LSASS EXP & SXP Exploits

[Jason_Becker]

Hello Avast! community I'm new to this and Im kinda desperate about my PC situation, first of all, greetings from Mexico City to all of you guys...this is your casa anytime 

Well I just bought Avast Professional 4.6 (latest version) cause I had around 10 viruses and my PC was going insane (no regedit, no msconfig open, no task manager etc) it cleaned well but there is something bothering me yet.

I have a problem with the lsass.exe thing especially something my Antivirus blocks called "LSASS EXP and SXP Exploits"...

Even though my computer is supposed to be clean and the Web Protection says they're blocked on a red-letter yellow-background box...my PC still reboots by itself after 50 minutes of activity or less (being online) it says save all your info and I see this timer clock, the process is Authorized by NT/AUTHORITY and the error is always with the C:\Windows\system32\lsass.exe.

I heard about Sasser and Blaster fuc$%rs, so I downloaded the supposed patch standing for blaster at Windows website but it won't work, I got the Symantec sasser patch from the official site and it says Sasser wasn't detected (And all folders scanned)

After this thing takes place my PC is rebooted showing me LSA Shell (Export Version) found a problem and had to close, the specific locations of the files with "problems" are these...this is what I find in my desktop, they look like temp directories to me but I still dont know how to erase or if they're safe to delete or infected, I ran Deep Scan like 3 hours ago and Avast didn't detect any thing.

 

And these are the attacks I usually get, they get blocked but still reboot my PC.

19.04.2006  03:20:29  DCOM Exploit attack
    from 200.58.4.114:135
19.04.2006  03:22:39  DCOM Exploit attack
    from 85.178.112.193:135
19.04.2006  17:55:11  LSASS Exploit (SXP) attack
    from 65.24.130.150:445
19.04.2006  18:27:08  DCOM Exploit attack
    from 61.197.116.152:135
19.04.2006  18:33:18  DCOM Exploit attack
    from 81.242.204.105:135
19.04.2006  18:43:28  DCOM Exploit attack
    from 200.64.30.80:135
20.04.2006  00:04:32  LSASS Exploit (SXP) attack
    from 200.64.58.17:445
20.04.2006  00:19:49  LSASS Exploit (EXP) attack
    from 209.234.151.130:445
20.04.2006  00:22:30  LSASS Exploit (SXP) attack
    from 59.115.54.164:445
20.04.2006  00:37:43  LSASS Exploit (SXP) attack
    from 65.24.130.150:445

Help me out friends I really dont wanna format and I still trust in Avast, tried other antivirus programs (Panda, Norton, NOD32) and didnt get as good results as with Avast!, could I have downloaded the wrong patches? is there a module I have to activate so I fix this? what could it be??!!.....I wait for your answers thanks in advance and greetings from your friend.  :'(

[Lisandro]

Could I have downloaded the wrong patches?

I think not... you're right.

is there a module I have to activate so I fix this? what could it be??!!

NetShield is this module.
But better if you install and use a 3rd party firewall. I suggest Sunbelt Kerio Personal (free).

It will be good if you schedule an avast scanning at boot time and, if you can, download, install, update and run www.ewido.net 

[DavidR]

If your Operating System is up to date you would have little to fear from these attempts to exploit your system (it doesn't stop them from trying to gain access to your system though). The Network Shield is also watching out for these common exploit routes into your system and protecting you from them. This you can see from the log information you posted they are internet IP addresses and not Hard Disk locations.

However as Tech said a 3rd party firewall provides much more protection including outbound protection, which stops unauthorised connections to the internet from your system.

They do look like temp locations and they should be OK to delete, ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

[Spiritsongs]

   Hi Jason :

     What's a gringo doing in Mexico City !? Has to firewalls,
     NOT the Sunbelt Kerio because it has been affected by
     the recently released & flawed Microsoft Update KB908531.
     Better off to have Zone Alarm or what I use, the Sygate
     Personal ( FREE ) firewall available for download at
     www.filehippo.com/download_sygate_personal_firewall/ . There is a
    "Guide" @ www.kotiposti.net/string/SPF_eng/SPFGuide.html

[Lisandro]

NOT the Sunbelt Kerio because it has been affected by the recently released & flawed Microsoft Update KB908531.

I don't see a problem here with my Kerio... I've Googled but did not find something specific related to this...
Can you explain more? Thanks.

[CharleyO]

***

See this post, Tech.   

http://forum.avast.com/index.php?topic=20596.msg172679#msg172679


***

[Lisandro]

Thanks Charlie... but my Kerio stays calm in the system tray, working like a charm 
Maybe I'm a lucky guy 

Anyway, verclsid.exe is allowed to connect.

[Spiritsongs]

   Hi Tech :

     I thought you were already aware of the info at :

      http://support.microsoft.com/kb/918165  !?

      Some Excerpts :

    "CAUSE
Security update 908531 (MS06-015) installs a new binary program, Verclsid.exe. "

                       AND

   "• The Verclsid.exe program is flagged by Kerio Personal Firewall from Sunbelt Software. "

                     AND

  "RESOLUTION
  8. Use Task Manager to close the Verclsid.exe program  "

   Have the Sunbelt people sent a firewall "update" since
   the release of KB908531 ?

