rikkkki (Author), posted June 24, 2005

Yes, this new version of XP Pro comes with SP2. I will try your link right now :(

Edit: Well, no luck there. I
cak46, posted June 24, 2005

Is your Windows Firewall enabled?

BTW: That message on IPsec came back with this (Win2000, but probably applicable):

Event Message: IPSec policy agent changed: parameter PolicySource: parameter parameter
Source: Security
Event Log: Security
Event ID: 615
Event Type: Success Audit
Explanation: This event record indicates that a local group account has been created.

Wait, my stupid. Your audit policy changed, not a local group creation. Disregard.

************

I have to go offline now but will be back tomorrow about the same time. Will do some more research tomorrow. (Back to work in 6 hours.)

Could be a registry entry calling for a driver involved with that program you mentioned (maybe). Before you reinstall it, try cleaning out dead references in your registry. If you have Norton SystemWorks, run the WinDoctor and clean out the dead registry entries (could use one of the other regcleaners, maybe someone has a suggestion on this?)
rikkkki (Author), posted June 24, 2005

Ya, Windows Firewall is now enabled since I took out McAfee last night. Still got the error, though. I really like McAfee, but I can put it back in anytime. Windows does not have near the amount of tweaks that McAfee does. Trouble is, when I'm running their virus and firewall scan, I have about 8 processes/tasks running at any given time, but I guess that's what it takes :!: :!:

Edit: Ya, I thought it was getting a little late for you, thanks for hanging out like you did. Somehow I think there is an answer out there that doesn't require reinstalling :!:

The driver problem is something that I don't know anything about. MS is talking like we are supposed to know what the driver is, or what it belongs to. I have PC Rescue and I use it every day to clean out dead reg keys, etc. When I have the choice of cleaning or deleting I read all entries before doing so, but of course there's always the slight chance that maybe I'm getting rid of something I wasn't supposed to :!: I'm quite sure that I did not run PC Rescue on Sat.

Until tomorrow :icon_salut: :wave:
cholla, posted June 24, 2005

69 RAT & cak46: I'm still watching you work on this. I just don't have anything to add.
rikkkki (Author), posted June 24, 2005

Hey Cholla; thanks for the interest. Somehow I think this can be taken care of without me having to reinstall :!: In some ways, that's too easy!!!!!!!. It won't tell us what causes this and I think we would all like to know, at least for future reference, like the next guy that comes up with the same problem!!!!!!!!!!!!!!!!!!!
cak46, posted June 24, 2005

> Ya, Windows Firewall is now enabled since I took out McAfee last night. Still got the error, though. I really like McAfee, but I can put it back in anytime. Windows does not have near the amount of tweaks that McAfee does. Trouble is, when I'm running their virus and firewall scan, I have about 8 processes/tasks running at any given time, but I guess that's what it takes :!: :!:
>
> Edit: Ya, I thought it was getting a little late for you, thanks for hanging out like you did. Somehow I think there is an answer out there that doesn't require reinstalling :!:
>
> The driver problem is something that I don't know anything about. MS is talking like we are supposed to know what the driver is, or what it belongs to. I have PC Rescue and I use it every day to clean out dead reg keys, etc. When I have the choice of cleaning or deleting I read all entries before doing so, but of course there's always the slight chance that maybe I'm getting rid of something I wasn't supposed to :!: I'm quite sure that I did not run PC Rescue on Sat.
>
> Until tomorrow :icon_salut: :wave:

No problemo! Get a bit punchy around 10:00 or so because I do this 8 or so hours a day at work too....

You are right! It should not require a format and re-install, only time to find the solution..... I have only had to reformat 2 systems in about 15 years of working with systems both professionally and privately.

Also, I agree that MS should at least give you the driver name so that you have something to go on. Microsoft just keeps barrelling along to the next op sys (Longhorn) rollout which inevitably will be heavily bug-ridden, leaving a wake of buggy, mal-programmed, half-completed, massively patched operating systems for the world to endure. (Sorry, a bit of a tirade but MS has a long history of doing this.) I'll try to let it go and "enhance my calm"..... :haha:

Here are a number of questions and things to do. Have a few more, but should probably start here.

A.) Were the following entries in the Application log or the System log?

****************
Details
Product: Windows Operating System
ID: 26
Source: Application Popup

Version: 5.2
Symbolic Name: STATUS_LOG_HARD_ERROR
Message: Application popup: %1 : %2
Explanation: The program could not load a driver because the program user doesn't have sufficient privileges to access the driver or because the drive is missing or corrupt.
User Action: To correct this problem:
Ensure that the program user has sufficient privileges to access the directory in which the driver is installed.
Reinstall the program to restore the driver to the correct location.
If these solutions do not work, contact Product Support Services.

Version: 5.0
Symbolic Name: status_log_hard_error
Message: Unable to Load Device Driver : device driver could not be loaded.
Explanation: The program could not load a driver because the program user doesn't have sufficient privileges to access the driver or because the drive is missing or corrupt.
User Action: To correct this problem:
Reinstall the program to restore the driver to the correct location.
If these solutions do not work, contact Product Support Services.
*************

If they were both in one log, look at the other log to see if there is a corresponding entry. That entry might give us more info on the driver.

I can't remember, does it do the "object not found" error in safe mode as well?

Hijackthis:

1.) Download and run Hijackthis and post the results (copy results and paste into a post). This will sometimes show if there is a missing file or at least the registry calls. We might see something there. Here is the link: http://www.majorgeeks.com/download3155.html

2.) After doing #1 above, click on the misc tools button and check off "List also minor sections" and "List empty sections", then click on generate startup list. The results will open in Notepad. Save it to your desktop and attach it to your next post.

3.) Next, click on open hosts manager and take a peek. Are there any entries there? If there are, are there any that start with an IP address other than 127.0.0.1?

If you need additional help with these let me know....

Quite a bit to do, but these will give me a better picture of what is running on your system, what programs, etc. execute at startup, if there are any redirectors in your hosts file, etc. If this is too much crap to do, please let me know and we can try to pare it down a bit.

Good luck and will be watching for your posts.
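Added example, not part of any post in this thread: the hosts-file check from step 3 above as a small Python script. It goes slightly beyond the post by also accepting the IPv6 loopback `::1` and by reporting lines whose first field is not an address at all; the sample file and its host names are constructed.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread); names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.test   # loopback entry, nothing to review
10.20.30.40     update.example.test www.example.test
::1             localhost
not-an-ip       broken.example.test
"""


def audit_hosts(text):
    """Return (line_no, address, hostnames, reason) for entries worth a second look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        if ip.is_loopback:  # 127.0.0.0/8 or ::1
            continue
        # A name pinned to a non-loopback address overrides DNS for that name.
        findings.append((line_no, address, names, "maps name to non-loopback address"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows XP the file to read is `%SystemRoot%\system32\drivers\etc\hosts`; pass its contents to `audit_hosts`.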
rikkkki (Author), posted June 25, 2005

Details
Product: Windows Operating System
ID: 7023
Source: Service Control Manager
Version: 5.0
Component: System Event Log
Symbolic Name: EVENT_SERVICE_EXIT_FAILED
Message: The %1 service terminated with the following error: %2
rikkkki (Author), posted June 25, 2005

OK. Here goes cak46. This is the main scan. I'll post the startup with the minor and empty settings in the next post. Oh by the by, the 127.0.0.1 is the only "local host" listed. I thought this was the dreaded "loop around IP?"

Logfile of HijackThis v1.99.1
Scan saved at 6:33:48 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\HIJACK\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dave's Search Results
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
rikkkki (Author), posted June 25, 2005

Whew :!: This is a lot, with the other stuff. Here goes

Edit by RTB: Made the log an attachment. Looks better that way
rikkkki (Author), posted June 25, 2005

Here's one for ya. I get this every time I log off for the night. Now, the userenv is not listed in my services, so I can't config it the way they're saying to.
cak46, posted June 26, 2005

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

Did you reinstall Diskeeper? If not, run HijackThis and delete this entry. Could be a contributor if the file is missing...........

Will edit as I go thru stuff.

The userenv thing is nothing to get in a twist over. Seen this before. Back to you in a bit.......

Edit: Here's another issue, potentially. In the attached log file you did......

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

See link: http://castlecops.com/s3328-Shmgrate_exe.html

Another Diskeeper entry....

Diskeeper: "C:\Program Files\Executive Software\Diskeeper\DkService.exe" (autostart)
rikkkki (Author), posted June 26, 2005

Hi cak46: Yes, I reinstalled Diskeeper Lite last night. I went to install my full version #9 Pro and it wouldn't work cause it's not for XP Pro :!: So, I had a free copy of Lite lying around, soooooooooooooooo, I put it in. Works fine alright for now.

Edit: I went to do a manual reg key remove (with the shmgrate.exe) and the keys don't exist :!: Wouldn't that mean that this "cootie" wouldn't run??
cak46, posted June 26, 2005

> Hi cak46: Yes, I reinstalled Diskeeper Lite last night. I went to install my full version #9 Pro and it wouldn't work cause it's not for XP Pro :!: So, I had a free copy of Lite lying around, soooooooooooooooo,

Free is good! Still going thru the large log file. ........

Go into the Services under control panel and set lsass.exe to autostart, then reboot. Probably not it, but.........

Are you still running Alcohol?

Looks like you have terminal services running.......... (Allows connection from a remote computer, can be disabled)
rikkkki (Author), posted June 26, 2005

No, but I drink a few beers now and then :haha: :haha: HeHe, little humor there. Note the edit above last post. I will check services now
cak46, posted June 26, 2005

> Hi cak46: Yes, I reinstalled Diskeeper Lite last night. I went to install my full version #9 Pro and it wouldn't work cause it's not for XP Pro :!: So, I had a free copy of Lite lying around, soooooooooooooooo, I put it in. Works fine alright for now.
>
> Edit: I went to do a manual reg key remove (with the shmgrate.exe) and the keys don't exist :!: Wouldn't that mean that this "cootie" wouldn't run??

I think it's tied to execution of IE, but am not sure...... Go to My Computer, C: drive, windows, then system32. Look to see if the file is listed in there.

> No, but I drink a few beers now and then :haha: :haha: HeHe, little humor there. Note the edit above last post. I will check services now

:haha: Me too. Goin' to get one cause your computer is driving me to it!

BTW: Are you running multiple logon IDs and are you using the Switch User option with XP?
rikkkki (Author), posted June 26, 2005

Got rid of terminal services, switched Diskeeper to manual and checked out shmgrate in sys 32. It's there and listed as "windows nt user data migration tool" dated 8/4/2004.

Well, I must not be running multiple logons. I'm not really sure what that ensues. The switch thing I know nothing about.

Oh BTW, you may want to get an extra case or two
cak46, posted June 26, 2005

With XP, it comes as default to allow multiple logins and the capacity to switch users. This leaves the other user(s) processes running and can bog a system down but allows fast switching of users. Saw that the process for this function was running on your machine, but since you aren't aware of multiple logons on your machine, just disregard it. (Some spyware/malware will install in individual logon profiles but may not be detected if the profile is password protected.)

Hey, you've made Google: Check out the 6th entry in the search results:

http://www.google.com/search?q=lsass.exe+objects&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
rikkkki (Author), posted June 26, 2005

Cool :!:
cak46, posted June 26, 2005

Cool :!: I'll post this and then take a look. I checked around a little bit and noticed that I'm the only user in the user profiles section of my computer/properties/advanced/user profiles. It lists my name and that's about it. Oh, the 'type' is local

edit; boy you weren't kidding. That sucker takes you right back to where we are now :!: I wonder how that happened. Hummmmmmmmmm Cyclical :haha:

Did you ever check your group membership under users and passwords? Make sure you are in the Administrators group, if you haven't done it already.......

edit, edit; I forgot to tell, I finally got a response from MS a while ago. It's a new guy and he says "haven't heard a reply from you yet, if you have any other questions, blah blah,,,,,,,,,,,,, Well I turned right around and resent the same message that I sent on the 21st :!: :!: :!: They need to get on the same page in the same book..................

Instills a sense of security in me knowing MS is on top of it................... :haha:
rikkkki (Author), posted June 26, 2005

In the control panel/user accounts, it shows me only as the Administrator if that's where you mean
cak46, posted June 26, 2005

> In the control panel/user accounts, it shows me only as the Administrator if that's where you mean

Yup, that's it. Starting to run out of options quickly. It seems to me that lsass is looking for something that either doesn't exist or you don't have access to. By looking at the HJT logs and info, there are no entries that have missing files. You could try changing your membership by adding yourself to the Users group, applying it, then removing it. That might re-write your ACL.

Are you using a password to log on to your machine and have you changed any permissions settings on any directories (folders) on your system?
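Added example, not part of any post in this thread: one way to automate the check described above, scanning a HijackThis log for startup and service entries whose file is gone. The sample log is constructed with placeholder names, the regular expressions are this example's own reading of the 1.99 log layout, and the `exists` parameter is a hypothetical hook so the check can be run away from the affected machine.

```python
import os
import re

# Constructed sample in HijackThis 1.99 log layout; all names and paths are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleApp\helper.dll
O4 - HKLM\..\Run: [ExampleTask] "c:\PROGRA~1\example\task.exe" /checktask
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Example Utility] Example.Exe
O23 - Service: ExampleSvc - Example Vendor, Inc. - C:\Program Files\Example Vendor\Svc.exe
O23 - Service: GoneSvc - Unknown owner - C:\Program Files\Removed\gone.exe (file missing)
"""

# Sections that name a file on disk: BHOs, toolbars, Run keys, services.
ENTRY_RE = re.compile(r"^(O2|O3|O4|O23) - (.*)$")
# Absolute path up to the first binary extension. ".com" is left out on purpose
# so a directory such as "mcafee.com" does not end the match early.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)


def check_entries(log_text, exists=os.path.exists):
    """Return (section, path, status) per entry: present, missing or relative."""
    results = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        section, body = entry.groups()
        found = PATH_RE.search(body)
        if found is None:
            # Bare file name: Windows resolves it through the search path.
            results.append((section, None, "relative"))
            continue
        path = found.group(0)
        # HijackThis appends "(file missing)" itself when it cannot find the file.
        flagged = body.rstrip().endswith("(file missing)")
        status = "missing" if flagged or not exists(path) else "present"
        results.append((section, path, status))
    return results


if __name__ == "__main__":
    for row in check_entries(SAMPLE_LOG):
        print(row)
```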
rikkkki (Author), posted June 26, 2005

Yup.
rikkkki (Author), posted June 26, 2005

Edit; no, not using a password. And I don't think I have changed any permission settings that I'm aware of,,,,,,,,,,,,,,

I have a strange feeling that it is something that doesn't exist :(
cak46, posted June 26, 2005

> I have a strange feeling that it is something that doesn't exist :(

Yeah, I think you may be right. Did you try the group membership thing? When you're assigned to a group giving you permissions for "objects", you're given a "key" which you present to the security system (lsass) for access to "objects" (files, directories (folders), etc.) and it grants or denies access based on your "key". I was thinking maybe your "key" got messed up since it's stored as a file on your computer.
rikkkki (Author), posted June 26, 2005

Yeah, I think you may be right.