Lsass.exe Keeps Trying To Contact A Suspicious Ip Address



#1 Larent


Posted 20 October 2005 - 07:06 AM

Hi,

I am using Sygate Personal Firewall, free edition. Recently, I keep getting this message over and over again:

"C:\WINNT\lsass.exe is trying to connect to h.animeteam.net (216.253.177.154) using remote port 8163. Do you want to allow this program to access the network?"

I have tried to run AVG, Spybot and Adaware to figure out what this is and why it keeps on trying to access the network, but no luck. I am running Windows XP Service Pack 2.

I have checked my c:\winnt folder and cannot find lsass.exe. The only place I see it is c:\winnt\system32 and c:\winnt\ServicePackFiles\i386, and I think those are supposed to be legit.

It's driving me batty thinking that there's some kind of trojan on my computer and I can't do anything about it. I tried to go directly to 216.253.177.154, but there's really nothing there except a supposed "Online Help Desk" and a couple of phone numbers. The phone numbers provided belong to a couple of Texas area businesses, one a real estate agent and the other a web hosting company.

Any help would be appreciated, thanks!



#2 Rimmer


Posted 20 October 2005 - 08:15 AM

Hi Larent, :thumbsup: to BC!

You could try some free online scans as a start:
Here are some links to free online Anti-Virus scans. They do take some time to load and run and in some cases you can only use Internet Explorer, with ActiveX enabled, to access them but they are an excellent support for your existing anti-virus program.

Trend Micro online scan "housecall" - http://housecall.antivirus.com/

Panda Active Scan online - http://www.pandasoftware.com/activescan/
Internet Explorer only. Requires email address. Requires Active-X components to be installed. Approx 12MB download.

BitDefender online scan - http://www.bitdefender.com/scan/licence.php
Internet Explorer only. Must agree to a EULA. Need to allow installation of an Active X component. Some of the options are not clearly explained.

McAfee online scan - http://www.pcpitstop.com/freescan/

Security Advisor (?) - http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Trend Micro Housecall - http://uk.trendmicro-europe.com/enterprise...call_launch.php
(European version, supports Netscape, Mozilla, Firefox and Opera)


If you still have no success with online scans you can submit a HijackThis Log :
Please read the pinned posts 'How to use this Forum' and 'How to post a HiJack This log' at the top of the forum:
http://www.bleepingcomputer.com/forums/Hij...alysis-f22.html

hth :flowers:

Soltek QBIC, Pentium 4 3.0GHz, 512MB RAM, 200GB SATA HDD, ATI Radeon 9600XT 256MB, Netgear 54Mb/s WAP, ridiculously expensive Satellite Broadband
Windows XP Home SP2, Trend Micro Internet Security, Firefox, Thunderbird, AdAwareSE, Spybot S&D, SpywareBlaster, A-squared Free, Ewido Security Suite.

#3 stidyup


Posted 20 October 2005 - 08:54 AM

Free stand-alone scanners to run from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here, lpt***.zip. Remember to extract the contents of the zip file into the same folder as Sysclean.com.

or

DrWeb CureIT

If you're good with the command line, also try Sophos Command Line scanner. This command will scan all of your HDDs:

SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt

and give you a log file to review afterwards.

#4 tramond


Posted 20 October 2005 - 07:28 PM

I had that same thing running on my computer before it crashed.
I think it comes from looking at porn :(
Uh, just get rid of it before it messes up your computer.

#5 Larent


Posted 20 October 2005 - 09:13 PM

Thanks! Panda Active Scan found it and fixed it! I wish they had a freeware version. It was a worm, forgot the name now, fde something.

I'm pretty sure I didn't get it from looking at porn though. The porn folder came up clean :thumbsup: .

#6 tramond


Posted 20 October 2005 - 09:43 PM

> Thanks! Panda Active Scan found it and fixed it! I wish they had a freeware version. It was a worm, forgot the name now, fde something.
>
> I'm pretty sure I didn't get it from looking at porn though. The porn folder came up clean :thumbsup: .


lol

I just read up on it.
Turns out the ACTUAL lsass.exe is supposed to run. It's just that the Sasser worm looks for computers that are vulnerable to its attack, which I forgot the specifics on.
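
The check Larent did by hand in post #1 (the prompt names C:\WINNT\lsass.exe, while the real file sits in c:\winnt\system32), written out as an added example that is not part of the thread: it parses Sygate-style prompt text and flags core process names running from outside System32. The process names beyond lsass.exe, the C:\WINNT system-root default and the second sample line are assumptions of this example.

```python
import ntpath
import re

# Core Windows processes whose legitimate image lives only in <SystemRoot>\System32.
# Only lsass.exe comes from the thread; the other names are added for generality.
SYSTEM32_ONLY = {"lsass.exe", "services.exe", "svchost.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}

# Wording follows the Sygate prompt quoted in post #1.
PROMPT_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\[^"]+?\.exe) is trying to connect to '
    r'(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) '
    r'using remote port (?P<port>\d+)', re.IGNORECASE)

def parse_prompt(line):
    """Return path/host/ip/port from one firewall prompt, or None if no match."""
    m = PROMPT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event

def is_masquerading(path, system_root=r"C:\WINNT"):
    """True if a System32-only process name runs from any other folder.
    Backup copies (e.g. ServicePackFiles\\i386) are flagged too: they should never run."""
    folder, name = ntpath.split(ntpath.normpath(path))
    if name.lower() not in SYSTEM32_ONLY:
        return False
    expected = ntpath.join(system_root, "System32")
    return ntpath.normcase(folder) != ntpath.normcase(expected)

def triage(lines, system_root=r"C:\WINNT"):
    """Return the parsed events whose image path looks like an impostor."""
    events = (parse_prompt(line) for line in lines)
    return [e for e in events if e and is_masquerading(e["path"], system_root)]

# First line is the prompt from post #1; the second is constructed for contrast.
SAMPLE = [
    r'"C:\WINNT\lsass.exe is trying to connect to h.animeteam.net '
    r'(216.253.177.154) using remote port 8163. Do you want to allow this program to access the network?"',
    r'"C:\WINNT\system32\svchost.exe is trying to connect to time.example.net '
    r'(192.0.2.10) using remote port 123."',
]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print("SUSPICIOUS:", e["path"], "->", e["host"], e["ip"], e["port"])
```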

#7 usasma


Posted 21 October 2005 - 10:24 AM

Here's a link about the Sasser and lsass worms: http://securityresponse.symantec.com/avcen...ser.b.worm.html

As I recall, it gained notoriety because it would attack systems that weren't updated - hence there was a great call for updating your system at Windows Update. I know that it increased my awareness of staying updated and has probably saved me from the same fate.

Edited by usasma, 21 October 2005 - 10:25 AM.

My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.



