Topic: Check your PC for MalWare  (Read 1856 times)


Offline Dracho

  • Global Moderator
  • Rear Admiral
  • *
  • Posts: 18289
  • Gender: Male
Check your PC for MalWare
« on: June 07, 2005, 12:06:57 pm »
Here is a handy site:

Will tell you pretty much everything about the processes running on your PC

http://www.tasklist.org/
The worst enemy of a good plan is the dream of a perfect plan.  - Karl von Clausewitz

Offline E_Look

  • Grand High Scribe
  • Captain
  • *
  • Posts: 6446
Re: Check your PC for MalWare
« Reply #1 on: June 07, 2005, 10:52:04 pm »
I'm no PC wiz, so some of this site's content is somewhat confusing, so I hope you can clarify - how can a file, such as lsass.exe, be legitimate, but then also "added" by a worm?  In WinXP, is the one that shows in Task Manager the legit one??

Offline Dracho

Re: Check your PC for MalWare
« Reply #2 on: June 07, 2005, 10:54:03 pm »
Description: Added by the RANDEX.AR WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!

Run msconfig and see if it's starting up?

Offline E_Look

Re: Check your PC for MalWare
« Reply #3 on: June 07, 2005, 10:55:37 pm »
I guess...

Offline Dracho

Re: Check your PC for MalWare
« Reply #4 on: June 07, 2005, 10:57:31 pm »
I'm guessing the viral one overwrites the original, or has one with the same name as a mask.

Offline Grim

  • Lt. Commander
  • *
  • Posts: 1004
  • Gender: Male
Re: Check your PC for MalWare
« Reply #5 on: June 08, 2005, 07:05:48 am »

The site doesn't appear to be that clear. Lsass.exe, for example, can be a proper safe process running, but at the same time, as mentioned by that site, it can be a common process that is hijacked by a worm. Doesn't really say how you can tell if it's been hijacked or not or what you need to do.

I believe if that process is indeed infected a common symptom is your computer rebooting repeatedly.

The definition from the Microsoft site is this:

Lsass.exe - You cannot end this process from Task Manager.

This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.


I assume if you delete or stop this process when it's not infected this could cause some major system issues.

Perhaps we could move this thread to engineering as it deals with computer issues, plus might get some knowledge from the other techies around here about the various system processes.

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3002
  • Gender: Male
Re: Check your PC for MalWare
« Reply #6 on: June 10, 2005, 03:34:15 am »
I would only worry about Lsass.exe if it is not in the c:\windows\System32 folder.  If ever anyone is not sure, they should run their virus scan with the latest updates.  If that option is not available for whatever reason (like a virus  :D ), then I would suggest an online virus scan or virus removal tool to handle the problem.  I would never suggest deleting a program file just because it is showing up on the Task Manager.

Given that, the site that Dracho posted is a good one.  I have used that site to help track down and remove some psycho HP printer drivers that would connect to the mother ship every two minutes.  HP stated that this part of the printer "driver" helps ensure that my printer runs smoothly.   ::)  Forget the fact that this program would kick me out to the desktop every two minutes when I tried to do anything, including game playing like NeverWinter Nights.

Another good site for tracking runaway programs on your system is:

http://www.pcpitstop.com/pcpitstop/default.asp


After you run the tests (and you can run this relatively anonymously) it gives you a list of all the processes that are running on your system.  It even helps you identify the processes that are needed and ones that you can safely remove via Msconfig or Services.msc.  Hope this helps.
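
Added example, not part of any post in this thread: a PowerShell check that combines the two tests suggested above, the image path of every running lsass.exe (expected in the System32 folder) and any startup entry that mentions lsass (the genuine file should not appear in Msconfig/Startup). It assumes a current Windows with the CIM cmdlets, which the WinXP machines discussed here did not ship with; the variable names and verdict strings are my own.

```powershell
# Added example: check running lsass.exe instances and startup entries.
# Run from an elevated prompt; without elevation the image path of a
# protected process may come back empty.

$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Where is each running lsass.exe actually loaded from?
$processReport = foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'lsass.exe'") {
    $path = $p.ExecutablePath
    if ([string]::IsNullOrEmpty($path)) {
        $verdict = 'UNKNOWN - path not readable, re-run elevated'
    }
    elseif ($path -ieq $expected) {
        $verdict = 'OK - expected location'
    }
    else {
        $verdict = 'SUSPICIOUS - unexpected location'
    }
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $path
        Verdict   = $verdict
    }
}

# More than one running lsass.exe is itself worth a closer look.
if (@($processReport).Count -gt 1) {
    Write-Warning "Found $(@($processReport).Count) lsass.exe processes; normally there is one."
}

# 2. Does anything named lsass start from the Run keys or Startup folders?
#    Win32_StartupCommand lists the same kind of entries Msconfig shows.
$startupReport = Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -match 'lsass' -or $_.Name -match 'lsass' } |
    Select-Object Name, Command, Location, User

'--- Running lsass.exe processes ---'
$processReport | Format-Table -AutoSize

'--- Startup entries mentioning lsass ---'
if ($startupReport) {
    $startupReport | Format-List
}
else {
    'None found.'
}
```

Anything reported as SUSPICIOUS, or any startup entry at all, is a reason to run an up-to-date virus scan rather than to delete the file by hand.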