Lsass.exe has become infected - Nothing seems to sort it out!

Hi all,

Anyone's help on this would be greatly appreciated (see attachment for detailed info) - My antivirus keeps telling me that lsass.exe is infected with a Trojan. The antivirus wants to delete or quarantine this file, but as I understand it, it's a system-critical file, so that will cause more problems.

I've tried using Regcure, which (as all of them do) stated that it would definitely fix the problem, but it hasn't.

Now as you can see in the image, this instance of lsass is in c:\windows\config... I was under the impression that all these files would be in the System32 folder instead, and sure enough there is another lsass.exe in there too.

So really I'm looking for someone to say whether or not it is OK to delete this file completely. It does make me wonder though, as if the 'REAL' lsass.exe was OK (in System32), why would I see the lsass.exe process running frequently at 100% and also uploading to the maximum of my bandwidth?? (Luckily I have NetLimiter installed, so I have put a stop to that straight away!!)

Any advice or suggestions would be greatly appreciated!

Many thanks,


The "proper" lsass.exe is located in C:\Windows\System32
You can remove this one.
I would suggest that you run a virus scan here (HouseCall) in Safe Mode - if at all possible.

PeteJThomasAuthor Commented:
Here's the log, having never used hijackthis before I have no idea what it's telling me though... Translate please! :)

I'll run through the other suggestions too and let you know the results...
Remove these with HijackThis:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
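The F2 entry above is the persistence that kept the rogue file alive: Winlogon's Shell value was extended so that a second program starts alongside Explorer.exe. The following is an added example (not from the thread or from HijackThis) that parses HijackThis-style F2 lines and flags two things a defender looks for: a well-known system binary name living outside System32, and any program other than explorer.exe chained onto the shell. The sample log and the extra paths in it are constructed.

```python
import re
from pathlib import PureWindowsPath

# Binary names that only belong under %SystemRoot%\System32 on a stock install.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
EXPECTED_SHELL = "explorer.exe"

# One executable path: either drive-rooted (may contain spaces) or a bare token.
_EXE = re.compile(r"[A-Za-z]:\\.*?\.exe|\S+\.exe", re.IGNORECASE)

# Constructed sample: the F2 line quoted in the thread plus two made-up lines for contrast.
SAMPLE_LOG = "\n".join([
    "F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Config\\lsass.exe",
    "F2 - REG:system.ini: Shell=C:\\WINDOWS\\explorer.exe",
    "F2 - REG:system.ini: Shell=Explorer.exe C:\\Program Files\\Some Tool\\tool.exe",
])

def parse_shell_programs(line):
    """Return the executables listed in an F2 'Shell=' entry, or [] for any other line."""
    m = re.search(r"Shell=(.*)$", line, re.IGNORECASE)
    return _EXE.findall(m.group(1)) if m else []

def audit_program(path):
    """Explain why a Shell entry is suspicious, or return None when it looks legitimate."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in SYSTEM_BINARIES and p.parent.name.lower() != "system32":
        return f"{p.name} running from {p.parent} instead of System32"
    if name != EXPECTED_SHELL:
        return f"extra program {path} chained onto the shell"
    return None

def audit_log(text):
    """Return (line_no, reason) for every suspicious program found in Shell= entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for prog in parse_shell_programs(line):
            reason = audit_program(prog)
            if reason:
                findings.append((n, reason))
    return findings

if __name__ == "__main__":
    for n, reason in audit_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Line 1 of the sample produces the finding that matches this thread (lsass.exe under C:\WINDOWS\Config); a copy of lsass.exe in System32 would still be flagged here, because lsass.exe never belongs in the Shell value at all.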

PeteJThomasAuthor Commented:
Thanks guys - Allowing AV to delete the file was OK, but it kept erroring on boot-up, saying it couldn't find that file.

Removing that F2 in HijackThis stopped that as well! Perfecto!
Windows XP
