virus - lsass.exe constantly using about 25% of CPU

2014-07
  • Clark

    Recently noticed that my computer was running a bit slow and saw that a program which I have never seen before, lsass.exe, is using about 25% of my CPU nearly all of the time. If I close it I receive an error message and am told the computer will reboot in 1 minute. I then scanned my computer with ESET and found no viruses. I then scanned with Malwarebytes and discovered 1 infiltration, which I let it clean. I then rebooted and found that the number of svchost.exe's that had been previously running had decreased by one. The lsass.exe was still consistently using 25% of my CPU, and a new program called TrustedInstaller.exe used a large amount of CPU on bootup and then diminished to 0% CPU.

    How can I fix this?

    P.S. I am unsure because of the limited amount of time before logoff, but when I kill it the issue seems to go away.

    If you claim that it is a legitimate process can you please explain why I have never seen it before and why, even though I am constantly in task manager, it has never been shown to use this much CPU...

    Edit: two instances of csrss.exe are now running. One can be opened from System32, while when clicking the "show file location" option on the other, nothing appears.
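A check worth running before killing anything, added here as an example and not code from the thread: enumerate every lsass.exe and csrss.exe instance through WMI (which can report the image path of these protected processes from an elevated prompt, where Task Manager's "file location" may not) and flag any copy that does not run from %SystemRoot%\System32 as a validly signed binary. It assumes PowerShell 3 or later for Get-CimInstance; on PowerShell 2 swap in Get-WmiObject with the same class and filter.

```powershell
# Added example, not code from the thread: list every lsass.exe / csrss.exe instance
# with its on-disk path and Authenticode signature, flagging anything that does not
# run from %SystemRoot%\System32 as a validly signed binary. Run it from an elevated
# PowerShell prompt so WMI can report the path of these protected system processes.
$expectedDir = Join-Path $env:SystemRoot 'System32'
$procs = Get-CimInstance Win32_Process -Filter "Name='lsass.exe' OR Name='csrss.exe'"

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'Unknown' }
    # Windows reports process CPU times in 100-nanosecond units
    $cpuSec = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
    $inSystem32 = $path -and ([IO.Path]::GetDirectoryName($path) -ieq $expectedDir)
    [pscustomobject]@{
        Name       = $p.Name
        PID        = $p.ProcessId
        ParentPID  = $p.ParentProcessId
        Path       = $path
        Signature  = $sig
        CpuSeconds = $cpuSec
        Suspicious = -not ($inSystem32 -and $sig -eq 'Valid')
    }
}
# Expect exactly one lsass.exe, and one csrss.exe per session (two on a single-user
# desktop: session 0 plus the interactive session). An extra copy, or one outside
# System32 or unsigned, is the thing to preserve and submit to your AV vendor rather
# than kill on the spot, since killing the real lsass.exe triggers the forced reboot.
```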

  • Answers
  • user322367

    Download and install the following applications:

    1. AdwCleaner
    2. Malwarebytes
    3. OTL (OldTimer's List-It)

    After you have done that, run each of them separately. Post logs here.


  • Related Question

    anti virus - Does Antivirus2009 or Antivirus360 automatically install on your computer, and if so, how?
  • Questioner

    I run Firefox on Vista, and unfortunately I got tricked (through a deceptive Google result) into going to a page containing one of those fake "Your Computer Has all of this Spyware on it!" pages. I tried manually closing the tab, but it had one of those "Are you sure you want to navigate away?" JavaScript alerts (HATE THOSE). So I clicked "OK," and the tab closed. Then I closed Firefox altogether and rebooted.

    Now, before I could close the tab, it did prompt me to download a file, but of course I chose not to, and checking my downloads folder, nothing new is there. Also, even if I did download it, I would still have to choose to run it by double clicking on it for it to install itself, right? Also, I ran Malwarebytes and Windows Defender and both said everything was fine.

    From this I would normally believe I am safe, but I have read everywhere that this thing "automatically installs" itself and that it is a bitch to get rid of. Is it really possible for this thing to dig in if you are running Firefox and didn't choose to download it or run it after downloading?


  • Related Answers
  • Phoshi

    The only way a piece of software can silently install itself through a web browser is by exploiting a security hole in the browser itself. The only cases of AV2009 I've seen were accompanied by an IE user, so I assume that file dialogue was Firefox not breaking, and still keeping you safe. Close one!

    However, probably best to run a scan with your AV of choice, just in case, because nothing is infallible. If it indeed did get through - don't worry, you'll find out soon enough. This is not quiet or subtle malware, this is in-your-face "Give me money or I'm never going away" malware.

    Lifehacker ran a story on how to remove something similar, just in case.

  • foraidt

    It should only be able to install itself by using some sort of security hole.
    My guess is that you update Firefox whenever there are updates; right? If yes, you can quite safely assume that it hasn't installed itself on your machine.

    For the future you might want to have a look at the NoScript extension. It's targeted at advanced users but is generally a big security improvement. It would also have spared you those annoying JavaScript popups.

  • bobince

    "Is it really possible for this thing to dig in if you are running firefox"

    Yes, either through Firefox security hole exploits (if you haven't been letting it update itself) or — far more likely — through browser plugin security holes that can be exploited in any web browser. Ensure all plugins you have are up-to-date, and uninstall/disable any (Java, Windows Media Player, QuickTime, RealPlayer, PDF Reader, Silverlight, Office Web Components, and so on) that you aren't sure you definitely need.

    The Adobe Reader PDF plugin is responsible for a large proportion of the exploits currently loading the fake-AVs. It is especially bad because it installs a plugin (that doesn't update itself) without telling you it is doing so, so many users have no idea they have a vulnerable browser plugin.

    "I ran Malwarebytes and Windows Defender and both said everything was fine."

    I wouldn't necessarily trust AV tools to detect (and certainly not remove!) today's trojans. But this does tend to back up the lack of any evidence that anything has installed.