lsass.exe, ftp.exe & tftp.exe firewall problems

  BBez 15:50 22 Nov 04

hi, using sygate pfp and am constantly getting a warning about lsass.exe being contacted from a remote machine:

File Version : 5.1.2600.1106
File Description : LSA Shell (Export Version) (lsass.exe)
File Path : C:\WINDOWS\system32\lsass.exe
Process ID : 0x25C (Heximal) 604 (Decimal)

Connection origin : remote initiated
Protocol : TCP
Local Address :
Local Port : 44445
Remote Name :
Remote Address :
Remote Port : 2037

Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: 00-00-03-00-00-00
Source: 03-00-20-00-03-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 127
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xf6f2 (Correct)
Transmission Control Protocol (TCP)
Source port: 2037
Destination port: 44445
Sequence number: 2619568917
Acknowledgment number: 0
Header length: 28
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xd5e1 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 00 03 00 00 00 03 00 : 20 00 03 00 08 00 45 00 | ........ .....E.
0010: 00 30 2C 4B 40 00 7F 06 : F2 F6 51 81 1A 5E 51 81 | .0,K@.....Q..^Q.
0020: 1F 26 07 F5 AD 9D 9C 23 : 73 15 00 00 00 00 70 02 | .&.....#s.....p.
0030: FF FF E1 D5 00 00 02 04 : 05 AC 01 01 04 02 | ..............

also keep getting click here attempting to connect to a remote address and likewise with tclick here

ran a virus scan with avast free edition which found a virus and successfully deleted the files, but the firewall is still having these problems. tried deleting the click here but windows xp sp1 recreates it, so I assume it's a system file...

is there anywhere I can get any info on why this is happening? I run an ftp server on port 11000 to prevent /pub scans but am still having the aforementioned problems...

any help, tia...
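The alert above gives Sygate's decoded view of the frame alongside a raw hex dump. The script below, added here as an example and not part of the original thread, re-decodes that dump from the bytes: it walks the Ethernet II, IPv4 and TCP headers, verifies both checksums against the values stored in the packet, and lists the TCP options, so each field can be checked against what the firewall printed. Its only input is the dump copied from the post; the function and field names are my own.

```python
"""Decode the frame from the Sygate alert and verify its checksums (added example)."""
import struct
from typing import Dict

# Constructed input: the "Binary dump of the packet" lines copied from the alert above.
SYGATE_DUMP = """\
0000: 00 00 03 00 00 00 03 00 : 20 00 03 00 08 00 45 00 | ........ .....E.
0010: 00 30 2C 4B 40 00 7F 06 : F2 F6 51 81 1A 5E 51 81 | .0,K@.....Q..^Q.
0020: 1F 26 07 F5 AD 9D 9C 23 : 73 15 00 00 00 00 70 02 | .&.....#s.....p.
0030: FF FF E1 D5 00 00 02 04 : 05 AC 01 01 04 02 | ..............
"""

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def hexdump_to_bytes(dump: str) -> bytes:
    """Keep only the hex column: drop the offset prefix, the ':' group
    separator in the middle of each row and the ASCII rendering after '|'."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("|", 1)[0].split(":", 1)[1]
        out.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(out)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a header that already
    carries a correct checksum field, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_tcp_options(raw: bytes) -> Dict[str, object]:
    """Decode the option list that follows the fixed 20-byte TCP header."""
    opts: Dict[str, object] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation padding: one byte, no length field
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:            # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:          # SACK permitted
            opts["sack_permitted"] = True
        else:
            opts["kind_%d" % kind] = body.hex()
        i += length
    return opts


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Walk Ethernet II -> IPv4 -> TCP and verify both checksums."""
    eth_dst, eth_src = frame[0:6], frame[6:12]
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)

    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len, = struct.unpack("!H", ip[2:4])
    flags_frag, = struct.unpack("!H", ip[6:8])
    ttl, proto = ip[8], ip[9]
    src, dst = ip[12:16], ip[16:20]
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)

    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[0:12])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    flag_bits = tcp[13]
    window, tcp_cksum = struct.unpack("!HH", tcp[14:18])
    # The TCP checksum also covers a pseudo-header taken from the IP layer.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))

    return {
        "eth_src": eth_src.hex("-"),
        "eth_dst": eth_dst.hex("-"),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window,
        "tcp_checksum": tcp_cksum,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
    }


def decode_sygate_alert(dump: str = SYGATE_DUMP) -> Dict[str, object]:
    """Convenience wrapper: dump text in, decoded fields out."""
    return decode_frame(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for key, value in decode_sygate_alert().items():
        print("%-16s %s" % (key, value))
```

Running it reproduces the firewall's decode: a bare SYN with no payload from port 2037 to port 44445, TTL 127, Don't Fragment set, an MSS of 1452 and SACK permitted. Both checksums verify; the values stored in the packet are 0xF2F6 (IP) and 0xE1D5 (TCP) in network byte order, which the alert prints with the two bytes swapped (0xf6f2 and 0xd5e1). The Remote Address fields the alert left blank are also recoverable from the dump, since the IP header carries both addresses.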

  rawprawn 17:20 22 Nov 04

Your last link is not working, but turn System Restore off before scanning with Avast and then let it delete. Don't forget to turn System Restore back on afterwards. If that doesn't clear it, try in safe mode (tap F8 when booting, then scan again). Also there is an option in Avast to delete when booting; make sure that is ticked.

  rawprawn 17:21 22 Nov 04

Actually none of your links are working. (For me anyway)

  Dorsai 17:39 22 Nov 04

I don't think they are intended to be links. I think it is a case that the text looks like a link, and gets converted into a 'click here'.

"also keep getting ftp: // click here attempting to connect to a remote address and likewise..."

But may be wrong

  Dorsai 17:41 22 Nov 04

Try and post 'ftp . exe' to this site, without the I did, and you get a 'click here'. 'ftp: \\ ftp . exe'

  rawprawn 17:42 22 Nov 04

I see what you mean. Have you any other ideas?

  Dorsai 17:50 22 Nov 04

Only that there is lsass.exe (first letter between K and M), part of Windows, and Isass.exe (first letter between H and J), a virus. As the Windows one is with a lower case l, and the virus a capital I, they look very similar in the standard Windows font. Deliberately done by the virus writer, to confuse the user into not being able to tell them apart.

the virus click here

the windows part, click here

But this may not be the cause; it is all I can think of.
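Dorsai's point is that a file name spelled with a capital I where the real binary has a lowercase l is very hard to tell apart on screen. A check that catches this, added here as an example and not part of the thread, folds look-alike characters before comparing a process's image path against a short list of Windows system binaries and the directory each should run from. The binary list, the confusable map and the sample paths are my own assumptions; the system32 directory is the one printed in the firewall alert above.

```python
"""Flag process image paths whose name imitates a Windows system binary (added example)."""
import ntpath
from typing import Dict, List, Tuple

# Assumed list of system binaries and the directory each should run from; the
# directory spelling follows the "File Path" line in the firewall alert.
KNOWN_SYSTEM_BINARIES: Dict[str, str] = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Characters that render almost identically in the default Windows UI font
# (assumed map: capital I, digit one and the pipe for l; zero for o).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def normalize_name(name: str) -> str:
    """Fold look-alike characters onto the letter they imitate, then lower-case."""
    return name.translate(CONFUSABLES).lower()


def classify_process(image_path: str) -> str:
    """Return 'legitimate', 'wrong-location', 'lookalike-name' or 'unknown'."""
    directory, name = ntpath.split(image_path)
    directory = directory.lower().rstrip("\\")
    lowered = name.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        # Exact name: genuine only if it runs from the expected directory.
        if directory == KNOWN_SYSTEM_BINARIES[lowered]:
            return "legitimate"
        return "wrong-location"
    if normalize_name(name) in KNOWN_SYSTEM_BINARIES:
        # Differs from a system binary's name only by confusable characters.
        return "lookalike-name"
    return "unknown"


def suspicious_processes(image_paths: List[str]) -> List[Tuple[str, str]]:
    """Keep only the entries worth a second look, paired with the reason."""
    flagged: List[Tuple[str, str]] = []
    for path in image_paths:
        verdict = classify_process(path)
        if verdict in ("wrong-location", "lookalike-name"):
            flagged.append((path, verdict))
    return flagged


# Constructed sample: the kind of image paths a process listing might contain.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lsass.exe",     # genuine, as in the alert
    r"C:\WINDOWS\system32\Isass.exe",     # capital I in place of lowercase l
    r"C:\WINDOWS\lsass.exe",              # right name, wrong directory
    r"C:\WINDOWS\system32\svch0st.exe",   # zero in place of the letter o
    r"C:\WINDOWS\system32\notepad.exe",   # not in the list, left alone
]

if __name__ == "__main__":
    for path, reason in suspicious_processes(SAMPLE_PATHS):
        print("%-16s %s" % (reason, path))
```

The exact-name check runs first so that a genuine binary written in capitals (LSASS.EXE) is not mangled by the confusable map; only names that fail the exact match are normalised. Real input would be the "File Path" line from the firewall alert or a list of full executable paths from the machine (on XP, `wmic process get ExecutablePath` prints them).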

  rawprawn 18:47 22 Nov 04

I wonder if this might help: click here. Download and run the trial of Spy Sweeper; it has cured the odd sticky problem for me in the past.

  BBez 19:54 22 Nov 04

Thanks for the link, looks like that was what was causing the problem, as my firewall kept disappearing and bandwidth was all soaked up by an unknown process. Ended up with a full format and reinstall; this is me just back up for net access. Lost my ftp server settings, the lot, as I didn't want to take any chances. Thanks...

Yep, they're not links, it's PCA's intelligent "click here" links, lol

