vdhieu84, posted October 25, 2005
Somehow, all my web browsers (Firefox, IE, Opera) stopped working. I used Norton Antivirus to check but found nothing. After using HijackThis, I found out that there is a process which is rooted at the file C:\WINDOWS\lsass.exe; this is an illegal process, since the correct lsass.exe should be under the \system32\ folder. However, there is no actual C:\WINDOWS\lsass.exe file. When using Task Manager, there are two lsass processes. I believe one of them is the legal one from Windows and the other one is the nasty one. But there is no way for me to stop the second one because Task Manager thinks that both of them are legitimate. What should I do?

jedipi, posted October 25, 2005
lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR and Nimos.worm. Those worms can be spread via floppy disk drives, mass-mailing and peer-to-peer sharing. You had better install Microsoft Security Bulletin MS04-011 if you haven't installed it yet. In addition, I recommend you use a firewall. Or you can just simply turn on the Internet Connection Firewall included in Windows XP.

vdhieu84, posted October 26, 2005
Yes, I do have a firewall, which is a part of Norton Antivirus, and the system is up-to-date for sure. What I currently do is use a piece of software called Process Explorer. By using this piece of software I can force kill the fake lsass.exe process and everything works fine. However, it cannot be a solution because every time I restart the system, the process is there again and I have to use Process Explorer again.

WeaponX, posted October 27, 2005
I'm not sure what the rules here are on HijackThis logs, but if you have a site that you can upload the log to, do that and post the link here. I can help you analyze the log and provide instructions to remove it. Please PM me once you have done that, since I don't keep track of the topics I post to.

vdhieu84, posted October 27, 2005
I did use HijackThis and the only "Possibly Nasty" process is that lsass.exe running from C:\WINDOWS\. But as I said before, no actual lsass.exe was found in the C:\WINDOWS\ directory or the entire system except the default place under C:\WINDOWS\system32.

thename1000, posted November 6, 2005
Yeah, I used to have this virus. It not only slowed down my internet connection speed, but intermittently shut down my computer also. I use Process Explorer too lol, and used it to determine what TCP/IP resources this process was using. I got rid of it the manual way, by finding out how via Google, and deleting the reg files it uses. Until you get it deleted, you can go to the TCP/IP tab of Process Explorer and turn off the connections it's using.

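The check the posts above rely on (an lsass.exe reported from C:\WINDOWS\ instead of \system32\, and the process coming back after every restart) can be run over a saved HijackThis log. This is an added example, not code from any poster; the log is a constructed sample, and the process list, the `ExampleApp` and `ExampleEntry` autostart entries and all function names are assumptions of the example.

```python
import ntpath
import re

# Core Windows processes expected only in <windir>\System32 (illustrative list).
SYSTEM32_ONLY = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample in HijackThis log layout; not a log from this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example App\example.exe"
O4 - HKLM\..\Run: [ExampleEntry] C:\WINDOWS\lsass.exe
"""

def is_masquerading(path, windir=r"C:\WINDOWS"):
    """True if the file name is a protected one but the folder is not System32."""
    folder, name = ntpath.split(path.strip().strip('"'))
    expected = ntpath.normcase(ntpath.join(windir, "system32"))
    return name.lower() in SYSTEM32_ONLY and ntpath.normcase(folder) != expected

def exe_of(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]   # quoted path: take up to closing quote
    return cmd.split(" ", 1)[0]           # unquoted: assumes no spaces in the path

def scan(log_text):
    """Return (suspect running processes, O4 autostart entries that launch one)."""
    procs, autoruns, in_procs = [], [], False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False              # a blank line ends the process list
        elif in_procs:
            if is_masquerading(line):
                procs.append(line)
        else:
            m = O4_RE.match(line)
            if m and is_masquerading(exe_of(m["cmd"])):
                autoruns.append((m["key"], m["name"], exe_of(m["cmd"])))
    return procs, autoruns

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The check uses only the image path the log reports, so it still flags the process when the file itself cannot be seen on disk, as vdhieu84 describes.
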
dhanesh1405241511, posted November 6, 2005
All I can tell you is that you NEED to patch that OS of yours. It's been 2 years now, and I know the virus still roams around the net. Even today if I try connecting without SP2 or with a non-patched version, I get d/c or the computer restarts. My suggestion is to go to https://www.microsoft.com/de-de and search for "Lsass Patch" and download the appropriate patch for your system. Regards, Dhanesh.