rikkkki Posted June 14, 2005

I finally got the lsass.exe plague Saturday! The little window that pops up tells you "Object Name Not Found". If you click OK or X it out, it will reboot. I did find out that if you wait maybe ten minutes or so, then when you close the window it will not reboot. Still a pain. Sunday I went down and bought XP Pro and installed it, and guess what? It's still there! Any ideas on how to rid myself of this pest?
peepnklown Posted June 14, 2005

lsass.exe = Local Security Authority Service. It is a system process. It can relate to the Windang.worm, irc.ratsou.b, Webus B, MyDoom L, Randex AR, Nimos.worm (so even if you removed these worms, lsass.exe is a system process).
rikkkki (Author) Posted June 14, 2005

Well, I have scanned my puter every which way but sideways, including in safe mode. Can't find any virus. If I could just get rid of the dialogue box, and not the lsass.exe for sure, then I would be in good shape!
Guest helloimtim Posted June 14, 2005

I would guess there is something in your start up that would cause this. Startup Inspector is a handy little free program that will tell you what is starting when your machine does. Hit the Consult button and it will tell you what is important and what is not. Here is a link: http://www.windowsstartup.com/ You can disable the start up process using this program as well. A lot of people will tell you to use msconfig. I do not recommend doing that unless you're 100 percent sure you know what you're doing. You may by accident kill a start up that Windows needs. Have you tried HijackThis? That's a really cool program. After you run it you can do one of two things. Post the log results in a forum and have someone read them. Or there are two automated sites that will read them for you and suggest what to delete. If you wish I can give you the links. I have used the automated sites for a year or more. Did what they recommended deleting and never crashed Windows once.
peepnklown Posted June 14, 2005

If you are using Windows XP you can disable all of the start up programs (using msconfig) without harming anything.
cholla Posted June 14, 2005

69 RAT: I don't have XP, but I did some web surfing. Here are some links that might help:
http://www.2-spyware.com/file-lsass-exe.html
http://www.enigmasoftwaregroup.com/affiliate/link.php?ref=42&productid=4
http://www.computing.net/cgi-bin/AT-search.cgi?mode=concept&search=Lsass.exe&forum=WindowsXP&sp=sp&x=28&y=3
Guest helloimtim Posted June 14, 2005

I should have said that a bit differently, but I still think the same. If you're not sure what you are doing, I really, really don't recommend playing with msconfig. While yes, changing the startup will not hurt a thing, some may tend to think they need to play with the boot files. That could turn into a bad thing. That is why I always try to steer those that are unsure away from msconfig.
cak46 Posted June 14, 2005

Sounds like a Sasser variant to me. Here's a link to info on it: http://vil.nai.com/vil/content/v_125008.htm#Symptoms Download and use this to scan and clean it out: http://download.nai.com/products/mcafee-avert/s-t-i-n-g-e-r.exe If that doesn't work, there is a manual workaround on the first link above. Sasser is a pain in the butt, but I've removed it from a couple of systems. If you want, watch the processes under Ctrl+Alt+Delete, then the Processes tab. If you end the random numbered processes, more will appear. avserve2.exe is the primary process, but the random processes also will restart avserve2.exe. If you're quick enough, you can stop the shut down process. Some systems boot, then auto shutdown within 30 seconds or so of the bootup. EDIT: This is what I had to do with one system that needed cleaning...
rikkkki (Author) Posted June 15, 2005

Wow! So much info! Thank you all!
netmasta Posted June 15, 2005

From searching on http://support.microsoft.com, it sounds like it could be related to the Sasser worm. More info here: http://www.microsoft.com/security/incident/sasser.mspx
cak46 Posted June 15, 2005

> From searching on http://support.microsoft.com, it sounds like it could be related to the Sasser worm. More info here: http://www.microsoft.com/security/incident/sasser.mspx

Thought I already said that....
rikkkki (Author) Posted June 15, 2005

Well, I just ran Microsoft's Malicious Software Removal Tool and came up with nada. I sure hope that Microsoft comes
cak46 Posted June 15, 2005

If you want, download and run a scan with HijackThis, then post the results. Might be able to see something running at start up. Edit: Link to download HijackThis: http://www.majorgeeks.com/download3155.html
rikkkki (Author) Posted June 15, 2005

OK, I'll give it a try. Back soon.
rikkkki (Author) Posted June 15, 2005

I already got rid of "House Call Control". It is not something that I'm familiar with at all.

StartupList report, 6/14/2005, 8:49:37 PM

StartupList version: 1.52.2
Started from : C:\Program Files\HIJACK\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACK\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Logitech Utility = Logi_MwX.Exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MPFExe = C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=9vs7sxtxnn585u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Update Check (DAVE-Martine).job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{13E23C9E-3018-4AC1-B998-C08BF1814DB0}]
CODEBASE = http://ftp.gurunet.com/pub/cabs/GNInstaller.cab

[iCC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Microsoft.WinRep]
InProcServer32 = C:\WINDOWS\System32\Winrep.dll
CODEBASE = https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\McGDMgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

[shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,920 bytes
Report generated in 0.016 seconds

Command line options:
Guest helloimtim Posted June 15, 2005

Try these two links. They are safe and really work great. I have trusted both for over a year, and I have no idea how to read HijackThis logs. Both sites do that for you. Never crashed my XP once. http://www.hijackthis.de/ or http://www.help2go.com/modules.php?name=HJTDetective
cak46 Posted June 15, 2005

69Rat: Since you're working with MS, you might want to show them this entry:

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=9vs7sxtxnn585u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Here is information on what AppInit_DLLs does. Could possibly be the problem. http://support.microsoft.com/default.aspx?scid=kb;en-us;197571 I'll continue to research...... Edit: Some viruses are known to use this entry in the registry to load on boot. Try searching for 9vs7sxtxnn585u.* with find/search for files and see what comes up and where it is. Link for some information on viruses associated with this registry entry: http://www.google.com/search?hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=AppInit_DLLs+virus&btnG=Search BTW: Make sure, if you have rebooted since the last HijackThis run, that you run it again and make sure the file name hasn't changed for this registry entry....
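Added example, not part of the thread or of HijackThis / the log-analysis sites it mentions: a small Python triage script for a StartupList report like the one rikkkki posted. It flags the three things the thread circles around: a populated AppInit_DLLs value (cak46's point just above; the value is loaded into every process that links user32.dll, which is why a stacked ".dll.dll.dll" name there is so out of place), the avserve2.exe and "random numbered" processes cak46 described for Sasser, and Run entries that name a bare executable with no path. The embedded report is constructed, modelled on the posted log but not copied from it; the `<digits>_up.exe` shape for the random-numbered processes is an assumption, as is the placement of those processes in the sample.

```python
"""Triage a StartupList / HijackThis report for the indicators discussed in this thread."""
import re
from typing import List, Tuple

# Constructed sample excerpt in StartupList format, modelled on (not copied from)
# the report posted in this thread. The numeric-named process and its location
# are assumptions used to exercise the checks.
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\avserve2.exe
C:\WINDOWS\system32\17846_up.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Logitech Utility = Logi_MwX.Exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
--------------------------------------------------
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=9vs7sxtxnn585u.dll.dll.dll.dll
--------------------------------------------------
"""

SECTION_HEADERS = {
    "Running processes:": "processes",
    "Autorun entries from Registry:": "autorun",
}

# avserve2.exe is the Sasser process named in the thread; the "<digits>_up.exe"
# shape is an assumption standing in for the "random numbered processes" the
# thread describes.
SASSER_PROCESS = re.compile(r"^(avserve2?\.exe|\d{4,}_up\.exe)$", re.IGNORECASE)
APPINIT = re.compile(r"AppInit_DLLs=(.*)$", re.IGNORECASE)
Finding = Tuple[str, str]  # (severity, message)


def first_token(command: str) -> str:
    """Return the executable part of a Run value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage(report: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if line.endswith(":"):          # any other section header
            section = None
            continue

        # AppInit_DLLs is loaded into every process that links user32.dll, so a
        # non-empty value on a home PC deserves a look; stacked .dll suffixes more so.
        m = APPINIT.search(line)
        if m:
            value = m.group(1).strip()
            if value and not value.startswith("*"):
                msg = f"AppInit_DLLs is set: {value}"
                if value.lower().count(".dll") > 1:
                    msg += " (stacked .dll extensions, not a normal file name)"
                findings.append(("HIGH", msg))
            continue

        if section == "processes":
            name = line.rsplit("\\", 1)[-1]
            if SASSER_PROCESS.match(name):
                findings.append(("HIGH", f"Sasser-style process running: {line}"))
        elif section == "autorun" and " = " in line:
            entry, _, command = line.partition(" = ")
            exe = first_token(command)
            # A bare file name is resolved through the search path at logon, so a
            # planted copy earlier on that path would run instead of the real one.
            if exe and "\\" not in exe:
                findings.append(("INFO", f"Run entry '{entry}' uses a bare file name: {exe}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print(f"[{severity}] {message}")
```

It is a filter for eyeballs, not a verdict: AppInit_DLLs is occasionally set by legitimate software, and a bare Run name such as Logi_MwX.Exe is usually fine, so treat INFO entries as a reading aid and HIGH entries as the lines to research first.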
cholla Posted June 15, 2005

69 rat & cak46: I put in this link http://www.enigmasoftwaregroup.com/affiliate/link.php?ref=42&productid=4 I tried it & it was a DL for Spy Hunter version 2.0.1086. The site said it would get rid of the Lsass.exe. I ran it on my OS, but I do not have the Lsass.exe virus, so I can't say it will remove it. It looked like just another anti-spyware program to me. One thing I found said don't delete Lsass.exe from the system32 folder.
cak46 Posted June 15, 2005

> 69 rat & cak46: I put in this link http://www.enigmasoftwaregroup.com/affiliate/link.php?ref=42&productid=4 I tried it & it was a DL for Spy Hunter version 2.0.1086. The site said it would get rid of the Lsass.exe. I ran it on my OS, but I do not have the Lsass.exe virus, so I can't say it will remove it. It looked like just another anti-spyware program to me. One thing I found said don't delete Lsass.exe from the system32 folder.

Cholla: I don't think lsass.exe per se is running on your ME machine. I think it's an NT-only program. Yeah, if you delete that program, you would be in a world of hurt. It's what authenticates (authorizes) you for access to files, etc. for your machine. See: http://www.iamnotageek.com/a/lsass.exe.php for details.....
cholla Posted June 15, 2005

cak46: I didn't think it was on my ME, but since I had DL'd a new anti-spyware program I ran it anyway. It didn't find anything, so I guess Spybot & Ad-Aware are taking care of spyware alright for my OS. Because some members were saying how good Kaspersky is, I went to their site. They have a beta web search scan (this is not the same thing as their online scan for a single file); anyway, it scans your PC for viruses like you had the Kaspersky program, it just does it online. I ran it twice & it found zero viruses, so I guess my AVG is finding everything.
cak46 Posted June 15, 2005

> cak46: I didn't think it was on my ME, but since I had DL'd a new anti-spyware program I ran it anyway. It didn't find anything, so I guess Spybot & Ad-Aware are taking care of spyware alright for my OS. Because some members were saying how good Kaspersky is, I went to their site. They have a beta web search scan (this is not the same thing as their online scan for a single file); anyway, it scans your PC for viruses like you had the Kaspersky program, it just does it online. I ran it twice & it found zero viruses, so I guess my AVG is finding everything.

Good deal. I've never seen a registry entry like the one 69Rat has. Very odd. All those .dll's on the end of the file name are very suspicious.
cholla Posted June 15, 2005

cak46: I haven't had the chance to look around in an XP registry, but I never found anything like that in 98 or ME. I had a trojan that got in with a DL called Zipitfast, an unzipping program. I did some research & found that Stinger would get rid of it in safe mode. That's when I got Stinger & it worked. I don't remember the name of the trojan now.
cak46 Posted June 15, 2005

> cak46: I haven't had the chance to look around in an XP registry, but I never found anything like that in 98 or ME. I had a trojan that got in with a DL called Zipitfast, an unzipping program. I did some research & found that Stinger would get rid of it in safe mode. That's when I got Stinger & it worked. I don't remember the name of the trojan now.

It looks like that option was available as far back as Win95, according to the MS KB article. Self-replicating viruses using RPC and other exploits are the worst. One virus I remember propagated between machines as fast as the virus could create random IPs and send itself out. In a matter of 30 seconds I went from 20 clean machines to 10 at work. Luckily, I had mostly '98 machines and the virus was built for NT/2000 or above. Can't remember which one it was, but it was quick and efficient. Used Stinger to get rid of it, like you got rid of yours.
Guest philp Posted June 16, 2005

You guys should check this page out: http://www.answersthatwork.com/ Click "Task List", click the "L", and then scroll down to "lsass". Not saying it will fix anything, just saying it should be read first.
cak46 Posted June 16, 2005

Philp: That's a great resource! It looks like his lsass.exe is referenced correctly, the only difference being that the lsass is not capitalized in his HJT list. Do you think that is significant?