Lsass.exe has become infected - Nothing seems to sort it out!

Hi all,

Anyone's help on this would be greatly appreciated (see attachment for detailed info). My antivirus keeps telling me that lsass.exe is infected with a Trojan. The antivirus wants to delete or quarantine this file, but as I understand it, it's a system-critical file, so that will cause more problems.

I've tried using Regcure, which (as all of them do) stated that it would definitely fix the problem, but it hasn't.

Now as you can see in the image, this instance of lsass is in c:\windows\config... I was under the impression that all these files would be in the System32 folder instead, and sure enough there is another lsass.exe in there too.

So really I'm looking for someone to say whether or not it is OK to delete this file completely. It does make me wonder though: if the 'REAL' lsass.exe (in System32) was OK, why would I see the lsass.exe process running frequently at 100% and also uploading to the maximum of my bandwidth? (Luckily I have NetLimiter installed, so I have put a stop to that straight away!)

Any advice or suggestions would be greatly appreciated!

Many thanks,

Pete
Attachment: lsass-Problem.JPG

(Asked by PeteJThomas)

orangutang commented:
Remove these with HijackThis:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll

and235100 commented:
The "proper" lsass.exe is located in C:\Windows\System32
You can remove this one.

and235100 commented:
I would suggest that you run a virus scan here (HouseCall: http://housecall.trendmicro.com/) in Safe Mode - if at all possible.
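The two answers above make two checks: the genuine lsass.exe lives in C:\Windows\System32, and the HijackThis "F2 - REG:system.ini: Shell=" line is what re-launches the copy in C:\WINDOWS\Config at every logon. The PowerShell script below is an added example, not code from the thread or from any of its participants, that performs both checks on a current Windows machine instead of relying on HijackThis. It assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on the XP-era system in the thread), an elevated prompt (the image path of the real, protected lsass.exe is only readable by administrators), and that the HijackThis F2 "Shell=" item is HijackThis's rendering of the Winlogon Shell registry value, which is where that setting lives on NT-based Windows.

```powershell
# Added example, not part of the original thread: look for a rogue lsass.exe and
# for a hijacked Winlogon "Shell" value (the registry location that HijackThis
# reports as "F2 - REG:system.ini: Shell=").  Written for Windows PowerShell 5.1
# on Windows 8/Server 2012 or later; run from an elevated prompt, because the
# image path of the real (protected) lsass.exe is only readable by administrators.

$legitLsass = Join-Path $env:SystemRoot 'System32\lsass.exe'
$findings   = New-Object System.Collections.Generic.List[string]

# 1. Running processes named lsass.exe: there must be exactly one, and it must
#    live in System32.  A second copy, or one in another directory, is the
#    situation described in the thread (C:\WINDOWS\Config\lsass.exe).
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
if ($procs.Count -ne 1) {
    $findings.Add("Expected one lsass.exe process, found $($procs.Count)")
}
foreach ($p in $procs) {
    if (-not $p.ExecutablePath) {
        $findings.Add("PID $($p.ProcessId): image path not readable (run elevated)")
    }
    elseif ($p.ExecutablePath -ne $legitLsass) {   # -ne is case-insensitive in PowerShell
        $findings.Add("PID $($p.ProcessId): lsass.exe running from $($p.ExecutablePath)")
        # Where is the impostor sending data?  Only flagged PIDs are listed here:
        # the genuine lsass.exe also talks to domain controllers on a domain-joined
        # machine, so a connection from System32\lsass.exe is not evidence by itself.
        Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("    -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))") }
    }
}

# 2. Copies of lsass.exe on disk outside System32.  The component store (WinSxS)
#    legitimately holds Microsoft-signed copies, so only report files whose
#    Authenticode signature is not valid or whose signer is not Microsoft.
Get-ChildItem -Path $env:SystemRoot -Filter 'lsass.exe' -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $legitLsass } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $findings.Add("On disk: $($_.FullName) signature=$($sig.Status) signer=$signer")
        }
    }

# 3. The Winlogon Shell value.  Windows sets it to "explorer.exe"; malware appends
#    its own path (the thread's value was "Explorer.exe C:\WINDOWS\Config\lsass.exe")
#    so Winlogon starts it alongside Explorer at every logon.  HKCU normally has no
#    Shell value at all, so any value there is worth a look.
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("$key\Shell = '$shell' (expected 'explorer.exe')")
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No rogue lsass.exe process or file, and no Winlogon Shell hijack, found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

If the Shell value is the only thing flagged after the antivirus has already removed the file, you will see exactly the symptom Pete reports further down: a "file not found" error at every boot until the appended path is removed from the value. Setting it back to plain explorer.exe (which is what removing the F2 line in HijackThis does) clears the error.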
PeteJThomas (author) commented:
Here's the log. Having never used HijackThis before, I have no idea what it's telling me though... Translate please! :)

I'll run through the other suggestions too and let you know the results...
Attachment: hijackthis.log

PeteJThomas (author) commented:
Thanks guys. Allowing the AV to delete the file was OK, but it kept erroring on boot-up, saying it couldn't find that file.

Removing that F2 in HijackThis stopped that as well! Perfecto!