LSAS.EXe

I have been battling a virus on my network  for since last Friday.  My virus software (Trend) finds the virus, but is misdiagnosing it.  It says it is Dos_Agobot.GEN which affects the hosts file.  It is fixing that problem, but at each re-occurrence also drops lsas.exe in the system32 folder (and sometimes others)  sets it to run in the registry in
local machine\software\microsoft\windows\currentversion\\run
and
local machine\software\microsoft\windows\currentversion\runservice

We are booting into safe mode and deleting the files and the registry entries.  It eventually comes back.

This is affecting Windows 2000 and some or ouor XP machines.  None of our NT workstations have been affected.

We thought we were done with it as it had been gone since late yesterday, but reappeared with a vengeance this afternoon.

HELP!!!
rcuttsAsked:
Who is Participating?
 
slappa1Connect With a Mentor Commented:
make sure you patch the pc's before reconnecting them

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445

use mcafee's stinger to remove the infections, don't reconnect any infected pc's to the network after you clean them, untill you have cleaned all the pc's and the server.
0
 
rtptucksConnect With a Mentor Commented:
A good tool for popular virus removal which i recommend is the Stinger file which is available from www.nai.com 
run this program which detects and cleans most popular virus around

the file is available directly from here : -
http://download.nai.com/products/mcafee-avert/stinger.exe

the file only weighs in at a mere 800k so its not going to be a long download.. I am a network administrator and i find this always coming in use on my USB pen :)

Hope this helps.
0
 
Hammadian2Connect With a Mentor Commented:
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleanning utility
I recommened Pest Patrol, you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
goto:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok
0
 
JohnnyCanuckCommented:
The most important part of the above advice is to disconnect all computers from the network until they are clean.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.