lamvna.exe No info around?

Yes, I'm sure I was hit with a trojan/hijacker. My indication came in several spy sweeps with three or four apps (that eliminated everything?).

However, my Mozilla browser is still giving me pop-ups! - For the first time ever - - as it is disabled.

Hijackthis shows things to be clean.

----> However in Process Explorer I get lamvna.exe popping up if I start 'Explore'. I kill it but if I opens when open Explore (the File Manage), starts again.

No, the "File" itself, 'lamvna.exe' doesn't seem to exist! Process Explorer give the path as WINDOWS\system32\lamvna.exe -- but it isn't there!

----> Oh, my Task Manager is also corrupt. taskmgr.exe The one that comes with MS.

It starts? But it only shows the "inner box" - no tabs, or the container shell. (That's why I'm using Process Explorer which is great.

I even tried grabbing another taskmgr.exe and installing it and executing in another directory. Same thing - - only the "inner shell" with the list of processes for taskmgr.exe.

Yes, I believe 'something' is calling on lamvna.exe - - but it is not in my system! So, how can it show it's using 3,000 K +, if the file doesn't exist?

I ran netstat (from the cmd prompt) and I don't believe I am connecting to any unknown addresss. (I was).

So:

1. Why am I still getting popups?

2. What is lamvna.exe? And why the strange behavior for a file not in the system?

3. Finally, is there anyway to get taskmgr.exe 'fixed' - though Process Explorer is great? Until it's fixed, I'll wonder what else might be messed up?!

Thanks!

 

lamvna.exe is probably some randonly generated name. Have you tried searching for it with your 'hidden' files unhidden? Do the following:-

Open Windows Explorer and:-
1. Select "Tools" from the menu on top.
2. Select "Folder Options".
3. Select the "View" tab.
4. Scroll down and Select "Show hidden files and folders".
5. Unselect "Hide extentions for known file types".
6. Unselect "Hide protected operating system files".
7. If you get a "warning" prompt, say yes you want to do it anyway.
8. Click Apply and Ok.

Now try navigating to lamvna.exe. You'll have to kill it with Process Explorer before deleting it - and you might have to act fast (that is set it up for a delete, kill it with PE then immediately confirm the delete) if it keeps coming back.

Also you may want to bring up its Property box, before deletion, to note its date and time stamp; then you can search for other files with the same credentials that may be connected with it.

I note that you say your HJT log is clean - with pop-ups one might expect it not to be - but, as you know, we cannot deal with that here so I will take your word for it!

 

----es, I can account for everything in HJT as well as all 'processes' except the lamvna.exe - which only 'exists' in the prefetch folder as a .pf file. No, it is not being executed.

---RE: Mozilla? I checked my prefs in prefs.js in Mozilla? I believe the 'popups' blocking was deleted (thought it shows in the GUI). I have another machine and I believe I can edit the line back in.

But? No one has heard of lamvna.exe. It is not the 'trojan', itself? - - But file which was spawned by the bad guy? The only reference to 'lamvna' (not an '.exe') in Google is a 'pharmacy' spammer. That's a clue, eh?

 

I think probably the General Cleaning instructions are your best bet at the moment:-

https://www.wilderssecurity.com/showthread.php?t=50662

It is hard to think what else to suggest!

You could try UnHackMe I suppose:- http://greatis.com/unhackme/

 

Thanks,

So far I'm not in 'too' much trouble. I can prolly fix the prefs in Mozilla to enable popup blocking and I'll get rido of the lamvna.exe that runs as a process even though there is no file and netstat doesn't show me connecting with anything/anyone I shouldn't be...

I'll take some time with the link(s) you provided - - - It will be a last resort or when I can roll-the-dice versus putting up with an process that seems to be doing nothing.

I run S&D, Sweeper and tried a couple of trials in the past couple of days - Other than ZA picking up the initial 'event'? - - the anti-spy/trojan/hijack hasn't done a thing?! I do have Avast in my other machine and it seem more sensitive. It grabbed several files that were sitting in it for a year (while running ZA during that time).

I would like to know why the MS task manager won't 'fully' execute...