Za Alert "lsa Shell (export Version) Wants To Accept Connection


14 replies to this topic

#1 bloomcounty

Posted 23 April 2007 - 04:33 PM

Mod Edit: bloomcounty's previous topic has been merged with this one, as per his request, in post #6. ~tg


Hi,

I use Zone Alarm free version 7.0.302 and have been for months. But for the first time today, as soon as I dialed-up to the internet just now (though I had been connected multiple times previously today with no warning coming up), I got this message:

LSA Shell (Export Version) wants to accept connections from the Internet.
Application: lsass.exe
Source IP: 12.14.170.15: Port 500
This is the program's first attempt to access the Internet.


I clicked on DENY and then immediately opened up ZA and checked the Program Control, and LSA Shell (Export Version) had been added to the list with both Access-Trusted and Access-Internet checked with a green checkmark (even though I clicked DENY)! I immediately changed the check marks to ASK (question marks). There were question marks already in the columns for Server-Trusted and Server-Internet.

1. What exactly has happened here? Why has this popped up now? I did not change any settings or anything...

2. Is this someone trying to connect to my computer all of a sudden?

3. Should I remove LSA Shell (Export Version) altogether from my Program Control list in ZA?

4. Could this imply that I've got something "bad" on my computer?

5. Is there anything else I should do/check to make sure something bad isn't going on?

Seems like something always pops up just when I'm done worrying about something else with my computer! :flowers:

Thanks for the help! :thumbsup:

Edited by tg1911, 03 May 2007 - 08:10 PM.

My stats: Windows XP Home SP2; Firefox 3.0.14 w/ Ad-Block Plus; IE 6.0 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 8.5 A/V Free; SuperAntispyware Free 4.28.1010


#2 bloomcounty

Posted 23 April 2007 - 05:12 PM

A bit more...

There were a number of these entries in my ZA log:

Type: Firewall
Protocol: ICMP (type:3/subtype:2)
Source IP: <I believe this would be mine>
Destination IP: 12.14.170.15
Direction: Outgoing
Action Taken: Blocked
Count: 8 (18, 31, 15, 18, 12, 22, 12 -- those are all the different occurrences while I was on-line)

It doesn't look like I've had any more of these since disconnecting from the internet and then logging back on.

I have never had an Outgoing log message before...

Note: I have dial-up.

6. Should I have immediately disconnected from the internet and then logged back on? I don't recall if I checked my email or logged onto anything password-sensitive, etc. while still connected to the internet when that happened. I'm pretty sure I updated my AVG to the newest program version while I was still connected that time. Does any of that matter?

Thanks again! :thumbsup:

Edited by bloomcounty, 23 April 2007 - 05:13 PM.


#3 buddy215

Posted 23 April 2007 - 07:21 PM

Do you recognize the companies?

WHOIS results for 12.14.170.15
Generated by www.DNSstuff.com

Location: United States [City: Kennesaw, Georgia]
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
GAMESTOP, INC. GAMESTOP35-170 (NET-12-14-170-0-1)
12.14.170.0 - 12.14.170.255

Edited by buddy215, 23 April 2007 - 07:22 PM.



#4 bloomcounty

Posted 23 April 2007 - 07:26 PM

I do not recognize either of those companies. (There's actually no reason that I know of why something else would be trying to ping or contact my computer in this way... I don't really run any kind of weird programs or any games or anything...)

#5 bloomcounty

Posted 03 May 2007 - 02:03 PM

Something else I notice, and this may be normal and have no bearing on anything, but when I open Task Manager, csrss.exe and SYSTEM are at 33% for half a second, as is Task Manager, then go away and it all goes to System Idle Process except for like 2% to Task Manager. But maybe that just has to do with Task Manager opening up?

Now I'm not positive, but I think lsass.exe might also sometimes be at 33% or something for half a second but goes away when I open Task Manager sometimes too... But I'm not positive. Haven't been able to duplicate it yet.

I'M POSTING IN THE Security > Am I Infected? THREAD, AS I THINK THAT IS A BETTER SPOT TO POST. MODERATOR, PLEASE FEEL FREE TO MERGE THIS THREAD INTO THAT ONE. Here's the link below:

http://www.bleepingcomputer.com/forums/t/90977/za-alert-lsa-shell-export-version-wants-to-accept-connection/

Thanks and sorry for the hassle! :thumbsup:

Edited by bloomcounty, 03 May 2007 - 05:57 PM.


#6 bloomcounty

Posted 03 May 2007 - 05:57 PM

Hi,

Sorry for the cross-post, but I originally posted about this in the Antivirus board here:

http://www.bleepingcomputer.com/forums/ind...=25&t=89810

...and I think that was the wrong place. So if a mod wants to close that thread or merge it with this one, that would be great! Thanks! :flowers:

I use Zone Alarm free version 7.0.302 and have been for months. But for the first time the other day, as soon as I dialed-up to the internet (though I had been connected multiple times previously that day with no warning coming up), I got this message:

LSA Shell (Export Version) wants to accept connections from the Internet.
Application: lsass.exe
Source IP: 12.14.170.15: Port 500
This is the program's first attempt to access the Internet.


I clicked on DENY and then immediately opened up ZA and checked the Program Control, and LSA Shell (Export Version) had been added to the list with both Access-Trusted and Access-Internet checked with a green checkmark (even though I clicked DENY)! I immediately changed the check marks to ASK (question marks). There were question marks already in the columns for Server-Trusted and Server-Internet.

There were a number of these entries in my ZA log:

Type: Firewall
Protocol: ICMP (type:3/subtype:2)
Source IP: <I believe this is my IP listed here>
Destination IP: 12.14.170.15
Direction: Outgoing
Action Taken: Blocked
Count: 8 (18, 31, 15, 18, 12, 22, 12 -- those are all the different occurrences while I was on-line)


It doesn't look like I've had any more of these since disconnecting from the internet and then logging back on.

I have never had an Outgoing log message before...

And I do not recognize these companies for the IP address in question, nor is there any reason that anybody should/would be trying to access my computer. I don't run any weird programs nor play any games, etc.

WHOIS results for 12.14.170.15
Generated by www.DNSstuff.com

Location: United States [City: Kennesaw, Georgia]
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
GAMESTOP, INC. GAMESTOP35-170 (NET-12-14-170-0-1)
12.14.170.0 - 12.14.170.255


Note: I have dial-up. I have since scanned my computer with Ad-Aware SE free, AVG free, AVG rootkit scanner, and SpyBot, all updated with the most current definitions, etc. -- and all is clear. This situation has not happened again -- only that ONE TIME. Once I disconnected from the internet and dialed back up, it has never happened again.

1. What exactly has happened here? Why has this popped up now? I did not change any settings or anything...

2. Is this someone trying to connect to my computer all of a sudden?

3. Should I remove LSA Shell (Export Version) altogether from my Program Control list in ZA? (Edit: I did this already...)

4. Could this imply that I've got something "bad" on my computer?

5. Is there anything else I should do/check to make sure something bad isn't going on?

6. Should I have immediately disconnected from the internet and then logged back on? I don't recall if I checked my email or logged onto anything password-sensitive, etc. while still connected to the internet when that happened. I'm pretty sure I updated my AVG to the newest program version while I was still connected that time. Does any of that matter?

I can post a HijackThis log in the proper forum here if necessary, but I'd rather not start doing on-line scans and installing new stuff unless there's a chance I have an actual problem. So any help with these questions and what happened would be greatly appreciated! :trumpet:

Thanks for the help, as always! :thumbsup:

Edited by bloomcounty, 04 May 2007 - 09:55 AM.


#7 fozzie

Posted 03 May 2007 - 06:41 PM

This thread describes your problem. If the lsass.exe is in the system32 folder in Windows it is ok.


GameStop - Wikipedia, the free encyclopedia

Were you downloading games or something? Do you have Messenger installed?
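
The location check suggested in the reply above, as an added example that is not part of the original thread: it lists every running process named lsass.exe (or a close misspelling), compares its image path with the expected System32 location, and hashes the file on disk. It assumes Windows PowerShell 5.1 or later in an elevated session, which the thread's Windows XP system predates; the look-alike name pattern is constructed for illustration.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+, run elevated.
# The genuine LSA process image lives at %SystemRoot%\System32\lsass.exe.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Constructed pattern: "lsass" plus close misspellings (Isass, 1sass, lsas, lsasss).
# -match is case-insensitive, so an upper-case "I" in place of "l" is caught by "i".
$namePattern = '^[li1]sas{1,3}\.exe$'

$report = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    if ($p.Name -notmatch $namePattern) { continue }

    $path = $p.ExecutablePath   # empty if the session lacks the rights to read it
    $verdict = if ($p.Name -ne 'lsass.exe') {
        'SUSPECT: look-alike process name'
    } elseif (-not $path) {
        'UNKNOWN: path unreadable, rerun elevated'
    } elseif ($path -ne $expected) {
        'SUSPECT: runs from outside System32'
    } else {
        'OK'
    }

    # SHA-256 of the image on disk; a hash can be looked up on a multi-scanner
    # site without sending the file itself.
    $hash = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Name      = $p.Name
        Path      = $path
        SHA256    = $hash
        Verdict   = $verdict
    }
}

$report | Format-List

# Windows runs a single lsass.exe; a second instance deserves a closer look
# even if its path looks right.
$genuine = @($report | Where-Object { $_.Name -eq 'lsass.exe' })
if ($genuine.Count -ne 1) {
    Write-Warning "Expected exactly one lsass.exe, found $($genuine.Count)"
}
```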

#8 bloomcounty

Posted 03 May 2007 - 07:35 PM

This thread describes your problem. If the lsass.exe is in the system32 folder in Windows it is ok.


GameStop - Wikipedia, the free encyclopedia

Were you downloading games or something? Do you have Messenger installed?


That ZA thread is actually me... :flowers:

And, yeah, it's in the system32 folder.

BUT, as I said above, I don't download or play games of any sort on my computer. And this still doesn't explain what happened and why, you know?

Re: Messenger
Do you mean MS Instant Messenger? I don't use it. I have it disabled (as far as I know), but I'm sure it's still installed, as I believe it's part of Windows, right?

Why do you ask about Messenger?

Thanks! Looking forward to hearing back! :thumbsup:

#9 tg1911

Posted 03 May 2007 - 08:11 PM

Your 2 topics have been merged, bloomcounty.

#10 fozzie

Posted 04 May 2007 - 01:37 AM

Messenger brings in advertisements. If you want to be sure there are no viruses in those files to start with, please upload the files at Jotti or Virustotal and post back the result.

#11 bloomcounty

Posted 04 May 2007 - 10:00 AM

Your 2 topics have been merged, bloomcounty.


Cool -- thanks, tg1911!

Messenger brings in advertisements. If you want to be sure there are no viruses in those files to start with, please upload the files at Jotti or Virustotal and post back the result.


Which files? Are we talking about more than one? Or just lsass.exe?

Also, how could Messenger bring in advertisements if I don't use it, nor do I use IE? I only use Firefox?

And is there a standard way to take Messenger completely off your system? How can I check to see if I even have it for sure or that it's active in any way?

Answers to these questions and any from my first posts would be greatly appreciated -- thanks for the help! :thumbsup:

Edited by bloomcounty, 04 May 2007 - 10:02 AM.


#12 fozzie

Posted 04 May 2007 - 04:32 PM

Yes, post the lsass.exe to see whether it is clean. As far as the other questions, I will revert tomorrow with documentation on it.

#13 bloomcounty

Posted 05 May 2007 - 10:01 AM

Yes, post the lsass.exe to see whether it is clean. As far as the other questions, I will revert tomorrow with documentation on it.


That sounds good.

I do have a question about posting lsass.exe, as I've never used a site like that before. Hope you don't mind the questions! :flowers:

I'll probably use the http://www.virustotal.com/en/indexf.html site, as it lets you use Firefox to send the file in the browser.

But are you actually sending the file from your computer to them? Or are you letting them scan the file on your computer?

What exactly happens when you do whichever of the above it is that happens?

Does the file lsass.exe contain any information about your system or anything, or does it look like anybody else's lsass.exe file? And by uploading the file to their system, are you sharing any information about you or your system (or anything) in any way?

I just want to make sure this is 100% safe, etc... Sorry to be paranoid, but better to ask the stupid questions first than to be sorry later! Thanks! :thumbsup:

#14 fozzie

Posted 07 May 2007 - 01:14 PM

You are not physically removing the file from your computer. They are scanning the file with the scanning machines so to say. No information on your system or any other personal data will be conveyed to them.

Better be safe than sorry my Granny always said.. :thumbsup: NP

#15 bloomcounty

Posted 10 May 2007 - 08:54 AM

As far as the other questions, I will revert tomorrow with documentation on it.


Never heard back from you... were you still going to post this? Thanks! :thumbsup:



