steveLaMi asked:

What is scan500.exe, lserver.exe and lsass.exe?

Our SQL server was recently hacked. I am looking at every open process in the task manager and have come across a couple that I cannot tell if they belong there or not. Here they are:

scan500.exe
lserver.exe
lsass.exe

Are they legit files?

billwharton

These files are related to multiple viruses like MyDoom. Install the latest patches on your system and run an antivirus application.

steveLaMi

ASKER

Are there legit versions of these files? And what directories SHOULD they reside in? I know that if lsass.exe is anywhere but win32/system32 then it could be a virus. How about scan500.exe or lserver.exe?

Well, these files have a little difference in the resident folders depending on the OS. However, don't make yourself struggle by finding out locations. Instead, run a good antivirus scanner.

Try deleting scan500.exe -> it's definitely a virus. However, it may not be resident in memory and if that's the case, you would be able to delete it.

Scan500.exe belongs to the Exploit.Win32.WebDav virus class.

That's correct. Scan500 is definitely suspicious... you can check the file versions and the size as well if you are not sure...
Another thing is to run a good AV to find any other hidden or unknown worms as well...

When I do a search for scan500.exe I find nothing. Any suggestions?

ASKER CERTIFIED SOLUTION
srikrishnak