sasser on xp pro sp2 machine??

[moondoggie]

just as it says. this lady has xp pro and it's acting like it has the sasser worm on it. she gets random reboots and a lot of times will get a countdown screen before it does the reboot. she can't cancel the counter and it doesn't let her do anything else except reboot once it starts. when it reboots it gives the "recovered from a system error" message and faults lsass.exe as the problem process

the thing is, i know the sasser vulnerability was supposed to be patched as of sp2. i've run the windows vulnerability assessment tool, mcafee viruscan 8.0 full system scan and taken her machine off the network for now. no malware has been detected whatsoever. i am just stumped.

[Groovicus]

Yours is the second thread I've seen discussing this. I put out some feelers on some other boards, but nothing yet. Have you run a rootkit check yet?
_________________
Never argue with stupid people. They just drag you down to their level and beat you with experience.

[moondoggie]

no, i'm doing a complete reformat & reinstall right now, hoping that kills whatever it is. originally this machine was quick formatted and i think it missed whatever was hiding in there. but we can swap out machines pretty quick here so we just gave the user a new machine while we reformat the old one

[Groovicus]

Aack! Is there any way possible to avoid doing that? At least until you can get a look around? It would be very helpful if you can find an infector of some sort.
_________________
Never argue with stupid people. They just drag you down to their level and beat you with experience.

[moondoggie]

sorry, it's already been reformatted this morning if it is a rootkit though, do you think there's a chance of it coming back at this point?

[Groovicus]

[moondoggie]

this was a machine that was reimaged for another user and we think the original user infected it. so i don't think the problem will come back with the current user since the previous user was known for their browsing habits of going to just about any and every site possible

[larsmhansen]

Rootkits and other malware usually doesn't survive reformats and/or re-imaging.
_________________
Is there anybody listening? Is there anyone that sees what's going on?
Read between the lines, criticize the words they're selling
Think for yourself and feel the walls Become sand beneath your feet

[moondoggie]

that's what i thought too, but the guy who re-installed it originally said he just did a "quick format" during the installation instead of a full format. this time around he did a full format. hopefully it won't have problems when we bring it back on the domain....

[Groovicus]

According to the specs, the only difference between quick format and full format is that the quick format does not check the disk for bad sectors. It says that it removes files from the partition, but that could be taken to mean that files are marked for deletion, etc. I am just guessing at this point.

On the other hand, wouldn't it be interesting (to me, nightmare to you) if there was a different machine on your network that actually carried the infection...say, some sort of worm?

EDIT: Just found this though, and on the face of it, it makes sense.

[moondoggie]

yeah, it was always my understanding that a quick format just recreated the FAT and didn't actually delete anything from the drive, this is why i thought the infection could have made it through the quick format. well, unless it comes back i'll never get the chance to find out if anyone else has it. and i can't say i would be sorry if that's the case