Major help needed.

This is posted in another thread here.

Well, looks like my problem is back. I cannot log on normally. I try to log in normally. It tells me my password is wrong and then says C:\WINDOWS\system32\lsass.exe with a status code of 1073741819 and says the system will be shut down, initiated by the error message. I am unable to give you a screenshot since it only happens in normal mode and I cannot log in. Google searches mention the Sasser virus. However, Comodo anti-virus will not pick it up in safe mode with networking (so I can get online) and neither will Symantec. :-\ The Symantec Sasser removal tool finds nothing. BitDefender online scanner finds nothing. >:( McAfee online scanner finds nothing either. A thread on testmy that I started shows it comes back to a Comodo issue. I hope someone will help with this. I am going to send this same message in a ticket.

The thread at testmy is Forums - TestMy.net

Hello,

Try running Trend Micro housecall.

Also, you can try running Panda ActiveScan: Panda Security | Official Website

See if they come up with anything, and send the infected file(s) to malwaresubmit@comodo.com so they can be added to the CAVS detection.

Hi,

Also, Ewido is a nice free tool for detecting malware. Try to install it in safe mode, be sure to update it, then do a Full Scan. The scan will take time, but Ewido has very good detection.

As you can see from this post, Ewido did not find anything: Forums - TestMy.net. I am trying to be calm about this. It is becoming a real issue with me.

This is what lsass is; read it and see if yours might be a trojan. Description:
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.

Note: lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Note: lsass.exe is registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.

Determining whether this process is a virus or a legitimate Windows process depends on the directory location it executes or runs from in WinTasks.

I do not know which option to believe. From my HijackThis log, what do you think I should do?

Logfile of HijackThis v1.99.1
Scan saved at 12:28:10 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Just Me\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.DirecWaysupport.com;192.168.0.*
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DiABLO - {487CA274-DDC9-45CA-BF51-2017CE8D6D8A} - C:\Program Files\Comodo\i-Vault\i-Vault.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &FirstStop WebSearch - {E26FDEC1-053B-11D6-B969-CEEBA9E95046} - C:\PROGRA~1\BRUSHG~1\FSWEBS~1\ieband3.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] "C:\Program Files\Comodo\LaunchPad\CLPTray.exe"
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" " /login"
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKCU\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /A "C:\WINDOWS\system32\E_SD.tmp"
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1984197.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/DESK/VADpws-a3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - (no file)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Hi,

I don't really know much about HijackThis :-[ never have really needed it, but I researched lsass.exe and it is an important Windows component, so you do not want to remove it from startup. Of course a virus of some sort could have modified it or some other Windows component. As I said before, this is most likely not a CAVS issue, but more of an issue of some sort of virus. I didn't notice anything out of the ordinary in your HijackThis log, but like I said I don't use HijackThis that much. I am truly sorry I could not be of more assistance.

G’day,

LSASS is not a virus, at least not if it's the original lsass.exe that Microsoft shipped. It is the Local Security Authority Subsystem Service and it is a vital component of Windows. The Sasser infection used a vulnerability in lsass.exe to compromise a machine, but it is not a virus or a trojan or a downloader. However, as the other poster pointed out, it is possible that you have another file with the same name, so I'd check whether your instance of lsass.exe is being invoked from the C:\WINDOWS\SYSTEM32 folder.

In your HJT log, it shows four "O10" items relating to CAVS, specifically the LSPs. LSPs are not necessarily bad. They are merely a means of extending the capabilities of the TCP/IP stack. In this case, the four LSP entries are how CAVS provides inbound and outbound email scanning. In a nutshell, they intercept emails, do a scan and return the email to the IP stack for forwarding. This is not to say that LSPs haven't in the past been used for less than legitimate purposes (new.net for example), it just means that each instance of an LSP needs to be checked.

Your actual problem, not being able to log in, relates directly to lsass.exe, which is an integral part of the login process. I don't believe this to be related to CAVS.

Have you tried replacing the lsass.exe on the problem PC with a copy from another known working PC, or doing a repair? Alternatively, you could run SFC.EXE (System File Checker), a Microsoft utility shipped with Windows to verify the critical Windows components. This might be a good starting point. As a side note, SFC can take ages to run.

As a first step, I'd try running SFC.EXE. At least this should confirm that your copy of lsass.exe is valid, or, if it isn't, you'll be able to repair it.

Hope this helps,
Ewen :)
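As an added example (not code from this thread, from HijackThis or from Comodo), here is a small Python triage script that applies the two checks discussed above to HijackThis-format lines: whether every image called lsass.exe in the "Running processes" block is the genuine one in the system32 directory and not a lookalike such as Isass.exe, whether anything lsass-like is launched from a Run key (the real lsass.exe is started by winlogon and never appears there), and how many distinct Winsock LSP DLLs the repeated O10 lines actually represent. It also converts a status code of the kind quoted in the first post into hex. The sample log lines are constructed to mirror the posted log, with lookalikes planted to exercise the checks; the single-drive C:\WINDOWS layout and the reading of 1073741819 as -1073741819 with its sign dropped are assumptions, not facts from the thread.

```python
"""Triage a HijackThis-format log for lsass.exe lookalikes and Winsock LSP entries.
Added example; not code from the thread, from HijackThis or from Comodo."""
import re
from collections import Counter

# Assumption: Windows XP installed to C:\WINDOWS. The real lsass.exe lives only
# in the system32 directory and is started by winlogon, never from a Run key.
GENUINE_LSASS_DIRS = {r"c:\windows\system32"}
# NTSTATUS codes a process-crash dialog commonly shows (fixed Windows constants).
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION",
                  0xC00000FD: "STATUS_STACK_OVERFLOW"}

# Constructed sample modelled on the posted log. The lsass lookalikes and the
# HKCU Run entry are planted to exercise the checks; they are not from the poster.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\Isass.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [lsass] C:\Documents and Settings\Just Me\lsass.exe /s
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
"""

def running_processes(log):
    """Paths listed under 'Running processes:', up to the first blank line."""
    paths, active = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            active = True
        elif active:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths

def executable_of(command):
    """Image path of an autostart command: the quoted path, else text up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]

def autostart_images(log):
    """(registry hive, image path) for every O4 autostart entry."""
    hits = (re.match(r"O4 - (.+?): \[[^\]]*\] (.+)$", ln) for ln in log.splitlines())
    return [(m.group(1), executable_of(m.group(2))) for m in hits if m]

def looks_like_lsass(name):
    """True for lsass.exe and for homoglyph variants such as Isass.exe or 1sass.exe."""
    folded = name.lower().replace("i", "l").replace("1", "l").replace("|", "l")
    return folded == "lsass.exe"

def lsass_suspects(log):
    """Every lsass-like image that is not the genuine one, as (path, reason)."""
    findings = []
    for path in running_processes(log):
        directory, _, name = path.rpartition("\\")
        if not looks_like_lsass(name):
            continue
        if name.lower() != "lsass.exe":
            findings.append((path, "lookalike name, not lsass.exe"))
        elif directory.lower() not in GENUINE_LSASS_DIRS:
            findings.append((path, "lsass.exe outside the system directory"))
    for hive, image in autostart_images(log):
        if looks_like_lsass(image.rpartition("\\")[2]):
            findings.append((image, "lsass-like image started from " + hive))
    return findings

def lsp_entries(log):
    """Distinct Winsock LSP DLLs and how many O10 lines each accounts for."""
    hits = (re.match(r"O10 - .*?: (.+)$", ln) for ln in log.splitlines())
    return dict(Counter(m.group(1).strip().lower() for m in hits if m))

def decode_status(code):
    """Hex form and name of an NTSTATUS that a crash dialog printed as a signed decimal.
    Assumption about the post: its 1073741819 is -1073741819 with the sign dropped,
    i.e. 0xC0000005, an access violation inside lsass.exe rather than a bad password."""
    value = int(code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS_NAMES.get(value, "unknown NTSTATUS")

if __name__ == "__main__":
    for path, why in lsass_suspects(SAMPLE_LOG):
        print(f"SUSPECT  {path}  ({why})")
    for dll, n in lsp_entries(SAMPLE_LOG).items():
        print(f"LSP      {dll}  registered {n} times")
    print("STATUS  ", *decode_status(-1073741819))
```

On the posted log itself the script reports no lsass suspects (the only lsass.exe runs from C:\WINDOWS\system32 and nothing lsass-like sits in a Run key) and collapses the four O10 lines to one DLL, cavemlsp.dll, registered four times, which matches the explanation above that the repetition is CAVS's mail-scanning LSP rather than four separate hooks. The status-code helper is there so the number in the crash dialog can be read as an NTSTATUS rather than as an authentication result.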

Hi,

Also, if you have your Windows XP disks, you can use the little-known command sfc /scannow. Just type that in Run and it will check all of the critical Windows files to make sure they are in their original state, and if they are not, it will repair them.

You can try a bit of "self help" by posting your HijackThis log into the box at this link

http://www.hijackthis.de/

and click “analyze”