.exe. Microsoft finally came out of their shell and told me to go ahead and delete the dll entry/no results. I now have two entries on HD for lsass, one is right where it's supposed to be and has no virus and the other is in the Windows/software distribution/download file. Looks legit. They also had me turn off all services except MS and all startups/ no results. I just sent them a screenshot of my screen with the error on it. Still waiting for a word about that. I also noticed that Paul's fix was never replied to :icon_scratch: :icon_scratch: Hummmm, I can do what he says, but I'm not sure I could undo it :!: :!:


You could cut and paste the batch file information and send it to ms for a quick once over.  From looking at the search on MS, they have had a good number of problems with lsass.

Edit:

Yeah, that's why I'd only do it as a last resort to prevent the computer from mysteriously going out thru the nearest window  :)


If you mean a copy of Paul's "fix" I can do that. I just put the whole thing in notepad and can email it to MS

:haha: :haha: I sure hope it doesn't come to tossing it out the window. Last resort is clean install :cry: :cry: :cry: Get this, MS told me to make a screen shot of the error and then open mspaint and do some clicking around and then save to an email. Well no matter how you cut it, it ends up an attachment. Well they told me not to send it as an attachment cause it will be lost :!: :!: :!: So I took matters into my own hands (long story short) I opened a new email and went to insert and selected picture went to browse and selected screenshot and clicked OK and guess what? Picture is IN email :!: :!: :!:  :icon_scratch: :icon_scratch: It seems that is what they should have a guy do in the first place


69 RAT: I don't think this is a problem you are having with XP but here is something I found while looking about the problem with 98, 98SE & ME. Apparently the capital I in these OS's looks just like the small L. Some hackers were hiding a virus this way. I'm going to post examples of how it looks. Since I have ME I don't know if it will look that way on an XP OS.

Ilsass.exe this one has a capital i for the first letter

llsass.exe this one has 2 small L's

On my PC they look identical.
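
The look-alike name problem described in the post above, as an added example that is not part of the original thread: it flags file names that fold to, or sit one character away from, `lsass.exe`, and separately flags the genuine name found outside System32. The confusion table, the default `C:\Windows` install location and all sample paths are assumptions constructed for illustration.

```python
import ntpath

PROTECTED = "lsass.exe"
# Assumption: default install, so the genuine file lives in C:\Windows\System32.
EXPECTED_DIR = r"c:\windows\system32"
# Assumed confusion table: glyphs that many fonts draw like a lowercase "l".
CONFUSABLE = str.maketrans({"I": "l", "1": "l"})


def skeleton(name):
    """Fold confusable glyphs to one representative, then lowercase."""
    return name.translate(CONFUSABLE).lower()


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip one character of the longer string (or of both) and compare the rest.
    return a[i:] == b[i + 1:] if len(a) < len(b) else a[i + 1:] == b[i + 1:]


def classify(path):
    directory, name = ntpath.split(path)
    if name.lower() == PROTECTED:  # Windows file names are case-insensitive
        ok = directory.lower() == EXPECTED_DIR
        return "expected" if ok else "genuine name, unexpected folder"
    if within_one_edit(skeleton(name), PROTECTED):
        return "lookalike name"
    return "unrelated"


# Constructed sample paths (not taken from any real system).
SAMPLES = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\Isass.exe",   # capital i in place of the l
    r"C:\WINDOWS\Ilsass.exe",           # capital i in front, as in the post
    r"C:\WINDOWS\SoftwareDistribution\Download\lsass.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{classify(p):32} {p}")
```

A "genuine name, unexpected folder" result only means the copy deserves a closer look; it is not a verdict on the file.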


If you mean a copy of Paul's "fix" I can do that. I just put the whole thing in notepad and can email it to MS

Couldn't hurt.... Sounds like MS is a bit baffled with this one.  Maybe you'll be helping them out.  :)  That would be a hoot.  You contact MS and find the fix for them, instead of them fixing it for you.....  I just find that kinda ironic.  :)


Very interesting :!: I just did a system search using a capital L and came up with same results. BUT I have noticed that on different forums/sites that it is spelled the two different ways and I'm wondering if somewhere there might be a difference. When I type capital L and small l It's two different things as you can see. :icon_scratch: :icon_scratch: Hold it. The capital I is the same as the small l . The mystery continues


You're right Cholla, they look identical. I caught it myself and edited my previous post. I wonder if our systems could misread this :?: :?: Naaaa do ya think? I'm going to try it right now with another system search using Isass.exe (I just typed that with a cap i) :icon_study: :icon_study:

Update: didn't work, when I typed in a cap i the actual type that showed was a typical i ya know like an i beam. Got no results at all :!: :!: I'm going to go ahead and send MS this batch file change and see what they say.


If you mean a copy of Paul's "fix" I can do that. I just put the whole thing in notepad and can email it to MS

:haha: :haha: I sure hope it doesn't come to tossing it out the window. Last resort is clean install :cry: :cry: :cry: Get this, MS told me to make a screen shot of the error and then open mspaint and do some clicking around and then save to an email. Well no matter how you cut it, it ends up an attachment. Well they told me not to send it as an attachment cause it will be lost :!: :!: :!: So I took matters into my own hands (long story short) I opened a new email and went to insert and selected picture went to browse and selected screenshot and clicked OK and guess what? Picture is IN email :!: :!: :!::icon_scratch: :icon_scratch: It seems that is what they should have a guy do in the first place

That kind of thing really builds your confidence in MS support doesn't it... :evil6: :whaa: :angry3:  You're right.  That's what they should have recommended.  A little surprising that ms doesn't take attachments though...  Must not have much confidence in the security of their OS products either...  :haha: :haha: :haha:
