lsass.exe – trojan Bumat

I use UnHackMe for cleaning adware and viruses from my friend's computers, because it is extremely fast and effective.

Download free e-book [PDF]: "How to Easily Remove Malware with UnHackMe"

Join us on Facebook
Click to Download
Solved! The issue has been fixed!
5 Stars (5 / 5)


The file lsass.exe is identified as the Trojan Program that is used for stealing bank information and users passwords.
To delete lsass.exe we recommend you to use UnHackMe:
http://www.unhackme.com

Malware Analysis of lsass.exe
Executed: Sons of anarchy.exe
Removed: lsass.exe. Full path: C:\WINDOWS\CIDD_P\lsass.exe

—————————————————————————————————————————-
Detected by UnHackMe:


Your Vote?
1 0

Item Name: configuration
Author: Unknown
Related File: C:\WINDOWS\CONFIGURATION\CONFIGURATION.EXE
Type: Registry Run

Item Name: lsass.exe
Author: Unknown
Related File: C:\WINDOWS\CIDD_P\LSASS.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\configuration
Value: “C:\WINDOWS\configuration\configuration.exe”

Folders:
C:\WINDOWS\CIDD_P\
C:\WINDOWS\configuration\
Files:
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\10.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\11.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\12.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\13.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\br.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\clm.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nam.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nfie.dll
C:\WINDOWS\CIDD_P\lsass.exe
C:\WINDOWS\configuration\configuration.exe
—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.16160.0 2011.02.28 -
Kaspersky 7.0.0.125 2011.02.28 Trojan-Spy.Win32.AutoIt.h
Microsoft 1.6603 2011.02.28 Trojan:Win32/Bumat!rts
NOD32 5913 2011.02.28 Win32/Autoit.HF

—————————————————————————————————————————-

MD5 a53e5adcabc6456a00af6806cb9b99da

SHA1 c3359fbc2addfd4d21a623388a477fd0a846d255

SHA256 1913fc81c94b5e224437ca7c29e393da0340c0a635e40e79b1ee60463798bbc4

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:5
———————————-
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell

———————————-
Values added:14
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\configuration: “C:\WINDOWS\configuration\configuration.exe”
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: “no”
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords: “no”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0×00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0: 4E 00 31 00 00 00 00 00 73 3E 22 1A 17 00 53 4F 4E 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 73 3E 22 1A 73 3E 22 1A 14 00 00 00 53 00 6F 00 6E 00 73 00 20 00 6F 00 66 00 20 00 61 00 6E 00 61 00 72 00 63 00 68 00 79 00 00 00 18 00 00 00
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0\NodeSlot: 0×00000026
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0\MRUListEx: FF FF FF FF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Mode: 0×00000006
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ScrollPos1024x768(1).x: 0×00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ScrollPos1024x768(1).y: 0×00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Sort: 0×00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\SortDir: 0×00000001
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Col: 0xFFFFFFFF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

———————————-
Values modified:6
———————————-
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\MRUListEx: 00 00 00 00 04 00 00 00 05 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\MRUListEx: 03 00 00 00 00 00 00 00 04 00 00 00 05 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\MRUListEx: FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\MRUListEx: 00 00 00 00 FF FF FF FF

———————————-
Files added:10
———————————-
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\10.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\11.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\12.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\13.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\br.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\clm.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nam.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nfie.dll
C:\WINDOWS\CIDD_P\lsass.exe
C:\WINDOWS\configuration\configuration.exe

———————————-
Files deleted:4
———————————-
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\cookies.sqlite
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\formhistory.sqlite
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\key3.db
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\urlclassifierkey3.txt

———————————-
Folders added:4
———————————-
C:\sand-box\Sons of anarchy
C:\WINDOWS\CIDD_P
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72
C:\WINDOWS\configuration

———————————-
Total changes:43
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning adware and viruses from my friend's computers, because it is extremely fast and effective.

Download it here




1. Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed has installed the first Scan will start automatically

Review the detected threats

3. Carefully review the detected threats!

Click Remove button or False Positive.

What to do if you are unable to solve a problem?

UnHackMe Remote Assistant
  1. Open UnHackMe main screen.
  2. Click on a Remote Assistant button.
  3. Follow instructions on a screen.
  4. We will contact you and send a solution of your problem.
  5. Remote assistance is free during trial period.

Enjoy!