Raver87

asked on

lsass.exe, probably virus or malware!

Hi!

For some strange reason my computer has picked up a virus (probably).
I'll start with the basics:
My OS is Windows 7 x64 Ultimate RTM (downloaded from TechNet).
I run AVG Free daily with all security options enabled.

Where should I begin... It all started with my system just stopping responding, and after a reboot not all of my autostart programs started. So this means I need to start AVG manually.

After a bit of searching in Task Manager I found I have two lsass.exe running. One which is the Local Security Authority Process and one that has no description.
The one that is fake, named lsass.exe *32 (this makes me think it's a virus since I run a 64-bit OS), changes PID every second, which makes it impossible to stop in Task Manager or with the taskkill command in cmd with the /p switch. Trying to stop it with /f /im lsass.exe just shuts down the computer after a minute.

I've tried to start in safe mode and remove it, which was successful, but when I booted into Windows normally the process was back again.

The file is located directly on C:\ (another thing that makes me think it's a virus). I've scanned my computer with AVG, Malwarebytes and Spybot. But nothing can delete it, or even find it.


Another process running is cnktva.exe; that exe file is located in my Temp folder and is also impossible to delete. Ending it in Task Manager just makes it start again with a different PID. I've googled the name but haven't found anything about it!

Please help me with this, I'm in great need of this computer right now!


BR
Andreas

UPDATE!!:

After booting up into safe mode once more, I could delete both lsass.exe from C:\ and the cnktva.exe from my Temp folder. I ran some cleanup programs, and now when I boot up my computer the files are gone and don't show up in Task Manager. As an IT consultant this sounds strange; nothing just works this easily ^^ Is there any chance that the virus is still running?
The reason I ask this is because AVG doesn't start automatically and neither do a few other applications on startup. This even though they are marked in the startup tab of "msconfig"...
Mohammed Hamada

Hi Andreas
First thing to do is go to Start -> Run --> type msconfig and hit Enter.
Disable all items on the Startup tab, go to Services --> hide all Microsoft services and disable the others.

Open Task Manager, locate the lsass.exe *32 process and check its location. Upload the file to www.virustotal.com
and post the result link here if possible.

Download HijackThis from www.hijackthis.de
Install it, run a scan and post your log here.
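The "locate the process and check its location" step above can be scripted instead of eyeballed in Task Manager. The following is an added example, not code from the original thread or from any tool named in it. It lists every running process called lsass.exe and reports, for each one, the image path, whether that path is %SystemRoot%\System32, whether the image is a 32-bit or 64-bit PE (what Task Manager shows as "*32" on a 64-bit OS), the parent process (the genuine lsass.exe is started by wininit.exe), and the Authenticode signature of the file. Only the PID of an image that fails these checks should be killed, because `taskkill /im lsass.exe` also terminates the real Local Security Authority process and Windows then forces a restart. The function names `Get-PeMachine` and `Test-LsassProcess` are mine; run this from an elevated PowerShell 3.0 or later prompt, since reading the real lsass.exe path requires administrator rights.

```powershell
# Added example (not from the original thread): audit every process named lsass.exe.
# Requires PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    # Read the PE headers directly: e_lfanew at 0x3C points at "PE\0\0", and the
    # IMAGE_FILE_HEADER.Machine field sits 4 bytes after that signature.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return 'not a PE file'
    }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset + 6 -gt $bytes.Length) { return 'truncated PE header' }
    $machine = [System.BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86 (32-bit)' }
        0x8664  { 'x64 (64-bit)' }
        default { 'unknown 0x{0:X4}' -f $machine }
    }
}

function Test-LsassProcess {
    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | ForEach-Object {
        $proc   = $_
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $path   = $proc.ExecutablePath

        $report = [ordered]@{
            PID        = $proc.ProcessId
            Path       = $path
            Parent     = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId } else { 'n/a' }
            InSystem32 = $false
            Arch       = 'n/a'
            Signature  = 'n/a'
            Signer     = 'n/a'
        }

        if ($path -and (Test-Path -LiteralPath $path)) {
            $report.InSystem32 = (Split-Path $path -Parent).TrimEnd('\') -ieq $system32
            $report.Arch       = Get-PeMachine -Path $path
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.Signature  = $sig.Status
            $report.Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        }

        # Verdict: the genuine lsass.exe on 64-bit Windows lives in System32, is a
        # 64-bit image and is a child of wininit.exe. Anything else deserves a look.
        $report.Suspicious = (-not $report.InSystem32) -or
                             ($report.Arch -ne 'x64 (64-bit)') -or
                             ($parent -and $parent.Name -ine 'wininit.exe')
        [pscustomobject]$report
    }
}

Test-LsassProcess | Format-List
```

Two caveats when reading the output. First, a process that respawns under a new PID every second, as described in the question, will be reported with whatever PID it had at the instant of the query; the path and parent are the stable indicators, not the PID. Second, the signature column is supporting evidence only: Windows system binaries are usually catalog-signed rather than carrying an embedded signature, so older PowerShell versions report the genuine lsass.exe as `NotSigned`, which is why the `Suspicious` verdict is based on path, architecture and parent rather than on the signature status.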

Raver87 (ASKER)

"First thing to do is Goto Start -> run --> type msconfig and hit enter
Disable all items on startup tab, goto Services --> hide all Microsoft services and disable the others."

Did all that, that's how I got it removed in the first place (you probably wrote this while I edited the question).
So right now I can't upload the files since I was able to delete them.

So right now I just want confirmation that the "virus" is gone... Was kind of hoping that someone out there has had the same problem and came up with a solution that makes sure it's gone.
Raver87 (ASKER)

So far, the only explanation I've been able to think of is from the Sasser virus.
But I doubt it, since it didn't do much damage, none at all other than disabling AVG and a few other programs.
Did you locate the file and upload it to virustotal.com?
Raver87 (ASKER)

No, I was able to delete it before you posted your answer.
ASKER CERTIFIED SOLUTION
Mohammed Hamada

SOLUTION
Raver87 (ASKER)

Well, everything seems to be fine right now after I was able to delete both files.
Did a scan with the tools posted here, and they couldn't find anything.

So the first thing I did today was to uninstall AVG-Free and buy BitDefender 2010.
Seems like a nice program that has all functions I need/want to have ^^

So points will be divided between you guys! Thanks for all the tips!
Please review the link below... It's not a virus:
http://support.microsoft.com/kb/308356
Raver87 (ASKER)

Yeah, I know that lsass.exe NORMALLY isn't a virus.
But this time I had two versions of it: one 64-bit (my OS one) and one 32-bit (located somewhere else).
Please read the whole question!

And btw, the other link is just regarding Server 2000 and 2003.