Re: Finding The Source, How To Find The Source Of A Malware
Downloaded Process Monitor as explained in the above post. Followed the instructions: I pressed Ctrl+L, then selected Path, contains, pmnnn.dll (as bds said was a virus). Well, lsass.exe was creating a bunch of pmnnn.dll over and over again. It keeps on creating it. Isn't lsass.exe part of Windows? Should I delete that?
Comments
pmnnn.dll isn't a legit file, and lsass.exe shouldn't create it over and over again. It could be that the original lsass.exe (which is an important Windows service) was replaced by a malware program, which leads to that behaviour. What you should do is put both pmnnn.dll and lsass.exe in an archive with the password "infected", and attach it to your next post. Virus researchers will have a look at it, and add detection if necessary.
Andrei0 -
lsass.exe is part of Windows (and deleting it would render Windows unusable) if it is located in your system directory (C:\Windows\System32 usually). You can find this out by right-clicking on the particular entry in the Process Monitor log, selecting Properties and going to the second tab (Process). Look in the "Path" text box. Check if you see C:\Windows\System32\lsass.exe (or another directory if you don't have Windows installed in C:\Windows). Look carefully, because it is possible for malware to use tricks like 1sass.exe (that is the number 1 instead of the letter l), or to put a file named lsass.exe in a different directory (C:\Windows, for example).
If you determined that this isn't the legitimate lsass.exe, please archive the suspected file and attach it to a posting on this forum.
If, however, you determined that it is in fact the lsass.exe from Windows creating this file, malicious code was probably injected into the process. We could probably pinpoint the problem if we can get a list of all the loaded modules from lsass.exe. To provide that, while still on the "Process" page of the Properties window, press the "Copy All" button and paste the results here on the forum.
Best regards.
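The path check and the loaded-module listing described in the reply above, scripted as an added example (not code from the forum post or from Process Monitor). It assumes an elevated PowerShell prompt on the affected machine; the lookalike-name pattern and the "Microsoft" signer check are heuristics chosen for this example.

```powershell
# Added example, not from the forum thread: check every running process whose
# name looks like lsass.exe, verify that it runs from the real Windows path and
# carries a valid Microsoft signature, and list its loaded modules for review.
# Run from an elevated PowerShell prompt; the lookalike pattern is a heuristic.

$ExpectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Map common Latin lookalikes ("1sass.exe", "Isass.exe") onto the real name.
# Unicode homoglyphs are not covered here.
function Get-NormalizedName([string]$Name) {
    $Name.ToLowerInvariant() -replace '[1i|]', 'l' -replace '0', 'o'
}

function Get-LsassFindings {
    Get-CimInstance Win32_Process |
        Where-Object { (Get-NormalizedName $_.Name) -eq 'lsass.exe' } |
        ForEach-Object {
            $path = $_.ExecutablePath
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $pathOk = $path -and ($path -ieq $ExpectedPath)
            $sigOk  = $sig -and ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like '*Microsoft*')
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                Path      = $path
                Signature = if ($sig) { $sig.Status } else { 'unknown' }
                Verdict   = if ($pathOk -and $sigOk) { 'expected' } else { 'REVIEW: unexpected path, name or signature' }
            }
        }
}

# Loaded modules of one process, the same information the reply asks for
# via Process Monitor's "Copy All"; DLLs outside System32 stand out here.
function Get-ProcessModuleReport([int]$ProcessId) {
    (Get-Process -Id $ProcessId).Modules |
        Select-Object ModuleName, FileName |
        Sort-Object FileName
}

$findings = Get-LsassFindings
$findings | Format-Table -AutoSize
foreach ($f in $findings) {
    Write-Host "`nModules loaded in PID $($f.ProcessId) ($($f.Path)):"
    Get-ProcessModuleReport -ProcessId $f.ProcessId | Format-Table -AutoSize
}
```

A verdict of "expected" only means the image file is the real one; injected code shows up in the module list instead, so review that output for DLLs that are unsigned or loaded from unusual locations.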