lsass.exe loads 11000 files from profile (...application data\Microsoft\Protect\S-1-5...) results in

Jan Karraesy

Hi!

I've a problem with one user-profile on our home computer. The
user-profile has 11000 files in the folder "...application
data\Microsoft\Protect\S-1-5..." named 394085c9-8c6e-2932-7d63ce6b27ed
and similar. If the user logs into the computer, lsass.exe tries to load
all these files, which takes about 15 minutes, where the CPU usage is up
to 75-90% which allows no working. After this the computer works fine.
But after maybe one hour the lsass tries again to process the files,
which locks the computer again for 15 minutes.

I've read about many issues in lsass.exe, but they all should be
resolved in Windows XP SP2, with all updates installed.

- So can somebody tell me if I just can delete these files?
- What are these files?
- Why is lsass.exe processing these files?
- Where do these files come from? Other profiles just have a handful of
the files?

Regards
Jan
 
David H. Lipman

From: "Jan Karraesy" <[email protected]>

| Hi!
|
| I've a problem with one user-profile on our home computer. The
| user-profile has 11000 files in the folder "...application
| data\Microsoft\Protect\S-1-5..." named 394085c9-8c6e-2932-7d63ce6b27ed
| and similar. If the user logs into the computer, lsass.exe tries to load
| all these files, which takes about 15 minutes, where the CPU usage is up
| to 75-90% which allows no working. After this the computer works fine.
| But after maybe one hour the lsass tries again to process the files,
| which locks the computer again for 15 minutes.
|
| I've read about many issues in lsass.exe, but they all should be
| resolved in Windows XP SP2, with all updates installed.
|
| - So can somebody tell me if I just can delete these files?
| - What are these files?
| - Why is lsass.exe processing these files?
| - Where do these files come from? Other profiles just have a handful of
| the files?
|
| Regards
| Jan

Jan, there are several infectors that use the name LSASS.EXE. With the type of activity you
describe, you may have a malware problem.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command
Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
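
The point above, that malware can run under the name LSASS.EXE, can be checked against a process listing. This is an added example, not part of the original thread or of the Multi_AV tool, and it goes slightly beyond the post by also flagging near-miss names and extra instances. The record format, sample data and function names are assumptions made for illustration.

```python
import ntpath

GENUINE = "lsass.exe"

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as 'lsasss.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_lsass(processes, system_root=r"C:\WINDOWS"):
    """Return (pid, reason) findings for records shaped {'pid', 'name', 'path'}."""
    good = ntpath.normcase(ntpath.join(system_root, "system32", GENUINE))
    findings, genuine = [], []
    for p in processes:
        name = p["name"].lower()
        raw = p.get("path") or ""
        path = ntpath.normcase(ntpath.normpath(raw)) if raw else ""
        if name == GENUINE:
            if not path:
                findings.append((p["pid"], "lsass.exe with unreadable path, verify manually"))
            elif path == good:
                genuine.append(p["pid"])
            else:
                findings.append((p["pid"], "lsass.exe outside System32: " + raw))
        elif edit_distance(name, GENUINE) == 1:
            findings.append((p["pid"], "lookalike name: " + p["name"]))
    # A machine normally runs a single LSASS process, so extras are reported too.
    findings += [(pid, "additional lsass.exe instance") for pid in genuine[1:]]
    return findings

# Constructed sample process list (hypothetical PIDs and paths, not from the thread).
SAMPLE = [
    {"pid": 680, "name": "lsass.exe", "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 1432, "name": "lsass.exe", "path": r"C:\WINDOWS\lsass.exe"},
    {"pid": 2210, "name": "Isass.exe", "path": r"C:\WINDOWS\system32\Isass.exe"},
    {"pid": 944, "name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, reason in check_lsass(SAMPLE):
        print(pid, reason)
```

A clean result from this check only rules out name and path masquerading; it says nothing about why the genuine process is busy.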
 
Jan Karraesy

I've run Ad-Aware, Microsoft Antispyware, PestPatrol, Kaspersky
Antivirus, NOD32, McAfee VirusScan and Symantec Antivirus using clean
boots from a special Linux-Anti-AV-CD (downloading the actual signatures
from internet) and "dirty" scans from the installing partition.

I think it's no malware, it's a Windows bug. If it is malware, a rootkit
or something similar, then it has been in the wild for more than 2 years,
because the oldest files of the 11000 files are from 2003 and not
detected by any scanner. All files are 368 and 388 bytes, maybe some
encryption hashes? Is there a relation to the EFS? I don't know, maybe a
Windows expert can tell.

A scan with Sysinternals Process-Explorer and File-Explorer gives no
hint of a malware infection; it seems to be the Windows "Local Security
Authority Subsystem (LSASS)".

I just have no clue what is stored in this folder and can't find any
resources on the Microsoft webpages.

Regards
Jan