[neal62]

I use Sunbelt Kerio P.F.W.  I checked with their Tech support on April 18th concerning this issue. What they had me do was to open up the firewall, then go to the "Intrusions" tab and click on it. Then go to the bottom of that page and under "enable application behavior blocking" left click the "advanced" button. Then at the top of the new page click on the "applications" tab. There will be a list of programs. Find the "Windows Explorer" entry. Be sure that under the colums, 1. Starting 2. Modifying, 3. Launching of.. that they are ALL set to the "permit" choice. If they are then this MS patch will not cause your pc a problem if your running Sunbelt Kerio P.F.W.
  If those 3 settings next to the "Windows Explorer" are not set to "permit" then click on each of them until the "permit" choice shows. This should take care of any problems resulting from downloading this patch and also using Sunbelt Kerio P.F.W.  Just thought I would pass this information on to anyone that might need it. Have a nice day. 
This is also referred to as MS06-015  My settings were already all set to "permit" by the Windows Explorer entry so I was in good shape.

[DavidR]

Although this is a Kerio issue, I have blocked internet access to explorer.exe, Windows Explorer, I can see no good reason to allow it access, even though you can type a url in the address window.

For one thing it opens the web page inside explorer and it uses IE to display it and not your default browser.
For another if I want to connect to the internet, I will use the appropriate program, browser/ftp, etc.
For another there are a number of malware programs that attempt to hijack/inject/use explorer.exe to connect to the internet, as for most people they allow access to explorer.exe.

[Lisandro]

Although this is a Kerio issue, I have blocked internet access to explorer.exe, Windows Explorer, I can see no good reason to allow it access, even though you can type a url in the address window.

If you don't correct this, you can't use the computer... that simple.
The problem appeared to me today and only following the Neal's solution I could get into the computer...
Of course it needs a Kerio update or a Microsoft patch to solve this.
I'm thinking if other code injection applications (ProcessGuard, SSM, PrevX, Outpost firewall...) arent affected with this too.

[DavidR]

My firewall Outpost Pro hasn't had a problem with the MS update, but the Verclsid.exe file that you are allowing to start other programs isn't what I'm doing, I'm blocking explorer.exe, so verslsid.exe could launch explorer.exe but if that entailed and internet access it would be blocked from accessing the internet in my system.

•    The Verclsid.exe program is flagged by Kerio Personal Firewall from Sunbelt Software. For more information about Kerio Personal Firewall, visit the following Sunbelt Software Web site:
Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm)
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

This software flags any attempt by one application to start another application and asks for the user's approval. Kerio Personal Firewall flags an attempt by Internet Explorer to start the Verclsid.exe program. When this behavior occurs, the Versclid.exe program stops running until the user clicks through Kerio's notification dialog box. Users can configure Kerio so that the Versclid.exe program runs without any prompts.

[neal62]

The MS06-015 download will not affect Sunbelt Kerio P.F.W. in several different ways. If your a person running the free version of Kerio then it won't be affected because it doesn't have the 1. "Intrusion" feature activated as does the pay for version. 2. If your running the pay for version and DON'T have the "Enable Application Behavior
Blocking" checked then you won't be affected. 3. And also if the #2 option I listed IS checked, then you can go into the program and change the behavior processes of Kerio where you also won't be affected.
     The Tech I talked to indicated that once you change things over to "permit" beside the Windows Explorer entry, click on "Apply" and then "OK" this change will stay that way unless you manually make a different change. 

[Jason_Becker]

 
Hello again friends thanks for your comments including the gringo joke lol! I can see there's such a controversy about the Firewall stuff? is it vulnerable then, or not? 

Well the situation now is....I figured I dont seem to have not Blaster or Sasser worms since patches didn't find it on my system and my computer is still doing that reboot.....yesterday it went insane and would reboot after like 5 or 10 minutes with Avast! on (being online of course), still processing a lot and acting laggy and even Internet connection does, this is what I found on my latest log, they look like some other kind of virus 

 18/04/2006 11:24:32 p.m  SYSTEM   1328   
Sign of "Win32:Mytob-NU [Wrn]" has been found in
"C:\WINDOWS\system32\hashwin.exe\[Upack]" file. 

19/04/2006 02:24:26 p.m.   Ricky Ruiz   1576   
Sign of "Win32:Trojano-3428 [Trj]" has
been found in "C:\WINDOWS\Debug\DCPROMO.LOG" file. 

21/04/2006 08:22:12 p.m.   SYSTEM   1332   
Sign of "Win32:SdBot-gen [Trj]" has been found in
"C:\WINDOWS\system32\msaconf.exe\[NsPack]" file. 

What the hell is "sign of"?, it notified me online about this last one SdBot-gen thing and I moved it away, I dont know if I have to delete 'em manually or they're hidden or anything.

They do look like temp locations and they should be OK to delete, ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

Thanks for your suggestions DavidR! I also tried either programs but they wouldn't delete the locations I specified above in the pic, they're pretty useful for erasing the rest of Temps but after I ran both clean-ups the error message would tell me the same so those locations still exist and I tried erasing them on Documents & Settings Folder and even System Volume Information but everything I achieved was to lose my personal browser settings!  .

I really dont want to format afraid of installing Windows not properly and the trojans could still be present, what shall I do? whats a way to permanently remove that sh*t?  thanks again for your help and greetings amigos! 

[Spiritsongs]

   Hi Jason :

     I clicked on your screenshot and saw no security-type
     program there, so it might be helpful if you gave us some
     basic info about your machine, such as Operating System
     and the names of any security-type programs. Should we
     assume these detections are while you are using IE &
     not the Avant browser !?