Lsass.exe

[betakappa19]

Hi,

I just scanned my computer with with Malaware bytes after getting popups saying my computer was infected (rouge spyware it seems). The scan picked up the following:

Trojan.Agent C:\Users\Julie\Appdata\Roaming\Microsoft\Windows\lsass.exe

Trojan.Agent HKEY_CURRENT\USERS\Micorsoftwindows\CurrentVersion\Run\Isass Service (Data: C:\Users\Julie\Appdata\Roaming\Microsoft\Windows\lsass.exe)

After deleting these, I realized that lsass.exe is a Windows Security Mechanism. Should I restore these Quarantined Items?

Thanks in advance.

[miekiemoes]

Hi,

This is no false positive. The legitimate lsass.exe is not targeted here (which is present in your system32 folder), it's a trojan present in your C:\Users\Julie\Appdata\Roaming\Microsoft\Windows here.

Also see here: http://vil.nai.com/vil/content/v_229703.htm

Other scanners may call is Buzus.

In either way, do not restore from quarantine.

[Kevboy73]

Hi. I have AVG and when I start up my computer, the AVG Firewall keeps saying "Application is trying to access the internet"

Do you wish to allow this communication?

Do you wnat to block it?

Application Info

Full path C:\USERS\USER\APPDATA\ROAMING\LSASS.EXE

Company: unknown

Local address Local computer:49162

Remote address 68.107.145.35:3175

Connection TCP

Direction: Out

Process ID 2492

I cannot find any application called "info" on my computer and when I follow the file path, it doesn't exist.

A full scan with AVG doesn't flag anything up.

Is this a virus or a legitimate part of the system?

I'm using Vista 32 bit.

Kev

[miekiemoes]

Hi,

This is no false positive and is malware as the genuine lsass.exe is present in your system32 folder and not in your application data folder.

Please scan with malwarebytes and let it remove it, because malwarebytes is able to detect and delete this variant.

If you need additional help/guidance + to find out if there's more malware lurking there, do the following:

1. Please read and follow the instructions provided here: I'm infected - What do I do now?
   
2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
   
3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
   

• Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  
• Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  
• Using these other tools often makes the cleanup task more difficult and time consuming.
  
• If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  
• Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  
• There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review
  

• NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.
  

[Kevboy73]

Thanks miekiemoes. I downloaded Malwarebytes and it found and got rid of the virus.

I'll check the rest of my system.

Thanks again.

Kev

[miekiemoes]

Good to hear