
Lsass.exe 2 Incidents


7 replies to this topic

#1 digicrow (Members, 32 posts)

Posted 28 December 2006 - 08:30 PM

While running an AVG scan on my weekly schedule I discovered 2 incidents of isass.exe under the "connections" tab in AVG. I would like to know how to get rid of these as I see they are a "worm" or similar. I have also discovered through AVG that there is a "dropper.agent.amm" listed. I have had multiple warnings from Trend anti-virus that my ports are being listened to. This is out of my league, so I am looking for some assistance here.

(Edit)- I should also add that I can't start my computer in safe mode while pressing F8. This is a new prob. that I think should not be happening. Is this associated with the above? I have started my computer numerous times in safe mode using F8 before. This is something I just became aware of.

(Moderator edit: changed the topic title to reflect the .exe file's correct name. jgweed)

Edited by jgweed, 29 December 2006 - 11:57 AM.


#2 Orange Blossom (OBleepin Investigator, Moderator, 37,110 posts, Bloomington, IN)

Posted 28 December 2006 - 09:46 PM

Can you recheck the spelling of that file? Is the first letter a small case i or a small case l?

Orange Blossom :thumbsup:
#3 quietman7 (Bleepin' Janitor, Global Moderator, 52,072 posts, Virginia, USA)

Posted 29 December 2006 - 09:13 AM

Also provide the path (location) these files are running from.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 digicrow (Topic Starter, Members, 32 posts)

Posted 29 December 2006 - 10:20 AM

Now that I have looked at this again I see that this double incident is: lsass.exe. (small case L).

#5 quietman7 (Bleepin' Janitor, Global Moderator, 52,072 posts, Virginia, USA)

Posted 29 December 2006 - 10:39 AM

lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service. The lsass.exe process receives authentication requests from WINLOGON and calls the appropriate authentication package (implemented as a DLL) to perform the actual verification, such as checking whether a password matches what is stored in the SAM (the part of the registry that contains the definition of the users and groups). The legit lsass.exe file is located in the folder C:\Windows\System32. If found running from a different location it is malware.

You can download and use Process Explorer to investigate all processes and gather additional information to identify and resolve problems. This tool will show the process CPU usage, a description and its path.
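As an added example (not part of this thread, and not AVG or Process Explorer output), the PowerShell check below applies the rule from post #5: it lists every running process whose name is, or merely looks like, lsass.exe (the i/l confusion from posts #2 and #4) and flags any that is not the real lsass.exe in %SystemRoot%\System32. The Normalize-Name helper and the verdict strings are my own; it assumes a current Windows with PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example: flag lsass.exe look-alikes and any lsass.exe running from
# outside %SystemRoot%\System32. Run elevated so ExecutablePath is populated.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Normalize-Name {
    # Hypothetical helper: map characters that are easy to confuse with a
    # lower-case L, so "isass.exe", "1sass.exe" and "Isass.exe" all compare
    # equal to "lsass.exe" and are caught by the filter below.
    param([string]$Name)
    $n = $Name.ToLowerInvariant()
    return ($n -replace '[i1|]', 'l')
}

$findings = @()
Get-CimInstance Win32_Process | ForEach-Object {
    $name = $_.Name
    if ((Normalize-Name $name) -ne 'lsass.exe') { return }

    $path    = $_.ExecutablePath
    $verdict = 'OK'
    if ($name -ne 'lsass.exe') {
        # Name only resembles lsass.exe: never legitimate.
        $verdict = 'SUSPICIOUS: look-alike name'
    } elseif (-not $path) {
        $verdict = 'UNKNOWN: no path returned (run elevated)'
    } elseif ($path -ine $expected) {
        # Right name, wrong folder: the rule from post #5.
        $verdict = 'SUSPICIOUS: running outside System32'
    } else {
        # Catalog-signed system files may report NotSigned on older Windows,
        # so anything other than Valid is a prompt to verify by hand.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $verdict = "CHECK: signature $($sig.Status)" }
    }

    $findings += [pscustomobject]@{
        PID     = $_.ProcessId
        Name    = $name
        Path    = $path
        Verdict = $verdict
    }
}

$findings | Format-Table -AutoSize
```

A clean machine shows exactly one row, named lsass.exe, pathed to System32, with verdict OK; any additional row is the process to investigate with Process Explorer as suggested above.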

#6 digicrow (Topic Starter, Members, 32 posts)

Posted 29 December 2006 - 11:37 AM

Thank you for that. Here is the AVG Report concerning the "Dropper. Agent.amm" which AVG represents as high risk. I have quarantined this in AVG and would like to get rid of it. Can you help or give me info on what this is and how to get rid of it?

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:28:53 AM 12/29/2006

+ Scan result:

C:\System Volume Information\_restore{2C0632EF-9D9A-42B9-B475-C321AD2892A9}\RP9\A0001179.exe -> Dropper.Agent.amm : No action taken.
:mozilla.33:C:\Documents and Settings\TCrowe\Application Data\Mozilla\Firefox\Profiles\ozf5dl4h.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.34:C:\Documents and Settings\TCrowe\Application Data\Mozilla\Firefox\Profiles\ozf5dl4h.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.106:C:\Documents and Settings\TCrowe\Application Data\Mozilla\Firefox\Profiles\ozf5dl4h.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.107:C:\Documents and Settings\TCrowe\Application Data\Mozilla\Firefox\Profiles\ozf5dl4h.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.108:C:\Documents and Settings\TCrowe\Application Data\Mozilla\Firefox\Profiles\ozf5dl4h.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.

::Report end

I took this report before the deletion of the cookies and quarantine of "Dropper". It is now quarantined and cookies removed. I have quarantined this and deleted it before but it keeps showing up. Thanks

#7 quietman7 (Bleepin' Janitor, Global Moderator, 52,072 posts, Virginia, USA)

Posted 29 December 2006 - 11:51 AM

The "No action taken" entries mean you saved the report before you clicked the "Apply all actions" button. When you do that, the log that is created will indicate "No action taken". When running AVG AS in the future make sure you save it AFTER clicking the "Apply all actions" button.

To delete items from quarantine, do this:
1. Launch AVG Anti-Spyware and click the "Infections" button.
2. Click the "Quarantine" tab, choose "Select All" and click "Remove finally".
3. A window will pop up asking "Are you sure you want to remove the selected files...??"
4. Choose "Yes".

Then SET A NEW RESTORE POINT to prevent reinfection from an old restore point. The easiest and safest way to do this is:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Reboot when done.
#8 buddy215 (Moderator, 13,502 posts, West Tennessee)

Posted 29 December 2006 - 11:54 AM

Are you using Apache Web Server? If so, it could be a false positive.
http://www.apachefriends.org/f/viewtopic.p...d9a825b09d1ac2c