How can I remove with Avast the Win32:Trojan-gen {Other} in lsass.exe?

Hi…

I’ve got a Win32:Trojan-gen {Other} in lsass.exe. I’ve read many topics; however, I haven’t seen the real solution for removing this from my computer with Avast…

Could anybody help me?

Now this virus is in quarantine. Is it enough? Will it affect my system? Or is it a false alert?

All the best,
Peter Gyarmati

File lsass.exe uploaded: 2008.08.12 21:37:41 (CET)
Current status: finished
Result: 22/36 (61.11%)
Antivirus Version Last update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 BDS/VB.eyp.1
Authentium 5.1.0.4 2008.08.12 W32/VB-EMU:VB-Backdoor-HRS-based!Maximus
Avast 4.8.1195.0 2008.08.12 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.08.12 BackDoor.VB.DHM
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.12 Backdoor.VB.eyp
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 BACKDOOR.Trojan
eSafe 7.0.17.0 2008.08.12 Suspicious File
eTrust-Vet 31.6.6027 2008.08.12 -
Ewido 4.0 2008.08.12 -
F-Prot 4.4.4.56 2008.08.12 W32/VB-EMU:VB-Backdoor-HRS-based!Maximus
F-Secure 7.60.13501.0 2008.08.12 Backdoor.Win32.VB.eyp
Fortinet 3.14.0.0 2008.08.12 -
GData 2.0.7306.1023 2008.08.12 Backdoor.Win32.VB.eyp
Ikarus T3.1.1.34.0 2008.08.12 Trojan.Win32.VB.es
K7AntiVirus 7.10.412 2008.08.12 -
Kaspersky 7.0.0.125 2008.08.12 Backdoor.Win32.VB.eyp
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 Trojan:Win32/VB.FF
NOD32v2 3350 2008.08.12 -
Norman 5.80.02 2008.08.12 W32/VBDoor.KYB
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.12 -
Prevx1 V2 2008.08.12 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 Mal/VBDos-A
Sunbelt 3.1.1542.1 2008.08.12 Backdoor.Win32.VB.HRS!cobra (v)
Symantec 10 2008.08.12 -
TheHacker 6.3.0.3.046 2008.08.12 Backdoor/VB.eyp
TrendMicro 8.700.0.1004 2008.08.12 BKDR_VB.AB
VBA32 3.12.8.3 2008.08.11 Backdoor.Win32.VB.eyp
ViRobot 2008.8.12.1333 2008.08.12 Backdoor.Win32.VB.128558
VirusBuster 4.5.11.0 2008.08.12 Backdoor.VB.EEPN
Webwasher-Gateway 6.6.2 2008.08.12 Trojan.Backdoor.VB.eyp.1
Additional information
File size: 128529 bytes
MD5: 0978fda50023456457486bad9f1a663e
SHA1: c92ba257770cc96544a9cef8c5899fe22510e911
SHA256: 0079af35a844e68a6c9e11642c20211a5b4c6454b60c3e68fe017c94a03ddb60
SHA512: 39897f1d736490b027f666576d6373f0f88dc86f51403f6bc4991e1ba9de523209494025aa56f24067241006c75f4577a98833037ab5157c83d83cfdfeb82f2c
PEiD: UPX 2.90 [LZMA] → Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x42a900
timedatestamp: 0x488f6834 (Tue Jul 29 18:57:56 2008)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x26000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x27000 0x4000 0x3c00 7.78 8e484cec18f1d378deae479eab46f509
.rsrc 0x2b000 0x1c000 0x1b600 6.34 196242042d6688d8881fa93a72ae0bb2

( 2 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
MSVBVM60.DLL: -

( 0 exports )
packers (Kaspersky): PE_Patch.UPX, UPX
packers (Avast): UPX
packers (F-Prot): UPX
packers (Authentium): UPX

It is certainly not a false alert based on the VT results.

It is fine in the chest, it can do no harm in there and if it were a true system file you would know about it.

lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.

You don’t mention the path to this particular lsass.exe, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

It is a common trick to use the name of a valid system file but put it in a different location, so you see why I ask about its location.

Because of the malware names of the VT results and the quotes below, it would be wise to do some other scans.

Note: lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Note: lsass.exe is registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware (on-demand only in the free version).

  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe; right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

Run the first and report the findings (hopefully we can check it and see if you need to do anything else), then run the second and report the findings.
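As an added example (not code from the thread or from avast!), here is a Python check for the two signals DavidR’s answer and the VT PEInfo block point at: a file carrying a System32-only name (such as lsass.exe) that sits outside System32, and UPX section names in the PE section table. The table of system binaries and the header-only stub PE builder are constructed for this example; the sample paths mirror the thread’s windows\Cursors\lsass.exe finding.

```python
import struct
from pathlib import PureWindowsPath

# Binaries that legitimately live only in %SystemRoot%\System32 (short,
# constructed table for this example; extend it for real use).
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe",
                 "winlogon.exe", "svchost.exe"}
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}

def misplaced_system_binaries(paths, system_root=r"C:\WINDOWS"):
    """Return paths whose file name matches a System32-only binary but whose
    directory is not System32 (PureWindowsPath compares case-insensitively)."""
    expected = PureWindowsPath(system_root, "system32")
    return [p for p in paths
            if PureWindowsPath(p).name.lower() in SYSTEM32_ONLY
            and PureWindowsPath(p).parent != expected]

def pe_section_names(data):
    """Parse the COFF header and section table of a PE image and return the
    section names; raise ValueError if the MZ/PE signatures are missing."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def looks_upx_packed(data):
    """True if any section carries a UPX name, as in the VT PEInfo listing."""
    return bool(UPX_SECTIONS & set(pe_section_names(data)))

def build_stub_pe(section_names, machine=0x14C):
    """Constructed header-only PE (no code, zero-sized sections) so the parser
    can be exercised offline; this is test data, not the forum's sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs

if __name__ == "__main__":
    print(misplaced_system_binaries([r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\Cursors\lsass.exe"]))
    print(looks_upx_packed(build_stub_pe(["UPX0", "UPX1", ".rsrc"])))
```

To check a real file, read its bytes and pass them to looks_upx_packed; a UPX-packed copy of a system binary name outside System32 is the combination the VT report above shows.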

As DavidR said, when the file is named lsass.exe it’s good to know where the file was located (a full path, if possible)… other steps depend on the current state of your machine… can you see any unusual behavior of your PC? Maybe it would be good to run a HiJackThis scan and post the log here…

Hello,

First of all, thank you very much for your quick reply. This lsass.exe, which I mentioned and checked with VT, is located at windows/Cursors/lsass.exe. In the afternoon I’m going to check with HiJack and the Avast log for the path. I use XP64PROF SP1. How can I decide whether it is a downloader or a trojan? Is it malware or a virus? Anyway, when I get home I’ll check your suggestions!!!

Thanks, guys! And please check this topic again this evening :-)

Best Regards,
Peter Gyarmati

No problem, glad I could help.

That is most certainly a strange place for that file, so is highly suspicious, even before the VT results confirmed the avast detection as good.

I don’t believe you have to decide if it is a trojan or a downloader as you can have a trojan which is a downloader. The process is the same for either, you need to take the additional actions I mentioned, e.g. the other scans and a hijackthis log mentioned by Maxx.

Program & Tutorial (also useful as a diagnostic tool): FileHippo Download - HiJackThis; post the contents of the HJT log file here. HJT Information: HiJackThis Tutorial.

I honestly don’t know if the scanners mentioned and HJT work with XP Pro 64bit OS, but there really is only one way to find out: try them.

What is your firewall?
That would have an impact on outbound protection.

Welcome to the forums.