Cleaning the LSASS worm : Part 1
I had tried avast! Antivirus (my favorite antivirus), Norton, and many other tools, but this worm, "lsass.exe", remained undetected, untouched, and unrepaired on my sister's computer.
The first signs of infection were the "Task Manager" button being disabled in the CTRL+ALT+DEL window. We then noticed that the "Run" option was also missing from the Start menu. Exploring further, "Folder Options" was gone from the Tools menu of the Windows Explorer window. More woes: the IE home page had been changed to some obscene site, and we couldn't change it back either! To cap it all, Yahoo Messenger showed a link to the same site beside the user name whenever someone logged in. It would be embarrassing to have a link to some stupid site beside your name, visible to all of your contacts!
We thought it was just another virus and ran a boot scan and a run-time scan using avast!, but nothing turned up. We did at least know that this wasn't a problem with the registry or Windows itself.
After trying out a lot of other tools, I decided to look for suspicious processes running. But how? The task manager was disabled!
I won't get into all the research I did, but to cut a long story short, I had to clean up the trojan (as we found out later) manually, using some good information from Internet forums, some trial and error, and some good tools.
We had seen an error message relating to the "MyWebSearch" toolbar, so I googled it, and sure enough, many forums had information on it as a worm! That's where I learned about the tools I could use to remove the toolbar. After going through the instructions and restarting, the Task Manager button was still disabled!
The infection was clearly deeper, and we had to see the running processes somehow. The first idea was to re-enable Task Manager so that I could look at them. Well, it turned out that I didn't really need Task Manager after all: I used Process Explorer from Sysinternals instead. The next stage was some guesswork, but it got the job done, for a while.
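The symptoms above (Task Manager, Run and Folder Options hidden, the IE home page replaced, and a process named lsass.exe that is not the real one) all leave traces you can check for before reaching for Process Explorer. The script below is an added example written for this post, not something from the original write-up; it reads the per-user policy values that hide those features, prints the IE start page, and lists every lsass.exe process with its on-disk path. The registry paths and value names are the standard Windows ones; the script only reads and changes nothing.

```powershell
# Added example (not from the original post): a read-only check for the
# symptoms described above. Run from an elevated prompt so that process
# paths are readable; nothing here modifies the system.

$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';  What = 'Task Manager disabled' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';           What = 'Run menu hidden' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; What = 'Folder Options hidden' }
)

# A value of 1 in any of these is what makes Windows hide the feature.
foreach ($c in $policyChecks) {
    $val = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($val -eq 1) {
        Write-Warning ("{0}: {1}\{2} = 1" -f $c.What, $c.Key, $c.Name)
    } else {
        Write-Output ("OK  {0} (policy value not set)" -f $c.What)
    }
}

# IE home page: print it so an unexpected site is visible at a glance.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
Write-Output ("IE start page: {0}" -f $ie.'Start Page')

# lsass.exe: the genuine one lives in System32 and there is exactly one.
# Any other path, or a second instance, is what to look at in Process Explorer.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'lsass.exe'")
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if ($path -and ($path -ieq $expected)) {
        Write-Output ("OK  PID {0} lsass.exe at {1}" -f $p.ProcessId, $path)
    } else {
        Write-Warning ("PID {0} lsass.exe path is '{1}', expected {2}" -f $p.ProcessId, $path, $expected)
    }
}
if ($procs.Count -ne 1) {
    Write-Warning ("{0} lsass.exe processes found; Windows normally runs exactly one" -f $procs.Count)
}
```

The same policy values can also be set under HKLM for all users, so a clean HKCU result does not rule the problem out on its own.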
3 comments so far
Can you please share with me the process of removal?
Sorry, my PC is down from a hardware failure, and I saved the actual steps for removal there.
Well, I couldn’t remember them forever, could I? So till I replace my motherboard, I won’t be able to complete this tutorial.
I finally finished Part 2! It's a follow-up to this post.