
lsass.exe - system error message


6 replies to this topic

#1 snowyman


Posted 03 October 2009 - 02:55 PM

Hello Mybleeping Computer people,

You helped me a great deal once before, :thumbsup: so I'm hoping you can again. I have a number of strange things happening to my two computers right now. I have started getting an error message just after I logon to XP.

Error Message reads:

lsass.exe - system error
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system image of the registry.


The system just keeps having to reboot and doesn't allow me past this point in Normal Mode.

However I have run Malwarebytes, SuperAntiSpyware, Adaware, SpybotSD and AVG scans in Safemode but they have found nothing and when I restart in normal mode I got the Error Message back again.

I resorted to using ATF Cleaner and had some success starting this computer and that is how I am able to make contact with you now.

On my other computer, which started behaving oddly, I resorted to using the Task Manager to stop the process lsass.exe. This had the effect of an error message telling me that Windows was going to be shut down in 45 seconds' time and that I should save all work and unsaved documents. Needless to say, I am now very hesitant to restart that computer!

PS: I forgot I ran a Malwarebytes scan and it found and deleted 10 entries from the registry the evening before everything turned really nasty.

Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

01/10/2009 11:55:56
mbam-log-2009-10-01 (11-55-56).txt

Scan type: Quick Scan
Objects scanned: 94571
Time elapsed: 19 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Any help you can give me in this matter will be gratefully received.

Thank you in advance for your consideration.
Snowy

Edited by snowyman, 03 October 2009 - 03:54 PM.



#2 garmanma


Posted 04 October 2009 - 03:23 PM

Please download Win32kDiag.exe by AD and save it to your desktop.
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

    --------------------------------------
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 snowyman


Posted 05 October 2009 - 06:18 AM

Hi Garmanma

Thanks for taking up my case. :thumbsup:

I ran Win32kDiag and it created this log:

Running from: C:\Documents and Settings\Snowy\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Snowy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


Thinking that perhaps the program needed to be run by an administrator I restarted in Safe Mode and ran it as the administrator:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Prefetch\layout.ini

[1] 2009-10-03 13:45:55 134224 C:\WINDOWS\Prefetch\layout.ini ()

Finished!


I also ran the CMD which returned this log:

Volume in drive C has no label.
Volume Serial Number is 78BB-465A

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 5,060,775,936 bytes free


As a side note, I was unable to copy and paste the instruction (or any line of text, for that matter) into the command prompt; I had to do it by hand. Is that usual?


Thanks for your assistance.
Snowy
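The DIR listing above is a file-integrity check: the copies of scecli.dll, netlogon.dll and eventlog.dll under C:\WINDOWS\system32 are compared by date and size against the pristine copies the service pack left in C:\WINDOWS\ServicePackFiles\i386 (the older, smaller copies in $NtServicePackUninstall$ are the pre-SP3 versions and are expected to differ). As an added example that is not part of this thread and not a BleepingComputer tool, the script below parses that DIR /a/s output and flags any live DLL whose size does not match its service-pack reference, or which is missing from either location. The sample log is constructed from the sizes in the thread, with one netlogon.dll size deliberately altered so the mismatch path is exercised; the directory names and the `find_size_mismatches` helper are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the DIR /a/s output from the thread.
# The system32 netlogon.dll size (409,088) is deliberately altered from the
# real value so that a mismatch is produced; every other figure is as posted.
SAMPLE_LOG = """\
 Volume in drive C has no label.
 Volume Serial Number is 78BB-465A

 Directory of C:\\WINDOWS\\$NtServicePackUninstall$

04/08/2004 13:00 180,224 scecli.dll
               1 File(s)        180,224 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

14/04/2008 01:12 181,248 scecli.dll

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

14/04/2008 01:12 407,040 netlogon.dll

 Directory of C:\\WINDOWS\\system32

14/04/2008 01:12 181,248 scecli.dll

 Directory of C:\\WINDOWS\\system32

14/04/2008 01:12 409,088 netlogon.dll

     Total Files Listed:
               5 File(s)      1,765,888 bytes
"""

# Reference copies dropped by the service pack, and the live copies Windows loads.
REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"
LIVE_DIR = r"C:\WINDOWS\system32"

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# DIR's file line: date, time, size with thousands separators, file name.
# Summary lines such as "3 File(s) 643,072 bytes" do not match because they
# do not begin with a date.
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


def parse_dir_listing(text):
    """Return a list of (directory, filename, size_in_bytes) from DIR /s output."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path")
            continue
        entry = FILE_LINE.match(line)
        if entry and current_dir is not None:
            size = int(entry.group("size").replace(",", ""))
            entries.append((current_dir, entry.group("name").lower(), size))
    return entries


def find_size_mismatches(entries, reference_dir=REFERENCE_DIR, live_dir=LIVE_DIR):
    """Compare each DLL's live copy with its service-pack reference copy.

    Returns {filename: (live_size, reference_size)} for every file whose
    sizes differ or where either copy is absent (reported as None).
    A matching size is only a first screen: a patched file can keep its
    original length, so a hash comparison should follow on a real system.
    """
    sizes = defaultdict(dict)
    for directory, name, size in entries:
        sizes[name][directory.lower()] = size

    mismatches = {}
    for name, by_dir in sizes.items():
        live = by_dir.get(live_dir.lower())
        reference = by_dir.get(reference_dir.lower())
        if live is None or reference is None or live != reference:
            mismatches[name] = (live, reference)
    return mismatches


if __name__ == "__main__":
    found = find_size_mismatches(parse_dir_listing(SAMPLE_LOG))
    if not found:
        print("All live DLLs match their service-pack reference sizes.")
    for name, (live, reference) in sorted(found.items()):
        print(f"{name}: system32 size {live} vs reference {reference}")
```

On a real system the log is produced by the DIR command in the post above and saved to Log.txt; feed that file's contents to `parse_dir_listing` instead of the constructed sample. Size equality is the same check the thread relies on and is cheap to read by eye, but it is not proof of integrity; hashing the live copy and the reference copy (for example with hashlib) and comparing digests is the stronger follow-up.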

#4 garmanma


Posted 05 October 2009 - 07:42 PM

I suggest posting in our HJT forum


Now that you were successful in creating those two logs you need to post them in our HJT forum:
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that these logs were all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark

#5 snowyman


Posted 06 October 2009 - 01:49 PM

Thanks for your help Mark.

Unfortunately I have to report that my computer went belly up last night. The virus, trojan, whatever, took umbrage at me attempting to access Mybleepingcomputer's forum and redirected me to a website that gave me some extra malware. It even stopped me from booting into Safe Mode!

I determined that my best course of action was to format my disks and reinstall Windows XP, which I have just spent all day doing. My Avira Anti-Virus has already notified me that I am infected with "SPR/Tool.PsKill.1101"! This managed to get on to my clean install within 10 minutes of connecting to the Web to activate Windows and download Spybot Search & Destroy, Avira and Zone Alarm. That was really very disconcerting but not at all unforeseen, as I am aware that Microsoft's security and firewall is a train wreck!

I was wondering if you could advise me about two things. I need to know: is it possible that the original virus, trojan, rootkit or whatever could still be lurking around on a reformatted disk? And two: will all the media files, jpgs, etc. that I have saved to CD and DVD over the last year or two have the potential to reinfect this computer?

Thanks for all your support and advice
Snowy

Edited by snowyman, 06 October 2009 - 01:57 PM.


#6 garmanma


Posted 06 October 2009 - 05:50 PM

If you have an original Windows XP CD, I would run a pass of zeros over the hard drive with Active KillDisk
http://www.killdisk.com/
before reformatting.
If you have a retail computer [Dell, HP, etc] you can't do that because you'll destroy the recovery partition
There is also a slight chance the recovery partition might be infected

jpegs, gifs and other pictures would be the safest to retain. Music is so-so
A big no on the text and documents
Mark

#7 snowyman


Posted 07 October 2009 - 03:38 AM

Thanks again Mark. :thumbsup:



