Author Topic: [WTF!?] Sasser on patched system!?!?!?!  (Read 11647 times)


Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
[WTF!?] Sasser on patched system!?!?!?!
« on: June 04, 2004, 02:13:59 PM »
For the last two days I've been getting the lsass RPC error over and over again, and it's starting to piss me off. The system is patched against Sasser, I have McAfee firewall and NOD32. Makes no sense. Even if I don't connect to the internet, I get that damn RPC error and here we go again.

I managed to get on the internet before RPC terminates itself (I cancelled the shutdown timer with the shutdown -a command), so I can still browse the web, but I cannot do practically anything because the whole shitty system relies on one pathetic service (RPC, Remote Procedure Call). I also reinstalled the OS and patched it immediately with SP1 and the anti-Sasser patch, but no success. I just don't get it, it's driving me crazy argh!? Can any of the Alwil experts help me? Or does someone have any contact with Microsoft?
Visit my webpage Angry Sheep Blog

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #1 on: June 04, 2004, 02:24:27 PM »
Is it possible that this is some kind of new Sasser version which is not detectable by any antivirus/firewall? And it's not blocked by the current Sasser patch?

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #2 on: June 04, 2004, 02:27:58 PM »
Ok, here's the error window. I assume this is Sasser, but it's just not logical ???

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #3 on: June 04, 2004, 02:29:30 PM »
I haven't heard about anything new... and I think if a new exploit of this kind appeared (and was abused by a worm!), it would be known.

Did you install only the one RPC patch, or is the system completely updated (if not, I'd suggest doing it... maybe some other updates are needed to patch the vulnerability completely)?
Do you have any suspicious files (virus bodies) on the disk?

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #4 on: June 04, 2004, 02:42:06 PM »
I checked the system with avast! Free Cleaner and with the latest NOD32 at the highest possible settings and nothing. I have installed SP1, the MSBlast and Sasser patches, but I cannot access Windows Update because RPC fails before I can do anything (I can remove that countdown, but after I cancel it the system becomes quite useless without the RPC service). Yesterday I was on the old Win installation with all possible patches and it was the same. I thought it was an SP2 beta issue, because I uninstalled it, but it appears that it's not, since I have the same problem on a fresh Win installation.

Here is also a NOD32 log which shows files of the Sasser patch. I don't think it's normal that they are not accessible. Or is this due to the offline RPC service?

EDIT:
avast! Virus Cleaner shows the same thing (I didn't see this on the last installation when I performed a scan!?):

4.6.2004, 14:06:54
Memory scanning started...
No virus body found in memory.
Memory scanning finished (1,9s).
----------
Files scanning started...
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb... file could not be scanned!
No virus body found.
Files scanning finished  (28363 files, 0 infected, 803,0s).
Drives scanned: C:
----------
« Last Edit: June 04, 2004, 02:46:41 PM by RejZoR »
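An added example, not code from the thread or from Alwil: a Python script that parses the avast! Virus Cleaner log format quoted above and sorts the "file could not be scanned!" entries into the two locations where unreadable files are expected on a patched XP box (the $NtUninstallKBnnnnnn$ folders, where a hotfix keeps copies of the files it replaced, and the CatRoot2 catalog database, which CryptSvc holds open) versus anything else that deserves a closer look. The sample log is abridged from the post, with one constructed line (C:\Temp\update.exe) added so the "unexpected" bucket is exercised; the bucket names are my own.

```python
import re
from collections import Counter

# Abridged from the avast! Virus Cleaner log quoted in the post above, plus one
# constructed line (C:\Temp\update.exe) standing in for a file outside the
# locations where locked or backup files are expected.
SAMPLE_LOG = r"""4.6.2004, 14:06:54
Memory scanning started...
No virus body found in memory.
Memory scanning finished (1,9s).
----------
Files scanning started...
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll... file could not be scanned!
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
C:\Temp\update.exe... file could not be scanned!
No virus body found.
Files scanning finished  (28363 files, 0 infected, 803,0s).
Drives scanned: C:
----------
"""

# One unscannable entry: "<path>... file could not be scanned!"
UNSCANNABLE_RE = re.compile(r"^(?P<path>.+?)\.\.\. file could not be scanned!$")
# Summary line; note the decimal comma in the duration ("803,0s").
SUMMARY_RE = re.compile(
    r"^Files scanning finished\s+\((?P<files>\d+) files, (?P<infected>\d+) infected, "
    r"(?P<secs>[\d.,]+)s\)\.$"
)


def classify(path):
    """Bucket an unscannable path by why it is normally unreadable (bucket names are mine)."""
    p = path.lower()
    if re.search(r"\\\$ntuninstallkb\d+\$\\", p):
        return "hotfix uninstall backup"   # pre-patch copies kept by a KB hotfix
    if "\\catroot2\\" in p:
        return "catalog database"          # CryptSvc catalog DB, held open while running
    return "unexpected"                    # anything else: look at it by hand


def parse_scan_log(text):
    """Extract the unscannable paths and the final summary from a Virus Cleaner log."""
    unscannable = []
    summary = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = UNSCANNABLE_RE.match(line)
        if m:
            unscannable.append(m.group("path"))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = {
                "files": int(m.group("files")),
                "infected": int(m.group("infected")),
                "seconds": float(m.group("secs").replace(",", ".")),
            }
    return {"unscannable": unscannable, "summary": summary}


def triage(text):
    """Summary counts per bucket plus the list of paths that need manual review."""
    parsed = parse_scan_log(text)
    buckets = Counter(classify(p) for p in parsed["unscannable"])
    review = [p for p in parsed["unscannable"] if classify(p) == "unexpected"]
    return {"summary": parsed["summary"], "buckets": dict(buckets), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["summary"])
    print(result["buckets"])
    for path in result["review"]:
        print("review:", path)
```

On the full log in the post, every unscannable entry falls into one of the two expected buckets and the "review" list comes back empty, which is the useful signal here: the scanner could not read the hotfix's backup copies and the catalog database, but nothing outside those locations was blocked from scanning.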

Offline igor

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #5 on: June 04, 2004, 02:58:19 PM »
Very strange... I really don't know what it could mean  ???

Just an idea... wouldn't it be possible to block all the network communication with the firewall (to prevent the crash) and allow access only to the Windows Update service... or something like that?

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #6 on: June 04, 2004, 03:00:23 PM »
The problem is that this crap starts even if I don't connect to the internet. It takes some more time, but it starts even this way. If I connect I get the RPC error immediately. Firewall on or off, it makes no difference.
« Last Edit: June 04, 2004, 03:00:37 PM by RejZoR »

Offline igor

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #7 on: June 04, 2004, 03:03:21 PM »
Oh... and isn't there anything suspicious in your auto-start items?
How about Safe mode - does the problem appear if you boot into Safe mode without connecting to the Internet?

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #8 on: June 04, 2004, 04:18:41 PM »
Aaaaaaa thank god. Not sure what the problem was, but I reinstalled Windows again and installed SP1 in Safe mode. After that the MSBlast and Sasser patches, and now it seems to work fine (10 min connected to the net, also 20 min in Windows). Still not quite sure what caused the lsass component to fail ??? Thanks igor, for your time :)

EDIT:
I was talking too soon. After installing the soundcard drivers, I restarted and boom, on the next boot that thing came up after a few minutes. Rebooted again and now it's working again. Hopefully. Currently updating Windows on Windows Update, hoping for the best.
« Last Edit: June 04, 2004, 04:33:02 PM by RejZoR »

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #9 on: June 04, 2004, 04:38:54 PM »
Nope, nothing suspicious in the Startup section. I check it regularly and it's clean. Yeah, in Safe Mode I don't get this, but I also can't connect to the internet (no connection drivers/LAN card for ADSL, since Safe Mode is a bit limited :) )

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #10 on: June 04, 2004, 05:06:39 PM »
Ok, this crap has to be some new Sasser-like exploit. I reinstalled the system 3 times, patched it 6 times, am using the latest (and probably the world's best antivirus) NOD32 with McAfee Firewall, and I still get that lsass RPC error like with Sasser.

If you need any files to check or any info, I'll be glad to help as much as I can.

Offline igor

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #11 on: June 04, 2004, 05:14:54 PM »
Well, I really don't know what to suggest...
Did the Windows update finish successfully when you managed to connect? Does the firewall show any incoming connections (or can you limit them somehow)?

Maybe the worm file isn't actually transferred (the firewall may prevent it), so you can't see it on disk - but the initial connection crashes the service... but of course, it shouldn't happen on a patched system. I don't know... are you sure the patches are OK (correct version, ...)?

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #12 on: June 04, 2004, 05:21:53 PM »
Yup, I'm sure. Everything finished normally after the update. The firewall is online, so it would most probably block an inbound attack, but on my machine there is nothing suspicious except that lsass RPC error that smells like Sasser, but it's not Sasser.
I tried to somehow contact Microsoft, but I can't find any Contact Us link out there... Any idea?

Offline RejZoR

Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #13 on: June 04, 2004, 05:39:34 PM »
Hm, maybe it's not a virus after all. I checked the Event Logs and I got this event appearing on a regular basis.

A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I checked the description I got this:
Product: Windows Operating System
ID: 1015
Source: Winlogon
Version: 5.0
Component: Application Event Log
Symbolic Name: EVENT_SAVE_SYSTEM_DEFAULT_FAILED
Message: Failed to save the system default profile to a local profile for user %1.

Explanation
The system default profile appears when nobody is logged on. This event record indicates that the changes that the user made to the default profile were not saved to the local system. The user will have to use the system default profile at the next logon session.

It looks like there's something wrong with user profiles ???
That's why I get that error crap even before I connect online.
At least I hope this is the problem...
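An added example, not part of the thread: a small Python parser for the Winlogon "critical system process ... failed with status code" message quoted above. It pulls out the process path and the NTSTATUS value, decodes the well-known codes by name (c0000005 is STATUS_ACCESS_VIOLATION, i.e. lsass died on a bad memory access), and counts failures per process so repeated lsass crashes stand out from one-off noise. The event messages below are constructed in the format of the one in the post; the svchost line and the profile-save line are mine, added so the parser has something to skip and something to keep apart.

```python
import re
from collections import Counter

# Constructed sample in the style of the Winlogon message quoted in the post:
# two lsass failures like the one RejZoR saw, one unrelated svchost crash, and
# one profile-save message that is not a critical-process event at all.
SAMPLE_EVENTS = [
    "A critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with status code c0000005.  The machine must now be restarted.",
    "A critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with status code c0000005.  The machine must now be restarted.",
    "A critical system process, C:\\WINDOWS\\system32\\svchost.exe, failed with status code c0000374.  The machine must now be restarted.",
    "Failed to save the system default profile to a local profile for user Administrator.",
]

# Well-known NTSTATUS values (names as in ntstatus.h); anything else is reported as raw hex.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

CRITICAL_RE = re.compile(
    r"A critical system process, (?P<process>[^,]+), failed with status code "
    r"(?P<status>[0-9a-fA-F]{8})\."
)


def parse_critical_process_event(message):
    """Return (process path, NTSTATUS as int) for a critical-process message, else None."""
    m = CRITICAL_RE.search(message)
    if not m:
        return None
    return m.group("process"), int(m.group("status"), 16)


def status_name(status):
    """Symbolic NTSTATUS name, or the raw code when it is not in the small table above."""
    return NTSTATUS_NAMES.get(status, "unknown NTSTATUS 0x%08X" % status)


def summarize(messages):
    """Count critical-process failures per (process basename, status name)."""
    counts = Counter()
    for msg in messages:
        parsed = parse_critical_process_event(msg)
        if parsed is None:
            continue  # not a critical-process message (e.g. the profile-save error)
        process, status = parsed
        basename = process.rsplit("\\", 1)[-1].lower()
        counts[(basename, status_name(status))] += 1
    return dict(counts)


def lsass_access_violations(messages):
    """How many times lsass.exe died with STATUS_ACCESS_VIOLATION in this batch."""
    return summarize(messages).get(("lsass.exe", "STATUS_ACCESS_VIOLATION"), 0)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(key, n)
    print("lsass access violations:", lsass_access_violations(SAMPLE_EVENTS))
```

An access violation in lsass.exe is the same symptom whether the cause is an exploit against the unpatched LSASS service or a local problem, so the count alone does not say which; it only tells you the process is crashing rather than being shut down cleanly. That is exactly why the patch-version and inbound-port checks raised elsewhere in this thread still matter after the event has been identified.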

whocares

  • Guest
Re:[WTF!?] Sasser on patched system!?!?!?!
« Reply #14 on: June 04, 2004, 07:52:34 PM »
Hi RejZoR,

- is this a new PC? Is a hardware problem possible?

- have you done scandisk /intensive & a RAM test?

- did you change all your passwords..?

- can you run an online scan, e.g. by Trend and/or RAV?

- are ports 135, 139, 445, 4500 definitely blocked inbound?

- Please post a HijackThis log: http://hjt.klaffke.de/en

- if Lsass is corrupted, this might tell/fix it:
start -> run -> SFC /scannow  (System File Checker will start & replace "bad files")

P.S.: Avast Cleaner results IMHO don't tell much here, as this could also be some AgoBot/PhatBot variant (some 500 variants and counting..) ;)