HELP: Lsass (no Sasser detected), System Defender fake, etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cdolladelayed, Mar 27, 2008.

  1. cdolladelayed

    cdolladelayed Private E-2

    Wow, where to start? I'm usually the amateur computer debugger. But I've been hit hard. Before I describe my problem, let me note that I did the full READ & RUN ME FIRST for Windows XP, as well as all the basic maintenance (defragged, cleaned up old programs, etc). I also keep an eye on my processes, and usually run from a modified startup, disabling the usual run of updating services and supposed shortcuts that really just slow everything down. Okay, onward.


    The first sign of a problem: I'm working off of a Dell Inspiron 700m laptop, using the Intel PROSet/Wireless Software 9.0.0.1 to connect to my at-home wireless, as well as wi-fi at various libraries and cafes. A couple of weeks ago, I began having connection problems. The radar-like icon in the tray is supposed to show green when it's connected, but instead, it would be connected while showing red or yellow, then drop the connection at random. The color and signal only match up consistently after a cold boot; that's also the only time I can hold a wi-fi connection for more than about 60 seconds. Right now, it's cutting in and out, despite the fact that I'm about 10 yards away from the source. If I connect a cable to the computer, the connection is fine.

    Cleaned up the computer (deleted a couple gigs of crap), ran Ad-Aware, Spybot and SuperAnti scans, updated and reinstalled the Norton Internet Security package (I had been having problems with CCAPP delaying the shutdown of the computer as well), and switched to Firefox...things seemed to be improved, then it all went to sh*t.

    1. I started to get false warnings in the system tray: little shields with pop-up balloons and bad grammar telling me to click on them. Doing so reveals a fake malware detector called SYSTEM DEFENDER 2007 or WINDOWS HELP CENTER SECURITY CENTER, or Internet Explorer (which is not my default browser) opens and attempts to go to: SYS-CLEANER.com or SYSTEM-DEFENDER.com. If I ignore the shields, they just sit in the tray and blow balloons at me. Oh, and a window opens as Windows is starting up, attempting to connect to the Internet.

    2. I began to get seemingly bogus popup errors. Right now there are two on the screen: "SysFader: IE7EXPLORER.EXE - Application Fatal Error" and "Your system is unstable - A problem has been detected and Windows has been shutdown buggy application to prevent damage..." [bad grammar quoted correctly]. I usually just close these.

    3. The big one: System Shutdown. Invariably, the system shutdown window pops up at some point, letting me know that Lsass.exe is shutting down the computer because of some sort of problem with kernel321.dll. I've learned how to kill this process or delay it (shutdown -i or -a), but this is only a temporary solution. I DO have Windows XP Sp2, and I ran the Norton Sasser tool. No Sasser was detected.

    4. Just yesterday, a new thing started happening: a window pops up asking me if I want IE to be my default browser (I can't remember the exact details and neglected to write them down--it's not happening right now).

    I've included the suggested logs. PLEASE HELP. I'm a freelance writer. I need my machine for my work. Thank you so much in advance,

    -Chris
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.
    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. cdolladelayed

    cdolladelayed Private E-2

    Thank you for the quick response. Two immediate issues:

    1) When I checked that line in HiJackThis and hit "fix", the computer shut down almost instantly. When it rebooted, I used "shutdown -i" to create a delayed shutdown, and re-ran hijack. No problems fixing the problem line this time. But...

    2) I saved that line, copied to txt, as a .reg file, but when I double-click it, Windows asks me which program to use to open it. It didn't seem to automatically merge. What should I do?

    Thanks again.
    -Chris
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have now had a few threads where the malware messes with reg associations.

    Download this:
    http://www.dougknox.com/xp/fileassoc/xp_regfile.zip
    Unzip it to your desktop.
    • Click Start, Run, and enter regedit and click OK.
    • This should open the registry editor
    • Click File, Import and navigate to the .reg file you extracted from the ZIP file downloaded from Dougknox. And select the file and then click Open.
    • Allow it to be added to the registry.
    • After doing this, reboot the PC.
    • After reboot, go back and try double clicking on the fixMe.reg patch created in the previous post of this thread and see if the file association is now fixed. If it is, it will ask you if you wish to add this to the registry.
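    As an added example (not part of the thread and not the contents of Dougknox's xp_regfile.zip), the following PowerShell script audits the same .reg association that the malware in this thread broke, and with -Repair restores it. The two expected values are assumed to be the stock Windows XP defaults for the regfile class; run it from an administrator prompt.

```powershell
# Added example: detect tampering with the .reg file association and optionally
# restore the assumed Windows XP defaults. Not the thread's own fix.
param([switch]$Repair)

# Assumed stock values: .reg maps to the "regfile" class, whose open verb
# launches regedit with the clicked file as its argument.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.reg'                       = 'regfile'
    'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command' = 'regedit.exe "%1"'
}

$drift = @()
foreach ($key in $expected.Keys) {
    $current = $null
    if (Test-Path $key) {
        # "(default)" is how PowerShell exposes a key's unnamed default value.
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    }
    if ($current -ne $expected[$key]) {
        $drift += [pscustomobject]@{ Key = $key; Current = $current; Expected = $expected[$key] }
    }
}

if ($drift.Count -eq 0) {
    Write-Host '.reg association matches the expected defaults.'
} else {
    Write-Host 'Missing or tampered .reg association values:'
    $drift | Format-Table -AutoSize
    if ($Repair) {
        foreach ($d in $drift) {
            if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
            Set-ItemProperty -Path $d.Key -Name '(default)' -Value $d.Expected
        }
        Write-Host 'Defaults restored; reboot, then try double-clicking fixME.reg again.'
    }
}
```

    Even while the association is broken, a patch can still be merged by launching regedit.exe with the .reg file as its argument, which bypasses the shell association entirely.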
     
  5. cdolladelayed

    cdolladelayed Private E-2

    Good news. First of all, that fix worked for the reg associations. Secondly, upon completing the rest of your initial directions (twice having to kill a 6-second shutdown process; is the virus protecting itself?), there is marked improvement. No sign of the fake shields in the system tray, no security popups, and so far, no Lsass.exe shutdown (this sometimes takes an hour or so to kick in). No weird IE popups either. Using Firefox with no issues.

    One thing that hasn't changed, which may or may not be related: I have the same problems with my Wi-Fi, which began to occur BEFORE the more viral symptoms (all the stuff we seemingly just killed). So the connection darts in and out, and the Intel PROSet radar image colors do not match the true status.

    Also, as you'll see in the Avenger log, there was one folder that didn't get deleted, and a rootkit found, I believe. Check it out.

    Thanks so much. Things are already markedly better.
    -Chris
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a clue as to the Wi-fi....but let's do a few more things:

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.
    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now clean out all the temps here:
    C:\Documents and Settings\Chris Martins\Local Settings\Temp\

    Tell me how things are now.
     
  7. cdolladelayed

    cdolladelayed Private E-2

    Well damn. I don't want to jinx myself, but this computer appears to be in fighting form now. Even the wi-fi SEEMS to be working fine. It does work occasionally, then reverts back to its old tricks, but so far, so good. Avenger picked up a hidden driver--is this something I should be concerned about? I'll attach the log.

    I don't know what else to say except thank you thank you thank you. It's really great that you guys do this.

    Let me know if you have any ideas about why the wi-fi would be acting strange (in case it starts up again)--i.e. does one need to replace the internal antenna (or whatever) from time to time?

    Okay. Again, thank you so much.
    -Chris.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should best be asking those questions in the hardware or software section.......I'll give you the final instructions if you are sure that the items I had you fix are truly gone. Otherwise I would like to see a new MGLogs.zip.
     
  9. cdolladelayed

    cdolladelayed Private E-2

    Looks like we're clean. No problems to report at all, and the machine seems to be working better than I can ever remember. Even the Wi-Fi is fixed. There's a service now running (in MSConfig) that wasn't before: "Microsoft DDE+ Server". Seems like this is tied to the Wi-Fi, and that it had been somehow disabled or bypassed by the bug. Now that the bug's gone, this is back, and everything, I mean EVERYTHING, is running just fine.

    Please let me know the final steps, and we'll call this chapter closed.

    Thank you so much.
    -Chris
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet.....If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    * Click START then RUN
    * Now type combofix /u in the runbox and click OK.
    * Note: the space between the X and the /U must be there.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.
    4. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    5. After doing the above, you should work through the below link:
    How to Protect yourself from malware!
     
  11. cdolladelayed

    cdolladelayed Private E-2

    Done and done. I'm going to give Norton the boot. Currently downloading the recommended protection from the link you gave me. Tired of these bloated corporate-created programs. And of paying for something that should be free.

    Going with:
    -Antivir
    -A-Squared
    -Comodo firewall
    -Comodo BOClean
    -Spybot
    -Spyware Blaster

    Thanks again.
    -c
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....and yes, freeware is as good as paid for....safe surfing. :)
     
