
Solved: lsaass.exe crashes randomly every few hours.

Discussion in 'Windows XP' started by CaptainSiberia, Jan 23, 2011.

Thread Status:
Not open for further replies.
  1. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    Like the title says, lsaass.exe crashes randomly every few hours. I don't know what it could be. I don't think I can do anything to make it happen. It just happens by itself. I'm stumped on this one, so I'm asking for your help. I've got two crash reports for you.
     


  2. Saga Lout

    Saga Lout

    Joined:
    Sep 15, 2004
    Messages:
    3,791
    It seems this could be an imitation of a genuine Microsoft essential file, lsass.exe. Fake copies of that file are frequent malware attacks because the name can be disguised with an upper case I for India to imitate the lower case l for Lima, which is the proper letter.

    Go to http://www.trendmicro.com and download HijackThis, install as directed and click to Scan and Save a Log. Do nothing else at this stage other than post that log back here, and one of the advisers with Blue or Gold shields beside their name will advise what to do next.
     
  3. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    My log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:52:12 AM, on 1/23/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\GIGABYTE\EnergySaver2\des2svr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
    C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
    C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\WxEx\WxEx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM7\aim.exe
    C:\Program Files\BoldFinger.exe
    C:\Program Files\FlashMute\FlashMute.exe
    C:\Program Files\PeerBlock\peerblock.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe
    C:\Program Files\Java\jre6\bin\javaw.exe
    C:\Program Files\SoulseekNS\slsk.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Raymond.RAYBOX\Application Data\Mozilla\Firefox\Profiles\hpqyhlrr.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\DOCUME~1\RAYMON~1.RAY\LOCALS~1\Temp\mozOpenDownload\mbam-setup-1.50.1.1100.exe
    C:\DOCUME~1\RAYMON~1.RAY\LOCALS~1\Temp\is-KNTJ0.tmp\mbam-setup-1.50.1.1100.tmp

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
    R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {6EB5270F-6FBD-65C3-1D71-49E232AC2907} - C:\WINDOWS\system32\oneex.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [BCU] "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe"
    O4 - HKLM\..\Run: [RemoteControl10] "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [WxEx] C:\Program Files\WxEx\WxEx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" /Get1noarp
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
    O4 - HKCU\..\Run: [BoldFinger] C:\Program Files\BoldFinger.exe
    O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
    O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    O4 - HKCU\..\Run: [Actual Window Manager] "C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe"
    O8 - Extra context menu item: En&queue current page with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
    O8 - Extra context menu item: Enqueue link tar&get with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
    O8 - Extra context menu item: Open &link target with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
    O8 - Extra context menu item: Open current page with BI&D - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
    O8 - Extra context menu item: Open current page with BID Link Explorer - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1295069983590
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D66B55A8-724E-4945-B97E-9DBF6B710228}: NameServer = 68.87.64.150,68.87.75.198
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AppleChargerSrv - Unknown owner - C:\WINDOWS\system32\AppleChargerSrv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    O23 - Service: DES2 Service for Energy Saving. (DES2 Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver2\des2svr.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: MacDrive 8 service (MacDrive8Service) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
    O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    O23 - Service: Smart TimeLock Service (Smart TimeLock) - Gigabyte Technology CO., LTD. - C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
    O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

    --
    End of file - 9821 bytes
     
  4. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    Since I last posted, I uploaded the file lsaass.exe to Kaspersky for analysis. It was a trojan. So I deleted it and removed some references to it with Autoruns. Now I'll reboot, do a complete virus scan, and see if there's any trouble left.
     
  5. Macboatmaster

    Macboatmaster Trusted Advisor Spam Fighter

    Joined:
    Jan 14, 2010
    Messages:
    22,538
    I have NOT analysed your HijackThis log for infections.
    I am NOT authorised to do so.
    As Saga Lout mentioned, that must be done by an authorised person.

    In relation to more general matters:
    Is that Malwarebytes the free version? If so, it does not provide real-time protection.
    I realise Spybot Search & Destroy is installed, but, unless I am mistaken, I cannot see an anti-virus programme.
     
  6. Saga Lout

    Saga Lout

    Joined:
    Sep 15, 2004
    Messages:
    3,791

    As you say, Mac, we couldn't possibly comment :D but I can't help noticing traces of a former XP installation in there. Despite CaptainSiberia finding and removing a Trojan, I think there is work to be done on this one.
     
  7. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    Yes, there was a former XP installation. I got a new computer with a new motherboard, so I had to reinstall the operating system. It's running perfectly fine for me, unless you think I should do some extra things.

    The virus is gone. I got rid of it.
     
  8. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    I actually haven't relied on real-time protection as much for certain reasons. One, it slows things down. Two, it catches too many false positives. It deletes programs that I want, like the FFMpeg front-end. Three, I've had anti-virus software with real-time protection, and sometimes I just plain get viruses anyway. Four, when I get a virus, it tends to take scans to get rid of it, rather than real-time protection. Five, I know where viruses come from, so I make it a policy not to mess around with files that reek of virus.
     
  9. Macboatmaster

    Macboatmaster Trusted Advisor Spam Fighter

    Joined:
    Jan 14, 2010
    Messages:
    22,538
    CaptainSiberia
    It is your computer and your decision.
    But your system did not work too well on this occasion.
     
  10. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    I got rid of the virus, didn't I?
     
  11. Saga Lout

    Saga Lout

    Joined:
    Sep 15, 2004
    Messages:
    3,791

    I hope so, but every customer who comes through my door says their computer has a virus, yet, of all the systems I fix, I haven't seen a virus since I don't know when. I do deal with a lot of fake AVs and HDD tools, Trojans and Rootkits that go to the heart of the system, and the most dangerous are those which just quietly sit there and get on with robbing you of data without doing anything to make their presence felt.

    I genuinely hope you got everything out, but I think, despite your dislike of protection, you would benefit from paying to upgrade MBAM from the free version to a lifetime subscription for a very small cost. It isn't invasive or intrusive and it will keep nasty stuff at bay. Also, something I never thought I would hear myself saying - Microsoft has a valuable AV utility - it's called Microsoft Security Essentials and it too works quietly in the background.

    As Macboatmaster says, it's your choice.
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    The filename in question, lsaass.exe, is definitely not the same as the normal System file lsass.exe, so it would most likely have been a trojan.

    Simple deletion often does work for Trojan infections, but of course, not always. More in-depth scanning is advised but if you are happy, we are happy.

    The scan results you posted clearly show the filename as lsaass, so I do not think it is a typo that you made. And the normal lsass.exe file shows in your HJT log.

    If you wish the thread Closed, just let us know. You can also mark your own thread "Solved" if you think it's done.
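    Added example (not posted by anyone in this thread, and not a HijackThis feature): the lookalike check Saga Lout (post 2) and Byteman (post 12) describe, run over a constructed excerpt of a HijackThis "Running processes" section. It flags image names within one edit of a core system process name (an I for an l, or the extra "a" in lsaass) and system names loading from an unexpected directory; the known-process table and the sample log are assumptions made for the example.

```python
# Core XP system processes and the directory each normally loads from (general knowledge).
KNOWN_SYSTEM = {
    "smss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed excerpt in HijackThis format: the lsaass.exe and Temp\svchost.exe
# lines are made up to exercise both checks; the others mirror the thread's log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsaass.exe
C:\WINDOWS\Temp\svchost.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

def within_one_edit(a, b):
    """True if one substitution (I for l), insertion (lsaass) or deletion turns a into b."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    k = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(a))
    return a[k:] == b[k + 1:]

def parse_running_processes(log):
    """Return the image paths listed under 'Running processes:' in an HJT log."""
    block = log.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    return [line.strip() for line in block.strip().splitlines() if line.strip()]

def flag_lookalikes(paths):
    """Report near-miss spellings and system names loading from the wrong place."""
    findings = []
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        for legit, legit_dir in KNOWN_SYSTEM.items():
            if name == legit:
                if directory != legit_dir:
                    findings.append((path, f"{legit} outside {legit_dir}"))
            elif within_one_edit(name, legit):
                findings.append((path, f"lookalike of {legit}"))
    return findings
```

    Calling flag_lookalikes(parse_running_processes(SAMPLE_LOG)) reports the lsaass.exe line as a lookalike of lsass.exe and the Temp-directory svchost.exe as out of place, while the genuine lsass.exe and Explorer.EXE pass.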
     
  13. CaptainSiberia

    CaptainSiberia Thread Starter

    Joined:
    Nov 29, 2007
    Messages:
    77
    Yeah, the virus scanner tools can't find any trace of it anymore. Looks like we're clean.
     

Short URL to this thread: https://techguy.org/976385
