Why does the lsass.exe process use so much CPU?


E

Eric Kolotyluk

I'm using XP SP3 on my computer at home. A few weeks ago I noticed my
computer was using a significant amount of CPU even though no applications
were running. Using task manager I discovered that lsass.exe was using 30 % -
50% of my CPU constantly. I have never seen this behavior before. Overall
performance on my computer has been abysmal since then.

Is there any valid reason why this process is using so much CPU?

I've browsed the web and found lots of articles on viruses using lsass.exe
as as vector, but nothing the seems to be helpful. Using Process Explorer I
tried to validate the process, and Process Explore thinks it's a valid
Microsoft process.

I've been in touch with Bit Defender, my security software provider, but
they have not really been of use.

I'm still convinced there is something not quite right with my system, but
the virus scans don't turn up anything. I have notice the for some reason the
latest Windows updates seem to fail. My disk keeps getting full even though I
am not adding any files, and routinely cleaning out temporary and cache files.

Any help or thoughts would be greatly appreciated.
 
Ad

Advertisements

L

Leonard Grey

Your computer is most likely infected.

&ry scanning your system with /several/ of the better online scanners,
such as:
Kaspersky Antivirus (http://www.kaspersky.com/virusscanner)
Panda ActiveScan (http://www.pandasoftware.com/activescan)

Download HijackThis from www.trendsecure.com. Run it, save a log, and
post the log at one of the many sites that support HJT, such as
spywarewarrior.com, bleepingcomputer.com, and temerc.com -- but not
here. Within a day, sometimes within an hour, you'll have one-on-one
step-by-step advice from a security expert on cleaning up any
infestations—or you'll have a clean bill of health from the volunteer
expert.

Even the best detection and removal software can't fix every malware
infection. If none of the above remove the infection, you may want to
show the computer to a professional.

---
Leonard Grey
Errare humanum est

"A Day in the Life of a Web 2.0 Hacker" - PC Magazine
http://www.pcmag.com/article2/0,2817,2330952,00.asp
 
N

nass

Eric Kolotyluk said:
I'm using XP SP3 on my computer at home. A few weeks ago I noticed my
computer was using a significant amount of CPU even though no applications
were running. Using task manager I discovered that lsass.exe was using 30 % -
50% of my CPU constantly. I have never seen this behavior before. Overall
performance on my computer has been abysmal since then.

Is there any valid reason why this process is using so much CPU?

I've browsed the web and found lots of articles on viruses using lsass.exe
as as vector, but nothing the seems to be helpful. Using Process Explorer I
tried to validate the process, and Process Explore thinks it's a valid
Microsoft process.

I've been in touch with Bit Defender, my security software provider, but
they have not really been of use.

I'm still convinced there is something not quite right with my system, but
the virus scans don't turn up anything. I have notice the for some reason the
latest Windows updates seem to fail. My disk keeps getting full even though I
am not adding any files, and routinely cleaning out temporary and cache files.

Any help or thoughts would be greatly appreciated.

Any software development that been configured to access the internet for
Updates or looking ofr the latest news on the Developers MSDN?

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Renable them one-by-one
later and see which is the culprit .
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Check the Log and analysis the entries, what your Findings?

HTH,
nass
 
E

Eric Kolotyluk

Thanks for the prompt advice. I'm working on following your suggestions now
and will post back my results here.
 
E

Eric Kolotyluk

Thanks for the advice. I'm going to follow Leonard's advice first (since he
responded first) and if I'm still having trouble I will follow your advice
and report back here.

--
Eric Kolotyluk
Software Developer


nass said:
Eric Kolotyluk said:
I'm using XP SP3 on my computer at home. A few weeks ago I noticed my
computer was using a significant amount of CPU even though no applications
were running. Using task manager I discovered that lsass.exe was using 30 % -
50% of my CPU constantly. I have never seen this behavior before. Overall
performance on my computer has been abysmal since then.

Is there any valid reason why this process is using so much CPU?

I've browsed the web and found lots of articles on viruses using lsass.exe
as as vector, but nothing the seems to be helpful. Using Process Explorer I
tried to validate the process, and Process Explore thinks it's a valid
Microsoft process.

I've been in touch with Bit Defender, my security software provider, but
they have not really been of use.

I'm still convinced there is something not quite right with my system, but
the virus scans don't turn up anything. I have notice the for some reason the
latest Windows updates seem to fail. My disk keeps getting full even though I
am not adding any files, and routinely cleaning out temporary and cache files.

Any help or thoughts would be greatly appreciated.

Any software development that been configured to access the internet for
Updates or looking ofr the latest news on the Developers MSDN?

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Renable them one-by-one
later and see which is the culprit .
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Check the Log and analysis the entries, what your Findings?

HTH,
nass
 
N

nass

Good choice and good luck.
Leo sent a good two online scanners that will help.
Regards,
nass

Eric Kolotyluk said:
Thanks for the advice. I'm going to follow Leonard's advice first (since he
responded first) and if I'm still having trouble I will follow your advice
and report back here.

