SASSER VIRUS INFO - lsass.exe terminates with an error code

  • Kal-el
  • Born
  • Posts: 2
  • Loc: Cambridge, UK

Post 3+ Months Ago

Hello,

I was very pleased to find this page whilst searching for virus solutions.
As many have written, my PC started shutting down every twenty minutes, with the same error warning. Sadly, last week it began doing it the moment I logged on to the net. Not being a computer whiz, and desperate for a solution, being that I couldn't search the net for one, I got the LSA Shell lsass.exe file and, not wanting to delete it, not knowing what it was, I made it unstable by renaming it. It's all good, as I can now log onto the internet and have had no such troubles since, but my question is...
What does the LSA Shell programme do?! The net appears to run as per normal without it. Should I need it, is it something I can delete and copy from a friend's computer, or will it in some way be unique to each machine?
Can somebody please help me!!?
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Kal-el

re: what Lsass is:

Quote:
Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.


Quoted from Wintasks
http://www.liutilities.com/products/win ... ary/lsass/

You probably don't want to be without it, but your workaround now at least gives you the chance to get rid of the worm and start fresh.

Welcome to OZZU and good luck.
  • Kal-el
  • Born
  • Posts: 2
  • Loc: Cambridge, UK

Post 3+ Months Ago

Thanks very much for making a reply, I'll take steps to get rid of the worm as advised in earlier posts.
All the best
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

OK -- but be careful about rebooting. Based on what you said you did, if you reboot with your current changes to lsass, I seriously suspect you'll never be able to log on again. And if I recall correctly, the removal tool will require a reboot, so make sure you rename lsass back before you do... otherwise have your restore disk handy.
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

Nice idea though for fault finding! Would be interested in knowing what happens if it gets rebooted with it renamed. Care to try it in the name of science? :lol: (I'm joking, please don't try it!!)

S
  • down4thecause
  • Born
  • Posts: 1

Post 3+ Months Ago

I've done everything. I've disabled System Restore, I've run the Sasser removal tool and I've tried to get rid of it manually. When I ran the Sasser removal tool it said that lsass was not found anywhere on my computer. Then I pressed ctrl+alt+delete and sure enough lsass.exe and its posse were running. Make sense? Hell no.

Sean
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

lsass.exe is not the virus. It's supposed to be there.
  • bajanmac
  • Born
  • Posts: 1

Post 3+ Months Ago

I have seen the strings on lSASS.exe and have the same issue - yet when I boot up, I get a blank screen and can do nothing - tried safe mode, safe mode with prompt - Am I dead in the water or is there a saviour out there?
bajan
  • UNFLUX
  • Genius
  • Posts: 6376
  • Loc: twitter.com/unflux

Post 3+ Months Ago

welcome to ozzu. no sense in starting a new thread ;)
  • Donna
  • Newbie
  • Posts: 9

Post 3+ Months Ago

Is there a way in Windows 2000 to stop the sasser worm shutdown process long enough to upload the worm removal tools?

I'm going insane here! Thanks. (-:
All assistance appreciated.

Donna
  • basdog22
  • Novice
  • Posts: 21
  • Loc: Hellas

Post 3+ Months Ago

Start ---> Run ---> cmd (or command) and then:

you write ---> shutdown /a

which means abort shutdown

:wink:
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

I believe it's shutdown -a (so if the /a doesn't work try that)
  • Neko
  • Born
  • Posts: 2

Post 3+ Months Ago

OK, I hear you all are the ones to come to for Sasser help. I've tried virtually everything, including restoring the computer more than once. But no matter what I do I can't seem to rid myself of the thing. My Norton can't work on a Windows XP operating system, which would be what I have, so I can't get it that way. So, I ask, will you please tell me, in fairly simple terms (I'm only fourteen), how to free my comp from the virus?

-Thanks in advance!
  • Neko
  • Born
  • Posts: 2

Post 3+ Months Ago

Um... never mind... I've gotten rid of it and updated as many things as possible. But just in case, I'm going to check for the virus once a day.
  • SSH-Raj
  • Expert
  • Posts: 588

Post 3+ Months Ago

just run a firewall that'll solve the problem.
  • db
  • Born
  • Posts: 2

Post 3+ Months Ago

Great help topic here. I'm trying to buy some more time to download the patches, but the command 'shutdown' does not work for me on Windows 2000.

Start > Run > shutdown -a
"Cannot find the file 'shutdown' (or one of its components). Make sure path and filename are correct blah blah blah...."

Prompt> shutdown -a
'shutdown' is not recognized as an internal or external command, blah blah...


Anyone know the command to abort the shutdown on Win2K?
  • db
  • Born
  • Posts: 2

Post 3+ Months Ago

Ok after some searching around, I'll answer my own question so that someone else may benefit.

shutdown.exe is not included with Win2K, but is offered as part of the Windows 2000 Resource Kit ($69.99).

Some Googling turned up a link to that single file itself at this site.


Thanks for this helpful topic.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

We are delighted that you found useful information in it. And thanks for the updated tip. That was information I was unaware of. Welcome to OZZU.
  • BSRipper
  • Newbie
  • Posts: 6
  • Loc: Ohio

Post 3+ Months Ago

Hey guys, just an update! The Sasser worm will make it so you can't log on. It happened to me; the only way to fix it at this point is to reload.
  • Mat28590
  • Born
  • Posts: 3

Post 3+ Months Ago

Hey guys, I'm Mat. I'm not exactly a computer genius but I know a thing or two about Sasser. I still have it and have had it for months now. It's a tricky bastard. I've downloaded loadsa removal tools for it but none seem to work :roll: It seems to work in the exact same way as Blaster, which I have also had in the past, but that was easy to get rid of. That is, a small window pops up after about two minutes of being on the internet. It tells me that isass.exe has unexpectedly terminated and the system will shut down in sixty seconds. In response to someone earlier, let me please make it clear: isass.exe is not the virus; do not modify this file, otherwise u will be pretty screwed. The reason the system is restarting is because the virus has corrupted a Windows file, so after so long of the port being opened to the internet it terminates isass, which is the cause of the system reboot. It works in the same way as Blaster; the Blaster virus causes the process RCE to terminate, which pops up the same window.

Now I've only just turned 14, therefore if you are in the same situation as me of not being able to remove the virus I'm afraid I can't help you there. However, I have told you what not to do, and your decision to listen to me or not is up to you.

Someone else had a query on temporarily preventing the shutdown on a 2k computer, I believe. You said you tried opening Run and executing <shutdown - a> or <shutdown /a>. I have another solution which I quite luckily stumbled upon. Now as long as the window pops up displaying the time left until shutdown this should work. All you have to do is turn your clock back a few hours! That's it. However, make sure you don't turn it back over midnight to the previous day. For example: if the time is 01.00 don't turn it back to 23.00, otherwise this will cause an immediate reboot.

Thank you for your time and I hope I have been of some assistance on what not to do. Please post if you have any solutions for me.

Mat
  • Mat28590
  • Born
  • Posts: 3

Post 3+ Months Ago

Hey guys it's me again (mat) Does any1 know how 2 make an external hard drive your main drive and your current one the slave,

thanks in advance
  • Mat28590
  • Born
  • Posts: 3

Post 3+ Months Ago

Hi there, I'm Mat (again, more questions). I just made a post regarding the Sasser worm on the board entitled summin like "lsass.exe terminates with..." I was kinda hoping u could help me. I've had it for a while now, and just can't seem to get rid of it. I've tried downloading various removal tools and none seem to find it. I have Sophos antivirus and downloaded .ide files for the different variants of it (a-f); that didn't work. It must be Sasser cos after being on the internet for about 3 mins it terminates the process lsass.exe - making the window thing pop up giving me 60 seconds until it reboots. I know how to prevent it rebooting though. It seems to work in a similar way to Blaster, though the RCE process isn't terminated.

Also I have a couple of other questions: can it gradually become more unstable? Someone posted about lsass being totally wrecked and the PC not even being able to reach the desktop before reboot. Could this happen to me cos I've had Sasser a long time...

My final question is about a solution someone posted on the same board. If I were to buy a new external hard drive which plugs into my USB port, could I make that the main drive and my internal one the slave, or would I have to get someone in to fit a whole new internal one; and if so could I still use my current internal one as an external slave?

Thank you for your time reading this message; perhaps you could read my posted messages as well if time allows. A response would be appreciated very much.

Mat
  • mas77
  • Proficient
  • Posts: 258

Post 3+ Months Ago

does anybody know how the virus came so that it can be avoided, is it spread through network computers or just from the net off some websites
  • BSRipper
  • Newbie
  • Posts: 6
  • Loc: Ohio

Post 3+ Months Ago

It spreads through the net, piggybacking on downloads and email.
  • mas77
  • Proficient
  • Posts: 258

Post 3+ Months Ago

I know that but piggy places like what, be more specific
  • BSRipper
  • Newbie
  • Posts: 6
  • Loc: Ohio

Post 3+ Months Ago

Here is a link on all the different Sasser worm variants. I found it at McAfee:
http://vil.nai.com/vil/alphar.asp
  • lalitha07
  • Born
  • Posts: 1

Post 3+ Months Ago

Hi,

I have the same problem on my laptop running on XP. I get the whole shutdown in 60 secs msg and this happens even when I'm off the internet. I ran the Sasser and Blaster removal kit and it came up saying that I did NOT have either of the worms on my machine.

I've faithfully gone thro all 6 pages of this thread - almost everyone who has this problem has one of the worms in their system. So has anyone seen this msg pop up when the worm is not there? Or am I not running the right tool to find the worm? I am not able to do anything for 5 mins at a time on my laptop, it's maddening, please help!

thanks,
lalitha.
  • Animefoo
  • Born
  • Posts: 2
  • Loc: Los Angeles

Post 3+ Months Ago

On windows 2k, the best way to stop LSASS from crashing is by running the following in the command prompt:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

If you're already infected, or think you are, look for these signs and kill the process if it's running in the task manager

anything with 4 or more numbers and “_up.exe” (for example, 12345_up.exe)

anything starting with avserve (for example, avserve.exe, avserve2.exe)

or the following processes: skynetave.exe, hkey.exe, msiwin84.exe, or wmiprvsw.exe


Haven't tried the dcpromo.log fix on XP, should still work though.

If all else fails, there's always housecall.antivirus.com.

Good Luck.
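
The process-name indicators listed in the post above, turned into a check over a process listing. This is an added example, not part of the original thread; it assumes the listing is CSV in the layout that `tasklist /fo csv` prints, reads "4 or more numbers" as an all-digit prefix, and uses constructed sample rows.

```python
import csv
import io
import re

# Indicators exactly as listed in the post above; nothing else is flagged.
# Assumption: "4 or more numbers and _up.exe" means an all-digit prefix.
NUMERIC_UP = re.compile(r"^\d{4,}_up\.exe$")
AVSERVE = re.compile(r"^avserve")
NAMED = {"skynetave.exe", "hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}

def classify(image_name):
    """Return why a process name matches the post's list, or None."""
    name = image_name.strip().lower()  # Windows file names are case-insensitive
    if NUMERIC_UP.match(name):
        return "4+ digits followed by _up.exe"
    if AVSERVE.match(name):
        return "name starts with avserve"
    if name in NAMED:
        return "listed process name"
    return None

def scan_tasklist_csv(text):
    """Parse a CSV process listing; return (image name, pid, reason) per hit."""
    hits = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0] == "Image Name":
            continue  # skip blank lines and the header row
        reason = classify(row[0])
        if reason:
            hits.append((row[0], row[1], reason))
    return hits

# Constructed sample. lsass.exe and wmiprvse.exe (the real WMI provider host)
# are legitimate and must not be flagged; 123_up.exe has only three digits.
SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","716","Console","0","1,532 K"
"svchost.exe","884","Console","0","4,120 K"
"avserve2.exe","1340","Console","0","2,048 K"
"12345_up.exe","1588","Console","0","1,900 K"
"123_up.exe","1600","Console","0","1,100 K"
"wmiprvse.exe","1712","Console","0","3,300 K"
"WMIPRVSW.EXE","1800","Console","0","2,700 K"
'''

if __name__ == "__main__":
    for name, pid, reason in scan_tasklist_csv(SAMPLE):
        print(f"{name} (PID {pid}): {reason}")
```

A name match is only a lead: the one-letter difference between wmiprvsw.exe and the legitimate wmiprvse.exe shows why exact comparison matters here.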
  • woohooo
  • Born
  • Posts: 1

Post 3+ Months Ago

Hi All,

Okay, I'm having problems. My laptop is running WinXP Home. I had a corrupt win32/config/system file. I used the recovery console and renamed the old system file. I then went to my repair folder but only found a system.bak file. I copied it to my system folder and took off the bak extension. Now I get the lsasse.exe error message at boot up and it won't let me get to the desktop. So I try to go to the recovery console again (I was going to replace the new system file with another from my desktop), but the recovery console won't let me enter without an admin password!!! What?! I never used one on my laptop before! Was there a default password on that system.bak file? Please help! My last resort is to take out the HDD and stick it in my desktop, get my important files and do a fresh install.

Byron
  • MacemanDerek
  • Born
  • Posts: 4

Post 3+ Months Ago

I have noticed that in my taskman's processes there is lsass. This lsass.exe has problems: its memory usage keeps rising. Normally it would be about 5mb usage. But after an hour of being online it is over 200mb usage. This extremely lags my computer once it passes my 512mb limit. I read on a website that if you have this virus it disables access to anti-virus websites. Well, because of that I can't download the removal tool. I did a scan with my AVG antivirus and a scan on microsoft.com; they both found nothing.

My svchost.exe uses tons of CPU now! Before it was always under 1%, now it is never under 20%. This lags my computer also when I'm running other stuff.

When I play this game called 'Stronghold' it lags more than it used to. The taskman says it uses around 100% CPU. Before I got this virus or whatever it is, it was never over 10%.

I hope someone can help me, if not thanks anyway for having a great site like this up to help out people.
Post Information

  • Total Posts in this topic: 99 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.