My computer is running WinXP. For some reason, my computer is generating a copy of this file in C: and apparently running it upon startup, as I have two entries for lsass.exe under my username, in addition to the one under SYSTEM in the task manager. I have also noticed a very minor slowdown on some programs. Does anyone have any ideas? I can’t delete the EXE, as lsass.exe is running, and I can’t kill the programs in the task manager, as they are system processes. More importantly, it appears from the way that the file’s date changes that it is appearing whenever I turn on the computer. Any ideas?
From here. Remember, Win XP is an NT platform. Why did you want to delete it?
Local Security Authentication Server.
But if your computer is running a copy of it from the root directory, C:, it could be a trojan.
Desmostylus has a point. It would be a good idea to run an updated virus scan on it, just to be sure. McAfee and other anitvirus software vendors have trial versions of their software, and some offer free online scanning if you can’t or don’t wish to purchase one at this time.
From looking around a bit in Google, yes, it’s a known trojan. There are several variants listed at Symantec.
Do what Q.E.D. said.
Also see here for some additional removal instructions.
Thanks for the help. I think the virus is gone (no registry keys/dlls where the help files say they should be, and the utilities say it’s gone) but I still have two instances of lsass.exe executed under ‘USER’ in the task manager, and still have the copy of it in C:. Anyone have any tips on killing that file?