xisto Community
vdhieu84

Lsass Virus?


Somehow, all my web browsers (Firefox, IE, Opera) stopped working. I used Norton Antivirus to check but found nothing. After using HijackThis, I found out that there is a process rooted at the file C:\WINDOWS\lsass.exe. This is an illegal process, since the correct lsass.exe should be under the \system32\ folder. However, there is no actual C:\WINDOWS\lsass.exe file. In Task Manager, there are two lsass processes. I believe one of them is the legal one from Windows and the other one is the nasty one. But there is no way for me to stop the second one because Task Manager thinks that both of them are legitimate. What should I do?


lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR and Nimos.worm. Those worms can be spread via floppy disk drives, mass-mailing and peer-to-peer sharing. You'd better install Microsoft Security Bulletin MS04-011 if you have installed it yet. In addition, I recommend you use a firewall. Or you can simply turn on the Internet Connection Firewall included in Windows XP.


Yes, I do have a firewall, which is part of Norton Antivirus, and the system is up to date for sure. What I am currently doing is using a piece of software called Process Explorer. With it I can force-kill the fake lsass.exe process and everything works fine. However, it cannot be a solution, because every time I restart the system the process is there again and I have to use Process Explorer again.

 


I'm not sure what the rules are here on HijackThis logs, but if you have a site that you can upload the log to, do that and post the link here. I can help you analyze the log and provide instructions to remove it. Please PM me once you have done that, since I don't keep track of the topics I post to.



I did use HijackThis, and the only "Possibly Nasty" process is that lsass.exe running from C:\WINDOWS\. But as I said before, no actual lsass.exe was found in the C:\WINDOWS\ directory or on the entire system, except in the default place under C:\WINDOWS\system32.
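
Added example, not part of the original thread: the check described in the first post, applied to a HijackThis log in Python. It flags core process names running outside system32 and lists the log's autostart lines that point at them, one place to look when a killed process comes back after each restart. The sample log, the `ExampleValue` entry name and the function names are constructed for illustration, and `system_root` assumes Windows is installed in C:\WINDOWS as in the thread.

```python
import ntpath
import re

# Core Windows process names that should only ever run from <SystemRoot>\system32.
CORE_NAMES = {"lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}

def running_processes(log_text):
    """Yield the image paths listed under 'Running processes:' in a HijackThis log."""
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:          # a blank line ends the section
                return
            yield line

def misplaced_core_processes(log_text, system_root=r"C:\WINDOWS"):
    """Return paths that reuse a core process name outside system32."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    return [p for p in running_processes(log_text)
            if ntpath.basename(p).lower() in CORE_NAMES
            and ntpath.normcase(ntpath.dirname(p)) != expected]

def autostart_entries(log_text, paths):
    """Return O-section lines (Run keys, services, ...) that point at a flagged path."""
    wanted = [p.lower() for p in paths]
    return [l.strip() for l in log_text.splitlines()
            if re.match(r"O\d+ - ", l.strip())
            and any(w in l.lower() for w in wanted)]

# Constructed sample log, not taken from the thread; the O4 value name is made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [ExampleValue] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    flagged = misplaced_core_processes(SAMPLE_LOG)
    print("Misplaced:", flagged, "Autostart:", autostart_entries(SAMPLE_LOG, flagged))
```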


Yeah, I used to have this virus. It not only slowed down my internet connection speed, but intermittently shut down my computer also. I use Process Explorer too lol, and used it to determine what TCP/IP resources this process was using. I got rid of it the manual way, by finding out how via Google, and deleting the reg files it uses. Until you get it deleted, you can go to the TCP/IP tab of Process Explorer and turn off the connections it's using ;)


All I can tell you is that you NEED to patch that OS of yours. It's been 2 years now, and I know the virus still roams around the net. Even today, if I try connecting without SP2 or with a non-patched version, I get d/c or the computer restarts.

 

My suggestion is to go to https://www.microsoft.com/de-de and search for "Lsass Patch" and download the appropriate patch for your system.

 

Regards

Dhanesh.
