Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

LSASS.exe and associated virus?!?!? 1

Status
Not open for further replies.
ADoozer

ADoozer

Programmer
Joined
Dec 15, 2002
Messages
3,487
Location
AU
can anybody tell me exactly what LSASS.exe is and if there are any known Virii associated with it.

Norton on my friends machine has lately (in the last week) started reporting that LSASS.exe is trying to access the internet and subsequently blocking it.

ive googled and come across some articles(below) but am unsure what to make of it!


any help appreciated

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383
 
Sort by date Sort by votes
and just to add! the AV is up to date!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383
 
Upvote 0 Downvote
laass.exe is not a virus and does not get infected with any (currently) known viruses. It will be detected as attempting to connect by any outward-monitoring firewall. Just be aware of what it is trying to connect to, tho it will most likely be Microsoft. Why a Local security policy needs to access remote servers, I'm not sure, but someone can probably answer that.
Just make sure you have the latest Windows Updates, and that your AV is updated and scans regularly.

 
Upvote 0 Downvote
Xemus: thnx! was just concerned because of one of the articles i read (Security Incidents: new IIS worm? (rcp lsass.exe))

below is the hijackthis log, it looks ok but if anyone sees anything suspect please let me know.

Logfile of HijackThis v1.97.3
Scan saved at 19:02:38, on 27/11/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\TrayIcon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\msmsgri32.exe
C:\WINNT\System32\svchost.exe
C:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
C:\WINNT\system32\ctfmon.exe
C:\Tbridge\Flatbed.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\norman1.NORMAN\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINNT\System32\TrayIcon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [lsass] c:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
thnx!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383
 
Upvote 0 Downvote
Theese look a bit strange to me:(never seen path's like this)

Possible : Backdoor.IRC.Aladinz.E

Goto:

C:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
O4 - HKLM\..\Run: [lsass] c:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
 
Upvote 0 Downvote
i believe "lsass.exe" has to due with licenceing and active directory schema.

Nick
 
Upvote 0 Downvote
nhidalgo !

It's a fake file .(the one in the fake directory)
Created by the trojan and hidden away
in that riddicolous path.

The real one
c:\windows\system32\lsass.exe (size 12kb)
and
C:\WINDOWS\system32\dllcache\lsass.exe (size 12kb)
Description: The Windows Local Security Authority Server Process Handles Windows Security
 
Upvote 0 Downvote
SYAR2003: spot on! hes deleted the reg entry and it no longer tries to connect to the net and mem usage is down!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383
 
Upvote 0 Downvote
Thanks glad i convinced you all .
Smelled fishy from the moment i saw that path.

Cheers
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

iambob
  • Locked
  • Question Question
Avast Anti-Virus is.. a virus?!
Replies
5
Views
860
Oorde
Oorde
andyv2011
  • Locked
  • Question Question
Looking at Virus Actions
Replies
0
Views
356
andyv2011
andyv2011
Tiffc0922
  • Locked
  • Question Question
Virus / Malware Scans on Local PCs
Replies
5
Views
637
goombawaho
goombawaho
kharrison70
  • Locked
  • Question Question
Meskisift Visaal Studie Virus?
Replies
6
Views
627
goombawaho
goombawaho
CCX008
  • Locked
  • Question Question
Barowwsoe2save , how can I remove this stubborn virus !!
Replies
10
Views
811
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top