Posted: Tue Mar 16, 2010 2:04 am Post subject: LSASS errors - probable malware..
Not sure if this is the right place as one thing I can't do is a HJT log...
I am looking at a machine for a friend. When it starts up it gives "LSASS unable to locate component" and a message box that complains about msls52.dll missing.
There are almost no hits for that file on Google - just a couple on the Prevx site where it had been found on machines last week...
Windows will not start NOT EVEN IN SAFE MODE. I get the message box above and then no response from mouse or keyboard (even LEDs).
It will boot to UBCD4WIN and using that I have:
found an AV log file that had removed msls52.dll (!!)
Run ClamWin with latest updates - found several occurrences of KOOBFACE which were all quarantined.
Dug through the registry and can find nothing that looks odd (e.g. run, userinit, LSA entries all look OK)
I have searched the (correct) registry for msls52.dll but it isn't there...
I did get into Windows before I brought it home, but Explorer also complained about missing msls52.dll, as did almost everything else I tried to do...!
I ran HJT and there was a 'stray' userinit entry which I removed.
I am obviously missing the location in the registry which is calling the rogue software...
Any suggestions where else I should look in the registry (or elsewhere) to find what is being called by lsass and everything else??
Removed a Trojan yesterday but when restarting I can no longer get any further than the initial logon screen, i.e. can't get the start bar to appear on the desktop because of this "lsass.exe - Unable To Find Component" message which I can't get past.
Posted: Wed Mar 17, 2010 12:42 am Post subject: SORTED - msls52.dll missing
Finally cracked it...
I ended up doing a search for any file that contained the text msls52.dll ...
Lo & behold, uxtheme.dll was the only file that contained the text, & there was a renamed copy of it as usxtheme.dll<random characters>.TMP, so I renamed the first one (to .vxx !) and renamed the 2nd one back to .dll & it boots up.
Anyone interested in a copy of the infected file?
Hint - if your machine won't boot up then you need an alternative boot disk. This simple change could be done from the Windows Recovery Console (boot from the XP install CD if it isn't on the F8 boot menu), or get yourself a bootable utility CD (e.g. UBCD4Win) or a Linux live CD...
David ( Very )
David
I registered at this forum just so that I could say thanks to you.
I spent all day looking for solutions. When I found yours, after creating a Linux Live CD on a USB drive, locating the file you mention, and making the changes, everything is back to normal on my niece's computer.
It only took 20 mins in total to fix. Once again, thank you for this solution.
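The content search that located the modified uxtheme.dll in the "SORTED" post, written for the Linux live CD route mentioned in the thread. This is an added example, not code from any poster; the function names, extension list and sample files are assumptions constructed for illustration, and it also matches the name in UTF-16LE, which goes beyond the plain text search described.

```python
import os
import tempfile

def needle_variants(name):
    """Byte patterns for a file name as it appears in binaries: ASCII and UTF-16LE."""
    low = name.lower()
    return [low.encode("ascii"), low.encode("utf-16-le")]

def file_contains(path, needles, chunk_size=1 << 20):
    """Case-insensitive chunked search; an overlap catches matches split across chunks."""
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = (tail + chunk).lower()
            if any(n in window for n in needles):
                return True
            tail = window[-overlap:] if overlap else b""

def find_references(root, name, exts=(".dll", ".exe", ".sys", ".tmp")):
    """Return sorted paths under root whose contents mention name."""
    needles = needle_variants(name)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                if fn.lower().endswith(exts) and file_contains(full, needles):
                    hits.append(full)
            except OSError:
                continue  # unreadable file on a damaged volume: skip, keep scanning
    return sorted(hits)

def demo():
    """Constructed sample tree (harmless bytes, not real system files)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "uxtheme.dll": b"MZ\x00\x00" + b"A" * 64 + b"MSLS52.DLL\x00",
            "clean.dll": b"MZ\x00\x00kernel32.dll\x00",
            "wide.exe": b"MZ" + "msls52.dll".encode("utf-16-le"),
            "notes.txt": b"msls52.dll",  # not scanned: extension not in exts
        }
        for fn, data in samples.items():
            with open(os.path.join(root, fn), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_references(root, "msls52.dll")]
```

From a live environment, call `find_references` with the path where the Windows partition is mounted and the missing DLL name from the error box; a system file that references a DLL the AV log shows as removed is the one to compare against any renamed backup copy.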