lsass.exe, probably virus or malware!


For some strange reason my computer has picked up a virus (probably).
I'll start with the basics:
My OS is Windows 7 x64 Ultimate RTM (downloaded from TechNet).
I run AVG Free daily with all security options enabled.

Where should I begin... It all started with my system just stopping responding, and after a reboot not all of my autostart programs started. So this means I need to start AVG manually.

After a bit of searching in Task Manager I found I have two lsass.exe running. One which is the Local Security Authority Process and one that has no description.
The one that is fake, named lsass.exe *32 (this makes me think it's a virus since I run a 64-bit OS), changes PID every second, which makes it impossible to stop in Task Manager or with the taskkill command in cmd with the /p switch. Trying to stop it with /f /im lsass.exe just shuts down the computer after a minute.

I've tried to start in safe mode and remove it, which was successful, but when I booted into Windows normally the process was back again.

The file is located directly on C:\ (another thing that makes me think it's a virus). I've scanned my computer with AVG, Malwarebytes and Spybot. But nothing can delete it, or even find it.

Another process running is cnktva.exe; that exe file is located in my Temp folder and is also impossible to delete. Ending it in Task Manager just makes it start again with a different PID. I've googled the name but haven't found anything about it!

Please help me with this, I'm in great need of this computer right now!



After booting up into safe mode once more, I could delete both lsass.exe from C:\ and the cnktva.exe from my Temp folder. I ran some cleanup programs and now when I boot up my computer the files are gone and don't show up in Task Manager. As an IT consultant this sounds strange, nothing just works this easily ^^ Is there any chance that the virus is still running?
The reason I ask this is because AVG doesn't start automatically and neither do a few other applications on startup. This even though they are marked in the startup tab of "msconfig"...

Mohammed Hamada, Senior IT Consultant, commented:
Hi Andreas
First thing to do is go to Start -> Run --> type msconfig and hit Enter.
Disable all items on the Startup tab, go to Services --> hide all Microsoft services and disable the others.

Open Task Manager and locate the lsass.exe *32 file and check its location. Upload the file to 
post the result link here if possible.

Download HijackThis from
Install it, run a scan and post your log here.
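As an added example that is not part of this thread, the following PowerShell script automates the checks the question describes (more than one lsass.exe, a copy outside System32, a PID that keeps changing) together with the location check suggested in the reply above. The expected parent process wininit.exe and owner SYSTEM are assumptions about a standard Windows 7 install, not facts stated in the thread.

```powershell
# Added example, not from the thread: audit every process named lsass.exe and
# report the ones that do not look like the genuine Local Security Authority
# process. Run from an elevated PowerShell; Get-WmiObject is used so it also
# works on Windows 7's PowerShell 2.0.
$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Get-LsassProcess {
    Get-WmiObject Win32_Process -Filter "Name = 'lsass.exe'"
}

function Test-Lsass {
    $findings = @()
    $procs = @(Get-LsassProcess)
    if ($procs.Count -gt 1) {
        $findings += "$($procs.Count) lsass.exe processes are running; exactly one is expected."
    }
    foreach ($p in $procs) {
        $reasons = @()
        # The real lsass.exe lives in %SystemRoot%\System32, never in C:\ or %TEMP%.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) {
            $reasons += "unexpected path $($p.ExecutablePath)"
        }
        # Assumption: the real lsass.exe runs as NT AUTHORITY\SYSTEM.
        $o = $p.GetOwner()
        if ($o.ReturnValue -ne 0) { $reasons += 'owner could not be read (run elevated)' }
        elseif ($o.User -ne 'SYSTEM') { $reasons += "owner is $($o.Domain)\$($o.User)" }
        # Assumption: on Vista/7 the real lsass.exe is started by wininit.exe.
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        if (-not $parent -or $parent.Name -ne 'wininit.exe') {
            $parentName = if ($parent) { $parent.Name } else { 'no longer running' }
            $reasons += "parent is $parentName"
        }
        if ($reasons.Count -gt 0) { $findings += "PID $($p.ProcessId): " + ($reasons -join '; ') }
    }
    return $findings
}

# A copy that keeps re-spawning itself shows up as lsass.exe PIDs that do not
# survive a few seconds: compare two snapshots taken 3 seconds apart.
$before = Get-LsassProcess | ForEach-Object { $_.ProcessId }
Start-Sleep -Seconds 3
$after = Get-LsassProcess | ForEach-Object { $_.ProcessId }
$vanished = @($before | Where-Object { $after -notcontains $_ })
if ($vanished.Count -gt 0) { Write-Output "lsass.exe PIDs gone within 3 s: $($vanished -join ', ')" }

$result = @(Test-Lsass)
if ($result.Count -eq 0) { Write-Output 'No anomalous lsass.exe found.' } else { $result }
```

Any line reported here names a process worth submitting to a scanner or online file checker before it is removed, which is what the reply above asks for.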

Raver87, Author, commented:
"First thing to do is go to Start -> Run --> type msconfig and hit Enter.
Disable all items on the Startup tab, go to Services --> hide all Microsoft services and disable the others."

Did all that, that's how I got it removed in the first place (you probably wrote this while I edited the question).
So right now I can't upload the files since I was able to delete them.

So right now I just want confirmation that the "virus" is gone... Was kinda hoping that someone out there has had the same problem and came up with a solution that makes sure it's gone.
Raver87, Author, commented:
So far, the only explanation I've been able to think of is from the Sasser virus.
But I doubt it since it didn't do much damage, none at all more than disabling AVG and a few other programs.

Mohammed Hamada, Senior IT Consultant, commented:
Did you locate the file and upload it to ?
Raver87, Author, commented:
No, I was able to delete it before you posted your answer.
Mohammed Hamada, Senior IT Consultant, commented:
You can then try an online scan using Kaspersky or Sophos.
Sophos has a great offline tool that you can download and scan with in safe mode; I'd really recommend you use it.

Raver87, Author, commented:
Well, everything seems to be fine right now after I was able to delete both files.
Did a scan with the tools posted here, and they couldn't find anything.

So the first thing I did today was to uninstall AVG-Free and buy BitDefender 2010.
Seems like a nice program that has all functions I need/want to have ^^

So points will be divided between you guys! Thanks for all the tips!
Please review the link below... It's not a virus.
Raver87, Author, commented:
Yeah, I know that lsass.exe NORMALLY isn't a virus.
But this time I had two versions of it. One 64-bit (my OS one) and one 32-bit (located somewhere else).
Please read the whole question!

And btw, the other link is just regarding Server 2000 and 2003.