
LSASS.EXE is possibly compromised, Win 7

2 replies to this topic

#1 Alley Cat


  • Members
  • 65 posts
  • Gender:Male
  • Local time:11:51 PM

Posted 01 June 2016 - 02:05 AM

I have been researching this for a few days, with no answers.


I keep getting these notices after restarting that LSASS.EXE (located in the windows/system32 directory) is attempting to create a new user login.


The file size seems to be the standard 30 KB.


This reminds me of the foreign login I suddenly had two to three years ago. Back then, my computer ran SUPER SLOW. Once in a while, my laptop gets very slow.


Also, in recent months, I had repeated fake warnings (browser: Google Chrome) from my ISP telling me that I had broken laws and must phone them. These fake warnings had a blue background and embedded audio telling me that I had broken laws and should call a 1-800 number. They were impersonating Shaw Communications.

Edited by hamluis, 01 June 2016 - 08:49 AM.
Moved from Win 7 to Am I Infected - Hamluis.
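As an added defender's check, not part of this thread or any reply in it, the following PowerShell snippet does what the poster's question calls for: it confirms that the running lsass.exe is the single System32 copy, verifies that copy against Windows File Protection, lists the local accounts, and shows any recent account-creation events. It assumes an elevated PowerShell prompt (PowerShell 2.0 on Windows 7 is sufficient) and that account-management auditing is enabled for step 4 to show anything.

```powershell
# Added example, not from the thread: sanity-check the LSASS process and
# binary the poster is worried about, and list recent account creations.
# Assumes an elevated PowerShell prompt (PowerShell 2.0 on Windows 7 is enough).

$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Exactly one lsass.exe should be running, from System32. A second copy,
#    or one started from another directory, is what a lookalike would show.
$procs = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
"lsass processes: $($procs.Count)"
foreach ($p in $procs) {
    "  PID $($p.Id)  path: $($p.Path)"
    if ($p.Path -ne $expectedPath) {
        Write-Warning "lsass.exe is running from an unexpected location: $($p.Path)"
    }
}

# 2. Integrity of the on-disk binary. Windows File Protection compares it with
#    the protected copy; the Authenticode status is informational only, because
#    on Windows 7 system files are catalog-signed and may report NotSigned here.
#    File size alone (the '30 KB' observation in the post) proves nothing.
$file = Get-Item $expectedPath
$sig  = Get-AuthenticodeSignature -FilePath $expectedPath
"size: $($file.Length) bytes  authenticode: $($sig.Status)"
sfc /verifyfile=$expectedPath

# 3. Local accounts currently present: an unfamiliar one is the 'foreign login'
#    the poster describes.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True" |
    Select-Object Name, Disabled, SID | Format-Table -AutoSize

# 4. Security event 4720 ('a user account was created'), last 30 days.
#    Only present if 'Audit User Account Management' auditing is enabled
#    (check with: auditpol /get /subcategory:"User Account Management").
$since  = (Get-Date).AddDays(-30)
$events = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$since } -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    "No account-creation (4720) events since $since"
} else {
    foreach ($e in $events) {
        # Property 0 is the new account's name and property 4 the creating
        # user, per the 4720 event data layout.
        "$($e.TimeCreated)  new account '$($e.Properties[0].Value)' created by '$($e.Properties[4].Value)'"
    }
}
```

If step 1 shows one process at the System32 path and sfc reports no integrity violation, the notice is about the genuine LSASS, and the account list in step 3 is where to look for anything unexpected.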



#2 dc3


    Bleeping Treehugger

  • Members
  • 30,809 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:10:51 PM

Posted 01 June 2016 - 09:37 AM

Please run Malwarebytes AntiMalware
Please download Malwarebytes Anti-Malware
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  
3)  Click on Settings, you will see an image like the one below.
When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.
4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.
5)  When the scan is complete the results will be displayed.  Click on Delete All.
6)  Please post the Malwarebytes log.
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
To open the log double click on mbam-check.exe on your desktop.  Copy and paste the log in your topic.

Please run TDSSKiller.
Please download TDSSKiller from here and save it to your Desktop.
The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
3.  Click Start Scan and allow the scan process to run.
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
***Do NOT select Delete!
Click on Continue.
5.  Click on Reboot computer.
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.
Note:  The log may be very long.  You may need to break it into parts to post the whole log.
Post this in your topic.


Please run AdwCleaner
Please download AdwCleaner and install it.
When AdwCleaner opens you will see an image like the one below.
Click on Scan to start the scan.
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.
If no malicious programs are found you will receive the following message.
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.

Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by dc3, 01 June 2016 - 09:39 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.





#3 Alley Cat

  • Topic Starter

  • Members
  • 65 posts
  • Gender:Male
  • Local time:11:51 PM

Posted 02 June 2016 - 06:06 PM

Malwarebytes Anti-Malware

Scan Date: 6/1/2016
Scan Time: 5:02 PM
Administrator: Yes

Malware Database: v2016.06.01.07
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Xanatos SpeedChess

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 608185
Time Elapsed: 58 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


18:20:34.0809 0x0b58  TDSS rootkit removing tool Dec 11 2015 22:49:12
18:20:36.0809 0x0b58  ============================================================
18:20:36.0809 0x0b58  Current date / time: 2016/06/01 18:20:36.0809
18:20:36.0809 0x0b58  SystemInfo:
18:20:36.0809 0x0b58  
18:20:36.0810 0x0b58  OS Version: 6.1.7601 ServicePack: 1.0
18:20:36.0810 0x0b58  Product type: Workstation
18:20:36.0810 0x0b58  ComputerName: SILENTCARTOGRAP
18:20:36.0810 0x0b58  UserName: Xanatos SpeedChess
18:20:36.0810 0x0b58  Windows directory: C:\Windows
18:20:36.0810 0x0b58  System windows directory: C:\Windows
18:20:36.0810 0x0b58  Running under WOW64
18:20:36.0810 0x0b58  Processor architecture: Intel x64
18:20:36.0810 0x0b58  Number of processors: 4
18:20:36.0810 0x0b58  Page size: 0x1000
18:20:36.0810 0x0b58  Boot type: Normal boot
18:20:38.0005 0x0b58  ============================================================
18:20:38.0005 0x0b58  Initialize success
18:20:38.0005 0x0b58  ============================================================
18:20:44.0025 0x11b0  ============================================================
18:20:44.0025 0x11b0  Scan started
18:20:44.0025 0x11b0  Mode: Manual;
18:20:44.0025 0x11b0  ============================================================
18:20:44.0025 0x11b0  KSN ping started
18:21:27.0905 0x11b0  KSN ping finished: false
18:21:28.0125 0x11b0  ================ Scan system memory ========================
18:21:28.0125 0x11b0  System memory - ok

18:21:44.0713 0x11b0  AV detected via SS2: Baidu Antivirus, C:\Program Files (x86)\Baidu Security\Baidu Antivirus\\bavsvc.exe ( ), 0x71000 ( enabled : updated )
18:21:44.0733 0x11b0  Win FW state via NFP2: disabled ( trusted )
18:21:44.0733 0x11b0  ============================================================
18:21:44.0733 0x11b0  Scan finished
18:21:44.0733 0x11b0  ============================================================
18:21:44.0733 0x11a8  Detected object count: 0
18:21:44.0733 0x11a8  Actual detected object count: 0

# AdwCleaner v5.032 - Logfile created 01/06/2016 at 20:45:30
# Updated 31/01/2016 by Xplode
# Database : 2016-01-25.3 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Xanatos SpeedChess - SILENTCARTOGRAPHER
# Running from : H:\Fighting Malware\adwcleaner_5.032.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Xanatos SpeedChess\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpphkkgodbfncbcpgopijlfakfgmclao
[-] Folder Deleted : C:\Users\Public\Documents\pc faster

***** [ Files ] *****

[-] File Deleted : C:\Users\Xanatos SpeedChess\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bpphkkgodbfncbcpgopijlfakfgmclao_0.localstorage
[-] File Deleted : C:\Users\Xanatos SpeedChess\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bpphkkgodbfncbcpgopijlfakfgmclao_0.localstorage-journal
[-] File Deleted : C:\Users\Xanatos SpeedChess\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_babylon5.wikia.com_0.localstorage
[-] File Deleted : C:\Users\Xanatos SpeedChess\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_babylon5.wikia.com_0.localstorage-journal

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}

***** [ Web browsers ] *****

[-] [C:\Users\Xanatos SpeedChess\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bpphkkgodbfncbcpgopijlfakfgmclao


:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2055 bytes] ##########



C:\Kernels\driver\explorer.exe    Win32/BitCoinMiner.N potentially unsafe application    
C:\Downloads\spsetup126.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Program Files (x86)\Dorgem\Dorgem.exe.56b2541a    a variant of Win32/DorgeCapturer.A potentially unsafe application    
C:\Users\Xanatos SpeedChess\Downloads\The Sims 4 Mod Toggle-8-2-2.zip    a variant of MSIL/Injector.IFP trojan    
C:\Windows\KMSServerService\KMS Server Service.exe    a variant of Win32/HackKMS.W potentially unsafe application    
C:\Windows\System32\drivers\hmpnet.sys    a variant of Win64/NetFilter.A potentially unsafe application    
C:\Lame32\dffsetup-lame_enc.exe    a variant of Win32/Systweak.U potentially unwanted application  
