SASSER VIRUS INFO - lsass.exe terminates with an error code

  • DuckIT
  • Graduate
  • Joined: May 04, 2004
  • Posts: 155
  • Loc: London, UK
  • Status: Offline

Post May 4th, 2004, 2:07 pm

I must admit I don't know the full info on this virus, but have seen a similar problem to yours today....

I was working on a poor guy's computer who had got this over the weekend. When I arrived his machine was in a constant reboot loop (i.e. it crashed & burnt before even hitting the desktop. Safe mode was screwed too!). He told me of a system message he got earlier regarding LSASS.exe so I pretty much guessed it was the Sasser virus. Because of the reboot loop I had to use a disc to load the machine (I use the excellent ERD Commander by Winternals). This allowed me to run the Symantec tool, and sure enough I found 18 (!) copies of the virus.

Unfortunately even with all of the above, his machine was still constantly rebooting. I tried a few more things but in the end had to rebuild the OS. Even tried an 'in place upgrade' to keep his settings but that did the same thing! Man this virus can suck! :evil:

I can only guess that perhaps there is some destructive element of Sasser that can occur that maybe wrecks lsass.exe?? It's a pretty essential service.

S
  • conorific
  • Proficient
  • Joined: Jan 12, 2004
  • Posts: 350
  • Loc: NY
  • Status: Offline

Post May 4th, 2004, 2:16 pm

Eeeesh. I'd hate that to happen to my computer. *grabs CPU and holds it protectively*

Is there any word on who's coming out with the miracle fix to kill this thing? If it's anyone, it ought to be Microsoft. Grar. Silly MS.
  • -DaVinci-
  • Born
  • Joined: May 04, 2004
  • Posts: 1
  • Status: Offline

Post May 4th, 2004, 7:25 pm

I'm having the same problem, I have the virus as well. Right now I have ME installed. Should I install XP then get rid of the virus, or get rid of the virus then install?? :shock: damn virus :evil:
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22449
  • Loc: Pittsburgh PA
  • Status: Online

Post May 4th, 2004, 7:35 pm

If you intend to install XP anyway, installing it will basically give you the option to format your drive. That will nix the virus and all the other files on your computer, so do a backup first if you can, (but may not prevent you from getting it again). Windows XP does come with a built in firewall. In my opinion, it's not the best I've seen, but at least it is one. You access it by going to network properties on your network connection and clicking the advanced tab. If I recall the option will be there. (Sorry if that's not 100 percent right that's from memory.)

If you do install XP, make sure your first step after your driver and chipset install is to download the current critical updates. Those should include the updates that will reduce the risk of the Sasser exploitation of the LSASS vulnerability.
  • Ragnar78
  • Proficient
  • Joined: Feb 12, 2004
  • Posts: 279
  • Status: Offline

Post May 5th, 2004, 1:20 am

The best firewall I ever tested while gaming and surfing on the net was the built-in firewall in my AV, PC-cillin Internet Security 2004...

When I use the Direct Connection option for the firewall, and test my PC with the Norton Security Response web, my PC is Stealth all the way, and games never lag, not a bit, and don't even drop connection.

This is why I hate ZoneAlarm... it's good at what it does, but a bit TOO good, so that you have to drop the protection to be able to play games or upload to a web etc...
  • DuckIT
  • Graduate
  • Joined: May 04, 2004
  • Posts: 155
  • Loc: London, UK
  • Status: Offline

Post May 5th, 2004, 4:36 am

If you want to check how open you are, Gibson Research offers a good free firewall check on their site (as well as many handy freeware programs for security etc). Go here:

http://www.grc.com

..and browse down to 'Shields up' in the hotspots area. Note that if you do have a firewall such as ZoneAlarm, it will go crazy whilst you scan your machine as, as far as it's concerned, it's under attack! Do not be alarmed if you get these messages! The common ports test is probably the best for most purposes, but it can scan all the standard <1056 ports.

Also another good tool to see if you have open ports is TCPView by Sysinternals. They make some really good freeware utilities that don't even need installing!:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Be warned though that TCPView isn't for the faint of heart & it won't mean much unless you know what you're looking for. Also remember that these are the open ports on your machine. If you're behind a hardware or software firewall then you will still be protected! It's just handy for spotting ports that a lot of viruses leave open these days.

S
  • FunkerMitis
  • No Avatar
  • Joined: May 05, 2004
  • Posts: 4
  • Status: Offline

Post May 5th, 2004, 9:13 am

OK I'm having a huge problem. I know it's Sasser, because the computer just keeps rebooting. Uhh, I can't even get into Windows with Safe mode before it reboots itself. When the whole warning thing came out, Microsoft refused to let me download a security update. No, my XP is not cracked. Microsoft is just a bunch of bastards. Their Sasser help line doesn't even work.

