Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Fake lsm.exe - runs on start-up, and if I delete it, it shows up next boot-up.

  • Please log in to reply
1 reply to this topic

#1 marcin714


  • Members
  • 6 posts
  • Local time:08:16 AM

Posted 22 September 2013 - 12:48 PM



I've had a file called lsm.exe in my .Roaming folder for a while now; I noticed it in task manager, as it uses about 90% of my CPU. When I went to the process, it took me to the .Roaming folder. After looking it up online, I tried to delete it, which seemed to work, but the process reappeared the next time I used my computer. Sometimes, when I bootup, I can see a command prompt labelled "lsm.exe," but it disappears almost instantly. Naturally, I've been running Malwarebytes scans of my computer, and the file itself, but it came up with nothing. However, online virus scans found something (link to Virustotal and Jotti here). 


I just really want to know if it's dangerous, and how I can get rid of it. (Although the virus scans seem to imply some else is just using my computer for bitcoin mining).



Edited by hamluis, 22 September 2013 - 03:01 PM.
Moved from Win 7 to Am I Infected - Hamluis.

BC AdBot (Login to Remove)


#2 sikntired


  • Members
  • 1,092 posts
  • Gender:Male
  • Location:USA
  • Local time:08:16 AM

Posted 22 September 2013 - 02:00 PM



LSM is Local Session Manager in Windows. It manages connectivity with regards to terminal server on host machine.It's a core Windows function in Windows Vista/7.


However in your case I do suspect that your system is infected based upon your Virustotal analysis and the fact that it reappears after deletion. This is quite indicative of Malware.


The lsm.exe file is located in the folder C:\Windows\System32. In some cases lsm.exe is a virus, trojan, spyware or worm.


I would encourage you to seek assistance from our Malware Response Team where you will receive proper guidance. (Am I Infected Forum)


Please be patient as they are quite busy.


Best of Luck

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users