gareth5506
regular


Reg'd: Thu
Posts: 59
lsass.exe
      #440808 - Sun Oct 25 2009 01:18 PM

In the last couple of days, when I boot up my computer, I have been getting a message that says lsass.exe cannot be found. My AVG Free kicked in and told me this was a threat. Having not heard of the file before, I thought it was best to quarantine the file, instead of clicking 'Heal'. However, I am still getting this message when I boot up.

After doing some research, I discovered this could be a trojan and one website suggested that I should scan the lsass.exe file. Making sure AVG was up to date first, I scanned the file and it said the file wasn't infected.

There have been no changes to my computer's behaviour apart from the message that pops up during boot up.

How can I solve this please?

Thank you in advance,

Gareth


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #440854 - Mon Oct 26 2009 09:02 AM

please go HERE

At the top, click on BROWSE. AND BROWSE TO this file on your computer :-

C:\windows\system32\lsass.exe

click on it to highlight it and then click SUBMIT.

the file will be scanned by various virus scanners.

please wait until the results come up, then post the results back here.

--------------------
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

When the only tool you own is a hammer, every problem begins to look like a nail.


gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #440868 - Mon Oct 26 2009 12:15 PM

Thanks Bricat, but the website you told me to go to says it cannot be found. I tried to go to their homepage, but still get the same message!

Also, I read the dialogue box message I get on boot up before coming on here and it said the file missing was located at C:\WINDOWS\Config, not C:\windows\system32\lsass.exe like you said, although I do have the file lsass.exe located at C:\windows\system32.

I hope that all makes sense and that you or someone else can help me further.

Thank you,

Gareth


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #440885 - Mon Oct 26 2009 04:51 PM

Quote:

but the website you told me to go to says it cannot be found




does that mean the WEBSITE can't be found or the FILE can't be found ?

if it's the website that can't be found :-

Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


then try the site again

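What the "Restore MS Hosts File" step above resets, shown as an added example that is not part of the original thread: a short Python check that lists hosts-file entries other than the stock localhost mapping, since such entries are one reason a scanning site can appear unreachable. The sample file content and the example.test names are constructed; on Windows the file is normally at C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample: a hosts file with entries added on top of the stock
# localhost mapping. Not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       virusscan.jotti.org   # constructed entry
0.0.0.0         scanner.example.test
203.0.113.7     update.example.test www.update.example.test
not-an-ip       broken.example.test
"""

DEFAULT_NAMES = {"localhost"}  # names the stock file maps to loopback


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no host name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        yield line_no, ip, [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Return (line_no, name, ip, kind) for every non-stock mapping."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in DEFAULT_NAMES and ip.is_loopback:
                continue  # the normal localhost entry
            # Loopback or 0.0.0.0 makes the name unreachable; any other
            # address sends traffic for that name somewhere else.
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, name, str(ip),
                             "blocked" if blocked else "redirected"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a real file, pass its text to `audit_hosts()`; an empty result means only the stock mapping is present.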
gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #440928 - Tue Oct 27 2009 11:29 AM

It just said Requested URL "/en-GB" was not found on this server. Tried to go to http://virusscan.jotti.org but got the same message.

Thanks,

Gareth


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #440939 - Tue Oct 27 2009 02:49 PM

did you install HostsXpert and try again ?

gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #440989 - Wed Oct 28 2009 10:18 AM

No because I don't understand what you mean by "Note: If you were using a custom Hosts file you will need to replace any of those entries yourself."

Sorry but I'm new to all this and don't want to do something that will cause further problems.

Thanks,



Edited by bricat (Wed Oct 28 2009 01:59 PM)


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #440991 - Wed Oct 28 2009 10:38 AM

Quote:

"Note: If you were using a custom Hosts file you will need to replace any of those entries yourself."




If you don't know what a custom hosts file is then you obviously aren't using one, because you would have to install it yourself.
so it is ok to install HostsXpert.

gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #440998 - Wed Oct 28 2009 11:48 AM

Downloaded and installed the program, followed your easy step by step instructions, went back to the website and still got the same message saying the website cannot be found. I tried in both Opera and IE, but no luck!

I did find this website if it's any use http://ask-leo.com/what_are_lsass_lsasse...do_if_i_am.html

Although I'm only getting a dialogue box saying the file is missing. I'm not getting the countdown or being asked to shutdown.

Sorry for all the hassle.

Thanks,



Edited by bricat (Wed Oct 28 2009 02:00 PM)


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #441014 - Wed Oct 28 2009 02:05 PM

I doubt very much it is the sasser virus, that one isn't around anymore.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" in the HJT forum.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

P.S

can you please STOP putting your website at the bottom of your posts.
advertising is not allowed on the forum.

gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #441078 - Thu Oct 29 2009 11:17 AM

I have right-clicked AVG's system tray icon, but combofix still detects it. What am I doing wrong?

Please note that I am really uncomfortable doing all these new things, I just don't want anything to go wrong with my computer!

Thanks,

Gareth


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #441086 - Thu Oct 29 2009 11:52 AM

Quote:

Please note that I am really uncomfortable doing all these new things, I just don't want anything to go wrong with my computer!




If you don't feel confident following my instructions, which are step by step,
it might be better if you got a professional to have a look at it. It's up to you.

If you click on the LINK I put in my last post it will tell you how to disable AVG.
which version of AVG are you using ?

gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #441088 - Thu Oct 29 2009 12:06 PM

Sorry but I couldn't find instructions to disable AVG. I'm using AVG 8.5

bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 31982
Loc: belfast
Re: lsass.exe [Re: gareth5506]
      #441096 - Thu Oct 29 2009 02:08 PM

Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.

* Click on Open AVG Interface.
* Double click on Resident Shield
* Deselect the option to "Enable Resident Shield."
* Save changes, and exit the application.
* To re-enable AVG 8.5, please select "Enable Resident Shield" again.

gareth5506
regular


Reg'd: Thu
Posts: 59
Re: lsass.exe [Re: bricat]
      #441168 - Fri Oct 30 2009 01:01 PM

I have posted my Combofix log in the HJT forum as you requested. It is at: http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/441166/an/0/page/0#441166

Thanks for all your help.

Gareth


© Copyright IPC Media Limited 2009, All rights reserved