--
Eric Kolotyluk
Software Developer


nass said:
Eric Kolotyluk said:
I'm using XP SP3 on my computer at home. A few weeks ago I noticed my
computer was using a significant amount of CPU even though no applications
were running. Using task manager I discovered that lsass.exe was using 30 % -
50% of my CPU constantly. I have never seen this behavior before. Overall
performance on my computer has been abysmal since then.

Is there any valid reason why this process is using so much CPU?

I've browsed the web and found lots of articles on viruses using lsass.exe
as as vector, but nothing the seems to be helpful. Using Process Explorer I
tried to validate the process, and Process Explore thinks it's a valid
Microsoft process.

I've been in touch with Bit Defender, my security software provider, but
they have not really been of use.

I'm still convinced there is something not quite right with my system, but
the virus scans don't turn up anything. I have notice the for some reason the
latest Windows updates seem to fail. My disk keeps getting full even though I
am not adding any files, and routinely cleaning out temporary and cache files.

Any help or thoughts would be greatly appreciated.

Any software development that been configured to access the internet for
Updates or looking ofr the latest news on the Developers MSDN?

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Renable them one-by-one
later and see which is the culprit .
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Check the Log and analysis the entries, what your Findings?

HTH,
nass
 
Ad

Advertisements

F

FordPrefect

I am also using XP SP3 on my IBM ThinkPad computer at home, and am
experiencing similar issues. A few days ago I noticed my computer was using a
significant amount of CPU even though no applications
were running. Using task manager I discovered that lsass.exe was using 30 %
- 80% of my CPU constantly. I installed Microsoft Windows Defender and found
this Trojan: Win32/Wundo.HJ which the Defender removed, I also found some
interesting information about lsass.exe: (File Name: lsass.exe, File Size:
13312, File Version: 5.1.2600.5512 (xpsp.080413-2113), Date Installed:
1/1/1980 2:00:00 AM).

CA Security Center also removed few Trojans, but my PC behaved as if it
would explode from all the unnecessary CPU usage which is directly caused by
lsass.exe. Since I installed SP3 should the lassas.exe be a different version
then the one I have installed now?

Is there a way to copy or replace this version of lsass.exe with a different
or newer version of lsass.exe, and how do you do it?

I tried few of the suggestion provided by Leonard Grey to no avail,
lsass.exe is still domination the CPU usage, Windows Defender and CA Security
Center are useless at this point, any suggestion please respond.
 
N

nass

Hi Ford,
Note LSASS.EXE and lsass.exe are legitimate Processes! But isass.exe and
Isass.exe not legit they are Trojans.
Run a search for lsass.exe and copy it to the %SystemRoot%\
Mine located here:
Version: 5.1.2600.1106
C:\Windows\$NtServicePackUninstall$
C:\Windows\ServicePackFiles\i386
C:\Windows\SoftwareDistribution\SelfUpdate\16b2.....
c:\windows\system32

copy from:
C:\Windows\ServicePackFiles\i386
To: c:\windows\system32

Please run a thorough scan with an Anti-Virus software and anti-malware like
superantispyware and Malwarebytes in Both Normal Mode and safe Mode after
updating their definitions.
Or you can contact me with your Hijackthis log if the above didn't solve
your issue.
HTH,
nass
 
F

FordPrefect

Well good news, after downloading a few of the suggested tools, I am happy to
report that lsass.exe is no longer hogging the CPU, I found four more
Trojans, two which were on my jump drive, the combination of
SUPERAntiSpyware, CA Security Center, Windows Defender, RogueRemover, and few
others.

Which also led me to also solve the Firefox 3.0 browser hogging CPU as well
in the range of 30% to 100% of CPU usage, the latter required turning java,
and java scripting off and installing a Flashblock which is an extension for
the Mozilla, Firefox, and Netscape browsers? Now I have to repeat this
process for the Opera browser, Apple Safari browser seems to be immune to
this behavior. Microsoft Internet Explorer I have not used for over 6 years
now (I have the latest version installed just in case the other do not work),
I am afraid to use it every time I use it some weird pop-up or new windows is
opened offering me virus protection or tool to fix my system…despite the fact
that I am using a verity of protection packages, firewall, anti-virus,
anti-spyware, etc…at the moment I have 31 tabs open in Firefox and no hogging
of the CPU, I have 6 tabs opened in Safari…all quite as it should be.

I would like to thank everyone that contributed in getting this issue
resolved, thank you all very much.
 
N

nass

You still get some residues and you need to send your Hijackthis to one of
many forums on the INTERNET to analysis it for you!

I will be happy to help you if you want, if you don't please send your log
to one of the forums!
I'm not scare mongering you but this true your machine may not completely
clean!!!
HTH,
nass
 
Ad

Advertisements

E

Eric Kolotyluk

OK, so the problem has mysteriously gone away. The lsass,exe process is
running normally now. I am not sure why.

I ran two virus scans, Kaspersky and Panda, and neither found anything
significant, and neither did anything to remedy the situation.

The only other significant event I noted was for a while now windows update
was not working properly. I had 4 updates that would not apply. Finally I
tried applying them one at a time, and the first 3 worked, the last one still
won't apply. Since then my computer performance is back to normal and
lsass.exe seems to be running normal. Also, since resolving the failed
updates a lot of my disk space got freed up, and no more disk space is
disappearing.

Is there any way windows update could have cause my problems?

- Eric
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top