615 replies to this topic

[cak46]

Quote

I had already tried a search with the registry but of course that's not a file. Then I just now tried a search of the value and came up with nothing. The funny thing is this started on Saturday when I was right in middle of researching lsass.exe and when I was " ending process" on task manager. When I clicked on lsass a window came up and told me that this cannot be deleted, so I clicked OK. and that was that. I was having trouble installing a new game, support told me delete everything except explorer and system tray. Well with XP that cannot be done. Later in the afternoon the window started popping up

No, search your hard drive, not the registry, for the file.  Has to be somewhere or it has been removed and the entry, which may be in win.ini, or one of the other ini files, is a dead call. 

Pauls fix:  Looks like he is changing the attribute of the file but not absolutely sure.  If all those files are supposed to use shared then it may function correctly.  Don't know enough about writing batches for command line in XP to say whether it will do what it is supposed to do or not.  Also, I did not see a post in the other forum saying that it had worked for someone either.   If you're at the end of your rope and plan on doing a full blown reinstall anyway, I would try it at that point.  Further down in the other forum it spoke of copying the files back from the xp cd, which might be a good idea as well heres a link to the search suggested in the other forum: http://support.micro...lsass error   I guess it comes down to that in the worst case scenerio you'll need to format your HD, or at least delete the windows directory, and do a full blown re-install but if the batch file works, you're golden.  I would like a copy of the that funky file if you can find it on your hard drive.  Like to kick the tires on it, so to speak. 

[rikkkki]

HI cak46 I guess I was mixing two things with one. I searched the registry for the multiple dll thing and the hard drive for the lsass.exe. Microsoft finally came out of their shell and told me to go ahead and delete the dll entry/no results. I now have two entries on HD for lsass, one is right where it's supposed to be and has no virus and the other is in the Windows/software distribution/download file. Looks legit. They also had me turn off all services except MS and all startups/ no results. I just sent them a screenshot of my screen with the error on it. Still waiting for a word about that. I also noticed that Paul's fix was never replied to Hummmm, I can do what he says, but I'm not sure I could undo it

[cak46]

You could cut and paste the batch file information and send it to ms for a quick once over.  From looking at the search on MS, they have had a good number of problems with lsass.
Edit:
Yeah, thats why I'd only do it as a last resort to prevent the computer from mysteriously going out thru the nearest window  . 

[rikkkki]

If you mean a copy of Pauls "fix" I can do that. I just put the whole thing in notepad and can email it to MS

I sure hope it doesn't come to tossing it out the window. Last resort is clean install Get this, MS told me to make a screen shot of the error and then open mspaint and do some clicking around and then save to an email. Well no matter how you cut it, it ends up an attachment. Well they told me not to send it as an attachment cause it will be lost So I took matters into my own hands (long story short) I opened a new email and went to insert and selected picture went to browse and selected screenshot and clicked OK and guess what? Picture is IN email   It seems that is what they should have a guy do in the first place

[cholla]

69 RAT: I don't think this is a problem you are having with XP but here is something I found while looking about the problem with 98.98SE & ME aparently the capital I in these OS's looks just like the small L. Some hackers were hiding a virus this way I'm going to post examples of how it looks since I have ME I don't know if it will look that way on an XP OS.
Ilsass.exe this one has a capital i for the first letter
llsass.exe this one has 2 small L's
On my PC they look identical.

[cak46]

Quote

If you mean a copy of Pauls "fix" I can do that. I just put the whole thing in notepad and can email it to MS

Couldn't hurt.... Sounds likeMS is a bit baffled with this one.  Maybe you'll be helping them out.    That would be a hoot.  You contact MS and find the fix for them, instead of them fixing it for you.....  I just find that kinda ironic. 

[rikkkki]

Very interesting I just did a system search using a capitol L and came up with same results. BUT I have noticed that on different forums/sites that it is spelled the two different ways and I'm wondering if somewhere there might be a difference. When I type capital L and small l It's two different things as you can see. Hold it. The capitol I is the same as the small l . The mystery continues

[cholla]

69 RAT: what I was saying is the capital I (i) looks like the small l (L) .
This is a capital  I (i)
This is a small l (L)

[rikkkki]

You're right Cholla, they look identical. I caught it myself and edited my previous post. I wonder if our systems could misread this Naaaa do ya think? I'm going to try it right now with another system search using Isass.exe (I just typed that with a cap i  

Update: didn't work, when I typed in a cap i the actual type that showed was a typical i ya know like an i beam. Got no results at all :!:I'm going to go ahead and send MS this batch file change and see what they say.

