security accounts manager?

[ms]

SP4

Ran a2 Hijackfree, found several old services from SuperAntiSpyware, which
I had uninstalled long ago, deleted them.

But I found a service that raises a question:

security accounts manager winnit/system32/sass.exe

running, auto startup

Any unknown in auto startup is a concern to me.

Is this a normal W2K service? If not, it could be another debris from SAS,
that I would delete.

ms

 

[Meinolf Weber [MVP-DS]]

Hello ms,

Security accounts manager is a default windows service.

http://en.wikipedia.org/wiki/Security_Accounts_Manager

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[John John (MVP)]

It isn't a native Windows 2000 file, the Security Accounts Manager is
LSASS.EXE (Local Security Authority Subsystem Service). Files that are
a play on the LSASS name are often malware in disquise. A quick search
on the net seems to indicate that sass.exe is related to spyware.

John

 

[ms]

SP4

Ran a2 Hijackfree, found several old services from SuperAntiSpyware,
which I had uninstalled long ago, deleted them.

But I found a service that raises a question:

security accounts manager winnit/system32/sass.exe

running, auto startup

Any unknown in auto startup is a concern to me.

Is this a normal W2K service? If not, it could be another debris from
SAS, that I would delete.

ms

Thanks to all. There seems to be different opinions.

I took another look:

In Services: I have now-

IPSEC Policy Agent winnit/system32/sass.exe state-stopped startup-auto

Net Logon ... state- stopped startup- manual

NT LM Security Support Provider ... state- stopped startup- manual

Security Accounts Manager .... state- stopped startup- disabled

I changed the Net Logon to the above. Rebooted, still log on normally.

I did look at the alarming comments on Wiki. I am not clear that sass.exe
is necessarily malware from the above services using it.

Is there a problem with any of the above service settings?

ms

 

[John John (MVP)]

In Services: I have now-

IPSEC Policy Agent winnit/system32/sass.exe state-stopped startup-auto

That is not right. The IPSEC Policy Agent is run by LSASS.exe. The
proper path for this file is: C:\WINNT\System32\lsass.exe

Sass.exe is not a Windows 2000 file, I have no such file on my machine
and I find no references for this file on the Microsoft site. I think
that you probably mistyped winnt but if the actual name of the file is
sass.exe and if it is masquerading as the IPSEC Policy Agent then I
think that your machine is compromised. Carefully verify the name and
path of the file, a typo here will almost certainly result in
unnecessary or incorrect advice.

If the file that you are concerned about is LSASS.exe and if it is in
the correct C:\WINNT\system32\lsass.exe path then stop worrying, this is
a necessary file, you cannot kill it and you cannot boot Windows 2000
without this file, it is one of the six critical Windows NT services.

John

 

[ms]

auto

That is not right. The IPSEC Policy Agent is run by LSASS.exe. The
proper path for this file is: C:\WINNT\System32\lsass.exe

You're right. I'm 76 with terrible sleep, so that stuff happens.

Sass.exe is not a Windows 2000 file, I have no such file on my machine
and I find no references for this file on the Microsoft site. I think
that you probably mistyped winnt but if the actual name of the file is
sass.exe and if it is masquerading as the IPSEC Policy Agent then I
think that your machine is compromised. Carefully verify the name and
path of the file, a typo here will almost certainly result in
unnecessary or incorrect advice.

If the file that you are concerned about is LSASS.exe and if it is in
the correct C:\WINNT\system32\lsass.exe path then stop worrying, this is
a necessary file, you cannot kill it and you cannot boot Windows 2000
without this file, it is one of the six critical Windows NT services.

John

Is it OK to uninstall the other 3 services using sass.exe? Each of them
has the same WINNT\System32\ path, except using sass.exe.

Or redirect them to the proper execute file? (and how to do that?)

And then remove all instances of sass.exe?

ms

 

[ms]

You're right. I'm 76 with terrible sleep, so that stuff happens.


Is it OK to uninstall the other 3 services using sass.exe? Each of them
has the same WINNT\System32\ path, except using sass.exe.

Or redirect them to the proper execute file? (and how to do that?)

And then remove all instances of sass.exe?

ms

Addition: There is no instance of sass.exe on my machine. There are 3
locations for lsass.exe, which maybe be normal.

So, please, advice when the file does not exist.

ms

 

[John John (MVP)]

Is it OK to uninstall the other 3 services using sass.exe? Each of them
has the same WINNT\System32\ path, except using sass.exe.

Yes, but it's up to you to find out what this file really is, it is not
a Windows file. If you are unsure of the origin of the file you should
run up do date anti-virus and anti-spyware scans on your machine, if
this is malware it will have to be properly removed.

John

 

[PA20Pilot]

Hi,

I also use W2000 and don't have sass.exe installed. I did a search on
Google and found close to 13,000 hits on that file name. Looks to be
bad news.

http://www.google.com/search?hl=en&...=&as_occt=any&cr=&as_nlo=&as_nhi=&safe=images


---==X={}=X==---

Jim Self

AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association #140897
EAA Technical Counselor #4562

 

[ms]

Yes, but it's up to you to find out what this file really is, it is not
a Windows file. If you are unsure of the origin of the file you should
run up do date anti-virus and anti-spyware scans on your machine, if
this is malware it will have to be properly removed.

John

I uninstalled the service
security accounts manager winnit/system32/sass.exe using Asquare HJ,
rebooted, and all seems well.

Curious that today (daily cold boot), only that service showed using
sass.exe, the other 2 did not.

Thanks for the help.

ms

 

[ms]

Hi,

I also use W2000 and don't have sass.exe installed. I did a search on
Google and found close to 13,000 hits on that file name. Looks to be
bad news.

http://www.google.com/search?hl=en&as_q=&as_epq=Sass.exe&as_oq=&as_eq=&
num=10&lr=&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=&as_oc
ct=any&cr=&as_nlo=&as_nhi=&safe=images


---==X={}=X==---

Jim Self

AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association #140897
EAA Technical Counselor #4562

Thanks, some good links on that page. This is the first indication in a
long (8-12 years) time that online browsing resulted in any real malware
indication.

BTW, In my senior years, I'm still sort of an aviation nut.

ms

 

[John John (MVP)]

@TK2MSFTNGP02.phx.gbl:




I uninstalled the service
security accounts manager winnit/system32/sass.exe using Asquare HJ,
rebooted, and all seems well.

Curious that today (daily cold boot), only that service showed using
sass.exe, the other 2 did not.

Thanks for the help.

You're welcome.

John

 

[PA20Pilot]

Hi again,

.......BTW, In my senior years, I'm still sort of an aviation nut.

I'll keep an eye out for you at Oshkosh.


---==X={}=X==---

Jim Self

AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association #140897
EAA Technical Counselor #4562