
Lsass.exe


rikkkki


Yes I saw hidden stuff and I think I posted some of them, but I don't remember what. Wait I think it had something to do with my network connections, remember that (Via vs Nvidia) that's all I remember at this time. I just ran Ewido and came up with one reg cooty. Atomica was all I got out of it and I cleaned it. I'm getting "Anti" poor. Everything you said is true (above post) but let's not forget the "stupid" I did when I tried to end process on lsass on the day that the error popped up. That still puzzles me a great deal. The 60 sec doom only happened once which still makes no sense at all. Will look at mail now

EDIT Nothing in the MS mail, just wants me to update them on my "progress"  :roll: :roll:


If you ended that process today, the 60 second message would come up.  Now, if something was updating like anti something, or adware something when you ended that process, maybe that triggered the corruption?  I have to sign off for the eve but will return tomorrow.  :icon_salut::wave:


No, cause I tried that later and it did not end or give me the doom, it just came up and said "important for windows to run, etc"

EDIT Sorry you had to go but it's late for sure. I just got a flash, my AdWatch MIGHT have been running and it is one thing I have not U/Installed, cause it is a pain in the butt to do so,,,,,,,,,, still,,,,,,,,,,,it's a thought. I just ran AdWatch and AdAaware and on both ditties I got 3 different warnings that McAfart was trying to alter and or connect to the internet, which doesn't make too much sense since McAfart is supposed to be GONE :!: I will run a search right now and check that out, Nighty Nite :wave::icon_salut:

If I would have realized that before....... :oops: :oops:  Damn, I'm gettin' old....  You probably ended a "cootie" as you call it.  In the mean time, run your scans and Ewido, from safe mode, no networking.  Try to update ewido first before you boot to safe mode.  Something just ain't right in texas.  One question, when your machine is just idling (you're not doing anything), do you have any activity on your cable modem or router? (Make sure the kit. machine is down to look at this).  Some bugs are good at staying ahead of the anti-virus, adware, etc.  They update themselves automatically, and the remote servers can push an update if the spyware, etc. is running.......  Also, before you reboot, shut down internet explorer or any other browser and wait a few minutes.  Now, go to a command prompt and type netstat.  This utility shows what ports are open and the remote and/or local machine ip address or computer name.  If your machine does have active ports, list the foreign host and port names.

BTW:  This is my computer talking to itself......

You should have no ports open.  It will look something like this if there are ports open


Cholla:  Yeah, the problem is that even if you view your processes (2K or above) in TaskManager, the smart ones hit as a sub-process under Explorer or some other normal system process.  We have msdos, we don't need ewido.... :D


Hi guys. cak46. I will try what you said. Avast! so far has been updating defs everyday  :D :D They seem to be on top of it, for sure. Also I will post my netstat now for the running part and then post the "non-running" part later.

I also have to write to MS and skate on that deal for the time being,,, :roll: :roll:


Any idea why you would have a secure connection to an unnamed microsoft server?  See arin results for the https entry:

IP Whois Results:

    Connecting to whois.arin.net...

    OrgName:    Microsoft Corp
    OrgID:      MSFT
    Address:    One Microsoft Way
    City:       Redmond
    StateProv:  WA
    PostalCode: 98052
    Country:    US
    NetRange:   207.46.0.0 - 207.46.255.255
    CIDR:       207.46.0.0/16
    NetName:    MICROSOFT-GLOBAL-NET
    NetHandle:  NET-207-46-0-0-1
    Parent:     NET-207-0-0-0-0
    NetType:    Direct Assignment
    NameServer: NS1.MSFT.NET
    NameServer: NS5.MSFT.NET
    NameServer: NS2.MSFT.NET
    NameServer: NS3.MSFT.NET
    NameServer: NS4.MSFT.NET
    Comment:
    RegDate:    1997-03-31
    Updated:    2004-12-09
    TechHandle: ZM39-ARIN
    TechName:   Microsoft
    TechPhone:  +1-425-882-8080
    TechEmail:  [email protected]

Could not resolve the hostname or ping the server or net device (timed out)??
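Added example, not part of the original thread: a small Python triage of the netstat check suggested above, which drops the loopback "computer talking to itself" rows and labels remaining established connections by netblock, using the 207.46.0.0/16 range from the ARIN result. It assumes numeric `netstat -an` output in the Windows layout; the sample rows and addresses are constructed.

```python
import ipaddress
import re

# Netblock label taken from the ARIN result quoted in the thread.
KNOWN_NETBLOCKS = {"MICROSOFT-GLOBAL-NET": ipaddress.ip_network("207.46.0.0/16")}

# Constructed sample of `netstat -an` output; every address is a made-up value.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    192.168.1.20:1042      207.46.0.10:443        ESTABLISHED
  TCP    192.168.1.20:1050      198.51.100.7:80        TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# UDP rows carry no State column, so the fourth field is optional.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per connection row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append({"proto": proto, "local": local,
                         "foreign": foreign, "state": state or ""})
    return rows


def remote_connections(rows):
    """Established sessions to non-loopback IPs as (ip, port, netblock label)."""
    found = []
    for row in rows:
        if row["state"] != "ESTABLISHED":
            continue
        host, _, port = row["foreign"].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # wildcard or hostname; rerun netstat with -n
        if ip.is_loopback:
            continue  # the machine talking to itself
        label = next((name for name, net in KNOWN_NETBLOCKS.items() if ip in net),
                     "unknown")
        found.append((str(ip), int(port), label))
    return found
```
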


No. And I just ran same netstat after being off my browser and mail. One entry remained and it is the same 207,,,,, address as above listing. I don't get it at all. Could it be an MS cootie  :?:  I also ran PC rescue and had a hell of a time getting rid of the last two McAfart reg entries. Both start-up items. AdWatch popped up with both of them, too. Seems to be gone now, though.


I have pinged the ip from two different places (TUT and command prompt) and all attempts timed out. :( And unfortunately I cannot block it with the ZoneAlarm freebie that I have, if that would make any difference in the first place.


Yeah, I think php is right.  With the mcafee, good that they are gone!  Been working on that hp for a while.  Keeps coming up with a trojan-dropper, but ewido intercepts it.  Still getting the error on boot after getting rid of the mcafee on-boot loads?

PHP is probably right, especially since update was active on your machine.  (Good Catch, PHP!)


Thanks.. I thought of it because the machine I'm working on has a nasty virus that blocks explorer.exe, iexplore.exe, and Automatic Updates from running (maybe more that I haven't found yet)


I will reboot now and see what happens. BTW, TUT does not have anything good to say about any auto-updates. says that they can cause problems down the road,,,,,,,I will make sure one more time that Mcafart is gone and then re-boot. BTW I'm sure it was running when the error came up as I have always had it operational.

Do a search for the two files being referenced.  If they are there, then it might not be them... If they aren't, it is possible the keys are the issue.  Disable system restore and try killbox to remove the files.  (You can disable adwatch temporarily while you edit the reg., I believe)

http://www.scancomplete.com/download/killbox/

I must bid you adieu for the night.  5:00 am eastern comes pretty quick.  If you could, run another bootlog.txt  (Hit F8 then select boot logging) and then post it.  Also note if it drops you into safe mode or regular boot.  Might want to consider manually removing entries for dlls, exes that don't load when the system boots.  This depends on whether you go into safemode or not, and I can't remember.  That samsung cd driver comes to mind.  Do you remember if that was the manufacturer of your prior cd-rom?

Catchya in the afternoon......(your time)  Your machine is makin' me  :icon_shaking:  :haha: :haha:


Well, this is NOT good news. I can't run bootlog  :? :? It takes me straight to Windows and the desktop  :mad2: The first time it took me to the DT so I clicked on my wheel button to bring up the window for shutdown/restart/sleep, etc, like I always do and all of a sudden the error went away and it re-booted  :!: So I did it again, selected "enable bootlogging", and hit enter and it took me to the DT again  :!:  What the hey. I don't figure this at all, I mean, it's a boot thing, it's not supposed to be in windows,,,,

BTW McAfart is gone so no need to run the Kill thing, but this other problem has ME  :icon_shaking: :icon_shaking:

BTWX2 My DVD Rom(old unit) and my combo drive(new unit) are both LiteOn brands. The DVD Rom drive is JVC LiteOn (mfg) and I'm assuming that the combo is too. But if I had to find out for sure, I would have to take it out of the machine to take a peek. Any ideas  :? :?


If you selected bootlogging after hitting F8, then there should be a new log entry in the bootlog.txt for that boot. 

Try this to increase the amount of info put into your event logs and possibly the bootlog.txt file:

Obtained from: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Eventlog/W2KXP.NETenableverboseeventmessages.html 

Use registry editor and change/add this DWORD value:

go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

See if this DWORD already exists and if not, add it by right mouse clicking on the system(folder shaped in left window) then select New DWORD then name it VerboseStatus    Next, double click on the new verbosestatus entry and set it to 1

If it already existed, change the value to 1

Now, go ahead and check for this under the same key (system):

 

An additional value called "DisableStatusMessages" forces status messages to be disabled, make sure this value does not exist or is set to "0". (DisableStatusMessages REG_DWORD 0x00000000 (0))

More instructions:

http://www.techspot.com/vb/topic12413.html

If you are uncomfortable with registry editing, use the alternate way in the first link to turn on verbose logging.  Always remember, backup the registry prior to editing it!  :)

Edit:  For various reasons........  :)
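Added example, not part of the original thread: a Python check of the two policy values described above, run over text captured from the key. It assumes the text is `reg query` output for that key; the sample output is constructed and deliberately shows both values in the wrong state.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed `reg query` output for the key above (both values misconfigured).
SAMPLE_QUERY = POLICY_KEY + """
    VerboseStatus    REG_DWORD    0x0
    DisableStatusMessages    REG_DWORD    0x1
"""

# Value rows are indented: name, type, data. The key path row is not indented.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_values(text):
    """Map lower-cased value names to their data (DWORDs converted to int)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, kind, data = m.group(1), m.group(2), m.group(3).strip()
        # Registry value names are case-insensitive, so normalise them.
        values[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def verbose_status_problems(values):
    """List what still has to change for verbose status messages to appear."""
    problems = []
    if values.get("verbosestatus") != 1:
        problems.append("VerboseStatus must be a DWORD set to 1")
    # A missing DisableStatusMessages is fine; only a non-zero value blocks messages.
    if values.get("disablestatusmessages", 0) != 0:
        problems.append("DisableStatusMessages must be absent or set to 0")
    return problems
```
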


Hey cak46.  :) Before I do the reg thing I just want to show you my mail I sent to MS (on the bottom) and their reply (on the top) that I got at 6:00 AM this morning. I read it and replied with something like "how bout my boot.ini. Will that stay intact?" (paraphrase) BUT you will notice that NOW he's talking about being able to transfer my stuff over to the new install. Well, I don't remember getting that from the previous mail. Remember the "test" part he was talking about in that one? And there was never an indication from his previous mail that what he told me to do was only step 1. Hmmmmmmmm. Well, anyhow, see what you think about it. OK, off to the reg, back soon,,,,,,,,,,


You will be able to transfer data files just fine.  It's your installed programs and personalized settings that will need to be redone.  (Along with the parallel install).  Ask him directly if there is a way to transfer your programs and settings and see what he says.  Of course, one of those programs might be the problem too....... 

I had a thought on your mouse.  Why not uninstall any software associated with it, then delete it from the device  manager, then shut down, hook up your other mouse, then restart.  Just make sure to uninstall any software involved with it first.  Try it for a day or two and see what happens?  The wheel thing bothers me... sometimes it works, sometimes it doesn't.  Could be a short there causing the problem....
