Solved

LSAS.EXe

Posted on 2004-08-31
Last Modified: 2011-08-18
I have been battling a virus on my network since last Friday. My virus software (Trend) finds the virus, but is misdiagnosing it. It says it is Dos_Agobot.GEN, which affects the hosts file. It is fixing that problem, but at each re-occurrence also drops lsas.exe in the system32 folder (and sometimes others) and sets it to run in the registry in
local machine\software\microsoft\windows\currentversion\run
and
local machine\software\microsoft\windows\currentversion\runservice

We are booting into safe mode and deleting the files and the registry entries.  It eventually comes back.

This is affecting Windows 2000 and some of our XP machines.  None of our NT workstations have been affected.

We thought we were done with it as it had been gone since late yesterday, but reappeared with a vengeance this afternoon.

HELP!!!
Question by:rcutts
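
A way to triage the autorun persistence described in the question across many machines, as an added example that is not part of the original post: it parses saved `reg query` output for the two keys and flags values that launch `lsas.exe`. The sample output and its value names are constructed, and `RunServices` is the key name as Windows spells it.

```python
import ntpath
import re

# File name reported in the question; extend the set for other dropped names.
WATCHED = {"lsas.exe"}

KEY_RE = re.compile(r"^HKEY_\S")
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")
EXE_RE = re.compile(r"(.+?\.exe)\b", re.IGNORECASE)


def command_image(data):
    """Return the lower-cased file name of the program a Run value starts."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        # Unquoted command: cut after the first ".exe" so arguments are dropped.
        m = EXE_RE.match(data)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def find_autoruns(reg_output, watched=WATCHED):
    """Return (key, value name, data) for autorun values starting a watched file."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key and command_image(m.group(3)) in watched:
            hits.append((key, m.group(1), m.group(3).strip()))
    return hits


# Constructed sample of `reg query` output (value names are made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\agent.exe" /start
    System Service    REG_SZ    lsas.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    System Service    REG_SZ    C:\WINNT\system32\LSAS.EXE
"""

if __name__ == "__main__":
    for key, name, data in find_autoruns(SAMPLE):
        print(f"{key}: {name} -> {data}")
```

The legitimate `lsass.exe` is not matched, because the comparison is on the exact file name rather than a substring.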
7 Comments
 

Accepted Solution

by:
slappa1 earned 168 total points
ID: 11948545
Make sure you patch the PCs before reconnecting them.

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445

Use McAfee's Stinger to remove the infections. Don't reconnect any infected PCs to the network after you clean them until you have cleaned all the PCs and the server.

Assisted Solution

by:rtptucks
rtptucks earned 166 total points
ID: 11949594
A good tool for popular virus removal which I recommend is the Stinger file, which is available from www.nai.com.
Run this program, which detects and cleans most popular viruses around.

The file is available directly from here:
http://download.nai.com/products/mcafee-avert/stinger.exe

The file only weighs in at a mere 800k, so it's not going to be a long download. I am a network administrator and I find this always coming in use on my USB pen :)

Hope this helps.

Assisted Solution

by:Hammadian2
Hammadian2 earned 166 total points
ID: 11949839
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleaning utility.
I recommend Pest Patrol; you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
go to:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok

Expert Comment

by:JohnnyCanuck
ID: 11951344
The most important part of the above advice is to disconnect all computers from the network until they are clean.