  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 248

LSAS.EXe

I have been battling a virus on my network since last Friday.  My virus software (Trend) finds the virus, but is misdiagnosing it.  It says it is Dos_Agobot.GEN, which affects the hosts file.  It is fixing that problem, but at each re-occurrence it also drops lsas.exe in the system32 folder (and sometimes others) and sets it to run in the registry in
local machine\software\microsoft\windows\currentversion\run
and
local machine\software\microsoft\windows\currentversion\runservice

We are booting into safe mode and deleting the files and the registry entries.  It eventually comes back.

This is affecting Windows 2000 and some of our XP machines.  None of our NT workstations have been affected.

We thought we were done with it as it had been gone since late yesterday, but reappeared with a vengeance this afternoon.

HELP!!!
Asked by: rcutts
3 Solutions
 
slappa1 Commented:
Make sure you patch the PCs before reconnecting them.

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445

Use McAfee's Stinger to remove the infections. Don't reconnect any infected PCs to the network after you clean them until you have cleaned all the PCs and the server.
0
 
rtptucks Commented:
A good tool for popular virus removal which I recommend is the Stinger file, which is available from www.nai.com.
Run this program, which detects and cleans most popular viruses around.

The file is available directly from here:
http://download.nai.com/products/mcafee-avert/stinger.exe

The file only weighs in at a mere 800k, so it's not going to be a long download. I am a network administrator and I find this always coming in use on my USB pen :)

Hope this helps.
0
 
Hammadian2 Commented:
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleaning utility.
I recommend Pest Patrol; you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
go to:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok
0
 
JohnnyCanuck Commented:
The most important part of the above advice is to disconnect all computers from the network until they are clean.
0
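To confirm that a cleaned machine stays clean, the autorun entries described in the question can be checked from a registry export. The following is an added example, not part of the original thread: it scans the text of a `.reg` export for string values under the Run and RunServices keys that start lsas.exe. The sample export, its value names and paths, and the function names are constructed for illustration, and the post's "runservice" is assumed to mean the RunServices key.

```python
import ntpath
import re

# Autorun keys named in the post (it writes "runservice"; assumed to mean RunServices).
AUTORUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runservices")
SUSPECT_NAMES = {"lsas.exe"}  # file name reported in the post
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; value names and paths are illustrative only.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AV Monitor"="\"C:\\Program Files\\AV\\monitor.exe\" -start"
"Service Host"="C:\\WINNT\\system32\\lsas.exe"
"LSA"="C:\\WINNT\\system32\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service Host"="lsas.exe"
'''

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)  # .reg escapes \ and " with a backslash

def exe_name(command):
    """Lower-cased file name of the program an autorun command line starts."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted: cut at the first ".exe", else at the first space
        m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def find_suspect_autoruns(reg_text):
    """Return (key, value name, command) for autoruns that start a suspect file."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if SECTION.match(line):
            key = SECTION.match(line).group(1)
        elif key and key.lower().endswith(AUTORUN_KEYS):
            value = STRING_VALUE.match(line)
            if value and exe_name(unescape(value.group(2))) in SUSPECT_NAMES:
                hits.append((key, unescape(value.group(1)), unescape(value.group(2))))
    return hits

if __name__ == "__main__":
    print(*find_suspect_autoruns(SAMPLE_EXPORT), sep="\n")
```

Exports in the `Windows Registry Editor Version 5.00` format are UTF-16 encoded, so decode the file accordingly before passing its text to `find_suspect_autoruns`. The file name match is exact, so the legitimate `lsass.exe` is not flagged.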
