# Solved: LSA Shell (Export Version) Inbound traffic



## karbo (Sep 3, 2003)

My ESET firewall just opened a window telling me that a remote computer is attempting to communicate with an application running on this computer. Do you wish to allow this communication?

Application: LSA Shell (Export Version)
Publisher: Microsoft Windows Component Publisher
Remote computer: reverse.4.53.48.65.static.ldmi.com (65.45.53.4)
Local port: 500 (isakmp)

Do I allow this action?

_This, of course, relates to C:\WINDOWS\system32\lsass.exe_

I remember the old connection with the sasser worm. So, that's why I want to be sure it's ok to let it through.

Thank you


----------



## karbo (Sep 3, 2003)

It could be legitimate, since I've downloaded the latest critical IE7 update yesterday. When I opened my computer this morning, this window opened. Please, it's urgent, I have to leave for the weekend soon and I have to give an answer to my firewall before shutting everything down.

Thanks


----------



## ~Candy~ (Jan 27, 2001)

I think I'd choose deny.


----------



## karbo (Sep 3, 2003)

Any reason?

If it's needed by Windows, will I risk having problems with my system or accessing the Internet?


----------



## ~Candy~ (Jan 27, 2001)

When you restart Windows... it's going to ask again. Or at least from my experience, if you don't permanently deny yet, it should ask again. What are your choices in advanced options?

http://ask-leo.com/what_is_lsa_shell_and_why_is_it_an_export_version.html


----------



## karbo (Sep 3, 2003)

And if it asks again, then what? It will mean that's indeed needed and legit?


----------



## ~Candy~ (Jan 27, 2001)

http://forums.techguy.org/malware-removal-hijackthis-logs/400084-lsa-shell-export-version.html


----------



## karbo (Sep 3, 2003)

Thanks for the link but it doesn't really answer my question. Because mine is not asking to access the Internet. It wants to get into my system. If it's the worm, I'm screwed by letting it in I guess. But how to know if it's legit?


----------



## ~Candy~ (Jan 27, 2001)

That is why I think you should block it. You might post a HijackThis log to THIS thread... and I would block it for now.


----------



## karbo (Sep 3, 2003)

Ok, I've denied it.


----------



## karbo (Sep 3, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:32, on 2008-12-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe
C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\Aide mémoire\Aide mémoire.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=144.229.36.41:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ActiveTracker for Outlook Express] C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Aide mémoire.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://fmusmail1.med.usherbrooke.ca/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5362 bytes


----------



## karbo (Sep 3, 2003)

Another thing I forgot to mention is that my firewall is configured to block the sasser worm. So why didn't it say that it was indeed the sasser worm? Perhaps it wasn't.

There's a good chance that when I reboot my computer, I'll get the same warning again since I've denied access. I'll have to deny access permanently to get rid of that warning. But still, I don't know if Windows needs that process. And why would it have to communicate with the process?


----------



## Kenny94 (Dec 16, 2004)

It's a Windows update. This can be really confusing. So, I will post these links below:

http://forums.zonelabs.org/zonelabs/board/message?board.id=win_za_msgs&message.id=16233

http://pralerts.zonelabs.com/pranal...01/1d74c03011d43935d5605cf4&tab=details&CL=en

Your log is clean.

Ex: Now if you had *LSA Shell Export-Version file name lsass.exe* in your O23 list of Windows services, you have the virus.


----------



## karbo (Sep 3, 2003)

As I mentioned before, it was incoming, so I couldn't have the virus without letting it in first. It didn't ask to reach the Internet.

But if you say it's safe, I'll let it in next time I'm prompted by ESET.

Thank you very much.


----------



## ~Candy~ (Jan 27, 2001)

What anti-virus program are you running?


----------



## Kenny94 (Dec 16, 2004)

You're welcome.



> What anti-virus program are you running?


ESET NOD32 Antivirus. You should know that, AcaCandy, by karbo's HJT log...


----------



## ~Candy~ (Jan 27, 2001)

Not that familiar with that one. Assumed it might be just a firewall that he was running. Never hurts to ask.


----------



## Kenny94 (Dec 16, 2004)

ESET Smart Security is an excellent product. I had it for years until it expired. Then I went with Kaspersky on this notebook. I must say, I miss NOD32 Antivirus...


----------



## Cookiegal (Aug 27, 2003)

I don't see what the information in the screenshot for the remote computer has to do with Windows updates.

ge-7-10.car1.Boston1.Level3.net (4.53.48.65)

Level 3 Communications, Inc.
1025 Eldorado Blvd.
Broomfield, CO
US

ip65-45-53-4.z53-45-65.customer.algx.net (65.45.53.4)
XO Communications
13865 Sunrise Valley Drive
Herndon, VA
US

Check out Site Advisor on algx.net (although McAfee gives it a green, there are many negative comments, although these have to be taken with a grain of salt, so to speak):

http://www.siteadvisor.com/sites/algx.net

And what does the site ldmi.com have to do with it too?

I would deny this and then check your Windows Updates history and see if everything has downloaded fine.


----------
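
The thread never spells out a rule for deciding a prompt like this one. As an added example (not from the thread, ESET or Microsoft), here is a small Python triage of the prompt text quoted in the first post: it treats inbound IKE on udp/500 to lsass.exe as unsolicited unless the remote address is a configured IPsec/VPN peer (assumed here to be none), and it flags a reverse-DNS name that embeds a different address than the one actually connecting, which is exactly what the lookups above revealed.

```python
"""Triage an inbound-connection firewall prompt (constructed example)."""
import ipaddress
import re

# Constructed sample: the prompt from the first post, as key: value lines.
SAMPLE_PROMPT = """\
Application: LSA Shell (Export Version)
Publisher: Microsoft Windows Component Publisher
Remote computer: reverse.4.53.48.65.static.ldmi.com (65.45.53.4)
Local port: 500 (isakmp)
"""

# Assumption: no IPsec/VPN peers are configured, so the allowlist is empty.
KNOWN_IPSEC_PEERS = frozenset()

FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$", re.MULTILINE)
REMOTE_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<ip>[\d.]+)\)$")
PORT_RE = re.compile(r"^(?P<port>\d+)")
# Four 1-3 digit groups joined by '.' or '-', e.g. 4.53.48.65 or ip65-45-53-4.
IPV4_IN_NAME_RE = re.compile(r"(?<!\d)(\d{1,3}(?:[.-]\d{1,3}){3})(?!\d)")


def parse_prompt(text):
    """Extract application, remote name/IP and local port from the prompt."""
    fields = {m["key"].strip().lower(): m["value"].strip()
              for m in FIELD_RE.finditer(text)}
    remote = REMOTE_RE.match(fields.get("remote computer", ""))
    port = PORT_RE.match(fields.get("local port", ""))
    return {
        "application": fields.get("application", ""),
        "remote_name": remote["name"] if remote else "",
        "remote_ip": remote["ip"] if remote else "",
        "local_port": int(port["port"]) if port else None,
    }


def embedded_ips(hostname):
    """IPv4 literals embedded in a hostname, read forwards and reversed."""
    found = set()
    for m in IPV4_IN_NAME_RE.finditer(hostname):
        octets = re.split(r"[.-]", m.group(1))
        for candidate in (".".join(octets), ".".join(reversed(octets))):
            try:
                found.add(str(ipaddress.ip_address(candidate)))
            except ValueError:
                pass  # e.g. an octet above 255: not an address
    return found


def triage(prompt_text, known_peers=KNOWN_IPSEC_PEERS):
    """Return a deny/review verdict with the reasons that drove it."""
    p = parse_prompt(prompt_text)
    reasons = []
    if p["local_port"] == 500 and p["remote_ip"] not in known_peers:
        reasons.append("inbound IKE (udp/500) from a host that is not a configured IPsec peer")
    emb = embedded_ips(p["remote_name"])
    if emb and p["remote_ip"] not in emb:
        reasons.append("reverse-DNS name embeds %s but the address is %s"
                       % (sorted(emb), p["remote_ip"]))
    return dict(p, verdict="deny" if reasons else "review", reasons=reasons)
```

A clean result is reported as "review", not "allow": an unsolicited inbound connection to LSA is something to confirm against your own VPN configuration, never something a script should approve.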



## Kenny94 (Dec 16, 2004)

> I don't see what the information in the screenshot for the remote computer has to do with Windows updates.


You're right Karen, now looking at the screenshot... Sorry karbo.


----------



## karbo (Sep 3, 2003)

Thanks for your replies. I just came back from a trip this weekend. We had so much snow lately that it was great for winter sports! Sorry for taking so long to reply.

The pop-up never came back. It was possibly the Sasser worm or something else fishy.

My Windows Update is just fine.

Looking at the IP addresses linked to the pop-up, I really don't think it has anything to do with Microsoft...

And indeed, AcaCandy, I'm using NOD32 antivirus (with ESET Smart Security).

Kenny94, no problem. This one doesn't seem an easy one to figure out.

Cookiegal, thank you for the details. I had also previously checked those IP addresses and it was indeed peculiar.

Could we call this a type of "phishing"?


----------



## Cookiegal (Aug 27, 2003)

It's hard to say exactly what it was but I assume you never allowed it?

Just the same, you should do some scans. If you want help in checking then please post a HijackThis log.


----------



## karbo (Sep 3, 2003)

No, I haven't allowed it. If it ever comes back I won't allow it either.

I do scan my computer regularly with NOD32 and SuperAntiSpyware and I have SpywareBlaster. Since NOD32 takes only 10 minutes to scan my whole system, I don't mind scanning often.


----------



## Cookiegal (Aug 27, 2003)

I would do at least one on-line scan as well, such as Kaspersky or F-Secure for good measure.


----------



## karbo (Sep 3, 2003)

Ok, will do.

Thanks


----------



## karbo (Sep 3, 2003)

Just scanned my system with F-Secure. Everything was clean.

I must say I have total confidence in NOD32 antivirus. My computer really runs well. It has been like this for a long time.

But, no antivirus is complete without common sense when surfing the Web...


----------



## Cookiegal (Aug 27, 2003)

Exactly and even though Nod32 is one of the best, it's not infallible.


----------



## Kenny94 (Dec 16, 2004)

> Kenny94, no problem. This one doesn't seem an easy one to figure out.


I should have downloaded the attached thumbnail screenshot and looked more closely, karbo. It's in black and white as Cookiegal pointed out in her post.


----------

