
lsass.exe, probably virus or malware!


For some strange reason my computer has picked up a virus (probably).
I'll start with the basic:
My OS is Windows 7 x64 Ultimate RTM (Downloaded from technet)
I run AVG Free daily with all security options enabled.

Where should I begin... It all started with my system just stopping responding, and after a reboot not all of my autostart programs started. So this means I need to start AVG manually.

After a bit of searching in Task Manager I found I have two lsass.exe running. One which is the Local Security Authority Process and one that has no description.
The one that is fake, named lsass.exe *32 (this makes me think it's a virus since I run a 64-bit OS), changes PID every second, which makes it impossible to stop in Task Manager or with the taskkill command in cmd with the /p switch. Trying to stop it with /f /im lsass.exe just shuts down the computer after a minute.

I've tried to start in safe mode and remove it, which was successful, but when I booted into Windows normally the process was back again.

The file is located directly on C:\ (another thing that makes me think it's a virus). I've scanned my computer with AVG, Malwarebytes and Spybot. But nothing can delete it, or even find it.

Another process running is cnktva.exe; that exe file is located in my Temp folder and is also impossible to delete. Ending it in Task Manager just makes it start again with a different PID. I've googled the name but haven't found anything about it!

Please help me with this, I'm in great need of this computer right now!



After booting up into safe mode once more, I could delete both lsass.exe from C:\ and the cnktva.exe from my Temp folder. I ran some cleanup programs and now when I boot up my computer the files are gone and don't show up in Task Manager. As an IT consultant this sounds strange, nothing just works this easily ^^ Is there any chance that the virus is still running?
The reason I ask this is because AVG doesn't start automatically and neither do a few other applications on startup. This even though they are marked in the Startup tab of "msconfig"...
2 Solutions
Mohammed Hamada (Senior IT Consultant) commented:
Hi Andreas
First thing to do is go to Start -> Run, type msconfig and hit Enter.
Disable all items on the Startup tab, go to Services, hide all Microsoft services and disable the others.

Open Task Manager, locate the lsass.exe *32 process and check its location. Upload the file to www.virustotal.com
and post the result link here if possible.

Download HijackThis from www.hijackthis.de
Install it, run a scan and post your log here
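
The triage steps in the answer above, scripted, as an added example that is not part of the original thread or of any tool it mentions. It lists every process named lsass.exe with its image path, whether it is a 32-bit (WOW64) image, which is exactly what Task Manager's "*32" suffix means, and a SHA-256 hash that can be pasted into VirusTotal's search box instead of uploading the file; it then lists processes running out of the Temp folder and the Run registry keys that start programs at logon. It assumes a 64-bit Windows install, run from an elevated 64-bit PowerShell prompt (PowerShell 2.0 on Windows 7 is enough); the function names are my own.

```powershell
# Added example, not code from the thread. Run from an elevated 64-bit PowerShell.
# Assumption: 64-bit Windows, so the genuine lsass.exe lives only in %SystemRoot%\System32
# and is itself a 64-bit process.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);
'@

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only exists on PowerShell 4+, so hash with .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Test-Wow64([System.Diagnostics.Process]$Process) {
    # True for a 32-bit image running under WOW64 (Task Manager shows these as "*32").
    $wow64 = $false
    if ([Win32.Native]::IsWow64Process($Process.Handle, [ref]$wow64)) { return $wow64 }
    return $null   # query failed (usually access denied)
}

$legit = Join-Path $env:SystemRoot 'System32\lsass.exe'

Write-Host "== Processes named lsass.exe (expect exactly one, 64-bit, at $legit) =="
foreach ($p in Get-Process -Name lsass -ErrorAction SilentlyContinue) {
    $path = $null; $wow = $null
    try { $path = $p.Path } catch { }
    try { $wow  = Test-Wow64 $p } catch { }
    $verdict = if ($path -and ($path -ieq $legit) -and ($wow -eq $false)) { 'expected' }
               elseif ($wow -eq $null -or -not $path) { 'could not verify (run elevated)' }
               else { 'SUSPICIOUS: wrong path or 32-bit image' }
    $hash = if ($path -and (Test-Path $path)) { Get-Sha256Hex $path } else { '(no access)' }
    "PID {0,6}  wow64={1,-5}  {2}`n        path:   {3}`n        sha256: {4}" -f $p.Id, $wow, $verdict, $path, $hash
}

Write-Host "`n== Processes whose image lives under a Temp folder =="
Get-Process | Where-Object {
    $pp = $null; try { $pp = $_.Path } catch { }
    $pp -and (($pp -like "$env:TEMP\*") -or ($pp -like "$env:SystemRoot\Temp\*"))
} | ForEach-Object { "PID {0,6}  {1}" -f $_.Id, $_.Path }

Write-Host "`n== Logon autostart entries (Run keys); entries in Temp or a drive root are flagged =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        $cmd  = [string]$key.GetValue($name)
        # Flag a command under any \Temp\ folder, or an .exe sitting directly in a drive root (e.g. C:\lsass.exe).
        $flag = if (($cmd -match '\\temp\\') -or ($cmd -match '^"?[A-Za-z]:\\[^\\"]+\.exe')) { '   <-- check' } else { '' }
        "{0}\{1} = {2}{3}" -f $k, $name, $cmd, $flag
    }
}
```

Searching VirusTotal by hash is enough to learn whether the file is already known; if the hash is unknown, the file itself has to be uploaded. The Run keys are only the most common persistence location; services, scheduled tasks and the Winlogon keys are where HijackThis or Autoruns would look next.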

Raver87 (Author) commented:
"First thing to do is go to Start -> Run, type msconfig and hit Enter.
Disable all items on the Startup tab, go to Services, hide all Microsoft services and disable the others."

Did all that, that's how I got it removed in the first place (you probably wrote this while I edited the question).
So right now I can't upload the files since I was able to delete them.

So right now I just want confirmation that the "virus" is gone... Was kinda hoping that someone out there has had the same problem and came up with a solution that makes sure it's gone.
Raver87 (Author) commented:
So far, the only explanation I've been able to think of is from the Sasser virus.
But I doubt it since it didn't do much damage, none at all more than disabling AVG and a few other programs.

Mohammed Hamada (Senior IT Consultant) commented:
Did you locate the file and upload it to virustotal.com?
Raver87 (Author) commented:
No, I was able to delete it before you posted your answer.
Mohammed Hamada (Senior IT Consultant) commented:
You can then try an online scan using Kaspersky or Sophos.
Sophos has a great offline tool that you can download and scan with in safe mode; I'd really recommend you use it.

Raver87 (Author) commented:
Well, everything seems to be fine right now after I was able to delete both files.
Did a scan with the tools posted here, and they couldn't find anything.

So the first thing I did today was to uninstall AVG-Free and buy BitDefender 2010.
Seems like a nice program that has all functions I need/want to have ^^

So points will be divided between you guys! Thanks for all the tips!
Please review the link below... It's not a virus
Raver87 (Author) commented:
Yeah, I know that lsass.exe NORMALLY isn't a virus.
But this time I had two versions of it. One 64-bit (my OS one) and one 32-bit (located somewhere else)
Please read the whole question!

And btw, the other link is just regarding Server 2000 and 2003.
