lsass.exe

oldbeeman

would someone explain what this process does and why it is doing disk
accesses 3 times a second, please? this is on xp sp3 up-to-date updates.

tnx oldbeeman
 
There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
oldbeeman wrote :
would someone explain what this process does and why it is doing disk
accesses 3 times a second, please? this is on xp sp3 up-to-date updates.

Also try ATF Cleaner.
http://www.softpedia.com/get/Security/Secure-cleaning/ATF-Cleaner.shtml
http://www.atribune.org/
Forum
http://www.atribune.org/forums/
This program is for Windows 98/ME/2K/XP and Vista!
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please
click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please
click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the
bottom of each menu.
This will remove all files from the items that are checked so if you
have some cookies you'd like to save, please move them to a different
directory first.
 
Check for malware as the others have suggested but remember this process
does in the normal way generate a lot of activity.

lsass.exe is a service known as Local Security Authentication Server.
Historically malware has used the file name as a camouflage, most notably
Sasser, so that is why it needs to be handled with a degree of care.

Have a look in the System and Application logs in Event Viewer for
Errors and Warnings and post copies here. Don't post any more than 48
hours ago.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.Microsoft.com/kb/308427/en-us

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
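
The file-name camouflage mentioned in the post above can be checked by comparing each running image's name and full path against the genuine one. This is an added example, not part of the original thread; it assumes a default install where the genuine file is C:\WINDOWS\system32\lsass.exe, and the process rows and function names are constructed for illustration.

```python
import ntpath

# Assumption: default install, %SystemRoot% is C:\WINDOWS.
GENUINE_NAME = "lsass.exe"
EXPECTED_PATH = r"c:\windows\system32\lsass.exe"

# Constructed sample rows (pid, full image path), as a process lister
# that shows image paths might export them.
SAMPLE_PROCESSES = [
    (688, r"C:\WINDOWS\system32\lsass.exe"),
    (1432, r"C:\WINDOWS\lsass.exe"),               # right name, wrong folder
    (2040, r"C:\WINDOWS\system32\Isass.exe"),      # capital I, not lowercase L
    (2216, r"C:\Documents and Settings\user\Local Settings\Temp\lsasss.exe"),
    (904, r"C:\WINDOWS\system32\svchost.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return 'ok', 'wrong-path', 'lookalike-name' or 'unrelated'."""
    name = ntpath.basename(path).lower()
    if name == GENUINE_NAME:
        if ntpath.normpath(path).lower() == EXPECTED_PATH:
            return "ok"
        return "wrong-path"
    # One edit away catches Isass.exe, lsasss.exe, lsas.exe. A looser
    # threshold would wrongly flag smss.exe, which is two edits away.
    if edit_distance(name, GENUINE_NAME) <= 1:
        return "lookalike-name"
    return "unrelated"


def review(processes):
    """List (pid, verdict) for every row that imitates lsass.exe."""
    verdicts = ((pid, classify(path)) for pid, path in processes)
    return [(pid, v) for pid, v in verdicts if v not in ("ok", "unrelated")]


if __name__ == "__main__":
    for pid, verdict in review(SAMPLE_PROCESSES):
        print(pid, verdict)
```

A row reported as "ok" only means the name and location match; it says nothing about whether the file on disk has been replaced.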
 
i ran microsoft malware removal tool, spybot sd and am running microsoft One
care safety scanner. it is very slow and am waiting.

i have two other computers that are both doing the same thing with lsass and
i checked with a friend and his is doing the same thing.
what other things does lsass do besides login that would be causing so much
activity?

oldbeeman
 
Many users do not rate Windows Live OneCare very highly.

If you are worried about malware I suggest you download and run Spybot
S & D (freeware version). There is a freeware version buried in this
link:
http://www.safer-networking.org/en/spybotsd/index.html

Malwarebytes' Anti-Malware
1.36 -freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Run Malwarebytes' in safe mode and turn off your current anti-virus
before you do to avoid a conflict. Disregard the invitation on the web
site regarding the Registry Optimiser - a Registry Optimiser is not a
helpful utility.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
i had already run spybot sd and found nothing.
what i would like to know is what lsass does that keeps it writing to disk.
and it is doing the same thing on three other computers that i know of.
oldbeeman
 
NB: If the computers are networked, chances are that all of them have been
infected and your router's been compromised, too. Do NOT connect these
machines to the network or the router until all of them have been cleaned up
*and* you've either Reset or Reinstalled the router.


Repost:

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine (i.e., one that's never been connected to
your network or router), then transfer MRT.EXE to the infected machine and
rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
oldbeeman

Then it is likely that malware is not the problem. However,
Malwarebytes' Anti-Malware is the stronger player so running that
software is sensible if you want to feel more secure.

What about posting the Event Viewer reports I suggested earlier? That
usually provides useful information of what is going wrong, although
many users have difficulty interpreting what the Reports mean.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 