lsass.exe Very High Problem…
Windows XP SP2
Desktop
Custom Built
No Error Messages…
No Odd Smells, Noises etc…
Nothing New Installed…
To my Problem Now
lsass.exe: when I look at the task manager it states & shows that it has a high IO Read/Write…
I am wondering if this is normal…
While playing a game I would normally just DC & totally drop connection from the game; when I looked at my DUMeter it showed that I was “uploading” at 200-500 KB/s (my ISP upload is only maxed at 512KB [50KB/s])…
Do you reckon it’s a virus/hijacker? Because when I was looking at my Net Limiter Pro 2, it states the program path is c:\wind*\conf*\lsass.exe & also shows A LOT of connections from one IP…
Anyone know?
P.S. If you need a print screen of any of these, add me as a friend and I will release my email.
Hopefully Locke could help again?
Since writing this post iVaz_ may have helped people, but has not within the last 4 days. iVaz_ is a verified member, has been around for 2 years, 1 month and has 25 posts and 277 replies to their name.
Replies (38)
Well my lsass is 1158 KB so I don’t know if it varies and stuff :)… but I think it is a virus cause once I had that problem too, but am not sure…
Maybe someone milking your ISP signal. Check it out.
C:\Windows\Config\lsass.exe
That’s the file path being used! How can they milk my ISP? This is upload NOT download! AND IT’S beyond my ISP allowance!
lsass is a system process located in C:\Windows\System32, but there are a number of trojans, worms, etc that create a file with that name. If you’re seeing it anywhere other than in system32, especially with the kind of activity you’re talking about, it’s probably malware. Run antivirus, antispy, etc; get rid of it.
Hold on, but my computer turns off if I cut out the lsass.exe in c:\windows\config\lsass.exe. If I cut the lsass out, it sends me “the system is something something”; a small window pops up in the middle of the screen with a countdown!
To abort the shutdown go to start>run and type “shutdown -a” (no quotes).
Oh yeah… I forgot about that Locke, but where can I find an original lsass?
Please remember it’s in “c:\windows\config\lsass.exe”.
The file that’s sending out high uploads at very very uncommon times!
Open windows>system32>drivers>etc>hosts using Notepad. If you have a number of entries you didn’t enter, particularly Microsoft/antivirus sites, you likely have the Sasser worm or a variant which exploits the system similarly. Just update and run antivirus/antispy; that will likely at least verify the problem if not completely fix it.
Could you help me here to “http://help.com/post/111433-how-to-list-everything”
127.0.0.1 localhost
That’s all I found in the hosts file.
That’s good; that’s what is supposed to be there.
Wait a sec, am I meant to have two lsass.exe then?
One in the config folder and one in system32?
The config folder lsass, I believe, is anomalous. The system32 lsass is the normal one.
Config folder = 220KB
System32 Folder = 13.0KB
In the config folder the lsass.exe looks like a folder…
In the system32 folder it looks like a window.
The internal name of the lsass.exe in the Config folder is “Leet.exe” version 1.0?
It has no description… nothing…
C:\WINDOWS\Config\lsass.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
C:\WINDOWS\Config\lsass.exe:SummaryInformation
Those are the files I get when I scan lsass.exe in the config folder…
That’s with NOD32 (yes, it may suck! but it’s the best one I can get right now).
As I said, the config folder lsass is likely malware-associated. It is an “alternate data stream” version of the system32 lsass. If there’s an icon of a handicapped sign in your system tray, by the way, that’s likely Smitfraud malware.
To clarify, you should probably get rid of the oversized lsass.
Seriously; “leet.exe”? I’d somehow overlooked that. That’s actually pretty funny, but you should still ditch it.
I’m with Oldfart on this one.
You could try simply deleting it, aborting the shutdown, then running a full system antivirus/antispy scan to get rid of any remnants (download spybot and run that along with your nod32 - one solution often discovers problems another misses, and Spybot is both high-quality and free).
NOD32, when scanned, doesn’t find it as a virus…
If I try to normally delete it (select it and press delete) it says “Cannot Delete: Access Denied”, may be in use……
I’ll try Spybot. Thanks Locke.
End the process via task manager if possible; then it won’t be in use. If you can’t end it, perhaps it doesn’t run in Safe Mode.
If Spybot detects it in any case, it will remove it when you restart your system before lsass has a chance to run, anyway.
Cannot end task in task manager, I tried that 100 times! I got two lsass.exe in task manager, one from User & one from System.
If it detected it but didn’t delete it, it will likely do so when you restart your system. Anyway, you can, one way or another, delete the rogue lsass file, even if you have to do so through recovery console - but I am not conversant with alternate data streams, and I’m not sure if the system will be able to locate the correct file once the rogue lsass is gone. Ad-aware does recognize and search alternate data streams, but I have no idea whether it will fix your problem.
One thing you can do is go to start>run>regedit. Hit ctrl+f, type lsass, hit enter (and keep on doing this until regedit doesn’t find any more entries). Each time regedit finds an entry, look under the “data” column at the right of the screen and see if it lists a path. If it does, it should be “%SystemRoot%\system32\lsass.exe”. If the path is different (it should not point to the config folder), right-click and modify it so that it reads “%SystemRoot%\system32\lsass.exe” (no quotes). If you had to change anything, registry was pointing your system to the rogue lsass file instead of the correct one - and unless the malware modifies your registry on system start, after restarting you should be able to safely eliminate the bad file. I’ll take a fresh look if it isn’t fixed by tomorrow.
There should actually be a backslash after the second % and after system32 in the path I listed, FYI. This site doesn’t like backslashes, it seems, and removes them automatically in the post.
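Locke’s two checks above (lsass.exe belongs only in System32, whether seen in a process monitor or in a registry path, and the hosts file should hold nothing beyond 127.0.0.1 localhost) as an added Python example, not code from this thread: the sensitive-site pattern list and the sample inputs are constructed assumptions.

```python
import ntpath

# Where the real Local Security Authority process lives on Windows XP, as the thread states.
EXPECTED_LSASS_DIR = r"C:\WINDOWS\system32"
# Name fragments of update/antivirus sites that Sasser-style malware redirects in the hosts
# file; a constructed list for this example, not an exhaustive one.
SENSITIVE_HOST_PATTERNS = ("microsoft.com", "windowsupdate", "symantec", "mcafee", "eset")


def flag_lsass_paths(image_paths):
    """Return each path that names lsass.exe outside EXPECTED_LSASS_DIR. Paths may use
    %SystemRoot% or carry an alternate-data-stream suffix (lsass.exe:SummaryInformation)."""
    bad = []
    for path in image_paths:
        expanded = path.replace("%SystemRoot%", r"C:\WINDOWS")
        head, tail = ntpath.split(expanded)
        base = tail.split(":", 1)[0]  # drop any ADS suffix before comparing the file name
        if base.lower() == "lsass.exe" and ntpath.normcase(head) != ntpath.normcase(EXPECTED_LSASS_DIR):
            bad.append(path)
    return bad


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs whose hostname matches a sensitive pattern. Comments and
    blank lines are skipped; the expected "127.0.0.1 localhost" line is never flagged."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            lowered = name.lower()
            if lowered != "localhost" and any(p in lowered for p in SENSITIVE_HOST_PATTERNS):
                hits.append((ip, name))
    return hits


# Constructed sample data mirroring what the thread reports; not captured from a real machine.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"%SystemRoot%\system32\lsass.exe",
    r"C:\WINDOWS\Config\lsass.exe",
    r"C:\WINDOWS\Config\lsass.exe:SummaryInformation",
]
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.microsoft.com windowsupdate.microsoft.com
127.0.0.1 www.eset.com
"""
```

Feed `flag_lsass_paths` the image paths from a process listing or the data values found by the regedit search, and `suspicious_hosts_entries` the text of the hosts file.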
Hey Locke, thanks mate! Everything turned out fine; I did the registry fix myself, as Spybot didn’t even find the lsass entry at all.
Oldfart, I may be stupid but not slow…
And I already fixed this problem.