LSASS EXP & SXP Exploits

Hello Avast! community, I’m new to this and I’m kind of desperate about my PC situation. First of all, greetings from Mexico City to all of you guys… this is your casa anytime :smiley:

Well, I just bought Avast Professional 4.6 (latest version) because I had around 10 viruses and my PC was going insane (no regedit, no msconfig, no Task Manager would open, etc.). It cleaned well, but there is something still bothering me.

I have a problem with the lsass.exe thing, especially something my antivirus blocks called “LSASS EXP and SXP Exploits”…

Even though my computer is supposed to be clean, and the Web Protection says they’re blocked in a red-letter, yellow-background box, my PC still reboots by itself after 50 minutes of activity or less (being online). It says to save all your info and I see this timer clock; the process is authorized by NT/AUTHORITY and the error is always with C:\Windows\system32\lsass.exe.

I heard about the Sasser and Blaster fuc$%rs, so I downloaded the supposed patch for Blaster from the Windows website, but it won’t work. I got the Symantec Sasser patch from the official site and it says Sasser wasn’t detected (and all folders scanned).

After this takes place my PC is rebooted, showing me “LSA Shell (Export Version) found a problem and had to close”. The specific locations of the files with “problems” are these… this is what I find on my desktop. They look like temp directories to me, but I still don’t know how to erase them, or whether they’re safe to delete or infected. I ran a Deep Scan like 3 hours ago and Avast didn’t detect anything.


http://img136.imagevenue.com/loc25/th_15501_Error.JPG

And these are the attacks I usually get; they get blocked, but my PC still reboots.

19.04.2006 03:20:29 DCOM Exploit attack
from 200.58.4.114:135
19.04.2006 03:22:39 DCOM Exploit attack
from 85.178.112.193:135
19.04.2006 17:55:11 LSASS Exploit (SXP) attack
from 65.24.130.150:445
19.04.2006 18:27:08 DCOM Exploit attack
from 61.197.116.152:135
19.04.2006 18:33:18 DCOM Exploit attack
from 81.242.204.105:135
19.04.2006 18:43:28 DCOM Exploit attack
from 200.64.30.80:135
20.04.2006 00:04:32 LSASS Exploit (SXP) attack
from 200.64.58.17:445
20.04.2006 00:19:49 LSASS Exploit (EXP) attack
from 209.234.151.130:445
20.04.2006 00:22:30 LSASS Exploit (SXP) attack
from 59.115.54.164:445
20.04.2006 00:37:43 LSASS Exploit (SXP) attack
from 65.24.130.150:445

Help me out friends, I really don’t want to format and I still trust in Avast. I tried other antivirus programs (Panda, Norton, NOD32) and didn’t get as good results as with Avast!. Could I have downloaded the wrong patches? Is there a module I have to activate to fix this? What could it be!!!… I await your answers, thanks in advance and greetings from your friend. :cry: >:(
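The Network Shield log lines quoted in this post follow a fixed two-line layout (a timestamped attack name, then a "from ip:port" line). The script below is an added example, not part of the thread and not an avast! tool: it pairs those two lines into events and summarises them by attack kind, targeted port and source address, so a reader can tell at a glance whether the blocked attempts are the port 135 (DCOM/RPC, Blaster family) or port 445 (SMB/LSASS, Sasser family) kind and whether the same host keeps coming back. It assumes that the port in the "from" line is the service port the attempt was aimed at; the sample input is a subset of the lines from the post.

```python
"""Summarise avast! Network Shield attack-log lines like the ones posted above.

Added example, not part of the forum thread and not an avast! tool.  It assumes
the two-line layout visible in the post:

    DD.MM.YYYY HH:MM:SS <attack name> attack
    from <ip>:<port>

and treats <port> as the service the attempt was aimed at (135 or 445).
"""
import re
from collections import Counter
from datetime import datetime

# The two services these families arrive over.  Port 135 is the MS-RPC/DCOM
# endpoint mapper used by the Blaster family; port 445 is SMB over TCP, which is
# how the LSASS service is reached by the Sasser family.
PORT_SERVICE = {
    135: "MS-RPC/DCOM endpoint mapper (Blaster family)",
    445: "SMB / LSASS (Sasser family)",
}

# A subset of the lines from the first post, used as sample input.
SAMPLE_LOG = """\
19.04.2006 03:20:29 DCOM Exploit attack
from 200.58.4.114:135
19.04.2006 17:55:11 LSASS Exploit (SXP) attack
from 65.24.130.150:445
20.04.2006 00:04:32 LSASS Exploit (SXP) attack
from 200.64.58.17:445
20.04.2006 00:19:49 LSASS Exploit (EXP) attack
from 209.234.151.130:445
20.04.2006 00:37:43 LSASS Exploit (SXP) attack
from 65.24.130.150:445
"""

HEADER_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.+?) attack$")
SOURCE_RE = re.compile(r"^from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_events(text):
    """Pair each header line with the 'from' line that follows it.

    Returns a list of dicts with keys time, kind, ip, port.  A header without
    a following 'from' line, or a 'from' line without a header, is dropped.
    """
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = (datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S"), m.group(2))
            continue
        m = SOURCE_RE.match(line)
        if m and pending is not None:
            when, kind = pending
            events.append({"time": when, "kind": kind,
                           "ip": m.group(1), "port": int(m.group(2))})
            pending = None
    return events


def summarise(events):
    """Counts by attack kind, source IP and targeted port, plus repeat sources."""
    by_ip = Counter(e["ip"] for e in events)
    return {
        "by_kind": dict(Counter(e["kind"] for e in events)),
        "by_ip": dict(by_ip),
        "by_port": dict(Counter(e["port"] for e in events)),
        # sources seen more than once: the same host scanning again
        "repeat_sources": sorted(ip for ip, n in by_ip.items() if n > 1),
    }


def report(events):
    """Human-readable summary lines, one per targeted port."""
    lines = []
    for port, n in sorted(summarise(events)["by_port"].items()):
        service = PORT_SERVICE.get(port, "unknown service")
        lines.append(f"port {port} ({service}): {n} blocked attempt(s)")
    return lines


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(f"{len(evts)} blocked attempts parsed")
    for line in report(evts):
        print(line)
    print("repeat sources:", summarise(evts)["repeat_sources"])
```

Run it on a saved copy of the log to get the per-port counts; a source that shows up in "repeat sources" is a host that scanned the machine more than once. Nothing in the output says anything about a local infection, which is the point made later in the thread: these are remote addresses being blocked, not files on the disk.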

I think not… you’re right.

NetShield is this module.
But better if you install and use a 3rd party firewall. I suggest Sunbelt Kerio Personal (free).

It will be good if you schedule an avast scanning at boot time and, if you can, download, install, update and run www.ewido.net :slight_smile:

If your operating system is up to date you have little to fear from these attempts to exploit your system (it doesn’t stop them from trying to gain access, though). The Network Shield is also watching out for these common exploit routes into your system and protecting you from them. You can see this from the log information you posted: they are internet IP addresses, not hard-disk locations.

However, as Tech said, a 3rd-party firewall provides much more protection, including outbound protection, which stops unauthorised connections to the internet from your system.

They do look like temp locations and they should be OK to delete; use ClearProg (Temp File Cleaner) or CCleaner (Temp File Cleaner), etc.

:slight_smile: Hi Jason:

What's a gringo doing in Mexico City!? As to firewalls, NOT the Sunbelt Kerio, because it has been affected by the recently released and flawed Microsoft update KB908531. Better off to have Zone Alarm or what I use, the Sygate Personal (FREE) firewall, available for download at www.filehippo.com/download_sygate_personal_firewall/ . There is a "Guide" at www.kotiposti.net/string/SPF_eng/SPFGuide.html

I don’t see a problem here with my Kerio… I’ve Googled but did not find something specific related to this…
Can you explain more? Thanks.


See this post, Tech. :wink:

http://forum.avast.com/index.php?topic=20596.msg172679#msg172679


Thanks Charlie… but my Kerio stays calm in the system tray, working like a charm 8)
Maybe I’m a lucky guy 8)

Anyway, verclsid.exe is allowed to connect.

:slight_smile: Hi Tech:

I thought you were already aware of the info at http://support.microsoft.com/kb/918165 !?

Some excerpts:

"CAUSE

Security update 908531 (MS06-015) installs a new binary program, Verclsid.exe."

and

"• The Verclsid.exe program is flagged by Kerio Personal Firewall from Sunbelt Software."

and

"RESOLUTION
8. Use Task Manager to close the Verclsid.exe program"

Have the Sunbelt people sent a firewall “update” since the release of KB908531?

I use Sunbelt Kerio P.F.W. I checked with their tech support on April 18th concerning this issue. What they had me do was to open up the firewall, then go to the “Intrusions” tab and click on it. Then go to the bottom of that page and, under “enable application behavior blocking”, left-click the “advanced” button. Then at the top of the new page click on the “applications” tab. There will be a list of programs. Find the “Windows Explorer” entry. Be sure that under the columns, 1. Starting, 2. Modifying, 3. Launching of…, they are ALL set to the “permit” choice. If they are, then this MS patch will not cause your PC a problem if you’re running Sunbelt Kerio P.F.W.
If those 3 settings next to the “Windows Explorer” entry are not set to “permit”, then click on each of them until the “permit” choice shows. This should take care of any problems resulting from downloading this patch and also using Sunbelt Kerio P.F.W. Just thought I would pass this information on to anyone that might need it. Have a nice day.
This is also referred to as MS06-015 :slight_smile: My settings were already all set to “permit” by the Windows Explorer entry, so I was in good shape.

Although this is a Kerio issue, I have blocked internet access to explorer.exe (Windows Explorer); I can see no good reason to allow it access, even though you can type a URL in the address window.

For one thing, it opens the web page inside Explorer and uses IE to display it, not your default browser.
For another, if I want to connect to the internet, I will use the appropriate program: browser, FTP, etc.
For another, there are a number of malware programs that attempt to hijack/inject/use explorer.exe to connect to the internet, as most people allow access to explorer.exe.

If you don’t correct this, you can’t use the computer… that simple.
The problem appeared to me today, and only by following Neal’s solution could I get into the computer…
Of course it needs a Kerio update or a Microsoft patch to solve this.
I’m wondering whether other code-injection applications (ProcessGuard, SSM, PrevX, Outpost firewall…) aren’t affected by this too.

My firewall, Outpost Pro, hasn’t had a problem with the MS update, but the Verclsid.exe file that you are allowing to start other programs isn’t what I’m doing. I’m blocking explorer.exe, so verclsid.exe could launch explorer.exe, but if that entailed internet access it would be blocked from accessing the internet on my system.

• The Verclsid.exe program is flagged by Kerio Personal Firewall from Sunbelt Software. For more information about Kerio Personal Firewall, visit the following Sunbelt Software Web site: Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm). Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

This software flags any attempt by one application to start another application and asks for the user’s approval. Kerio Personal Firewall flags an attempt by Internet Explorer to start the Verclsid.exe program. When this behavior occurs, the Verclsid.exe program stops running until the user clicks through Kerio’s notification dialog box. Users can configure Kerio so that the Verclsid.exe program runs without any prompts.

The MS06-015 download will not affect Sunbelt Kerio P.F.W. in several different cases. 1. If you’re a person running the free version of Kerio, then it won’t be affected, because it doesn’t have the “Intrusion” feature activated as the pay-for version does. 2. If you’re running the pay-for version and DON’T have “Enable Application Behavior Blocking” checked, then you won’t be affected. 3. And also if the #2 option I listed IS checked, then you can go into the program and change the behavior processes of Kerio so that you also won’t be affected.
The tech I talked to indicated that once you change things over to “permit” beside the Windows Explorer entry, click on “Apply” and then “OK”, this change will stay that way unless you manually make a different change. :slight_smile:

:slight_smile:
Hello again friends, thanks for your comments, including the gringo joke lol! I can see there’s such a controversy about the firewall stuff? Is it vulnerable then, or not? :-\

Well, the situation now is… I figured I don’t seem to have either the Blaster or Sasser worms, since the patches didn’t find them on my system, and my computer is still doing that reboot… yesterday it went insane and would reboot after like 5 or 10 minutes with Avast! on (being online of course), still processing a lot and acting laggy, and even the Internet connection does. This is what I found in my latest log; they look like some other kind of virus :o

18/04/2006 11:24:32 p.m SYSTEM 1328
Sign of “Win32:Mytob-NU [Wrn]” has been found in
“C:\WINDOWS\system32\hashwin.exe[Upack]” file.

19/04/2006 02:24:26 p.m. Ricky Ruiz 1576
Sign of “Win32:Trojano-3428 [Trj]” has
been found in “C:\WINDOWS\Debug\DCPROMO.LOG” file.

21/04/2006 08:22:12 p.m. SYSTEM 1332
Sign of “Win32:SdBot-gen [Trj]” has been found in
“C:\WINDOWS\system32\msaconf.exe[NsPack]” file.

What the hell is “sign of”? It notified me online about this last one, the SdBot-gen thing, and I moved it away. I don’t know if I have to delete ’em manually, or if they’re hidden or anything.

Thanks for your suggestions DavidR! I also tried both programs, but they wouldn’t delete the locations I specified above in the pic. They’re pretty useful for erasing the rest of the temps, but after I ran both clean-ups the error message would tell me the same, so those locations still exist. I tried erasing them in the Documents & Settings folder and even System Volume Information, but everything I achieved was to lose my personal browser settings! :-[

I really don’t want to format, afraid of not installing Windows properly and the trojans still being present. What shall I do? What’s a way to permanently remove that sh*t? Thanks again for your help and greetings amigos! ;D
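The three detection entries quoted in this post share one layout: a header line (date, 12-hour time, the account the scan ran under, a number) followed by a "Sign of … has been found in … file." sentence that the forum has wrapped across lines. The script below is an added example, not part of the thread and not an avast! tool: it reassembles each entry, pulls out the detection name, its class tag, the file path and the bracketed suffix after the path, and then lists the entries a responder would verify first (packed executables sitting in a system folder). The reading of the class tags ([Wrn], [Trj]) as worm/trojan and of the bracketed suffix ([Upack], [NsPack]) as the unpacker used to look inside the file are assumptions made for this example; the sample input is the three entries from the post.

```python
"""Parse avast! detection-log entries of the "Sign of ... has been found in ..." kind.

Added example, not part of the forum thread and not an avast! tool.  It assumes
the layout visible in the post above: a header line

    DD/MM/YYYY HH:MM:SS a.m|p.m <user name> <number>

followed by a sentence, possibly wrapped over several lines,

    Sign of "<detection> [<class>]" has been found in "<path>[<unpacker>]" file.

The meanings given to the class tag and the bracketed suffix are assumptions,
not taken from avast! documentation.
"""
import re
from datetime import datetime

# The three entries quoted in the post, used as sample input.
SAMPLE_LOG = r"""
18/04/2006 11:24:32 p.m SYSTEM 1328
Sign of “Win32:Mytob-NU [Wrn]” has been found in
“C:\WINDOWS\system32\hashwin.exe[Upack]” file.

19/04/2006 02:24:26 p.m. Ricky Ruiz 1576
Sign of “Win32:Trojano-3428 [Trj]” has
been found in “C:\WINDOWS\Debug\DCPROMO.LOG” file.

21/04/2006 08:22:12 p.m. SYSTEM 1332
Sign of “Win32:SdBot-gen [Trj]” has been found in
“C:\WINDOWS\system32\msaconf.exe[NsPack]” file.
"""

HEADER_RE = re.compile(
    r'^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) ([ap])\.m\.? (.+?) (\d+)$')
SIGN_RE = re.compile(
    r'Sign of [“"](.+?) \[(\w+)\][”"] has been found in '
    r'[“"](.+?)(?:\[(\w+)\])?[”"] file\.')

# Assumed reading of the class tag inside the detection name.
CLASS_TAG = {"Wrn": "worm", "Trj": "trojan"}

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys")


def parse_detections(text):
    """Return one dict per entry: time, user, detection, class, path, unpacker."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        h = HEADER_RE.match(lines[0])
        body = " ".join(lines[1:])          # undo the forum's line wrapping
        s = SIGN_RE.search(body)
        if not (h and s):
            continue                          # not an entry we understand
        date, clock, ampm, user, _num = h.groups()
        when = datetime.strptime(f"{date} {clock} {ampm.upper()}M",
                                 "%d/%m/%Y %I:%M:%S %p")
        entries.append({
            "time": when, "user": user,
            "detection": s.group(1),
            "class": CLASS_TAG.get(s.group(2), s.group(2)),
            "path": s.group(3),               # path without the [unpacker] suffix
            "unpacker": s.group(4),           # None when the file was not packed
        })
    return entries


def triage(entries):
    """Flag what a responder looks at first: executables in a system folder,
    and files that were packed (an unpacker name is present)."""
    out = []
    for e in entries:
        low = e["path"].lower()
        out.append({
            "path": e["path"],
            "class": e["class"],
            "in_system_dir": low.startswith(SYSTEM_DIRS),
            "executable": low.endswith(EXEC_EXT),
            "packed": e["unpacker"] is not None,
        })
    return out


def files_to_check(entries):
    """Packed executables in a system folder: the paths to confirm are really
    gone (moved to the chest or deleted) before trusting the machine again."""
    return [t["path"] for t in triage(entries)
            if t["in_system_dir"] and t["executable"] and t["packed"]]


if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    for e in found:
        print(e["time"], e["class"], e["detection"], "->", e["path"],
              f"(unpacked with {e['unpacker']})" if e["unpacker"] else "")
    print("check first:", files_to_check(found))
```

The split between "path" and "unpacker" is what makes the output usable: the file to look for on disk is the path without the bracketed suffix, which is why a search for the literal string from the log would find nothing.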

:slight_smile: Hi Jason:

I clicked on your screenshot and saw no security-type program there, so it might be helpful if you gave us some basic info about your machine, such as operating system and the names of any security-type programs. Should we assume these detections are while you are using IE and not the Avant browser!?

Give yourself a fighting chance and don’t give malware the permissions required to stick files in the system folders.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below): Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.

Other useful tools to remove stubborn files:

I’m using Kerio personal firewall paid version and have no problems at all…My 65536 ports are all stealth so seems like everything’s ok. :slight_smile:

And by the way, I have a question for you all… Is it recommended to use KPF and the Network Shield at the same time? ???

There shouldn’t be a problem, as if Kerio is started first in the Windows boot sequence (likely) then the Network Shield won’t have anything to check/alert on, as KPF should block those attacks. The Network Shield is very light on resources and there really isn’t any point in disabling it; it works just fine on my system with Outpost Pro.