
Posted

I'm not sure how I picked this up (lsass.exe), but right after I start up the computer, the process starts multiplying. No harm comes to the computer until I want to turn it off. The problem is it just hangs. To get around this problem, I just kill the process and the tree after the computer is on with a handy utility called Process Explorer. I've run anti-virus scans, malware scans, and every other scan I could think of and nothing is found. I've gone to the folder where the lsass.exe file should be, but there's nothing visible. Any comments or suggestions?

lsassprocess4zo.jpg

Posted

Well, the first thing I did was to do a google on the subject. My beast does not act the way the ones found in the search results do. Believe me, I spent hours researching the topic before posting it here.

Posted

I'm using Spybot S & D, Ad-Aware SE Professional, XoftSpy, and Spy Sweeper, and all are updated. I also have McAfee VirusScan Enterprise running in the background.

Posted

The search for the file came up negative. I know where the file is supposed to be, as I stated in my original post, but it's invisible - even when the "Show hidden files and folders" is checked. That makes it pretty hard (impossible really) to delete anything in the folder without deleting the whole folder. Anyway, maybe someone could check to see if this folder (721w) should even exist. Here's the path:

C:\WINDOWS\system32\mui\721w

Posted

I have a "C:\WINDOWS\system32\mui" directory but no 721w sub directory.

I do have 34 other sub directories though.

Posted

This helps. I have 34 sub directories, not including the mysterious 721w folder. I guess it's time for a safe-mode attack and delete.

Posted

The 721w folder has been deleted in diagnostic mode and hasn't reappeared. The mysterious multiple lsass.exe(s) haven't come back, either. Problem solved (I hope). Thanks all.

Posted

melus - From your description, I suspect you picked up one of the sasser viruses. Since its inception, many variants and copy-cats of sasser have been released. Some have the capability of blocking antivirus software updates. Most also attempt to hide their presence by emulating valid OS processes.

We all have a tendency to forget most malware updates are reactive, not proactive. In other words, they attempt to locate/isolate viruses/spyware already in circulation. (Remember, on average over 300 new pieces of malware appear each week.)

As others have suggested, run several of the online antivirus scan engines listed here.

Most firewalls are capable of preventing this specific type of infection, so ALWAYS use a firewall. (It goes without saying, DO NOT open unknown email attachments.)

good luck :o

Posted

Thanks, Waldwolf. I don't really think that it was a full-blown sasser virus, thankfully, as the only way I even noticed it was when I tried to turn off the computer one night and it wouldn't. Also, it seemed to have disappeared just by deleting the 721w folder with the mysterious invisible cache of lsass.exe(s) in it. I must admit, however, that I had my Windows firewall down when I was transferring some files to another computer on the network. It's back up now.

Posted

If this problem is now settled, then fine. But be careful with the deleting since it can be confused with LSASS.exe, a Windows system file. This shows in Task Manager / Processes as always running; don't delete this one!
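One way to tell the genuine Windows lsass.exe from a look-alike, as an added example that is not from anyone in this thread: Windows runs exactly one lsass.exe, from %SystemRoot%\System32, so anything beyond that (extra instances, or an image path elsewhere) is worth a closer look before deleting anything. It assumes PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example (not from the thread): list lsass.exe instances and flag any
# that is not the single legitimate %SystemRoot%\System32\lsass.exe.
$legit = Join-Path $env:SystemRoot 'System32\lsass.exe'
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")

if ($procs.Count -gt 1) {
    Write-Warning ("{0} lsass.exe instances running; Windows runs exactly one." -f $procs.Count)
}

foreach ($p in $procs) {
    # ExecutablePath is $null when the caller lacks access to the process;
    # run from an elevated prompt to read it for the real system process.
    $path = $p.ExecutablePath
    if (-not $path) {
        Write-Output ("PID {0}: path not readable (run as administrator)" -f $p.ProcessId)
    } elseif ($path -ieq $legit) {
        Write-Output ("PID {0}: {1} (expected location)" -f $p.ProcessId, $path)
    } else {
        Write-Warning ("PID {0}: {1} is NOT the system lsass.exe" -f $p.ProcessId, $path)
    }
}
```

Only the instance reported at the expected location is the system process the post above warns against touching; any other instance is a candidate for the online scans suggested earlier in the thread.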

Posted
.....it seemed to have disappeared just by deleting the 721w folder with the mysterious invisible cache of lsass.exe(s) it it.....

melus - Would strongly recommend, if you have not already done so, you do the previously suggested online antivirus scans. The "picture" you posted clearly shows that the routine in question was attempting to replicate itself. The one file you removed may only be a repository and not the key activator. At a minimum, you probably have one or more registry entries which, if called, could restart the whole process anew, but with differing symptoms.

If any scans even hint at a possible sasser type infection, you will probably have to download specific "cleaners" from that antivirus maker's website, in order to properly remove all traces of the virus.

.....when I was transferring some files to another computer on the network.....

Have you checked the "other" computer for possible contamination? You may also have transferred this malware at that time.

good luck :o
