
Windows\Fonts\Lsass.exe Sasser?

Feb 4, 2002
Hi,

I have a friend's PC, and I am an IT pro, but this one has got me stumped! The PC has been scanned and double scanned, from boot, Safe Mode, and full Windows.
The symptoms include:

* Missing Turn Off Computer button in Start
* Regedit doesn't work from Run
* Can't right-click on MyComputer to get properties (System)
* 2 x lsass.exe running in Processes in Task Manager
* One of the lsass's is heavy on resources
* Registry contains MANY entries to windows\Fonts\lsass.exe which seems to be a funky virus (maybe Sasser), but... You cannot see this file for browsing to it, and you cannot delete it using the full path, because the system says it's not there!!

What I have tried:

* I fixed the Turn off computer thingy, by editing the appropriate reg entry.
* Obviously I found a way into regedit, but only as a workaround. This workaround being typing cmd at the Run field, and then in the Command Window, typing "regedit"
* I have searched out and deleted the spurious fonts\lsass entries which include:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
among other entries, including (I think) the association with the exe extension. I have checked on my machine and there should definitely ONLY be one lsass.exe process running!
* But, if I reboot, all these entries come back, and all the other things happen like the disappearing Turn Off button

Apparently some files have also gone missing. A whole directory of invoices for this chap's business. But I wasn't aware the Sasser variants got rid of files... ?


Can anyone help?

Will
 
Well keep in mind that there is a legitimate Windows file that should be running called lsass.exe; the letter is an L, not an i. isass.exe is a trojan. It sounds like one of the files is isass.exe and the other may be Lsass.exe. Lsass.exe should use about 1,168 k of memory. Check this Microsoft page to scan for the Sasser, which this might be. I would also go to the command prompt and try running "netstat -an" to get a look at all ports to see if you have any questionable NetBIOS ports open or any odd FTP action. Go to to map out all the open ports so that you can see what is really going on. The tool is called Vision. You might have some H@XoR issues. LoL sorry.
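The checks raised in the original post (a second lsass.exe process, Run/RunOnce/RunOnceEx values pointing at Windows\Fonts\lsass.exe, a hijacked .exe association, a file the shell claims is not there) and in the reply above (netstat -an for open ports) can be gathered in one read-only triage pass. The script below is an added example written for this thread, not code from either poster; it assumes an elevated PowerShell prompt on a current Windows build (Get-NetTCPConnection and Get-CimInstance are not available on the XP-era systems in the thread, where `netstat -ano` and `tasklist` give the same information). The regex `Fonts\\lsass\.exe` is taken from the path named in the post; everything else is a known Windows location. It reports only and changes nothing.

```powershell
# Added triage example for the symptoms in this thread (not the posters' code).
# Run elevated. Read-only: it prints findings and modifies nothing.

$suspectPattern = 'Fonts\\lsass\.exe'   # path named in the original post

# 1. lsass.exe processes: the only legitimate one lives in %SystemRoot%\System32.
$lsass = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
foreach ($p in $lsass) {
    "lsass.exe PID $($p.ProcessId) path=$($p.ExecutablePath)"
    if ($p.ExecutablePath -and
        $p.ExecutablePath -ne (Join-Path $env:SystemRoot 'System32\lsass.exe')) {
        "WARNING: lsass.exe running from unexpected path $($p.ExecutablePath)"
    }
}
if ($lsass.Count -ne 1) { "WARNING: $($lsass.Count) lsass.exe processes (expected exactly 1)" }

# 2. Autostart keys named in the post, plus the per-user equivalents.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $value = [string]$props.$name
        if ($value -match $suspectPattern) { "SUSPICIOUS autostart: $key\$name = $value" }
    }
}

# 3. .exe file association: the default open command must be exactly "%1" %*
#    (a value that routes through another binary is the "can't run any exe" symptom).
$exeCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exeCmd -ne '"%1" %*') { "WARNING: exefile open command is: $exeCmd" } else { "exefile open command OK" }

# 4. Does the file the registry points at exist at all, including hidden/system attributes?
$target = Join-Path $env:SystemRoot 'Fonts\lsass.exe'
if (Test-Path -LiteralPath $target) {
    Get-Item -LiteralPath $target -Force | Select-Object FullName, Length, Attributes
} else {
    "No file at $target visible to this session"
}

# 5. Listening and established TCP sockets with their owning process (netstat -ano equivalent).
Get-NetTCPConnection -State Listen, Established |
    Sort-Object LocalPort |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        '{0,-11} {1,-22} {2,-22} PID {3} ({4})' -f $_.State,
            "$($_.LocalAddress):$($_.LocalPort)",
            "$($_.RemoteAddress):$($_.RemotePort)",
            $_.OwningProcess, $owner
    }
```

Run it once from a normal boot and once from Safe Mode and compare: an autostart value or a second lsass.exe that reappears after you delete it, as the poster saw, points at a component you have not yet found (another run location or a watchdog process), and the socket list shows whether the resource-heavy process is talking to the network at all.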
 
I agree that this sounds like a virus or spyware.

Have you tried the standard procedure of starting in safe mode and doing a full virus scan with an up to date virus definition file?

For antivirus I highly recommend Norton SystemWorks as it has antivirus and some other handy tools too. If you are looking for a cheaper option you can boot into safe mode with networking (assuming you have broadband internet) and use the online Trend Micro virus scanner.

I recommend using a tool from Lavasoft called AdAware to scan your system for spyware. You may download the tool and use it for free and it is available at .


Thanks,

Ryan V. Stevenson
Specialty Services Director

National Support Network
East Lansing, MI - USA

Ryan@itpayz.com
 
Hi Guys, thanks for the info, but these are all avenues I have already been down. As for Norton, Norton was installed when this happened. I use AVG from GRIsoft, the Free version, and my machine at home has never been infected and I leave it on for weeks at a time.
I eventually downloaded a tool from McAfee called Stinger. This found no less than 13 viruses on the machine, that Norton and others did not pick up (I would have tried AVG, but while the viruses were there I could not install anything new). I don't have a lot of faith in McAfee as an app, however, because it slows machines down, and is a pain to configure properly. Kudos for finding these viruses though!
After this, I managed to track down the annoying C:\Windows\Fonts\lsass.exe entries in the registry and deleted them all. However, I then found that after a reboot, I could not run any executable at all! Which makes sense because lsass.exe is used to run "exe" extensions.
So, as a drastic resort, I managed to hack into another dead installation of XP on the same machine that one of my friend's friends screwed up, by using the Repair console, and figured it might work if I copied the registry entries for lsass.exe from there and applied them to the other installation. After all, the extensions would be .reg, so these work.
In a fit of madness and late night shock, I figured I'd try to copy the whole registry and apply that... needless to say before I realised my mistake it was too late, and I killed the installation to Blue Screen... :(
So, I did a repair installation on the other installation, and eventually all came back up! Because the other installation was pretty much brand new, it was the same as reinstalling from scratch, but there were some deleted files the chap was looking for, and so by doing the repair I had a better chance of not overwriting space taken up by deleted files. With a recovery tool called R-Drive (well, it was R-Suite of Tools or something like that), we managed to find his files, and now all is well. I applied XPSP2 RC2 to the machine, where the Firewall is great! I also applied AVG, and for the last 3 weeks, no problems at all. Fingers crossed... :)

Thanks for replies,

Will
 