lamvna.exe No info around?

Discussion in 'malware problems & news' started by Slip Kid, Apr 10, 2005.

Thread Status:
Not open for further replies.
  1. Slip Kid (Registered Member; joined Apr 10, 2005; posts: 3)

    Yes, I'm sure I was hit with a trojan/hijacker. My indication came in several spy sweeps with three or four apps (that eliminated everything?).

    However, my Mozilla browser is still giving me pop-ups! - For the first time ever - - as it is disabled.

    Hijackthis shows things to be clean.

    ----> However, in Process Explorer I get lamvna.exe popping up if I start 'Explore'. I kill it, but when I open Explore (the File Manager) it starts again.

    No, the "File" itself, 'lamvna.exe' doesn't seem to exist! Process Explorer gives the path as WINDOWS\system32\lamvna.exe -- but it isn't there!

    ----> Oh, my Task Manager is also corrupt. taskmgr.exe The one that comes with MS.

    It starts? But it only shows the "inner box" - no tabs, or the container shell. (That's why I'm using Process Explorer which is great.)

    I even tried grabbing another taskmgr.exe and installing it and executing in another directory. Same thing - - only the "inner shell" with the list of processes for taskmgr.exe.

    Yes, I believe 'something' is calling on lamvna.exe - - but it is not in my system! So, how can it show it's using 3,000 K +, if the file doesn't exist?

    I ran netstat (from the cmd prompt) and I don't believe I am connecting to any unknown addresses. (I was).

    So:

    1. Why am I still getting popups?

    2. What is lamvna.exe? And why the strange behavior for a file not in the system?

    3. Finally, is there any way to get taskmgr.exe 'fixed' - though Process Explorer is great? Until it's fixed, I'll wonder what else might be messed up?!

    Thanks!
     
  2. TopperID (Registered Member; joined Oct 1, 2004; posts: 1,527; location: London)

    lamvna.exe is probably some randomly generated name. Have you tried searching for it with your 'hidden' files unhidden? Do the following:-

    Open Windows Explorer and:-
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Now try navigating to lamvna.exe. You'll have to kill it with Process Explorer before deleting it - and you might have to act fast (that is set it up for a delete, kill it with PE then immediately confirm the delete) if it keeps coming back.

    Also you may want to bring up its Property box, before deletion, to note its date and time stamp; then you can search for other files with the same credentials that may be connected with it.

    I note that you say your HJT log is clean - with pop-ups one might expect it not to be - but, as you know, we cannot deal with that here so I will take your word for it!
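
A command-line version of the check TopperID describes above, as an added example that is not part of the original thread: it looks for the file with hidden and system files included, records its timestamps and hash, then lists other files stamped within a few minutes of it. The parameter names, the default search root and the 5-minute window are assumptions made for this example.

```powershell
# Added example (not from the thread). Parameter names and defaults are assumptions.
param(
    # Path that Process Explorer reported for the process in the thread.
    [string]$Suspect       = "$env:SystemRoot\System32\lamvna.exe",
    [string]$SearchRoot    = "$env:SystemRoot\System32",
    [int]   $WindowMinutes = 5
)

# -Force returns hidden and system files, the equivalent of the
# Folder Options changes listed in the post.
$target = Get-Item -LiteralPath $Suspect -Force -ErrorAction SilentlyContinue
if (-not $target) {
    Write-Warning "$Suspect not found, even with hidden and system files included."
    return
}

# Record attributes, timestamps and a hash before the file is deleted.
$target |
    Select-Object FullName, Length, Attributes, CreationTime, LastWriteTime |
    Format-List
Get-FileHash -LiteralPath $target.FullName -Algorithm SHA256 | Format-List

# Other files created or modified within the window around the suspect file.
Get-ChildItem -LiteralPath $SearchRoot -File -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_.FullName -ne $target.FullName -and (
            [Math]::Abs(($_.CreationTime  - $target.CreationTime).TotalMinutes)  -le $WindowMinutes -or
            [Math]::Abs(($_.LastWriteTime - $target.LastWriteTime).TotalMinutes) -le $WindowMinutes
        )
    } |
    Sort-Object CreationTime |
    Select-Object FullName, Attributes, CreationTime, LastWriteTime
```

Run it from an elevated prompt so that protected directories under the search root are readable.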
     
  3. Slip Kid (Registered Member; joined Apr 10, 2005; posts: 3)

    ----> Yes, I can account for everything in HJT as well as all 'processes' except the lamvna.exe - which only 'exists' in the prefetch folder as a .pf file. No, it is not being executed.

    ---RE: Mozilla? I checked my prefs in prefs.js in Mozilla? I believe the 'popups' blocking was deleted (though it shows in the GUI). I have another machine and I believe I can edit the line back in.

    But? No one has heard of lamvna.exe. It is not the 'trojan', itself? - - But a file which was spawned by the bad guy? The only reference to 'lamvna' (not an '.exe') in Google is a 'pharmacy' spammer. That's a clue, eh?
     
  4. TopperID (Registered Member; joined Oct 1, 2004; posts: 1,527; location: London)
  5. Slip Kid (Registered Member; joined Apr 10, 2005; posts: 3)

    Thanks,

    So far I'm not in 'too' much trouble. I can prolly fix the prefs in Mozilla to enable popup blocking and I'll get rid of the lamvna.exe that runs as a process even though there is no file and netstat doesn't show me connecting with anything/anyone I shouldn't be...

    I'll take some time with the link(s) you provided - - - It will be a last resort or when I can roll-the-dice versus putting up with a process that seems to be doing nothing.

    I run S&D, Sweeper and tried a couple of trials in the past couple of days - Other than ZA picking up the initial 'event'? - - the anti-spy/trojan/hijack hasn't done a thing?! I do have Avast in my other machine and it seems more sensitive. It grabbed several files that were sitting in it for a year (while running ZA during that time).

    I would like to know why the MS task manager won't 'fully' execute...
     
  6. Blackspear (Global Moderator; joined Dec 2, 2002; posts: 15,115; location: Gold Coast, Queensland, Australia)

    Hi Slip Kid, welcome to Wilders.

    If you find Windows system files affected, you can place your Windows CD in the drive, click Start > Run, type in CMD, and when the black window opens type in "sfc /scannow". SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     