Uhh... Anyway this began two nights ago when I got back from work. The computer screen was completely frozen, and when I rebooted the computer it just kept restarting. PLEASE tell me I don't have to wipe my system..... Thanks.
  • DuckIT
  • Graduate
  • Joined: May 04, 2004
  • Posts: 155
  • Loc: London, UK
  • Status: Offline

Post May 5th, 2004, 9:32 am

Umm, sorry, but yes, the only resolve I found to this was a rebuild (when it goes into this nasty reboot loop and you can't even get to the desktop).

See my post above on all the things I tried when it did this. Hoping someone can suggest something better though!

S
  • FunkerMitis
  • Born
  • Joined: May 05, 2004
  • Posts: 4
  • Status: Offline

Post May 5th, 2004, 9:36 am

*shudder* I'm an artist, and I'll be hideously screwed if I have to wipe the computer, but if I absolutely have to, I'll do it.... Thanks for the suggestion, every little bit of advice is appreciated!
  • FunkerMitis
  • Born
  • Joined: May 05, 2004
  • Posts: 4
  • Status: Offline

Post May 5th, 2004, 9:39 am

This may be far fetched, but I am able to boot the computer from the CD drive using BIOS and all that wonderful stuff.... If I, perhaps, wrote a CD with something that could get rid of Sasser, would that MAYBE work? I just rolled out of bed and have devoted this whole day to figuring this out........
  • DuckIT
  • Graduate
  • Joined: May 04, 2004
  • Posts: 155
  • Loc: London, UK
  • Status: Offline

Post May 5th, 2004, 9:57 am

What you're suggesting may work *if* you knew what was wrong with Windows - i.e. which files are corrupted or whatever the problem is. I was unable to do this so good luck!

What's the problem with rebuilding? Loss of data I take it? If you can get a program similar to ERD Commander (http://www.winternals.com) to access the files then you can maybe copy them to floppy or something? The data itself should be there still, it's just Windows that's dead. It's just getting at it that can be fun!

Another idea if you have a spare hard disk would be to replace your current hard drive with that, load Windows onto it, then attach your old virused drive as a slave, and copy all the data off that way. Then once you have the data backed up you can rebuild the first hard drive no probs!

S
  • FunkerMitis
  • Born
  • Joined: May 05, 2004
  • Posts: 4
  • Status: Offline

Post May 5th, 2004, 10:03 am

Yeah I'll look into getting that program, because my artwork is sorta crucial to everything.... GRRR to digital art heh.... I'll see about creating a system backup and everything. Thanks for the help!
  • Joyous
  • Newbie
  • Joined: May 05, 2004
  • Posts: 8
  • Status: Offline

Post May 5th, 2004, 10:16 am

For the record, in case anyone didn't know, typing shutdown -a in run will stop the shutdown process.

Was very helpful when I'm trying to remove the stupid thing, giving yourself a minute isn't very useful. ;)

For the record, when I first tried to remove it, I was heading here..

http://support.gateway.com/s/issues/2-976684501.shtml

I was under the impression it was the blaster worm, until I figured out that lsass.exe was causing it all the time.

I'm not sure if anyone has posted a good link for it yet (haven't read 100% of the thread :D ), but here's the one I used.

http://securityresponse.symantec.com/av ... .worm.html

http://emblems.utopiatemple.com/pic21371.jpg

As you see, it worked for me. Hopefully it helps you folks. :)
  • Joyous
  • Newbie
  • Joined: May 05, 2004
  • Posts: 8
  • Status: Offline

Post May 5th, 2004, 10:21 am

As of the update, squeaky clean and working fine, as it did before the stupid Sasser worm.

Don't worry about making CDs or anything silly for it, it's really not necessary. Just check out Symantec's site, grab the fix, and patch it up (after running shutdown -a, or you'll never have time to do it ;) )
  • mercerm
  • Born
  • Joined: May 05, 2004
  • Posts: 1
  • Status: Offline

Post May 5th, 2004, 11:56 am

After I connect to the internet (dial-up), I will soon get a message saying that the system is shutting down by NT AUTHORITY/SYSTEM. I get 60 seconds and it cuts off, it says by lsass.exe or something. When I run Norton anti-virus, it picks up the welchia virus and the backdoor.sdbot virus. Norton was unable to delete or quarantine, it kept failing.
I found a welchia virus tool that took it off, but I can't get rid of this backdoor.sdbot virus, Norton says it's located in windows/system32/system32.exe.

I can't delete it and I tried to in regular and safe mode.

I really would appreciate someone giving me step by step to get rid of this thing.

Last night I used the run: shutdown -a, and downloaded all the current critical updates from Microsoft, like 13 of them, and then turned my computer off. Help me please!