[cak46]

Quote

If you mean a copy of Pauls "fix" I can do that. I just put the whole thing in notepad and can email it to MS

I sure hope it doesn't come to tossing it out the window. Last resort is clean install Get this, MS told me to make a screen shot of the error and then open mspaint and do some clicking around and then save to an email. Well no matter how you cut it, it ends up an attachment. Well they told me not to send it as an attachment cause it will be lost So I took matters into my own hands (long story short) I opened a new email and went to insert and selected picture went to browse and selected screenshot and clicked OK and guess what? Picture is IN email It seems that is what they should have a guy do in the first place

That kind of thing really builds your confidence in MS support doesn't it...   You're right.  Thats what they should have recommended.  A little surprising that ms doesn't take attachments though...  Must not have much confidence in the security of their OS products either... 

[rikkkki]

Boy, you got it I'm right now trying  to get a clean copy of Paul's fix into an email and send it to MS. Some of the symbols are changing in the translation so I think I'll just send them the link so they can read it for themselves. I hope I don't have to show them how to do that

[cak46]

Quote

Boy, you got it I'm right now trying to get a clean copy of Paul's fix into an email and send it to MS. Some of the symbols are changing in the translation so I think I'll just send them the link so they can read it for themselves. I hope I don't have to show them how to do that

Sounds like a plan!  (you may have to show them by the sounds of the tech you're dealin' with.......)
BTW:  Did you find that .dll.dll.dll file on your hard drive?

[rikkkki]

Yes, I just cleared the last registry key a minute ago. This was the one thing that MS told me to do. That dll entry thing is gone.

[cak46]

Quote

Yes, I just cleared the last registry key a minute ago. This was the one thing that MS told me to do. That dll entry thing is gone.

Good.  But did you search your hard drive for the file?  Even though the entry is gone from your registry, the file will still exist on your hard drive.  If you want, do a seach for it and see if it's there.  If it is, do another post and attach it.  I'd like to take a look at it. 

[rikkkki]

Well I cleaned the system earlier today with HJT and selected FIX and it went away. For some reason it did not save to backup Wait a minute. I might be able to find it in a log file and select and paste it in the search box although I think I did this already but forgot. I shall try and see......................

Back again. I did try it before. No dice. "Not a valid file",,,,,,,,,,,,,,,,,,,

[cholla]

69 RAT Glad the i L wasn't the problem like I posted it was probably for ME & older/But it didn't hurt to check.I guess MS worked out the i L bug with XP.Aparently XP uses an i beam type i thats how it always should have been.On a system where they look identical it would hide it pretty well.

[rikkkki]

Ya dead end there.    I might get some action tomorrow from MS , I don't know but I sent them the "batch file fix" link and a pic of my screen, maybe they'll come up with something.

Here's a link to the screen shot if you've never seen one.

http://home.Comcast....lric/test_2.JPG

I just noticed the pic is kinda broken, I don't know why. I just listed two items on Ebay and those pics are also not 100%. I don't know what the term would be, just some of the "lettering" is not clear.

[resijs]

That's funny, I get over 36,000 results with isass.exe and 338,000 with Lsass.exe, top pick for isass.exe was some information on a virus. There's also another virus called mydoom that is Lsass.exe.

http://www.auditmypc...ocess/lsass.asp


Update : I found that it is indeed an L.

http://www.liutiliti...slibrary/lsass/

Also, here is your exact problem on another forums, you must sign up for it though, and it costs $10 a month just to view. =(

http://www.experts-e...Q_20958211.html



Here we go! Sasser worm, I'm sure you've heard of it and it must be manually uninstalled.

http://securityrespo...moval.tool.html

Use that and see if it gets rid of it!

IMPORTANT :  You must make sure you are fully updated with Windows or else it'll keep on coming back!

More information here.

http://securityrespo...ser.b.worm.html

and

http://securityrespo...asser.worm.html

And lastly, and most importantly.

http://www.ozzu.com/ftopic24247.html

I hope this all helps, if not... Then I'm stumped!


make sure to turn "off" system restore.


Also, if "that" didn't work... Then disable RPC.

1- start-programs-administrative tools-services
2- locate the: Remote Procedure Call (RPC) and open it
3- choose recovery botton then select -Take No Action- for the three pulldown menus


Hope this helps.

[rikkkki]

Hi all Well I just ran Paul Ramsey's "fix" twice and it didn't work For those of you are not familiar with this, the link is on page three about half way down.I typed it in exactly as written but no results. I tried disabeling one of the rpc's in my services, one that looked suspicious, and that got rid of it (the error) and my task  tray and 90% of my services stopped working as well So back to square one. I'm very sure it's not a virus, I do not get the 60 second countdown and I can still do all of my puter needs and after a few I can just delete the error and it goes away,,,,,,,,,, till next boot. I now have XP Pro. It started when I had Home  the day before I updated to Pro. No word from MS today but  yesterday they told me ( believe this or not)  to go ahead and RUN Paul Ramsey's fix and see if it helps   Hummmmmmmmmmmm. I wonder if they have anything else up their sleeve? Except the dreaded " Well, we suggest that we make a clean install" 

[resijs]

You didn't check for the sasser? DO IT