Avast has found this virus on my computer and it is located in the following file: “C:\windows/system32\lsass.exe”. Avast will not allow me to send it to chest. How can I get rid of this virus?
Are you sure that this is the correct name, with no typos, like the / forward slash in the path?
That is the correct path for the legit file of that name.
A file in use is protected, and if this is the legit file lsass.exe it is an important system file.
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
The process lsass.exe serves as the Local Security Authentication Server by Microsoft, Inc. It is responsible for the enforcement of the security policy within the operating system. This process checks whether a user’s supplied identification is valid or not whenever he or she tries to access the computer system.
What OS version do you have?
I have XP Pro SP3 and my version of lsass.exe has an MD5 (unique identifier, see below) and is 13,312 bytes in size.
lsass.exe MD5: BF2466B3E18E970D8A976FB95FC1CA85
Does yours match that, assuming you have XP SP3?
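The size-and-hash comparison proposed in the post above, as an added Python example that is not from the thread. The reference entry is the XP Pro SP3 size and MD5 quoted in the post; the sample file is constructed (an "MZ" header padded to 13,312 bytes), so it is expected not to match. Caveat: MD5 is no longer collision-resistant, so a match only tells you the file is byte-identical to the poster's build, while a mismatch on the same OS and service pack is still a useful signal; where the tooling exists, checking the file's Authenticode signature is the stronger test.

```python
import hashlib
import os
import tempfile

# Known-good values quoted in the post above for Windows XP Pro SP3.
# Keyed by lowercase file name. Other Windows builds have different hashes,
# so a mismatch on its own does not prove infection, only "not this build".
KNOWN_GOOD = {
    "lsass.exe": {"size": 13312, "md5": "bf2466b3e18e970d8a976fb95fc1ca85"},
}


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_against_known_good(path, known=KNOWN_GOOD):
    """Compare a file's size and MD5 with the reference entry for its name."""
    name = os.path.basename(path).lower()
    ref = known.get(name)
    if ref is None:
        return {"name": name, "verdict": "no reference for this file name"}
    size = os.path.getsize(path)
    digest = md5_of_file(path)
    result = {
        "name": name,
        "size": size,
        "md5": digest,
        "size_match": size == ref["size"],
        "md5_match": digest == ref["md5"],
    }
    if result["md5_match"]:
        result["verdict"] = "matches reference build"
    elif result["size_match"]:
        result["verdict"] = "same size, different hash: modified or a different build"
    else:
        result["verdict"] = "size and hash differ: different build, replaced, or infected"
    return result


def run_constructed_demo():
    """Write a constructed stand-in for lsass.exe and check it two ways:
    against the XP SP3 reference (will not match) and against a reference
    built from the sample itself (will match), so both paths are exercised."""
    data = b"MZ" + b"\x00" * 13310  # constructed: 13,312 bytes, same size as the reference
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "lsass.exe")
        with open(p, "wb") as f:
            f.write(data)
        against_xp = check_against_known_good(p)
        self_ref = {"lsass.exe": {"size": len(data), "md5": hashlib.md5(data).hexdigest()}}
        against_self = check_against_known_good(p, self_ref)
    return against_xp, against_self


if __name__ == "__main__":
    for r in run_constructed_demo():
        print(r["verdict"], r)
```

To use it on a real box, call `check_against_known_good(r"C:\Windows\System32\lsass.exe")` and extend `KNOWN_GOOD` with values taken from a machine you trust at the same service-pack level; the reference has to come from somewhere other than the suspect machine.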
Can you mark the file as a false positive? (Click on the bottom right of the virus warning message.)
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10 MB. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
Don’t even try to remove the file before you do a VirusTotal analysis, as Tech advised…
Regarding our internal testing, this one seems to be a valid detection… the file is injected with malicious code… Anyway, send it to www.virustotal.com for analysis and post the results here…
After so much ranting and raving about how good avast is, my friend asked me to download it on her Windows Vista Premium (OS fully updated).
On installing the program it identified a problem, so I let it do a scan and got the message:
Windows/System/pm.proc1.exe is infected by Win32.AGent-ACZY
It gave me 9 options; I selected 0 = ignore all and let it complete the scan. Is it harmful, and can I, or more importantly how can I, remove it?
Please bear in mind that I am completely PC illiterate. I tried to follow this thread and send it to the virus addy but I can’t even find the file!!!
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10 MB. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks. In your case, most probably the file is indeed infected and the better option will be to send it to Chest (do not delete it directly). You can do it by running avast at boot time (scheduling avast).
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyse them further.
Personally I would have sent it to the chest. I would also never select an ‘all’ option, e.g. ignore all or delete all, etc. I prefer to know what is going on in the system.
A google search for “pm.proc1.exe”, with and without the quotes, doesn’t return much that helps, and for me a legitimate file in a system folder should have good information returned on a search. I also don’t like seeing these two periods as in pm (.) proc1 (.) exe; this is against the standard file naming convention. Again, very strange for a file in a system folder, where they tend to be in an 8.3 format: 8 characters for the file name and 3 characters for the file type, separated by a single period.
- Ensure that you have hidden files and folders enabled and hide system files disabled in Windows Explorer: Tools, Folder Options, Hidden files and folders; uncheck Hide extensions for known file types, etc. (see image).
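The path and file-name sanity checks raised across this thread (the stray forward slash in the first report, a name with two periods, a non-8.3 name sitting in a system folder), as an added Python example that is not from the thread. `SYSTEM_DIRS`, the 8.3 pattern and the flag wording are my own assumptions; the two inputs are the strings quoted in the two reports. It uses `ntpath` so it runs on any platform against a pasted Windows path.

```python
import ntpath
import re

# Constructed: Windows system directories, lowercase, relative to the drive root.
SYSTEM_DIRS = {"windows", "windows\\system", "windows\\system32", "windows\\syswow64"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
# Assumed 8.3 name: up to 8 name characters, optional period, up to 3 extension characters.
EIGHT_THREE = re.compile(r"^[A-Za-z0-9_$~!#%&-]{1,8}(\.[A-Za-z0-9_$~!#%&-]{1,3})?$")


def inspect_reported_path(reported):
    """Apply the thread's sanity checks to a path pasted from an AV alert."""
    raw = reported.strip().strip('"“”')
    mixed = "/" in raw and "\\" in raw
    normalized = ntpath.normpath(raw.replace("/", "\\"))
    _drive, rest = ntpath.splitdrive(normalized)
    directory, name = ntpath.split(rest.lstrip("\\"))
    _stem, ext = ntpath.splitext(name)
    info = {
        "normalized": normalized,
        "mixed_separators": mixed,
        "in_system_dir": directory.lower() in SYSTEM_DIRS,
        "executable_ext": ext.lower() in EXECUTABLE_EXTS,
        "dot_count": name.count("."),
        "eight_dot_three": bool(EIGHT_THREE.match(name)),
    }
    flags = []
    if mixed:
        flags.append("path mixes / and \\ separators: likely a typo in the report")
    if info["in_system_dir"] and not info["eight_dot_three"]:
        flags.append("non-8.3 file name in a system directory: unusual")
    if info["dot_count"] > 1:
        flags.append("more than one period in the file name")
    if not info["in_system_dir"]:
        flags.append("not in a Windows system directory: check where it really lives")
    info["flags"] = flags
    return info


if __name__ == "__main__":
    # The two paths as quoted in the thread.
    for p in (r"C:\windows/system32\lsass.exe", "Windows/System/pm.proc1.exe"):
        r = inspect_reported_path(p)
        print(r["normalized"], r["flags"])
```

The first report normalises to a plausible system path with one flag (the mixed separators, which the second poster spotted by eye); the second trips both the 8.3 check and the multiple-period check, which is the pattern the last post describes. None of these flags is a verdict; they are reasons to hash the file and submit it rather than ignore the alert.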