Wilders Security Forums  

#1
June 14th, 2008, 12:52 AM
jasondhsd
nasty lsass.exe in documents and settings

Has anyone come across this thing? A file called lsass.exe located in c:\documents and settings\username

I came across this when cleaning out a client's computer. From what I gather it goes onto the internet and downloads other malware. It will infect any writable USB memory inserted into the machine...such as my USB kit, and when said USB stick is inserted into another machine it will infect that machine too. I found this out when I just finished doing a clean install of Windows and put my USB stick in to install AVG, and next thing I know I get that dreaded yellow caution symbol down in the system tray and the pop-ups to buy antivirus. This was a brand new clean install with legit software and the only site I was on with the system was Windows Update. So I installed AVG and it had a dozen medium to high trojans, downloaders, bots after only 10 mins of scanning. HijackThis showed a ton of suspect dll files. And then I saw the lsass.exe in the c:\documents and settings\username and that's when I put everything together. I looked on my USB stick and there was a hidden file called start.exe that had the same icon as the lsass.exe file.

Both with the laptop and the client's computer that originally got infected I was able to clear the file, but only by disabling System Restore first or the file would reappear on startup. As for the laptop I just started over again.
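
The two indicators described in the post above, a system binary name running from outside System32 and a hidden executable in the root of a USB stick, written as a detection check. This is an added example, not part of the original post; the process list, the drive listing, the list of protected names and all function names are constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis box

# Subset of Windows binaries that legitimately run only from System32 (illustrative list).
PROTECTED_NAMES = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def is_masquerading(image_path, system_root=r"C:\Windows"):
    """True if a protected system binary name runs from outside the System32 directory."""
    norm = ntpath.normcase(ntpath.normpath(image_path))  # lower-case, unify separators
    if ntpath.basename(norm) not in PROTECTED_NAMES:
        return False
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    return ntpath.dirname(norm) != expected_dir


def flagged_pids(processes):
    """processes: iterable of (pid, image_path). Returns the PIDs worth investigating."""
    return [pid for pid, path in processes if is_masquerading(path)]


def hidden_root_executables(entries):
    """entries: iterable of (filename, hidden_flag) taken from a removable drive's root."""
    return [name for name, hidden in entries
            if hidden and ntpath.splitext(name)[1].lower() in EXECUTABLE_EXTS]


# Constructed sample data modelled on the post (PIDs and extra files are made up).
PROCESSES = [
    (412, r"C:\WINDOWS\system32\lsass.exe"),                  # the real LSASS
    (1880, r"c:\documents and settings\username\lsass.exe"),  # the file from the post
    (1520, r"C:\WINDOWS\explorer.exe"),
]
USB_ROOT = [("start.exe", True), ("avg_setup.exe", False), ("notes.txt", True)]

if __name__ == "__main__":
    print("Suspicious PIDs:", flagged_pids(PROCESSES))
    print("Hidden executables on USB root:", hidden_root_executables(USB_ROOT))
```
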
#2
June 14th, 2008, 06:53 AM
Kosak (Location: Slovakia)
Re: nasty lsass.exe in documents and settings

Hi!

I saw a lot of similar things. You can run only one harmful file, which starts to download the next files from the network and installs them on the computer. The best solution is using an antivirus with an actual virus database, a firewall and your own head.

Regards
#3
June 14th, 2008, 08:40 AM
LoneWolf
Re: nasty lsass.exe in documents and settings

Quote:
Originally Posted by jasondhsd
Has anyone come across this thing? A file called lsass.exe located in c:\documents and settings\username

I came across this when cleaning out a client's computer. From what I gather it goes onto the internet and downloads other malware. It will infect any writable USB memory inserted into the machine...such as my USB kit, and when said USB stick is inserted into another machine it will infect that machine too. I found this out when I just finished doing a clean install of Windows and put my USB stick in to install AVG, and next thing I know I get that dreaded yellow caution symbol down in the system tray and the pop-ups to buy antivirus. This was a brand new clean install with legit software and the only site I was on with the system was Windows Update. So I installed AVG and it had a dozen medium to high trojans, downloaders, bots after only 10 mins of scanning. HijackThis showed a ton of suspect dll files. And then I saw the lsass.exe in the c:\documents and settings\username and that's when I put everything together. I looked on my USB stick and there was a hidden file called start.exe that had the same icon as the lsass.exe file.

Both with the laptop and the client's computer that originally got infected I was able to clear the file, but only by disabling System Restore first or the file would reappear on startup. As for the laptop I just started over again.

Maybe this was what your client was experiencing.

http://www.softwarepatch.com/tips/isass.html


Quote:
Originally Posted by Kosak
Hi!

The best solution is using an antivirus with an actual virus database, a firewall and your own head.

Regards

Hi Kosak,
You must be referring to security suites.
That is a matter of opinion and personal taste.
Myself I prefer separate apps.
Layered security if you will.

Last edited by LoneWolf : June 14th, 2008 at 08:45 AM.
#4
June 14th, 2008, 11:52 AM
HURST
Re: nasty lsass.exe in documents and settings

Disable autoplay on your computer in order to clean your USB stick...
__________________
I SandboxIE
 
