lsass.exe....is this a trojan


6 replies to this topic

#1 ethelsfred (Members, 22 posts)

Posted 28 May 2009 - 09:00 AM

You guys helped me clean up my system...thanks again. I was poking around with TCPView and noticed I have 2 instances of lsass.exe:684, both listening; one TCP and the other TCPV6.

Is this a trojan? I have attached a picture of the TCPView log.


AMD Phenom 9950 BE Quadcore 2.6Ghz, 8GB RAM, 64bit Vista Ultimate


#2 ethelsfred (Topic Starter, Members, 22 posts)

Posted 28 May 2009 - 09:39 AM

After doing some more homework, I am starting to believe the 2 instances of lsass that I have are not malicious. But I would like an expert's opinion.

#3 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 28 May 2009 - 12:37 PM

lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service. The lsass.exe process receives authentication requests from WINLOGON and calls the appropriate authentication package (implemented as a DLL) to perform the actual verification, such as checking whether a password matches what is stored in the SAM (the part of the registry that contains the definition of the users and groups). This process is important for stable and secure operation of your system and should not be terminated. Determining whether lsass.exe is malware or a legitimate Windows process depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. The legit lsass.exe file is located in the C:\Windows\System32 folder. If found running from a different location it is malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 ethelsfred (Topic Starter, Members, 22 posts)

Posted 28 May 2009 - 01:16 PM

Sorry for my ignorance.....but how do I determine where it is running from?

Also...today I purchased, installed and scanned with NOD32 Antivirus; do you think it would have identified the lsass.exe if it were malware?

Edited by ethelsfred, 28 May 2009 - 01:50 PM.


#5 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 28 May 2009 - 01:54 PM

Tools to investigate running processes and gather additional information to identify them and resolve problems: These tools will provide information about each process, CPU usage, file description and its path location. If you right-click on a file and select Properties, you will see more details.
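The path rule from post #3 and the "look at the process and its path" advice from post #5, as an added PowerShell example (this is not code from the thread or from any tool it names). It assumes an elevated prompt, since the image path of a SYSTEM process is not readable otherwise, and Windows 8 / Server 2012 or later for Get-NetTCPConnection; the Authenticode check is an extra check beyond what the thread describes.

```powershell
# Added example, not part of the original thread: verify each running lsass.exe
# against the rule "legitimate only if it runs from System32", then add a
# signature check and show the listening sockets TCPView would display.
# Assumption: run as Administrator on Windows 8 / Server 2012 or later.

$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Windows runs exactly one lsass.exe; more than one is worth a closer look.
$procs = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
if ($procs.Count -ne 1) {
    Write-Warning "Expected exactly one lsass.exe process, found $($procs.Count)"
}

foreach ($p in $procs) {
    $path = $p.Path
    if (-not $path) {
        Write-Warning "PID $($p.Id): image path not readable; re-run from an elevated prompt"
        continue
    }

    # Rule from the thread: the real file lives only in C:\Windows\System32.
    $pathOk = [string]::Equals($path, $expectedPath, 'OrdinalIgnoreCase')

    # Extra check (not in the thread): the real file is Microsoft-signed.
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($sig.SignerCertificate.Subject -like '*Microsoft*')

    $verdict = if ($pathOk -and $sigOk) { 'legitimate' } else { 'INVESTIGATE' }

    [pscustomobject]@{
        PID     = $p.Id
        Path    = $path
        PathOk  = $pathOk
        SigOk   = $sigOk
        Verdict = $verdict
    } | Format-List

    # TCPView-style listing. One process can own several listening sockets,
    # so the same PID showing once for TCP (IPv4) and once for TCPv6 is one
    # process with two sockets, not two copies of lsass.exe.
    Get-NetTCPConnection -OwningProcess $p.Id -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, State |
        Format-Table -AutoSize
}
```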

#6 ethelsfred (Topic Starter, Members, 22 posts)

Posted 28 May 2009 - 03:05 PM

Thank you....I do not have any problems, the file is located where it should be.

An unrelated question...you and a few others in here have mentioned ESET NOD 32 Antivirus for AV/spyware protection (I bought it today), but I have not seen any comments regarding their Smart Security 4 which adds firewall and anti spam protection. Your thoughts would be appreciated.


P.S. For others reading this, the aforementioned ESET NOD32 Antivirus 4 (I have Vista SP1 by the way) and Smart Security 4 have a known conflict they are working to resolve with SP2 updated Vista and Windows Server 2008....read the link below before considering a purchase.

http://kb.eset.com/esetkb/index?page=conte...ctp=LIST_RECENT

They recommend using version 3 until the conflict is resolved.

#7 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 29 May 2009 - 05:55 AM

I have not seen any comments regarding their Smart Security 4 which adds firewall and anti spam protection. Your thoughts would be appreciated.


I'm not an advocate of suites. All-in-one tools and suites generally use more system resources than separate programs that do the same task. They tend to have varying degrees of strengths and weaknesses for each feature. In contrast, separate tools are designed, built and maintained with a greater focus in a specific area so they are generally of better quality. This means the program's performance for that particular feature is usually superior than their all-in-one counterpart. Further, all-in-one tools generally do not allow the user as much flexibility in tailoring default settings and usage.



