SASSER VIRUS INFO - lsass.exe terminates with an error code

May 8th, 2004, 3:47 pm

Hello,

I was very pleased to find this page whilst searching for virus solutions.
As many have written, my PC started shutting down every twenty minutes, with the same error warning. Sadly last week, it began doing it the moment I logged on to the net. Not being a computer wiz, and desperate for a solution being I couldn't search the net for one. I got the LSA Shell lsass.exe file, and not wanting to delete it, not knowing what it was, I made it unstable by renaming it. It's all good, as I can now log onto the internet and have had no such troubles since, but my question is.....
What does the LSA Shell programme do?! The net appears to run as per normal without it. Should I need it, is it something I can delete and copy from a friends computer, or will it in some way be unique to each machine?
Can some body please help me!!?

[ATNO/TW]

May 8th, 2004, 5:21 pm

Kal-el

re: what Lsass is:

Quote:

Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.

Quoted from Wintasks
http://www.liutilities.com/products/win ... ary/lsass/

You probably don't want to be without it, but your workaround now at least gives you the chance to get rid of the worm and start fresh.

Welcome to OZZU and good luck.

May 8th, 2004, 5:26 pm

Thanks very much for making a reply, I'll take steps to get rid of the worm as advised in earlier posts.
All the best

[ATNO/TW]

May 8th, 2004, 5:34 pm

OK -- but be careful about rebooting. Based on what you said you did, if you reboot, with your current changes to lsass, I seriously suspect, you'll never be able to logon again. And if I recall correctly, the removal tool will require reboot, so make sure you rename lsass back before you do...otherwise have your restore disk handy.

May 9th, 2004, 4:16 pm

Nice idea though for fault finding! Would be interested in knowing what happens if it gets rebooted with it renamed. Care to try it in the name of science? (I'm joking, please don't try it!!)

S

May 13th, 2004, 1:25 pm

Ive done everything, Ive Disabled System restore, Ive ran the sasser remove tool and ive tried to get rid of it manually. When I ran the sasser removal tool it said that lsass was not found anywhere on my computer. Then I pressed ctrl+alt+delete and sure enough lsass.exe and its possy were running. Make sense? Hell no.

Sean

[ATNO/TW]

May 13th, 2004, 1:59 pm

lsass.exe is not the virus. It's supposed to be there.

May 24th, 2004, 10:05 am

I have seen the strings on lSASS.exe and have the same issue - yet when I boot up, I get a blank screen and can do nothing - tried safe mode, safe mode with prompt - Am I dead in the water or is there a saviour out there?
bajan

May 24th, 2004, 10:26 am

welcome to ozzu. no sense in starting a new thread

May 24th, 2004, 1:19 pm

Is there a way in Windows 2000 to stop the sasser worm shutdown process long enough to upload the worm removal tools?

I'm going insane here! Thanks. (-:
All assistance appreciated.

Donna

May 24th, 2004, 1:32 pm

Start ---> Run ---> cmd (or command) and then:

you write ---> shutdown /a

which means abort shutdown

[ATNO/TW]

May 24th, 2004, 3:31 pm

I believe it's shutdown -a (so if the /a doesn't work try that)

June 5th, 2004, 11:41 am

Ok,I hear you all are the ones to come for Sasser help. I've tried virtualy everthing,includeing restoreing the compter more than once. But,not matter what I do I can't seem to rid myself of the thing. My Norton can't work on a Windows XP operatating system,which would be what I have,so I can't get it that way. So,I ask,will you please tell me,in fairly simple terms,I'm only fourteen,how free my comp from the virus?

-Thanks in advance!

June 5th, 2004, 12:07 pm

Um...nevermind....I'm gotten rid of it and updated as many things as possable. But just incase i'm going to check for the virus once a day.

June 5th, 2004, 3:11 pm

just run a firewall that'll solve the problem.