C:\Win\lsass.exe what is this?????

    Question

  • Hi, I have had strange problems with my keyboard for some time now. When I inputted my design tablet and used the input panel for typing, I got strange behavior patterns which I had never seen before.


    When I type something I get a lag and my words come out written backwards as I wrote them, so I tried to find the cause and found this little guy,


    which is mentioned in my post. First I got this error while I had the latency, and now all is alright. So my question is: is this thing a virus, a keylogger, or what is it? And it seems to be responsible for my seeing all my folders on memory sticks as exe files...
    Here are some screenshots...


    As you see,

    it is one hidden sucker. Is it a virus? Can I delete it? Will it be harmful if I delete it? The most concerning thing is that Panda AV Pro 2009 doesn't seem to mind it at all!
    Monday, June 22, 2009 8:23 PM


All replies

  • As this is from the web, I checked and it is pretty old.


    What is lsass.exe?


    A Microsoft Windows file stored in the c:\windows\system32 or c:\winnt\system32 directory that is short for Local Security Authority Subsystem Service and has the file description: "LSA shell". This file is responsible for how Microsoft Windows handles security and security related policies, authority domain authentication, and Active Directory management on your computer.



    This file has had security vulnerabilities in the past, as mentioned at: Microsoft Security Bulletin (MS04-11). Make sure your computer is up-to-date with all the latest Microsoft Windows updates.


    Finally, the files and processes: isass.exe or Isassa.exe (that is a capital 'i' and not an 'l'), lsassa.exe and lsasss.exe are infected files. If you see any of these files on your computer or listed in the Task Manager processes, your computer is infected with the Sasser worm. See below steps for additional information about cleaning the computer from this file.

    Hope this helps.

    Good Luck.



    P.S. This info from the web.
    • Edited by asdy Monday, June 22, 2009 8:48 PM
    Monday, June 22, 2009 8:30 PM
  • I managed to remove it; no crashes for now, no nothing. It seems this little sucker was responsible for all my crashes and my malfunctions. I wonder where I got it; I usually run pretty tight security on my laptop. It must have slipped in on some USB device. Man, who invented those things???


    The strange thing is Panda didn't find it until I manually showed it the file. Strange. Which AV should I use to prevent this in future?



    Thanks again for your help.
    Tuesday, June 23, 2009 10:13 AM
  • gokuchan -

    There's no AV product on the market that will catch everything 100% of the time. What might work well today might let something new slip by tomorrow. That, sadly, is the nature of the antivirus business. It's an eternal arms race between the virus writers who come up with more and more imaginative means to take over your system and the AV companies who have to play catch-up all the time, trying to figure out what the virus writers have come up with and finding the means to catch it, quarantine it and keep it from infecting your system. There will always be a bit of a lag between what the black hats come up with and what the white hats do to combat it.

    • Marked as answer by axfelix Tuesday, June 23, 2009 5:28 PM
    Tuesday, June 23, 2009 10:32 AM
  • derosnec,

    Good catch - I imagine that was an isass.exe masquerading as lsass.exe.

    1.exe is very likely a virus as well, as searching any major engine for the filename will attest.
    -Alex
    Tuesday, June 23, 2009 5:30 PM

  • Well, Wolfie, while we're on this topic, and since I've already posted one paranoid remark today that's bound to get deleted, I think I'll submit yet a second.  Ever hear the phrase follow the money?

    Back on topic.  Regarding gokuchan's images, it is interesting to note that lsass.exe (isass.exe?) is a 539k app with a folder icon.   I'm looking at Vista right now, where it is a 10K app.  I don't expect Win7 is much different.  Also notice that file's date, 1.1.2002.  That's not a virus.  It's a big old elephant, that's what it is.



    btw   I wonder what 1.exe is?


    egads -

    Of course I've heard of that phrase.

    The BBC recently did exactly that - they did a story where they bought a small botnet. It seems they paid top Euro (Pound?) for it. They were able to spam one email address and launched a DDoS attack against one site - which they arranged ahead of time to hit. After the story was done, they were actually nice enough to leave a note on the affected computers telling the owners that they were "pwned" and should clean up their infection.

    The bottom line - there's BIG money in creating and selling botnets and the trojans and viruses that make them happen.

    You're right - Vista's LSASS.EXE is 10 KB, Win 7's is 22 KB and XP SP2's is 13 KB. Somehow, I seriously doubt 539 KB is anything BUT a virus, trojan or some other form of malware.

    1.EXE - as Alex suggested - is likely another component of the trojan's package, which the main module was trying to download or create when the thing blew chunks (as seen in the 1st picture). The 3rd file in the C:\Win folder (names.txt) is likely a list of some sort - probably email addresses that the bugger was supposed to send spam to.

    Also note the folder - C:\Win... Way back in the day (3.11 days), I used to install Windows into that folder - to save space in the PATH statement. But since Win 95, I don't believe you can do a custom install into a folder like that - though I could be wrong. I know for sure that you can't do that kind of thing any longer in XP, Vista or 7. That's an obvious red flag that something funny's going on.
    Wednesday, June 24, 2009 5:17 AM
  • egads -

    Of course there is. And I'll even cop to having taken some of those big bucks cleaning up and repairing computers that got infected.

    As far as that file is concerned... I have no idea. No doubt the fake EXE would have tried to run, probably would have crashed again while trying to do whatever it was programmed to do - maybe downloading other modules... I honestly don't really care what it's about.

    Whatever it is, it was most likely geared toward XP pwnage and may not be compatible with Vista or later. Vista wasn't so much as a speck on the horizon back in 2002...

    Wednesday, June 24, 2009 9:14 AM
  • Sorry guys to end your guessing game, but I found the cause: that was a worm, a keylogger. It grew so much that it had 0,5 MB because it was logging my keyboard, but because it was unable to send the data it just grew, and eventually the code got messed up and I was able to notice it...


    As for the date, my partition is not older than 2 months, not to mention this laptop is brand new, so it was just making up the creation date... and the exe files were stored passwords which it picked up... and they were empty; I opened them with a hex editor, Notepad++.
    Wednesday, June 24, 2009 12:30 PM
  • gokuchan -

    No worries...

    The file's date could have been the date the fake file was created. Old viruses and such don't always just go away. Sometimes they stay in circulation for a good long time. Or they can stay dormant on a USB stick or CD or DVD. It happens.

    Glad you got rid of the bugger though.
    Wednesday, June 24, 2009 12:34 PM
  • For Windows XP users:

    You can simply delete the folder C://Win in WinRAR (can be found free on the internet) and then empty the recycle bin.

    Keep your folders on the memory stick in an archive and the worm will have no chance to make an application with the same name...

    Kaspersky Anti-Virus will find that worm but it will ask you to delete it. Remember: the original lsass.exe is placed in C://Windows/System32/
    In every other case it is a virus. If Kaspersky asks you to delete C://Win/lsass.exe , DELETE IT!

    I hope that this will help you to solve the problem...

    I did it this way and my keyboard works perfectly again, and there are no applications on my memory stick... And the computer still works normally...

    You can protect your USB memory with the USB Write Protect application, but you will not be able to write to it until you unlock it! You can use it just to transfer data from your (clean) computer to another one... If you unlock the USB on that computer, the virus will have a chance to get onto the USB...

    Have a nice day folx....
    Saturday, June 27, 2009 11:04 PM
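
The two checks this thread relies on (the genuine lsass.exe lives only under System32, and names such as isass.exe, lsassa.exe and lsasss.exe are impostors), written as an added Python example that is not from any poster. The homoglyph table, the edit-distance threshold and the sample paths are constructed assumptions.

```python
import ntpath

# Directories the thread gives for the genuine file (assumes a default system root).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
TARGET = "lsass.exe"
# Characters commonly swapped for a lowercase 'l' (assumption for this example).
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l"})

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return 'legit', 'wrong-location', 'lookalike' or 'unrelated' for a Windows path."""
    norm = ntpath.normpath(path.replace("/", "\\")).lower()
    folder, name = ntpath.split(norm)
    if name == TARGET:
        # Right name: only trustworthy when it sits in a System32 directory.
        return "legit" if folder in LEGIT_DIRS else "wrong-location"
    # Fold 'I'/'1' to 'l', then allow one extra, missing or changed character.
    # A threshold of 1 keeps csrss.exe and smss.exe (distance 2) out of the results.
    folded = name.translate(HOMOGLYPHS)
    if name.endswith(".exe") and edit_distance(folded, TARGET) <= 1:
        return "lookalike"
    return "unrelated"

def triage(paths):
    """Map each suspicious path to the reason it was flagged."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v in ("wrong-location", "lookalike")}

# Constructed sample listing, modelled on the files named in the thread.
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\csrss.exe",
    r"C:\Win\lsass.exe",
    r"C:\Win\1.exe",
    r"C:\Win\names.txt",
    r"C:\Windows\System32\Isass.exe",
    r"C:\Windows\lsassa.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS).items():
        print(f"{reason:15} {path}")
```

A name or location match is only a triage signal; the 539 KB size and folder icon noted in the thread would be further things to compare against a known-good copy.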