Lsass.exe


rikkkki


Hi. Not at all. That has always been the final possibility. But cak46 mentioned awhile back he hates to lose to a computer and in a way I do too. A clean install would fix it I'm sure, but then we would never know what caused it, and this may be one "for the books". Besides, have you noticed how many have viewed this?? It must be generating some kind of interest somehow. A clean install could happen, though; this last weekend I was burned on the whole deal so we'll see how long we (or I) can hold out. There's got to be a fix in there somewhere. Other forums don't seem to be much better or more thorough than this one, although a virus is usually the cause. Well gotta go. Keep in touch :) :)


Also I might add, there's got to be some people out there that would love to find out what's causing this just in case it might happen to them. :haha::evil6:


Yeah I've banged my head a few times not wanting "it" to win either.

There have been a few times when I was bound and determined to find out what was causing this or that, and I tried so many things that when I did get it fixed I wasn't sure what it was that fixed it ..LOL!

I have been following your thread quite a bit and wished I could contribute, but it seemed anything I thought of you guys already did.

Wish I could help more... :cry:

I do things (BAD THINGS) to this poor PC all the time just experimenting, so that I reload XP about every month just cuz I like that fresh install.

Got it down so pat that installing it and the many programs I have only takes about 2 or 3 hours.

Well good luck with it...Have a good one


Thanks for the input. Ya, I have two partitions also, and it seems to me that it would be easy to just install XP onto the one partition and then transfer all my goodies over and then delete the first copy of XP. Apparently, that's not what MS wants me to do. They want me to do the parallel install (in the same partition) and THEN transfer over my goodies. BUT, if I do that BEFORE we find this, then what's to say I don't transfer the "cooty" over with MY stuff? (if it's in my stuff) It's kinda difficult to decide which way to go without finding the culprit first.  :? :?


May have found something.  Will need to do a bit more research, but here is where I am at: The lsass error occurs at 4:36:07pm in the app evt log.  In the Security evt log, this program Advapi executes at the same time.  Did a lookup at Castlecops, please see link: http://castlecops.com/startuplist-146.html

I have to look deeper to see if this file is at all legitimate but from my soft search, the answer is no:

See google search: http://www.google.com/search?q=advapi&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official

Don't do anything with it till I see if I can get a clear-cut answer on that file.  Back to ya soon.....

Edit:  Here is an interesting search result!  http://www.google.com/search?q=advapi+legitimate&hl=en&hs=BJj&lr=&client=firefox-a&rls=org.mozilla:en-US:official&start=0&sa=N


Sorry about the double post: 

Here are the entries from your app events log at 4:36:07:

7/19/2005 4:36:41 PM PDSched Information None 0 N/A Service started
7/19/2005 4:36:07 PM PDEngine Information None 0 N/A Service started

These are tied to your auto defrag program.

Here are the entries in your security log:

7/19/2005 4:36:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: )
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

7/19/2005 4:36:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: )
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"

7/19/2005 4:36:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\LOCAL SERVICE "Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: )
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

7/19/2005 4:36:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\LOCAL SERVICE "Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: ()
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"

And here are the system evts:

7/19/2005 4:36:07 PM Application Popup Information None 26 N/A Application popup: lsass.exe - System Error : Object Name not found.

I stripped out identifying features, for your computing safety  :)

I do not know for sure if this file is legit or not.  Entries on the MS website are lower case a while in your event logs it's upper case A, same as at castlecops.  I would suggest contacting the MS dude and see what he has to say about it.  I will do a more involved search and let you know what I find if you wish.
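As an added example (not code from anyone in this thread), here is a small Python script that does by machine what the post above does by hand: it parses the Application, Security and System records quoted above, lines them up by timestamp, and for the instant of the lsass.exe popup reports what the other two logs recorded, decoding the 528 logon type and the logon process name along the way. The three record lists are copied from the post; the field names and the parser are my own.

```python
import re
from collections import defaultdict
# Records quoted in the post above, one per line (the poster had already blanked the
# Logon IDs and workstation name); the multi-line descriptions are flattened onto the line.
APP_LOG = ["7/19/2005 4:36:41 PM PDSched Information None 0 N/A Service started",
           "7/19/2005 4:36:07 PM PDEngine Information None 0 N/A Service started"]
SEC_LOG = [
    r'7/19/2005 4:36:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE "Special privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege"',
    r'7/19/2005 4:36:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE "Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate"',
    r'7/19/2005 4:36:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\LOCAL SERVICE "Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege"',
    r'7/19/2005 4:36:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\LOCAL SERVICE "Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate"',
]
SYS_LOG = ["7/19/2005 4:36:07 PM Application Popup Information None 26 N/A Application popup: lsass.exe - System Error : Object Name not found."]
# Logon type codes as Windows documents them (5 = a service started by the service controller).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock", 10: "RemoteInteractive"}
# Timestamp, source, category words, then the first all-digit token is the event id.
REC = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<src>\S+)(?: \S+)*? (?P<id>\d+) (?P<rest>.*)$")
FIELDS = {"user": r"User Name: (.+?) Domain:", "logon_type": r"Logon Type: (\d+)",
          "logon_process": r"Logon Process: (\S+)", "privs": r"Privileges: ([\w ]+)"}

def parse(lines, log):
    """One log's lines -> dicts; unparsable lines are skipped, absent fields stay None."""
    out = []
    for m in filter(None, map(REC.match, lines)):
        rec = {"log": log, "ts": m["ts"], "src": m["src"], "id": int(m["id"]), "rest": m["rest"]}
        for key, pat in FIELDS.items():
            f = re.search(pat, rec["rest"])
            rec[key] = f.group(1) if f else None
        out.append(rec)
    return out

def timeline(*parsed):
    """Merge records from every log, keyed by timestamp, so same-second events line up."""
    tl = defaultdict(list)
    for r in (r for recs in parsed for r in recs):
        tl[r["ts"]].append(r)
    return dict(tl)

def describe(rec):
    if rec["id"] == 528:  # successful logon: report its kind and the logon process that made it
        lt = int(rec["logon_type"])
        return f"528 logon: {rec['user']} type {lt} ({LOGON_TYPES.get(lt, '?')}) via {rec['logon_process']}"
    if rec["id"] == 576:  # privileges handed to that new logon session
        return f"576 privileges for {rec['user']}: {rec['privs']}"
    return f"{rec['id']} {rec['src']}: {rec['rest']}"

def around_lsass(tl):
    """For each instant the System log shows an lsass.exe popup, what the other logs recorded then."""
    return {ts: [describe(r) for r in recs if r["log"] != "System"]
            for ts, recs in tl.items() if any("lsass.exe" in r["rest"] for r in recs if r["log"] == "System")}
```

Run `around_lsass(timeline(parse(APP_LOG, "Application"), parse(SEC_LOG, "Security"), parse(SYS_LOG, "System")))` to get, for 4:36:07 PM, the PDEngine start, both service logons (type 5, logon process Advapi) and their privilege grants side by side.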


Hey cak46. Ya, if you would. I checked today with all 3 logs and they are: App event-PDEngine starts/Sec event-Ipsec services started/Sys event-App error, well you know  :)

All 3 of these happened at exactly 4:38:46 PM

That one site I was on (via your link) mentioned that Advapi.exe is not needed. But it would probably be better to know more about it, for sure. I just counted up all of my scanning utilities last night and I have 10. Not all anti-virus of course, but jee whiz, that's a lot. I ran all last night and came up clean with all of them.  :!:


That's about what I've run so far on the HP on the bench, not including virus-specific removers.

Ewido

Spybot

Ad-Aware

TrojanHunter

Stinger

Hijackthis

AVG-Unsuccessfully at the beginning

avcleaner (AVG's answer to McAfee's Stinger)

Avast

F-bot

(Another bot cleaner, can't remember the name)

Trendmicro sysclean

Killbox(process and program file killer)

MS Anti-spyware

MS Malicious program removal but can't find a damn thing to remove program

Process View (Process viewer and allows you to stop a process)

There are probably more but I can't name them right now.  Good news is I'm on the last profile and only 1 search bar tried to vainly install itself.  Never thought I'd say this, but sp2 is at least a good thing to protect IE settings and ms antispy to stop the reinstall and clean it out.  I plan to do 1 more reboot/scan of each profile, then will declare victory after 3 or 4 weeks!

Will search around some more and you may want to contact Mr. Microsoft  :icon_rr: to see what he has to say about it.  NSA..... HMMMMMMM  :haha: :haha: :whaa:

Edit:  More scans used:

TweakNow RegCleaner

A Squared

RootkitReveal

CWS Shredder


Oh Boy. That's a lot. But after reading what you have done, I actually have done all of what you have except AVG, Killbox and F-bot. But I do have PcRescue that came up clean, I think for the first time. The HP mouse doesn't have a startup key or is in my startups at all. TUT also has a processes, tasks page where I can disable or delete any entry and it shows all tasks, running or not. It's quite a list. I think I posted it earlier,,,,,,,,,,,,,,,,,,,,,,,

OK, I give up,  :) I'll write and ask the MS dude about Advapi.exe. I wonder what "Billy" Gates :tongue2: will have to say about it  :haha:

:haha: :haha:  Probably something like... "Well, you can disable it but we can't guarantee, won't be responsible for, and would you sign this saying we aren't because we really aren't sure that it won't have a negative impact on some of the other running processes so if you could just digitally sign the attachment on this email and send it to us and the NSA, just for backup, in case our server goes down again because of another trojan horse in an attachment of one of our other customers email which we open and run on a regular basis, just to see what they will do."  :lol:

BTW:  Advapi


http://www.motobit.com/help/scptutl/cl51.htm

Just found this.... might be the answer?  Looks like a script object uses this program to impersonate your userid or logon another userid.  Object not found could be a virus file that was removed?  Just a guess......May explain the security entries in the sec. log.... again just a pure guess on my part but it makes sense to me..........

Yeah, that's pretty old.  Kind of disturbing as to what the advapi program does, if the information at the above link is correct.  (Administrator, with no password = free reign with this program) if I understand its usage correctly.


Remember when I made myself Administrator with a password? Well, I still have me in there as User also. I can click on either and it lets me in (password with Admin/no password with user). I think I can find it in my control panel and see just what is listed. Or am I smoking too much?  :haha: :haha:


I just checked via user accounts and only have me as Admin. I could swear that when I boot into safe mode there are two choices  :confused1:

Or is there another place to check this out? I know I've been somewhere else where I can view this info,,,,,,,,


That's what's weird. My Control Panel/User Accounts file has me listed as Computer Administrator but there is a window I had up one time that seemed to have more info listed but I can't remember where,,,,,,,,,,,,,,I'm still thinking  :confused1:


Smokin too much! :haha: :haha: :haha:

No, not really.  This API is over my head but it looks kinda suspicious.  You should be OK with the anti spy/virus programs you're running and that you do have an admin password on board.  Only thing I'm wondering is if there is a thread, whether viral or not, executing the logon process with this program, where is the thread coming from (what program) and what is it trying to execute (since there is an object not found error).  This is "highly" :haha: theoretical and would take someone who knows much more than I about the specifics of this program (advapi) to figure it out.  For that matter, it could be the pdengine calling something that it needs but can't find as well......  Legitimate call by the defragger but the object being called (trying to execute) is missing.  I just do not know.  If we can just get rid of the advapi without thrashing your op sys in the process, then it would be worth the try.  Hence the note to MR. MS.  Easiest way to do it would be with your process killer, then delete the corresponding file, or using killbox and do both at the same time.  I'd wait till MS responds, though........ The rule I live by is "First, do no harm".  An old programmer taught me that about 10 years ago.


You're confusing groups and user IDs.

Administrator is a user id only found when you boot in safe mode. 

Computer administrator is a group of which your user id is a member.

Groups allow a number of users to be assigned certain permissions to files, etc. so instead of assigning each user id the permission, all you have to do is assign each member you want to have the permissions given to the group. 

You have a fiscal dept. of 80 staff.  You want them all to have access to a financial program but do not want them to have access to the Administration directory.  You would create a group named fiscal, assign each member to this group, then give the group access to the fiscal program while disallowing access to the Administration directory. Now, 5 new staff members are brought on board to work in the fiscal dept.  All you have to do is add them to the Fiscal group to give them access to the financial program and preclude access to the administration directory.

This isn't exactly how it would happen but in essence it makes administration of servers and large numbers of users easier to manage.  This help at all?


Ah, OK then I'll change "brands" :haha: :haha:

BTW my task manager doesn't show Advapi at all. I will now go into TUT and see maybe if they have it listed since they list all tasks, running or not,,,,,,,,,,,,,,,,,,,,,,,

Go to My Computer then browse to c:\windows\system32.  I think it may be listed in that folder.


Well I found advapi32.dll in system32 but that's all. I'll check TUT now.

I'm even more suspicious of the file now that it is not in the system32 directory.  If you can't find it with TUT, try Start>Search> then advanced search and select Hidden files and folders then put in the filename.  I must sign off as it is getting on near midnight here, and I don't want to miss the excitement that is my workplace in the 'morrow!    :haha: :haha:  Good evening!  :):cool::wave::icon_salut: