Lsass Virus?

[vdhieu84 0]

Somehow, all my web browsers (Firefox, IE, Opera) stopped working. I used Norton Antivirus to check but found nothing. After using hijackthis, I found out that there is a process which rooted at file C:\WINDOWS\lsass.exe , this is an illegal process since the correct lsass.exe should be under \system32\ folder. However, there is no actual C:\WINDOWS\lsass.exe file. When using task manager, there is two lsass processes. I believed one of them is a legal one from Windows and the other one is the nasty one. But there is no way for me to stop the second one because task manager thinks that both of them are legitimate. What should I do?

[jedipi 0]

lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR and Nimos.wormThose worm can be spreaded via floppy disk drives, mass-mailing and peer-to-peer sharing. You better install Microsoft Security Bulletin MS04-011 if you have installed it yet.Inaddition, I recommend you use a firewall. Or you can just simplely turneon the Internet Connection Firewall included in Windows XP.

[vdhieu84 0]

Yes, I do have firewall which is a part of Norton Antivirus and the system is up-to-date for sure. What I did currently is using a software called Process Explorer. By using this piece of software I can force kill the fake lsass.exe process and everything work fine. However, it cannot be a solution because everytime I restart the system, the process is there again and I have to use Process Explorer again.

 

lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR and Nimos.worm

Those worm can be spreaded via floppy disk drives, mass-mailing and peer-to-peer sharing. 

 

You better install Microsoft Security Bulletin MS04-011 if you have installed it yet.

Inaddition, I recommend you use a firewall. Or you can just simplely turne

on the Internet Connection Firewall included in Windows XP.

1064327433[/snapback]

[WeaponX 0]

I'm not sure what the rules here on HijackThis logs, but if you have a site that you can upload the log to, do that and post the link here. I can help you analyze the log and provide instructions to remove it. Please PM me once you did that since I don't keep track of the topics I post to.

[vdhieu84 0]

I'm not sure what the rules here on HijackThis logs, but if you have a site that you can upload the log to, do that and post the link here.  I can help you analyze the log and provide instructions to remove it.  Please PM me once you did that since I don't keep track of the topics I post to.

1064327617[/snapback]

I did use HijackThis and the only "Possibly Nasty" process is that lsass.exe running from C:\WINDOWS\ . But as I said before, no actual lsass.exe was found on C:\WINDOWS\ directory or the entire system except the default place under C:\WINDOWS\system32 .

[thename1000 0]

Yeah I used to have this virus. It not only slowed down my internet connction speed, but intermitenly shut down my computer also. I use process explorer too lol, and used it to determine what tcp/ip resources this process was using. I got rid of it the manual way, by finding how by google, and deleting the reg files it uses. Until you get it deleted, you can go to the tcp/ip tab of process explorer, and turn off the connections its using

[dhanesh1405241511 0]

All i can tell you is that you NEED to patch that OS of yours. Its been 2 years now, and i know the virus still roams around the net. Even today if i try connecting without a SP2 or a non-patched version, I get d/c or the computer restarts.

 

My suggestion is to go to https://www.microsoft.com/de-de and search for "Lsass Patch" and download the appropriate patch for your system.

 

Regards

Dhanesh.