
Disk thrashing lsass.exe


4 replies to this topic

#1 santa401


Posted 09 April 2012 - 04:34 AM

Hi, this is my first ever post so be gentle with me.

I have Vista x64 with a quad cpu
McAfee AV

I have an intermittent problem which when it manifests takes 100% of the disk and carrying out normal tasks on the computer is impossible. It seems to last about 20 mins at a time. The main IO culprit is lsass.exe with associated services of 'protected storage' and 'security accounts manager'

I have run HijackThis and although I don't really know what I'm looking for I did note lots of 'file missing' entries such as:

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

This isn't normal... right?

Any help would be much appreciated

Kind Regards

Santa401


#2 Allan


Posted 09 April 2012 - 06:50 AM

1) What is new or different since the last time everything worked properly (i.e., new hw, new sw, virus, error, etc.)?
2) lsass.exe is a frequent target of malware. For a start I suggest you run full scans with BOTH your antivirus app and with MalwareBytes. You might also want to post in the Am I Infected forum and let a malware expert help you check.

#3 santa401


Posted 10 April 2012 - 04:36 AM

Dear Allan

Thanks for your reply. Yes, I have undertaken a full scan using McAfee and that was fine. I even had one of their tech guys remotely take over my PC to see if he could see any virus and he reported nothing sinister.

I looked at the guidelines and they said not to post in multiple forums, so I didn't, but if you think it may help to post in the 'Am I Infected' forum then I will.

Is there anything else I can look into or check, other than that?

Kind Regards

Santa401

#4 Allan


Posted 10 April 2012 - 06:47 AM

Okay, before moving the thread to the Am I Infected forum let's try a selective startup.

Open msconfig and on the General tab choose "selective startup" (uncheck all three items) and reboot. Does the problem still occur? If not, start adding items back to msconfig one or two at a time, rebooting after each change, until the problem reappears and you'll have identified the offending process. This is clearly a time-consuming procedure, but it is the best way to determine if some process loading with the system is the cause of your problem.
After you've isolated the cause, do not use msconfig to permanently disable the process. Instead, if it is a service, go to START - RUN and type: services.msc (then press enter) and disable the service OR, if it is a program, you can download & run a simple app such as Mike Lin's Startup Control Panel (http://www.mlin.net/StartupCPL.shtml) to enable, disable, or otherwise manage startup programs.

#5 Orange Blossom


Posted 10 April 2012 - 02:03 PM

We rarely use HijackThis for several reasons. One is that it doesn't scan properly on 64-bit systems. It will show many files as missing that are actually present.

Orange Blossom
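An added example, not part of the original thread: a small triage script for O23 lines like those in post #1, marking which "(file missing)" results cannot be trusted on 64-bit Windows. It assumes the usual cause, WOW64 file-system redirection, where a 32-bit scanner asking for System32 is shown SysWOW64 instead; the names `triage`, `report`, `EXEMPT` and `SAMPLE` are hypothetical.

```python
import re
from ntpath import normcase, normpath

# "O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
O23 = re.compile(
    r"^O23 - Service: .+ \((?P<name>[^()]+)\) - .+? - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# System32 subtrees that WOW64 does not redirect (both views see the same files).
EXEMPT = ("catroot", "catroot2", "drivers\\etc", "logfiles", "spool")

def triage(line, windir=r"C:\Windows"):
    """Return (service, verdict, path_to_recheck) for one O23 line, else None."""
    m = O23.match(line.strip())
    if not m:
        return None
    path = normpath(m["path"])
    if not m["missing"]:
        return m["name"], "present", path
    sys32 = normcase(windir + "\\system32\\")
    low = normcase(path)
    if low.startswith(sys32):
        rest = low[len(sys32):]
        if not any(rest.startswith(e + "\\") for e in EXEMPT):
            # The 32-bit scanner was shown SysWOW64; the Sysnative alias
            # reaches the real System32 from a 32-bit process.
            native = windir + "\\Sysnative\\" + path[len(sys32):]
            return m["name"], "unreliable-on-x64", native
    return m["name"], "missing", path

SAMPLE = [
    # Two lines taken from the log in post #1:
    r"O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)",
    r"O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)",
    # Constructed lines (not from the thread) to exercise the other branches:
    r"O23 - Service: Example Updater (ExampleUpd) - Example Corp - C:\Program Files\Example\upd.exe (file missing)",
    r"O23 - Service: Example Agent (ExampleAgent) - Example Corp - C:\Program Files\Example\agent.exe",
]

def report(lines=SAMPLE):
    """Triage every parseable line and drop the rest."""
    return [r for r in map(triage, lines) if r]

if __name__ == "__main__":
    for name, verdict, path in report():
        print(f"{verdict:18} {name:18} {path}")
```

An "unreliable-on-x64" verdict only means the scanner's result says nothing either way; the file still has to be checked from a 64-bit process, or through the returned Sysnative path, before it is treated as present and legitimate.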



