Well, looks like my problem is back. I cannot log on normally. I try to log in normally. It tells me my password is wrong and then says C:\WINDOWS\system32\lsass.exe with a status code of 1073741819 and says the system will be shut down that was initiated by the error message. I am unable to give you a screenshot since it only happens in the normal mode and I cannot log in. Google searches mention the Sasser virus. However, Comodo anti-virus will not pick it up in safe mode with networking (so I can get online), and neither will Symantec. :-\ The Symantec Sasser removal tool finds nothing. BitDefender online scanner finds nothing. >:( McAfee online scanner finds nothing either. A thread on testmy that I started shows it comes back to a Comodo issue. I hope someone will help with this. I am going to send this same message in a ticket.
Also, Ewido is a nice free tool for detecting malware. Try installing it in safe mode, be sure to update it, then do a Full Scan. The scan will take time, but Ewido has very good detection.
As you can see from this post, Ewido did not find anything. Forums - TestMy.net. I am trying to be calm about this. It is becoming a real issue with me.
This is what lsass is; read and see if yours might be a trojan. Description:
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.
Note: lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
Note: lsass.exe is registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.
Determining whether this process is a virus or a legitimate Windows process depends on the directory location it executes or runs from in WinTasks.
I do not know which option to believe. From my HijackThis log, what do you think I should do?
Logfile of HijackThis v1.99.1
Scan saved at 12:28:10 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I don’t really know much about HijackThis :-[ I have never really needed it, but I researched lsass.exe and it is an important Windows component, so you do not want to remove it from startup. Of course, a virus of some sort could have modified it or some other Windows component. As I said before, this is most likely not a CAVS issue, but more of an issue of some sort of virus. I didn’t notice anything out of the ordinary in your HijackThis log, but like I said, I don’t use HijackThis that much. I am truly sorry I could not be of more assistance.
LSASS is not a virus, at least not if it’s the original lsass.exe that Microsoft shipped. It is the Local Security Authority Subsystem Service and it is a vital component of Windows. The Sasser infection used a vulnerability in lsass.exe to compromise a machine, but it is not a virus or a trojan or a downloader. However, as the other poster pointed out, it is possible that you have another file with the same name, so I’d check whether your instance of lsass.exe is being invoked from the C:\WINDOWS\SYSTEM32 folder.
In your HJT log, it shows four “O10” items relating to CAVS, specifically the LSPs. LSPs are not necessarily bad. They are merely a means of extending the capabilities of the TCP/IP stack. In this case, the four LSP entries are how CAVS provides inbound and outbound email scanning. In a nutshell, they intercept emails, do a scan and return the email to the IP stack for forwarding. This is not to say that LSPs haven’t in the past been used for less than legitimate purposes (new.net for example); it just means that each instance of an LSP needs to be checked.
Your actual problem, not being able to log in, relates directly to lsass.exe, which is an integral part of the login process. I don’t believe this to be related to CAVS.
Have you tried replacing the lsass.exe on the problem PC with a copy from another known working PC, or doing a repair? Alternatively, you could run SFC.EXE (System File Checker), a Microsoft utility shipped with Windows to verify the critical Windows components. This might be a good starting point. As a side note, SFC can take ages to run.
As a first step, I’d try running SFC.EXE. At least this should confirm that your copy of lsass.exe is valid, or if it isn’t, you’ll be able to repair it.
Also, if you have your Windows XP disks, you can use the little-known command sfc /scannow. Just type that in Run and it will check all of the critical Windows files to make sure they are in their original state, and if they are not, it will repair them.
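
The check suggested earlier in the thread (is the running lsass.exe really the one in C:\WINDOWS\SYSTEM32?), written out as an added example that is not part of any poster's message. It goes slightly beyond the thread by also flagging near-miss file names. The process listing is constructed, the function names are hypothetical, and the system root is assumed to be C:\WINDOWS.

```python
import ntpath
from difflib import SequenceMatcher

GENUINE = "lsass.exe"

def classify(image_path, system_root=r"C:\WINDOWS"):
    """Verdict for one process image path, given as a Windows-style string."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    # normcase lower-cases and unifies slashes, so the comparison is exact.
    path = ntpath.normcase(ntpath.normpath(image_path))
    folder, name = ntpath.split(path)
    if name == GENUINE:
        return "expected" if folder == expected_dir else "wrong-folder"
    # Heuristic: names a character or two away from the real one, e.g.
    # "Isass.exe" with a capital i, are treated as imitations.
    if SequenceMatcher(None, name, GENUINE).ratio() >= 0.85:
        return "lookalike-name"
    return "unrelated"

def audit(processes, system_root=r"C:\WINDOWS"):
    """Return (pid, path, verdict) for every entry that needs a closer look."""
    findings = []
    for pid, path in processes:
        verdict = classify(path, system_root)
        if verdict in ("wrong-folder", "lookalike-name"):
            findings.append((pid, path, verdict))
    return findings

# Constructed sample listing (PID, image path); not taken from the thread.
SAMPLE = [
    (620, r"C:\WINDOWS\system32\smss.exe"),
    (680, r"C:\WINDOWS\system32\lsass.exe"),
    (1044, r"C:\WINDOWS\System32\svchost.exe"),
    (1412, r"C:\WINDOWS\lsass.exe"),
    (1980, r"C:\WINDOWS\system32\Isass.exe"),
]

if __name__ == "__main__":
    for pid, path, verdict in audit(SAMPLE):
        print(f"PID {pid}: {path} -> {verdict}")
```

An "expected" verdict only confirms the location and name; whether the file itself is intact is what SFC checks.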