
Mysterious Process


melus


I'm not sure how I picked this up (lsass.exe), but right after I start up the computer, the process starts multiplying. No harm comes to the computer until I want to turn it off. The problem is it just hangs. To get around this problem, I just kill the process and the tree after the computer is on with a handy utility called Process Explorer. I've run anti-virus scans, malware scans, and every other scan I could think of and nothing is found. I've gone to the folder where the lsass.exe file should be, but there's nothing visible. Any comments or suggestions?

[screenshot: lsassprocess4zo.jpg, the Process Explorer view of the lsass.exe process tree]


Well, the first thing I did was a Google search on the subject. My beast does not act the way the ones found in the search results do. Believe me, I spent hours researching the topic before posting it here.


The search for the file came up negative. I know where the file is supposed to be, as I stated in my original post, but it's invisible - even when the "Show hidden files and folders" is checked. That makes it pretty hard (impossible really) to delete anything in the folder without deleting the whole folder. Anyway, maybe someone could check to see if this folder (721w) should even exist. Here's the path:

C:\WINDOWS\system32\mui\721w


Have you checked this out:

The lsass.exe file is located in the c:\windows\System32 folder. In other cases, lsass.exe is a virus, spyware, trojan or worm!

Viruses with the same name:

W32.Nimos.Worm

W32.Sasser.E.Worm (Lsasss.exe)

W32.HLLW.Lovgate.C@mm

see: http://www.neuber.com/taskmanager/process/lsass.exe.html

Edited by Thomas_Merton

melus - From your description, I suspect you picked up one of the Sasser viruses. Since its inception, many variants and copy-cats of Sasser have been released. Some have the capability of blocking antivirus software updates. Most also attempt to hide their presence by emulating valid OS processes.

We all have a tendency to forget most malware updates are reactive, not proactive. In other words, they attempt to locate/isolate viruses/spyware already in circulation. (Remember, on average over 300 new pieces of malware appear each week.)

As others have suggested, run several of the online antivirus scan engines listed here.

Most firewalls are capable of preventing this specific type of infection, so ALWAYS use a firewall. (It goes without saying, DO NOT open unknown email attachments.)

good luck :o


Thanks, Waldwolf. I don't really think that it was a full-blown Sasser virus, thankfully, as the only way I even noticed it was when I tried to turn off the computer one night and it wouldn't. Also, it seemed to have disappeared just by deleting the 721w folder with the mysterious invisible cache of lsass.exe(s) in it. I must admit, however, that I had my Windows firewall down when I was transferring some files to another computer on the network. It's back up now.


.....it seemed to have disappeared just by deleting the 721w folder with the mysterious invisible cache of lsass.exe(s) in it.....

If this problem is now settled, then fine. But be careful with the deleting, since it can be confused with LSASS.exe, a Windows system file. This shows in Task Manager / Processes as always running; don't delete this one!


.....it seemed to have disappeared just by deleting the 721w folder with the mysterious invisible cache of lsass.exe(s) in it.....

melus - Would strongly recommend, if you have not already done so, that you do the previously suggested online antivirus scans. The "picture" you posted clearly shows that the routine in question was attempting to replicate itself. The one file you removed may only be a repository and not the key activator. At a minimum, you probably have one or more registry entries which, if called, could restart the whole process anew, but with differing symptoms.

If any scans even hint at a possible Sasser-type infection, you will probably have to download specific "cleaners" from that antivirus maker's website in order to properly remove all traces of the virus.

.....when I was transferring some files to another computer on the network.....

Have you checked the "other" computer for possible contamination? You may also have transferred this malware at that time.

good luck :o

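The thread raises two practical questions that the posters answer only in prose: which of the lsass.exe processes is the impostor (Waldwolf's point that malware hides by emulating valid OS processes), and what could restart it after the folder is deleted (the registry-entry warning above). The script below is an added example, written for this page and not posted by anyone in the thread, that checks both from an elevated PowerShell prompt. Assumptions: Windows PowerShell 3.0 or later; the suspect directory is the path melus gave, which is specific to that machine and must be changed for any other; the genuine lsass.exe is the one under %SystemRoot%\System32 with a valid Microsoft Authenticode signature.

```powershell
# Added triage script, not from the original thread. Run from an ELEVATED prompt:
# without elevation Win32_Process returns no ExecutablePath for protected processes
# such as the real lsass.exe, and you would wrongly flag it.
$SuspectDir = 'C:\WINDOWS\system32\mui\721w'          # path from the thread; assumption elsewhere
$RealLsass  = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Every running lsass.exe with image path, parent process and signature status.
#    Exactly one is expected. Its parent is wininit.exe on Vista and later
#    (winlogon.exe on XP); anything else, or any path outside System32, is suspect.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
if ($procs.Count -ne 1) {
    Write-Warning "$($procs.Count) lsass.exe processes found; expected exactly one."
}
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $sig = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
    } else { 'unknown' }
    $legit = ($p.ExecutablePath -ieq $RealLsass) -and ($sig -eq 'Valid')
    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $p.ExecutablePath
        Parent    = if ($parent) { $parent.Name } else { '?' }
        Signature = $sig
        Verdict   = if ($legit) { 'expected' } else { 'SUSPECT' }
    }
}

# 2. Explorer keeps files marked Hidden+System out of view even when "Show hidden
#    files and folders" is on (that is the separate "protected operating system files"
#    option). -Force lists them, with attributes, so the folder contents are visible.
if (Test-Path -LiteralPath $SuspectDir) {
    Get-ChildItem -LiteralPath $SuspectDir -Force -Recurse |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

# 3. Autostart locations that could relaunch a copy after the tree is killed:
#    Run/RunOnce keys and services whose command line mentions lsass but is not
#    the genuine binary (several real services do run inside the real lsass.exe).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $val = [string]$entry.Value
        if ($val -match 'lsass') { Write-Warning "Autostart '$($entry.Name)' in $k -> $val" }
    }
}
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'lsass' -and $_.PathName -notmatch [regex]::Escape($RealLsass) } |
    Select-Object Name, State, StartMode, PathName
```

Killing the tree in Process Explorer, as melus did, only removes the running copies; section 3 is what tells you whether something will recreate them at the next boot. If it flags an entry, note the command line before removing it and scan the binary it points to, rather than deleting by name: the real lsass.exe is referenced by legitimate services and must stay.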
