[karbo]

My ESET firewall just openned a window telling me that a remote computer is attempting to communicate with an application running on this computer. Do you wish to allow this communication?

Application: LSA Shell (Export Version)
Publisher: Microsoft Windows Component Publisher
Remote computer: reverse.4.53.48.65.static.ldmi.com (65.45.53.4)
Local port: 500 (isakmp)

Do I allow this action?

This, of course, relates to C:\WINDOWS\system32\lsass.exe

I remember the old connection with the sasser worm. So, that's why I want to be sure it's ok to let it through.

Thank you

[karbo]

It could be legitimate, since I've downloaded the latest critical IE7 update yesterday. When I openned my computer this morning, this window openned. Please, it's urgent, I have to leave for the weekend soon and I have to give an answer to my firewall before shutting eveything down.

Thanks

[~Candy~]

I think I'd choose deny.

[karbo]

Any reason?

If it's needed by Windows, will I risk having problems with my system or accessing the Internet?

[~Candy~]

When you restart windows....it's going to ask again. Or at least from my experience, if you don't permanently deny yet, it should ask again. What are your choices in advanced options?

http://ask-leo.com/what_is_lsa_shell...t_version.html

[karbo]

And if it asks again, then what? It will mean that's indeed needed and legit?

[~Candy~]

http://forums.techguy.org/malware-re...t-version.html

[karbo]

Thanks for the link but it doesn't really answer my question. Because mine is not asking to access the Internet. It wants to get into my system. If it's the worm, I'm screwed by letting it in I guess. But how to know if it's legit?

[~Candy~]

That is why I think you should block it, you might post a Hijack This log to THIS thread...and I would block it for now.

[karbo]

Ok, I've denied it.

[karbo]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:32, on 2008-12-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe
C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=144.229.36.41:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ActiveTracker for Outlook Express] C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Aide mémoire.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://fmusmail1.med.usherbrooke.ca/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5362 bytes

[karbo]

Another thing I forgot to mention is that my firewall is configured to block the sasser worm. So why didn't it say that it was indeed the sasser worm? Perhaps it wasn't.

There's a good chance that when I reboot my computer, I'll get the same warning again since I've denied access. I'll have to deny access permamently to get rid of that warning. But still, I don't know if Windows needs that process. And why would it have to communicate with the process?

[Kenny94]

It's a Windows update. This can be real confusing. So, I will post these links below:

http://forums.zonelabs.org/zonelabs/...ssage.id=16233


http://pralerts.zonelabs.com/pranaly...=details&CL=en

Your log is clean.

Ex: Now if you had LSA Shell Export-Version file name lsass.exe in your O23's List of Windows services. You have the virus.

[karbo]

As I mentionned before, it was incoming, so I couldn't have the virus without letting it in first. It didn't ask to reach the Internet.

But if you say it's safe, I'll let it in next time I'm prompted by ESET.

Thank you very much.

[~Candy~]

What anti-virus program are you running?