SASSER VIRUS INFO - lsass.exe terminates with an error code

  • Joyous

Post May 5th, 2004, 12:06 pm

What on earth? Welchia has nothing to do with the lsass exploitability... It sounds like your computer has a lot of problems :(

Ok, here's my suggestion on what to do..

#1: If welchia is gone, then check out :

http://securityresponse.symantec.com/av ... sdbot.html
http://www.pestpatrol.com/pestinfo/b/ba ... %20Removal

Get rid of the backdoor; if nothing else, Ad-Aware or other generic removal programs might even work on it.

#2: Restart your computer. If the window pops up, use shutdown -a and follow the link that I posted in the last post to get rid of your lsass problem.

#3: Restart your computer again, and be happy. (Unless you have random other viruses? ;) )

  • Joyous

Post May 5th, 2004, 1:41 pm

Oh! And of course, the most important part.

http://www.microsoft.com/downloads/deta ... laylang=en

Get that patch, and apply it.

You'll be safe from Sasser. :)

Post May 6th, 2004, 6:11 pm

Hi, I have a Sygate personal firewall, and it has been the only way to stop my computer from turning off. What else can I do to remove Sasser? I don't know what else to do!! :(
  • Ragnar78

Post May 7th, 2004, 12:37 am

Hola que tal?

(It's the only Spanish I know :P )
Check out the specific details for removal instructions in this topic, but I'll make it a little bit easier...
APPLY THE MICROSOFT PATCH (MAS IMPORTANTE)
and then get a removal tool for Sasser.
  • zoolander

Post May 7th, 2004, 1:18 am

So I removed the worm with the removal tool and installed the MS patch, but now I can run my LiveUpdate or load up the Symantec website. I'm thinking the worm caused this. Does anyone know how to fix this problem???
  • Ragnar78

Post May 7th, 2004, 1:32 am

Quote:
So I removed the worm with the removal tool and installed the MS patch, but now I can run my LiveUpdate or load up the Symantec website. I'm thinking the worm caused this. Does anyone know how to fix this problem???


???
You can or you can't?
If you can't, then reinstall your NAV...
  • zoolander

Post May 7th, 2004, 1:34 am

Doh, sorry, typo. I meant I can't. I've already tried reinstalling :(
  • Ragnar78

Post May 7th, 2004, 1:56 am

Sorry, but I don't think Sasser attacks or tries to disable AVs...
Can you tell me if Sasser rebooted your PC a LOT of times?
This might have affected Windows stability... so you might consider repairing it... and reinstall all the patches...
And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked, so...)
  • FireFox

Post May 7th, 2004, 3:54 am

Hi all. :?

OK, can this file Lsass.exe really be moved from your system??

I did everything to get rid of it, scanned with Trojan scanners, virus utils, etc., etc. I later decided to do another format, and a new fresh re-install of XP.

When I got XP onto the system, I downloaded the Trojan tools and virus killers again and did another scan, and guess what, it was found on my system again, how I don't know why... I found the file in the Windows/system32/ directory...

The only way to get rid of this file is to do a Safe Boot mode, and go to that directory and delete it, as you can't delete it in normal Windows mode!!

But I'd still like to know that after formatting my drive 2 times and doing a fresh re-install this poxy file was still here... I even scanned my CDs and didn't find it, so I can only think that it must automatically download itself secretly when you first log in to the internet, OR it doesn't get cleaned by any antivirus or Trojan cleaners...

Any input would be appreciated.

Firefox. 8)
  • Ragnar78

Post May 7th, 2004, 4:13 am

A 4 page input...

PATCH YOUR WINDOWS WITH WINDOWS UPDATE
http://www.ozzu.com/ftopic24247.html
  • zoolander

Post May 7th, 2004, 4:39 am

Ragnar78 wrote:
Sorry, but I don't think Sasser attacks or tries to disable AVs...
Can you tell me if Sasser rebooted your PC a LOT of times?
This might have affected Windows stability... so you might consider repairing it... and reinstall all the patches...
And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked, so...)


I've read that 1 of the symptoms of this worm is that it prevents you from reaching AV sites like Symantec. But anyway, I tried these instructions that I found elsewhere:

-----------------------------------
Open the "Hosts" file in Notepad and delete everything in there apart from this line:

127.0.0.1 localhost
-----------------------------------

And there was this big list of AV sites that included Symantec and F-Secure, so I deleted all those entries and I could reach Symantec finally, but my LiveUpdate still wouldn't update. Uninstalled and reinstalled my AV but no luck. Did a reboot and I was back to square one... couldn't get to Symantec again. Looked into the hosts file and saw that list in there again! I deleted the entries again and uninstalled my Symantec Corp Edition AV, and surfing to those sites was fine. I rebooted my XP and same problem again. So it looks to me like there's some file(s) still on my system causing the problem... Anybody managed to fix this problem??
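An added example, not part of the original post: a small hosts-file audit for the symptom described above, where antivirus vendor names are mapped to an address that cannot reach the real site. The watch list and the sample file contents are constructed for illustration; only "127.0.0.1 localhost" as the clean baseline comes from the quoted instructions.

```python
import ipaddress

# Vendor names the post mentions; extend the list for your environment (assumption).
WATCHED = ("symantec", "f-secure")
BASELINE = {"localhost"}  # the only name the quoted advice keeps

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        for name in fields[1:]:                 # one address may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def is_sinkhole(address):
    """True if the address cannot reach a real remote server."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return findings; 'blocked-vendor' is the pattern described in the thread."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        if name in BASELINE:
            continue
        watched = any(v in name for v in WATCHED)
        kind = "blocked-vendor" if watched and is_sinkhole(address) else "unexpected"
        findings.append({"line": line_no, "address": address, "host": name, "kind": kind})
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com symantec.com   # injected
0.0.0.0 WWW.F-SECURE.COM
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE):
        print(f"line {f['line']}: {f['host']} -> {f['address']} [{f['kind']}]")
```

Running the audit on the real hosts file before and after a reboot shows whether the entries come back, which is the sign that something on the system is still rewriting the file.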
  • ATNO/TW

Post May 7th, 2004, 6:50 am

Zoolander. Turn off system restore and try again.
"The web is a dominatrix. Every where I turn, I see little buttons ordering me to Submit."
Play sports pools and discuss sports topics at Boasting Rights Sports Forum
Get paid to write articles - www.associatedcontent.com
  • conorific

Post May 7th, 2004, 12:19 pm

FireFox:

We already addressed the issue of whether lsass.exe can be deleted. Once again: the Sasser worm targets a vulnerability in lsass.exe. It's not lsass.exe itself that's causing the problem. It's actually a critical system process.

Next time, please read more carefully and ask for clarification if you don't understand. :wink:
  • zoolander

Post May 7th, 2004, 3:25 pm

ATNO/TW wrote:
Zoolander. Turn off system restore and try again.


I turned off my system restore when running the removal tool and it's still off. Any other suggestions?
  • ATNO/TW

Post May 7th, 2004, 4:43 pm

Well, I only had to fix one computer with this worm. Unfortunately, there were two other viruses on the machine. All I did was follow the instructions exactly and use the removal tool for all three (fortunately all three had a removal tool).

The only thing I did differently that I don't believe was recommended or suggested, as far as I could see, was turn on XP's firewall before connecting to the internet again.

I made the assumption that if the perpetrator of the virus had my IP, then the machine was apt to get hit again, probably almost instantaneously.

The owner of the computer hasn't had any problems since and it's been at least 3 or 4 days now, I think. Not sure if that will work for you. I'm just relating what I did, and it was fixed on the first try.