SASSER VIRUS INFO - lsass.exe terminates with an error code

  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

Every twenty minutes or so, I get a message stating that lsass.exe has terminated with -(bunch of numbers) and the system will shut down in 60 seconds. I run Windows XP Home. What's happening, and how can I stop it?
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

You have a virus, and the newest one... it's the Sasser worm...
It hits the Lsass.exe vulnerability...

If you have an AV then update it and scan your PC... if not, try a web scan from some of the biggest companies like Norton, McAfee or Trend Micro...

Oh, and update Windows... grab the latest patches...
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

In case it's the virus, which I'm 90% sure it is,
this is what you should do:

Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file(s) detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
avserve.exe = %Windows%\avserve.exe
Close Registry Editor.
(taken from the Trend Micro website)
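As an added example (my own script, not from Ragnar78's post or from Trend Micro), here is the same sequence of checks done with PowerShell instead of Task Manager and Regedit: it looks for running processes, HKLM Run values and files named avserve/avserve2, reports what it finds, and deletes only when started with -Remove from an elevated prompt. The process names, the Run key and the %Windows% location come from this thread; the script structure, the -Remove switch and the output format are my own assumptions.

```powershell
# Added example: audit for the Sasser indicators named in this thread
# (avserve.exe / avserve2.exe, the HKLM ...\Run value, %Windows%\avserve.exe).
# Read-only by default; run elevated with -Remove to kill and delete.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$names    = @('avserve', 'avserve2')      # base file names reported in the thread
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Running processes (the Task Manager step).
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($names -contains $p.ProcessName.ToLower()) {
        Add-Finding 'Process' $p.ProcessName "PID $($p.Id), path $($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Autostart values under HKLM Run whose name or command references the worm.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # provider bookkeeping, not Run values
        $cmd = [string]$prop.Value
        $hit = $names | Where-Object { $prop.Name -ieq "$_.exe" -or $cmd -match "(?i)(^|\\)$_\.exe" }
        if ($hit) {
            Add-Finding 'RunKey' $prop.Name $cmd
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
        }
    }
}

# 3. The dropped file itself in %Windows% (the thread's %Windows%\avserve.exe).
foreach ($n in $names) {
    $file = Join-Path $env:WINDIR "$n.exe"
    if (Test-Path -LiteralPath $file) {
        Add-Finding 'File' "$n.exe" $file
        if ($Remove) { Remove-Item -LiteralPath $file -Force }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sasser indicators found.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remove) { Write-Output 'Re-run elevated with -Remove to stop and delete the items above.' }
}
```

Run it once without -Remove and read the table; an empty table after a cleanup means the three places the instructions above point at are clear. As the rest of this thread makes clear, a clean table is only half the job: without the Windows patch and a firewall the machine is reinfected as soon as it is reachable again, so the audit is worth re-running after the first reboot.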
  • dimchandeliers
  • Newbie
  • Posts: 13

Post 3+ Months Ago

Here are some of the processes running. I've done searches, but no info. I ran Ad-Aware and got rid of a lot of bad stuff but some is still there.


1. avserve.exe
2. avserve2.exe
3. hognubn.exe
4. rundll32 cwcprops
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

These are the Sasser worm...
You have to remove them manually...
I posted an explanation in the 'Lsass' topic.
  • UNFLUX
  • Genius
  • Posts: 6367
  • Loc: twitter.com/unflux

Post 3+ Months Ago

good info - thanks Ragnar78 :D
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

*sighs* Two posts on the Sasser worm in one day. Now I need to go look this up and find out what it does and how it replicates so I don't have to go around fixing a bunch of computers next week.

Like UNFLUX said, Ragnar78, good info (see, I even spelled your name right this time *wink*).
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Thanks ATNO/TW and UNFLUX :D

Actually the worm is like Witty: it doesn't spread through mail, it just needs to see that you're online...

I'm wondering what MS process doesn't have a vulnerability? :shock:
  • Scar
  • Born
  • Posts: 1

Post 3+ Months Ago

The same is happening to me, it's the Sasser worm. I keep deleting it with Norton but it keeps coming back...

Every time I come on it says "LSA Shell (export version) error". After about 20 - 40 minutes it will then start the NT AUTHORITY/SYSTEM crap and give me 60 seconds.
  • dimchandeliers
  • Newbie
  • Posts: 13

Post 3+ Months Ago

WARNING
I downloaded and ran AVERT's Stinger. It detected and removed the Sasser worm. BTW, I disabled System Restore as instructed.
I'm back online and AVSERVE2 is RUNNING AGAIN!!!!!!!!!
Seems like every time I go online the worm returns.
HELP!!!!!!!!!!!
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Symantec has a removal tool for W32.Sasser.Worm and W32.SasserB.Worm and can be found here along with instructions:

http://securityresponse.symantec.com/av ... .tool.html

More information about SasserB can be found here:
http://securityresponse.symantec.com/av ... .worm.html

And about Sasser here:
http://securityresponse.symantec.com/av ... .worm.html

You do not have to have Norton or Symantec AV protection to use the tool.
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Don't forget to update Windows...
It's a patch that is needed, and not only a removal tool..

Actually Sasser doesn't need to be sent by email or executed to be activated on a PC...
You just have to be connected for it to work...
  • UNFLUX
  • Genius
  • Posts: 6367
  • Loc: twitter.com/unflux

Post 3+ Months Ago

I merged the 2 sasser threads together, since it's all the same info/topic
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Thanks UNFLUX -- I should have thought of that. I think I'm going to remote into work and check things out and do some Critical updates on the computers that are lacking.
  • The^Watcher
  • Student
  • Posts: 72
  • Loc: Sabah, Malaysia

Post 3+ Months Ago

Regarding this worm W32/Sasser.A...
If I get infected with it.. besides using a protection... can I get rid of it by reformatting and reinstalling the system?
  • SeanLeclaire626
  • Born
  • Posts: 1

Post 3+ Months Ago

I searched the net for lsass.exe error, and came to this forum, and saw this post of my exact problem. I followed everything that was said to do, but it would seem it didn't do much for my computer; it still comes up with the error after about 20-40 mins and restarts, just to do it again after another amount of time. I've deleted the autostart file from the registry and closed it from the Task Manager. I've run the Symantec removal tool, and it said I didn't have the virus. I'm downloading an AV, even though I've scanned my computer and that's how I got rid of what I first came upon, which was a file MSBLAST.exe. Can somebody please help me out? I even did a system restore, so I have no programs on my computer, which means it hasn't the updates for Windows, and I can't get them because it takes longer than 20 mins to get them, so I have a small problem there. Thx for your time
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Hi,

Well actually MSBlaster does the same thing (in a very simplified way) as Sasser: they both shut down your PC.

Now honestly, I suggest you try and grab all the Windows patches through Updates...
Sasser can only be removed by the Norton removal tool, but it can reinstall itself easily due to a flaw in Lsass.exe that needs to be patched... so no matter how often you remove it, you will still grab Sasser.

The same goes for MSBlaster... you can remove the processes but you will get it back again due to a flaw in the DCOM RPC that Windows uses...
So if you are attacked with MSBlaster or Sasser, no matter how tough the AV you have, you will still be infected...
Now the only solution I find, since you cannot update correctly, is to set your firewall to the highest possible security level...
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

heeheee -- I knew when I read these posts over the weekend, I'd be fixing this on somebody's machine; sure enough, I'm sitting here with one of our executive's 80 year old mother's computer with Sasser, Welchia and Blaster on it! *lol* I'll let you know how it goes.
  • dimchandeliers
  • Newbie
  • Posts: 13

Post 3+ Months Ago

The Sasser is gone!
Thanks guys.
Big outbreak though. It's all over the news.
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

There are a couple of key things in avoiding a recurrence.
1) Make sure you have the patch installed. The patch was released April 13 in critical updates and you should install it if you haven't done so already. (You may need to run the worm removal tool first before downloading the patch if you hadn't done so prior.)

http://www.microsoft.com/security/secur ... indows.asp

2) The patch should take care of things, but if you are on XP enable the Firewall, or get a firewall program like ZoneAlarm, or use Symantec's or McAfee's Firewall if available.

3) If you are on XP, make sure you disable the "restore" as described in the Symantec Security Response article before running the removal tool.

http://securityresponse.symantec.com/av ... .tool.html

4) In the last 30 days, there have been over 100 viruses/trojans/worms identified. Here are some "best practices" that Symantec recommends:

Quote:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


//added note from what I've been reading today -- if you have a hardware firewall or your company uses a hardware firewall you should be at low risk on Sasser. BTW it appears two more variants appeared over the weekend.

http://www.symantec.com/avcenter/venc/d ... .worm.html
http://www.symantec.com/avcenter/venc/d ... ser.d.html
  • tyalangan
  • Born
  • Posts: 1
  • Loc: Chicago

Post 3+ Months Ago

Hi guys. I need some help. I definitely have this Sasser thing going on but the fix-it tool from Microsoft doesn't work. I am not a computer genius in the least - I stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

Thanks!
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

tyalangan wrote:
Hi guys. I need some help. I definitely have this Sasser thing going on but the fix-it tool from Microsoft doesn't work. I am not a computer genius in the least - I stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

Thanks!


What OS? XP or Win2K? Read everything I just posted above you. I gave every detail I found today. The Firewall is particularly important (especially if you are on broadband), because if your ports remain open, the attacking computer may find you again easily and reinstall it.

P.S. Try the removal tool from symantec. It worked for the one computer I had that was infected:

http://securityresponse.symantec.com/av ... .tool.html
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

ZoneAlarm is a good free firewall (for personal use) and as long as you're not trying to do anything complicated over the net the default install should be fine. Otherwise it may need some fiddling if you do VPNs or gaming etc. to get it working properly.

A big agree on the Symantec removal tools. Use them all the time. They take forever to run, but work very well.

By the way, this site is number 4 on the list if you do a search in Google for 'Removing Sasser' so you may get a *few* hits to this thread :lol:
  • aggie
  • Born
  • Posts: 1

Post 3+ Months Ago

Hello, I have tried deleting the lsass.exe in the running processes window. I am denied access even though I am an administrator. I have also tried running the removal tool I downloaded from Norton. It comes back saying that there is no Sasser on the computer. What am I missing? We have 2 computers with lsass.exe in the running processes, both Windows 2000.
Thanks
Rick
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

lsass.exe should be running on both computers aggie. That's not the worm. That's the Windows service that the worm tries to exploit. You should be OK.
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

Aggie: lsass.exe is one of them spooky critical system processes. As ATNO/TW said, the worm infects a vulnerability in it. Welcome to Microsoft :x

To everyone else: thank you for replying. I came back here a few days after I started the thread, because I found it on my laptop (gar!) and it came back after I tried to remove it. Good thing I discovered all the info here.

I'm going to run the Symantec tool, download Windows patches and crank up the firewall. I'll let you know if anything else happens.

In the meantime, I've just had the Task Manager open so I can kill inetman.exe and cool.exe when they come up on the list of processes. Works so far.

*le sigh*
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

................Maggie's bewildered!

I ran the Symantec tool, and...behold! I HAVE NO WORM. But five minutes before, NT AUTHORITY killed my computer after 60 seconds.

What the hell happened?
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Don't question your luck :D
As long as you applied the patch and didn't find the worm... it's good :wink:
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

But that's just it! I didn't do aaaaaaaaanything. Cursèd computers. Whatever.
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

I must admit I don't know the full info on this virus, but have seen a similar problem to yours today....

I was working on a poor guy's computer who had got this over the weekend. When I arrived his machine was in a constant reboot loop (i.e. it crashed & burnt before even hitting the desktop. Safe mode was screwed too!). He told me of a system message he got earlier regarding LSASS.exe so I pretty much guessed it was the Sasser virus. Because of the reboot loop I had to use a disc to load the machine (I use the excellent ERD Commander by Winternals); this allowed me to run the Symantec tool, and sure enough I found 18 (!) copies of the virus.

Unfortunately even with all of the above, his machine was still constantly rebooting. I tried a few more things but in the end had to rebuild the OS. Even tried an 'in place upgrade' to keep his settings but that did the same thing! Man, this virus can suck! :evil:

I can only guess that perhaps there is some destructive element of Sasser that can occur that maybe wrecks lsass.exe?? It's a pretty essential service.

S
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

Eeeesh. I'd hate that to happen to my computer. *grabs CPU and holds it protectively*

Is there any word on who's coming out with the miracle fix to kill this thing? If it's anyone, it ought to be Microsoft. Grar. Silly MS.
  • -DaVinci-
  • Born
  • Posts: 1

Post 3+ Months Ago

I'm having the same problem, I have the virus as well. Right now I have ME installed; should I install XP then get rid of the virus, or get rid of the virus then install?? :shock: damn virus :evil:
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

If you intend to install XP anyway, installing it will basically give you the option to format your drive. That will nix the virus and all the other files on your computer, so do a backup first if you can (but it may not prevent you from getting it again). Windows XP does come with a built-in firewall. In my opinion, it's not the best I've seen, but at least it is one. You access it by going to network properties on your network connection and clicking the Advanced tab. If I recall, the option will be there. (Sorry if that's not 100 percent right, that's from memory.)

If you do install XP, make sure your first step after your driver and chipset install is to download the current critical updates. Those should include the updates that will reduce the risk of the Sasser exploitation of the lsass vulnerability.
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

The best firewall I ever tested while gaming or surfing the net was the built-in firewall in my AV, PC-cillin Internet Security 2004...

When I use the Direct Connection option for the firewall and test my PC with the Norton Security Response web, my PC is stealth all the way, and games never lag, not a bit, and don't even drop connection.

This is why I hate ZoneAlarm... it's good at what it does, but a bit TOO good, so that you have to drop the protection to be able to play games or upload to a web etc...
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

If you want to check how open you are, Gibson Research offers a good free firewall check on their site (as well as many handy freeware programs for security etc.). Go here:

http://www.grc.com

..and browse down to 'Shields Up' in the hotspots area. Note that if you do have a firewall such as ZoneAlarm, it will go crazy whilst you scan your machine as, as far as it's concerned, it's under attack! Do not be alarmed if you get these messages! The common ports test is probably the best for most purposes, but it can scan all the standard <1056 ports.

Also another good tool to see if you have open ports is TCPView by Sysinternals. They make some really good freeware utilities that don't even need installing!:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Be warned though that TCPView isn't for the faint of heart & it won't mean much unless you know what you're looking for. Also remember that these are the open ports on your machine. If you're behind a hardware or software firewall then you will still be protected! It's just handy for spotting ports that a lot of viruses leave open these days.

S
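As an added example (my own script, not from DuckIT's post and not part of TCPView or Shields Up), the same "which ports are listening, and which program owns them" view in PowerShell. It uses Get-NetTCPConnection, which exists on Windows 8 / Server 2012 and later but not on the XP and 2000 systems this thread is about (netstat -ano gives the same data there). The Exposed column marks listeners bound to every interface rather than loopback; the allowlist of expected ports is a placeholder you fill in for the host's role.

```powershell
# Added example: list TCP listeners with their owning process and flag those
# reachable from the network (bound to 0.0.0.0 / ::) that are not on an
# allowlist you maintain. Requires Windows 8+ / Server 2012+.
param([int[]]$ExpectedPorts = @())   # placeholder: ports this host is supposed to serve

function Get-ListenerReport {
    param([int[]]$Expected)
    Get-NetTCPConnection -State Listen | ForEach-Object {
        # Owning process may already be gone or be a protected system process.
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $local = $_.LocalAddress
        [pscustomobject]@{
            Address  = $local
            Port     = $_.LocalPort
            PID      = $_.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Exposed  = ($local -eq '0.0.0.0' -or $local -eq '::')
            Expected = ($Expected -contains $_.LocalPort)
        }
    } | Sort-Object Port, Address
}

$report = Get-ListenerReport -Expected $ExpectedPorts
$report | Format-Table -AutoSize

# Anything listening on all interfaces that is not on the allowlist deserves a look.
$unexpected = @($report | Where-Object { $_.Exposed -and -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) network-reachable listener(s) outside the expected list:"
    $unexpected | Format-Table Port, Process, PID -AutoSize
}
```

The point the post makes still holds here: a listener shown as Exposed is only reachable if nothing between the host and the internet filters it, so read this table together with the result of an outside scan such as the Shields Up check. Run it before and after cleaning a machine; a listener that disappears with the worm's process is the kind of "port a virus leaves open" DuckIT refers to. UDP listeners are not covered; Get-NetUDPEndpoint lists those.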
  • FunkerMitis
  • Born
  • Posts: 4

Post 3+ Months Ago

OK, I'm having a huge problem. I know it's Sasser, because the computer just keeps rebooting. Uhh, I can't even get into Windows with Safe mode before it reboots itself. When the whole warning thing came out, Microsoft refused to let me download a security update. No, my XP is not cracked. Microsoft is just a bunch of bastards. Their Sasser help line doesn't even work.

Uhh... Anyway this began two nights ago when I got back from work. The computer screen was completely frozen, and when I rebooted the computer it just kept restarting. PLEASE tell me I don't have to wipe my system..... Thanks.
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

Umm, sorry, but yes, the only resolution I found to this was a rebuild (when it goes into this nasty reboot loop and you can't even get to the desktop).

See my post above on all the things I tried when it did this. Hoping someone can suggest something better though!

S
  • FunkerMitis
  • Born
  • Posts: 4

Post 3+ Months Ago

*shudder* I'm an artist, and I'll be hideously screwed if I have to wipe the computer, but if I absolutely have to, I'll do it.... Thanks for the suggestion, every little bit of advice is appreciated!
  • FunkerMitis
  • Born
  • Posts: 4

Post 3+ Months Ago

This may be far fetched, but I am able to boot the computer from the CD drive using BIOS and all that wonderful stuff.... If I, perhaps, wrote a CD with something that could get rid of Sasser, would that MAYBE work? I just rolled out of bed and have devoted this whole day to figuring this out........
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

What you're suggesting may work *if* you knew what was wrong with Windows, i.e. which files are corrupted or whatever the problem is. I was unable to do this, so good luck!

What's the problem with rebuilding? Loss of data I take it? If you can get a program similar to ERD Commander (http://www.winternals.com) to access the files then you can maybe copy them to floppy or something? The data itself should be there still, it's just Windows that's dead. It's just getting at it that can be fun!

Another idea, if you have a spare hard disk, would be to replace your current hard drive with that, load Windows onto it, then attach your old virused drive as a slave, and copy all the data off that way. Then once you have the data backed up you can rebuild the first hard drive, no probs!

S
  • FunkerMitis
  • Born
  • Posts: 4

Post 3+ Months Ago

Yeah I'll look into getting that program, because my artwork is sorta crucial to everything.... GRRR to digital art heh.... I'll see about creating a system backup and everything. Thanks for the help!
  • Joyous
  • Newbie
  • Posts: 8

Post 3+ Months Ago

For the record, in case anyone didn't know, typing shutdown -a in Run will stop the shutdown process.

Was very helpful when I was trying to remove the stupid thing; being given a minute isn't very useful. ;)

For the record, when I first tried to remove it, I was heading here..

http://support.gateway.com/s/issues/2-976684501.shtml

I was under the impression it was the Blaster worm, until I figured out that lsass.exe was causing it all the time.

I'm not sure if anyone has posted a good link for it yet (haven't read 100% of the thread :D ), but here's the one I used.

http://securityresponse.symantec.com/av ... .worm.html

http://emblems.utopiatemple.com/pic21371.jpg

As you see, it worked for me. Hopefully it helps you folks. :)
  • Joyous
  • Newbie
  • Posts: 8

Post 3+ Months Ago

As of the update, squeaky clean and working fine, as it did before the stupid Sasser worm.

Don't worry about making CDs or anything silly for it, it's really not necessary. Just check out Symantec's site, grab the fix, and patch it up (after running shutdown -a, or you'll never have time to do it ;) ).
  • mercerm
  • Born
  • Posts: 1

Post 3+ Months Ago

After I connect to the internet (dial-up), I will soon get a message saying that the system is shutting down by NT AUTHORITY/SYSTEM. I get 60 seconds and it cuts off; it says by lsass.exe or something. When I run Norton Anti-Virus, it picks up the Welchia virus and the Backdoor.Sdbot virus. Norton was unable to delete or quarantine, it kept failing.
I found a Welchia virus tool that took it off, but I can't get rid of this Backdoor.Sdbot virus; Norton says it's located in windows/system32/system32.exe.

I can't delete it, and I tried to in regular and safe mode.

I really would appreciate someone giving me step by step to get rid of this thing.

Last night I used Run: shutdown -a, and downloaded all the current critical updates from Microsoft, like 13 of them, and then turned my computer off. Help me please!
  • Joyous
  • Newbie
  • Posts: 8

Post 3+ Months Ago

What on earth? Welchia has nothing to do with the lsass exploitability.. it sounds like your computer has a lot of problems :(

Ok, here's my suggestion on what to do..

#1: If Welchia is gone, then check out:

http://securityresponse.symantec.com/av ... sdbot.html
http://www.pestpatrol.com/pestinfo/b/ba ... %20Removal

Get rid of the backdoor; if nothing else, Ad-Aware or other generic removal programs might even work on it.

#2: Restart your computer; if the window pops up use shutdown -a and follow the link that I posted in the last post to get rid of your lsass problem.

#3: Restart your computer again, and be happy. (Unless you have random other viruses? ;) )
  • Joyous
  • Newbie
  • Posts: 8

Post 3+ Months Ago

Oh! And of course, the most important part.

http://www.microsoft.com/downloads/deta ... laylang=en

Get that patch, and apply it.

You'll be safe from sasser. :)
  • meteorogold
  • Born
  • Posts: 1

Post 3+ Months Ago

Hi, I have a Sygate personal firewall, and it has been the only way to stop my computer turning off. What else can I do!!! to remove Sasser... what else, I don't know what to do!! :(
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Hola que tal?

(it's the only Spanish I know :P )
Check out the specific details for removal instructions in this topic, but I'll make it a little bit easier...
APPLY THE MICROSOFT PATCH (MAS IMPORTANTE)
and then get a removal tool for Sasser.
  • zoolander
  • Born
  • Posts: 4

Post 3+ Months Ago

So I removed the worm with the removal tool and installed the MS patch, but now I can run my LiveUpdate or load up the Symantec website. I'm thinking the worm caused this. Does anyone know how to fix this problem???
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Quote:
So I removed the worm with the removal tool and installed the MS patch, but now I can run my LiveUpdate or load up the Symantec website. I'm thinking the worm caused this. Does anyone know how to fix this problem???


???
You can or you can't?
If you can't, then reinstall your NAV...
  • zoolander
  • Born
  • Posts: 4

Post 3+ Months Ago

Doh, sorry, typo. I meant I can't. I've already tried reinstalling :(
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Sorry, but I don't think Sasser attacks or tries to disable AVs...
Can you tell me if Sasser rebooted your PC a LOT of times?
This might have affected Windows stability... so you might consider repairing it... and reinstalling all the patches...
And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked, so...)
  • FireFox
  • Born
  • Posts: 1

Post 3+ Months Ago

Hi all. :?

Ok, can this file Lsass.exe really be removed from your system??

I did everything to get rid of it: scanned with Trojan scanners, virus utils, etc, etc. I later decided to do another format and a new fresh reinstall of XP.

When I got XP onto the system, I downloaded the Trojan tools and virus killers again and did another scan, and guess what, it was found on my system again; how, I don't know why.. I found the file in the Windows/system32/ directory...

Only way to get rid of this file is to do a safe boot mode, go to that directory and delete it, as you can't delete it in normal Windows mode!!

But I'd still like to know why, after formatting my drive 2 times and doing a fresh reinstall, this poxy file was still here.. I even scanned my CDs and didn't find it, so I can only think that it must automatically download itself secretly when you first log in to the internet, OR it doesn't get cleaned by any antivirus or Trojan cleaners..

Any input would be gratefully received.

Firefox. 8)
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

A 4 page input...

PATCH YOUR WINDOWS WITH WINDOWS UPDATE
http://www.ozzu.com/ftopic24247.html
  • zoolander
  • Born
  • Posts: 4

Post 3+ Months Ago

Ragnar78 wrote:
Sorry, but I don't think Sasser attacks or tries to disable AVs...
Can you tell me if Sasser rebooted your PC a LOT of times?
This might have affected Windows stability... so you might consider repairing it... and reinstalling all the patches...
And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked, so...)


I've read that one of the symptoms of this worm is that it prevents you from reaching AV sites like Symantec. But anyways, I tried these instructions that I found elsewhere:

-----------------------------------
Open the "Hosts" file in Notepad and delete everything in there apart from this line:

127.0.0.1 localhost
-----------------------------------

and there was this big list of AV sites that included Symantec and F-Secure, so I deleted all those entries and I could reach Symantec finally, but my LiveUpdate still wouldn't update. Uninstalled and reinstalled my AV but no luck. Did a reboot and I was back to square one... couldn't get to Symantec again. Looked into the hosts file and saw that list in there again! I deleted the entries again and uninstalled my Symantec Corporate Edition AV and surfing to those sites was fine. I rebooted my XP and same problem again. So it looks to me like there's some file(s) still on my system causing the problem... anybody managed to fix this problem??
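As an added example (my own script, not from zoolander's post or the instructions he quotes), a PowerShell audit of the hosts file that does what the quoted instruction does, but reports first: it lists every mapping other than loopback-to-localhost, which is exactly what a list of vendor sites pointed at 127.0.0.1 looks like, and only with -Clean backs the file up and rewrites it to comments plus the localhost line. The file path is the standard Windows one; the vendor keyword list used to label entries is my own and illustrative, not a complete list of what the worm in this thread writes.

```powershell
# Added example: audit (and with -Clean, reset) the Windows hosts file.
# Run elevated; the file is writable only by administrators.
param([switch]$Clean)

$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$legitNames = @('localhost', 'localhost.localdomain', 'broadcasthost')
# Illustrative keywords (assumption, not exhaustive) used only to label findings.
$vendorHints = @('symantec', 'f-secure', 'mcafee', 'trendmicro', 'liveupdate', 'windowsupdate', 'microsoft')

function Get-HostsFindings([string[]]$Lines) {
    $found  = New-Object System.Collections.Generic.List[object]
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        $body = ($line -split '#', 2)[0].Trim()      # strip trailing comment
        if ($body -eq '') { continue }                # blank or comment-only line
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) {
            $found.Add([pscustomobject]@{ Line = $lineNo; Address = $fields[0]; Name = ''; Reason = 'malformed' })
            continue
        }
        $ip = $fields[0]
        $loopback = ($ip -like '127.*' -or $ip -eq '::1')
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($loopback -and $legitNames -contains $name.ToLower()) { continue }
            $reason = if ($loopback) { 'name blackholed to loopback' } else { 'custom mapping' }
            foreach ($hint in $vendorHints) {
                if ($name -like "*$hint*") { $reason = "vendor site redirected ($hint)"; break }
            }
            $found.Add([pscustomobject]@{ Line = $lineNo; Address = $ip; Name = $name; Reason = $reason })
        }
    }
    return ,$found
}

$lines    = Get-Content -LiteralPath $hostsPath
$findings = Get-HostsFindings $lines
if ($findings.Count -eq 0) {
    Write-Output 'hosts file is clean: only loopback/localhost entries present.'
} else {
    $findings | Format-Table -AutoSize
}

if ($Clean -and $findings.Count -gt 0) {
    # Back up first so legitimate custom entries can be restored by hand later.
    $backup = "$hostsPath.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
    Copy-Item -LiteralPath $hostsPath -Destination $backup
    $kept = @($lines | Where-Object {
        $b = ($_ -split '#', 2)[0].Trim()
        $b -eq '' -or $b -match '^(127\.0\.0\.1|::1)\s+localhost$'
    })
    if (-not ($kept -match '^\s*127\.0\.0\.1\s+localhost')) { $kept += '127.0.0.1 localhost' }
    Set-ItemProperty -LiteralPath $hostsPath -Name IsReadOnly -Value $false   # the worm-era files are often read-only
    Set-Content -LiteralPath $hostsPath -Value $kept -Encoding ASCII
    Write-Output "hosts file reset; previous copy saved as $backup"
}
```

The audit is the useful half here: zoolander's report that the list comes back after every reboot means the file itself is not the problem, whatever rewrites it is. Running the script before and after a restart, and comparing the new content with the saved backup, confirms the rewrite and tells you which names are being blocked; the thread's own advice (removal tool with System Restore off, then the patch and a firewall) is what deals with the component doing it. -Clean drops any custom mappings a user added legitimately, which is why the backup is kept.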
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Zoolander. Turn off system restore and try again.
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

FireFox:

We already addressed the issue of whether lsass.exe can be deleted. Once again: the Sasser worm targets a vulnerability in lsass.exe. It's not lsass.exe itself that's causing the problem. It's actually a critical system process.

Next time, please read more carefully and ask for clarification if you don't understand. :wink:
  • zoolander
  • Born
  • Posts: 4

Post 3+ Months Ago

ATNO/TW wrote:
Zoolander. Turn off system restore and try again.


I turned off my System Restore when running the removal tool and it's still off. Any other suggestions?
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Well, I only had to fix one computer with this worm. Unfortunately , there were two other viruses on the machine. All I did was follow the instructions exactly and used the removal tool for all three (fortunately all three had a removal tool.

The only thing I did different that I don't believe was recomended or suggested as far as I could see was turn on XP's firewall before connecting to the internet again.

I made the assumption that if the perpetrator of the virus had my IP, then the machine was apt to get hit again, probably almost instantaneously.

The owner of the computer hasn't had any problems since and it's been at least 3 or 4 days now, I think. Not sure if that will work for you. I'm just relating what I did, and it was fixed on the first try.
  • Kal-el
  • Born
  • Posts: 2
  • Loc: Cambridge, UK

Post 3+ Months Ago

Hello,

I was very pleased to find this page whilst searching for virus solutions.
As many have written, my PC started shutting down every twenty minutes, with the same error warning. Sadly, last week it began doing it the moment I logged on to the net. Not being a computer wiz, and desperate for a solution since I couldn't search the net for one, I got the LSA Shell lsass.exe file and, not wanting to delete it, not knowing what it was, I made it unstable by renaming it. It's all good, as I can now log onto the internet and have had no such troubles since, but my question is.....
What does the LSA Shell programme do?! The net appears to run as per normal without it. Should I need it, is it something I can delete and copy from a friend's computer, or will it in some way be unique to each machine?
Can somebody please help me!!?
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

Kal-el

re: what Lsass is:

Quote:
Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.


Quoted from Wintasks
http://www.liutilities.com/products/win ... ary/lsass/

You probably don't want to be without it, but your workaround now at least gives you the chance to get rid of the worm and start fresh.

Welcome to OZZU and good luck.
  • Kal-el
  • Born
  • Posts: 2
  • Loc: Cambridge, UK

Post 3+ Months Ago

Thanks very much for making a reply, I'll take steps to get rid of the worm as advised in earlier posts.
All the best
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

OK -- but be careful about rebooting. Based on what you said you did, if you reboot with your current changes to lsass, I seriously suspect you'll never be able to log on again. And if I recall correctly, the removal tool will require a reboot, so make sure you rename lsass back before you do...otherwise have your restore disk handy.
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

Nice idea though for fault finding! Would be interested in knowing what happens if it gets rebooted with it renamed. Care to try it in the name of science? :lol: (I'm joking, please don't try it!!)

S
  • down4thecause
  • Born
  • Posts: 1

Post 3+ Months Ago

I've done everything. I've disabled System Restore, I've run the Sasser removal tool and I've tried to get rid of it manually. When I ran the Sasser removal tool it said that lsass was not found anywhere on my computer. Then I pressed ctrl+alt+delete and sure enough lsass.exe and its posse were running. Make sense? Hell no.

Sean
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

lsass.exe is not the virus. It's supposed to be there.
  • bajanmac
  • Born
  • Posts: 1

Post 3+ Months Ago

I have seen the strings on lsass.exe and have the same issue - yet when I boot up, I get a blank screen and can do nothing - tried safe mode, safe mode with prompt - Am I dead in the water or is there a saviour out there?
bajan
  • UNFLUX
  • Genius
  • Posts: 6367
  • Loc: twitter.com/unflux

Post 3+ Months Ago

Welcome to ozzu. No sense in starting a new thread ;)
  • Donna
  • Newbie
  • Posts: 9

Post 3+ Months Ago

Is there a way in Windows 2000 to stop the sasser worm shutdown process long enough to upload the worm removal tools?

I'm going insane here! Thanks. (-:
All assistance appreciated.

Donna
  • basdog22
  • Novice
  • Posts: 21
  • Loc: Hellas

Post 3+ Months Ago

Start ---> Run ---> cmd (or command) and then:

you write ---> shutdown /a

which means abort shutdown

:wink:
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

I believe it's shutdown -a (so if the /a doesn't work try that)
  • Neko
  • Born
  • Posts: 2

Post 3+ Months Ago

Ok, I hear you all are the ones to come to for Sasser help. I've tried virtually everything, including restoring the computer more than once. But, no matter what I do I can't seem to rid myself of the thing. My Norton can't work on a Windows XP operating system, which would be what I have, so I can't get it that way. So, I ask, will you please tell me, in fairly simple terms (I'm only fourteen), how to free my comp from the virus?

-Thanks in advance!
  • Neko
  • Born
  • Posts: 2

Post 3+ Months Ago

Um...never mind....I've gotten rid of it and updated as many things as possible. But just in case I'm going to check for the virus once a day.
  • SSH-Raj
  • Expert
  • Posts: 588

Post 3+ Months Ago

Just run a firewall, that'll solve the problem.
  • db
  • Born
  • Posts: 2

Post 3+ Months Ago

Great help topic here. I'm trying to buy some more time to download the patches, but the command 'shutdown' does not work for me on Windows 2000.

Start > Run > shutdown -a
"Cannot find the file 'shutdown' (or one of its components). Make sure path and filename are correct blah blah blah...."

Prompt> shutdown -a
'shutdown' is not recognized as an internal or external command, blah blah...

Anyone know the command to abort the shutdown on Win2K?
  • db
  • Born
  • Posts: 2

Post 3+ Months Ago

Ok after some searching around, I'll answer my own question so that someone else may benefit.

shutdown.exe is not included with Win2K, but is offered as part of the Windows 2000 Resource Kit ($69.99).

Some Googling turned up a link to that single file itself at this site.

Thanks for this helpful topic.
  • ATNO/TW
  • Super Moderator
  • Posts: 23473
  • Loc: Woodbridge VA

Post 3+ Months Ago

We are delighted that you found useful information in it. And thanks for the updated tip. That was information I was unaware of. Welcome to OZZU.
  • BSRipper
  • Newbie
  • Posts: 6
  • Loc: Ohio

Post 3+ Months Ago

Hey guys, just an update! The Sasser worm will make it so you can't log on. It happened to me; the only way to fix it at this point is to reload.
  • Mat28590
  • Born
  • Posts: 3

Post 3+ Months Ago

Hey guys, I'm mat. I'm not exactly a computer genius but I know a thing or two about sasser. I still have it and have had it for months now. It's a tricky bastard. I've downloaded loadsa removal tools for it but none seem to work :roll: It seems to work in the exact same way as blaster, which I have also had in the past, but that was easy to get rid of. That is, a small window pops up after about two minutes of being on the internet. It tells me that lsass.exe has unexpectedly terminated and the system will shut down in sixty seconds. In response to someone earlier let me please make it clear: lsass.exe is not the virus; do not modify this file otherwise u will be pretty screwed. The reason the system is restarting is because the virus has corrupted a windows file, so after so long of the port being opened to the internet it terminates lsass, which is the cause of the system reboot. It works in the same way as blaster; the blaster virus causes the process RCE to terminate, which pops up the same window.

Now I've only just turned 14, therefore if you are in the same situation as me of not being able to remove the virus I'm afraid I can't help you there. However I have told you what not to do and your decision to listen to me or not is up to you.

Someone else had a query on temporarily preventing the shutdown on a 2k computer I believe. You said you tried opening run and executing <shutdown -a> or <shutdown /a>. I have another solution which I quite luckily stumbled upon. Now as long as the window pops up displaying the time left until shutdown this should work. All you have to do is turn your clock back a few hours! That's it. However make sure you don't turn it back over midnight to the previous day. For example: the time is 01.00, don't turn it back to 23.00, otherwise this will cause an immediate reboot.

Thank you for your time and I hope I have been of some assistance on what not to do. Please post if you have any solutions for me.

Mat
  • Mat28590
  • Born
  • Posts: 3

Post 3+ Months Ago

Hey guys, it's me again (mat). Does any1 know how 2 make an external hard drive your main drive and your current one the slave?

thanks in advance
  • Mat28590
  • Born
  • Posts: 3

Post 3+ Months Ago

Hi there, I'm mat (again, more questions). I just made a post regarding the sasser worm on the board entitled summin like "lsass.exe terminates with..." I was kinda hoping u could help me. I've had it for a while now, and just can't seem to get rid of it. I've tried downloading various removal tools and none seem to find it. I have sophos antivirus and downloaded .ide files for the different variants of it (a-f); that didn't work. It must be sasser cos after being on the internet for about 3 mins it terminates the process lsass.exe - making the window thing pop up giving me 60 seconds until it reboots. I know how to prevent it rebooting though. It seems to work in a similar way to blaster, though the RCE process isn't terminated.

Also I have a couple of other questions: can it gradually become more unstable? Someone posted about lsass being totally wrecked and the pc not even being able to reach the desktop before reboot. Could this happen to me cos I've had sasser a long time...

My final question is about a solution someone posted on the same board. If I were to buy a new external hard drive which plugs into my usb port, could I make that the main drive and my internal one the slave, or would I have to get someone in to fit a whole new internal one; and if so could I still use my current internal one as an external slave?

Thank you for your time reading this message, perhaps you could read my posted messages as well if time allows. A response would be appreciated very much.

Mat
  • mas77
  • Proficient
  • Posts: 258

Post 3+ Months Ago

Does anybody know how the virus came, so that it can be avoided? Is it spread through network computers or just from the net off some websites?
  • BSRipper
  • Newbie
  • Posts: 6
  • Loc: Ohio

Post 3+ Months Ago

It spreads through the net piggybacking on downloads and email.
  • mas77
  • Proficient
  • Posts: 258

Post 3+ Months Ago

I know that, but piggybacking on places like what? Be more specific.
  • BSRipper
  • Newbie
  • Posts: 6
  • Loc: Ohio

Post 3+ Months Ago

Here is a link on all the different Sasser worm variants. I found it at McAfee:
http://vil.nai.com/vil/alphar.asp
  • lalitha07
  • Born
  • Posts: 1

Post 3+ Months Ago

Hi,

I have the same problem on my laptop running on XP. I get the whole shutdown in 60 secs msg and this happens even when I'm off the internet. I ran the Sasser and Blaster removal kit and it came up saying that I did NOT have either of the worms on my machine.

I've faithfully gone through all 6 pages of this thread - almost everyone who has this problem has one of the worms in their system. So has anyone seen this msg pop up when the worm is not there? Or am I not running the right tool to find the worm? I am not able to do anything for 5 mins at a time on my laptop, it's maddening, please help!

thanks,
lalitha.
  • Animefoo
  • Born
  • Posts: 2
  • Loc: Los Angeles

Post 3+ Months Ago

On windows 2k, the best way to stop LSASS from crashing is by running the following in the command prompt:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

If you're already infected, or think you are, look for these signs and kill the process if it's running in the task manager:

anything with 4 or more numbers and "_up.exe" (for example, 12345_up.exe)

anything starting with avserve (for example, avserve.exe, avserve2.exe)

or the following processes: skynetave.exe, hkey.exe, msiwin84.exe, or wmiprvsw.exe

Haven't tried the dcpromo.log fix on XP, should still work though.

If all else fails, there's always housecall.antivirus.com.

Good Luck.
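A way to check a process listing against the indicators Animefoo gives above, written as an added example for this thread (it is not code from any poster or vendor tool). It reads output in the shape of `tasklist /fo csv`, which exists on XP and later; the listing embedded here is a constructed sample, not captured from a real machine. The one thing it deliberately does not flag is lsass.exe itself, since, as several posters have stressed, that is the legitimate Windows process whose crash is the symptom, not the worm.

```python
import csv
import io
import re

# Process-name indicators quoted in Animefoo's post. lsass.exe is the genuine
# Local Security Authority process and is listed separately so it is never flagged.
UP_EXE_PATTERN = re.compile(r"^\d{4,}_up\.exe$", re.IGNORECASE)
KNOWN_BAD_NAMES = {"skynetave.exe", "hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
LEGITIMATE_SYSTEM = {"lsass.exe"}


def classify_process(image_name):
    """Return a short reason when the image name matches an indicator from the thread, else None."""
    name = image_name.strip().lower()
    if name in LEGITIMATE_SYSTEM:
        return None  # expected on every NT-family Windows box; do not kill or rename it
    if UP_EXE_PATTERN.match(name):
        return "matches the '<4+ digits>_up.exe' pattern"
    if name.startswith("avserve"):
        return "name starts with 'avserve'"
    if name in KNOWN_BAD_NAMES:
        return "process name listed for Sasser variants"
    return None


def scan_tasklist_csv(csv_text):
    """Parse 'tasklist /fo csv' style text; return [(image_name, pid, reason)] for every hit, in listing order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Image Name"]
        reason = classify_process(name)
        if reason:
            hits.append((name, int(row["PID"]), reason))
    return hits


# Constructed sample in the column layout of `tasklist /fo csv` (not a real capture).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","220 K"
"lsass.exe","612","Console","0","5,180 K"
"svchost.exe","820","Console","0","3,900 K"
"avserve2.exe","1240","Console","0","1,112 K"
"12345_up.exe","1388","Console","0","560 K"
"explorer.exe","1500","Console","0","18,200 K"
'''

if __name__ == "__main__":
    for name, pid, reason in scan_tasklist_csv(SAMPLE_TASKLIST):
        print(f"PID {pid:>5}  {name:<16} {reason}")
```

On a live machine you would feed it the saved output of `tasklist /fo csv > procs.csv`; a hit is a reason to run the vendor removal tool and apply the patch, not proof by itself, and an empty result does not clear the box, because the names above are only the ones this thread mentions.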
  • woohooo
  • Born
  • Posts: 1

Post 3+ Months Ago

Hi All,

Okay, I'm having problems. My laptop is running winxp home. I had a corrupt win32/config/system file. I used recovery console and renamed the old system file. I then went to my repair folder but only found a system.bak file. I copied it to my system folder and took off the bak extension. Now I get the lsass.exe error message at boot up and it won't let me get to the desktop. So I try to go to recovery console again (I was going to replace the new system file with another from my desktop), but the recovery console won't let me enter without an admin password!!! What?! I never used one on my laptop before! Was there a default password on that system.bak file? Please help! My last resort is to take out the hdd and stick it in my desktop, get my important files and do a fresh install.

Byron
  • MacemanDerek
  • Born
  • Posts: 4

Post 3+ Months Ago

I have noticed that in my taskman's process list there is lsass.
This lsass.exe has problems; its memory usage keeps rising. Normally it would be about 5mb usage. But after an hour of being online it is over 200mb usage. This extremely lags my computer once it passes my 512mb limit. I read on a website that if you have this virus it disables access to anti-virus websites. Well, because of that I can't download the removal tool. I did a scan with my AVG antivirus and a scan on microsoft.com; they both found nothing.

My svchost.exe uses tons of CPU now! Before it was always under 1%, now it is never under 20%. This lags my computer also when I'm running other stuff.

When I play this game called 'Stronghold' it lags more than it used to. The taskman says it uses around 100% cpu. Before I got this virus or whatever it is, it was never over 10%.

I hope someone can help me, if not thanks anyway for having a great site like this up to help out people.
  • WoRd Of WiSdOm
  • Proficient
  • Posts: 284
  • Loc: Riverside,California

Post 3+ Months Ago

Lsass is normal; the sasser worm creates the Lsass but with a lower case entry (lsass or something like that).
  • MacemanDerek
  • Born
  • Posts: 4

Post 3+ Months Ago

I know it is a normal file to have, but it isn't normal to use 200mb of ram, crash programs, disable antivirus websites and a bit more.
  • MacemanDerek
  • Born
  • Posts: 4

Post 3+ Months Ago

I FEEL SO PROUD OF MYSELF!

I went to C:\WINDOWS\system32\drivers\host

I opened that host file in a hex editor, went to the end of it and there was a list of all disabled antivirus websites. I deleted that section and now they work! I AM SO PROUD!!!

But my lsass and svchost problems are still messed up :(
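Both Zoolander and MacemanDerek found AV vendor sites pinned in the hosts file, and Zoolander saw the entries come back after every reboot while the infection was still active. The script below is an added example for this thread, not code from any poster: it parses hosts-file text, reports every line that maps a watched security-vendor domain to any address, and returns a cleaned copy with only those lines removed. The domain list is an assumption built from the vendors named in this thread, and the hosts text is a constructed sample. On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts (the path in the post above is missing the `etc` part), and editing it needs an administrator account.

```python
# Security-vendor domains whose hijacking was reported in this thread, plus vendors named
# elsewhere in it. Constructed list for the example; extend it for your own environment.
WATCHED_DOMAINS = (
    "symantec.com",
    "symantecliveupdate.com",
    "f-secure.com",
    "mcafee.com",
    "trendmicro.com",
    "microsoft.com",
)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames], raw_line) for every mapping line; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # '#' starts a comment, also mid-line
        if not body:
            continue
        parts = body.split()
        yield n, parts[0], parts[1:], raw


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return [(line_no, address, hostname)] for lines pinning a watched domain or any of its subdomains.

    The address is reported but not used for the decision: a legitimate hosts file has no
    reason to contain a vendor update host at all, whether it points at 127.0.0.1 or elsewhere.
    """
    hits = []
    for n, addr, names, _raw in parse_hosts(text):
        for h in names:
            host = h.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((n, addr, host))
                break
    return hits


def clean_hosts(text, watched=WATCHED_DOMAINS):
    """Return the hosts text with hijack lines dropped and every other line left untouched."""
    bad = {n for n, _addr, _host in find_hijacked_entries(text, watched)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample hosts file (the first comment line is the stock header Windows ships with).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "# constructed sample for this example\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 liveupdate.symantecliveupdate.com\n"
    "127.0.0.1 www.f-secure.com\n"
    "10.0.0.5  intranet.example   # legitimate local entry, must survive cleaning\n"
)

if __name__ == "__main__":
    for n, addr, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {n}: {host} pinned to {addr}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of the real file first and diff the result before writing anything back; and, as Zoolander's experience shows, if the entries reappear after a reboot the malware that writes them is still running, so cleaning the hosts file is a step that makes the vendor's removal tool reachable, not the fix itself.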
  • greensean1
  • Born
  • Posts: 4

Post 3+ Months Ago

How do I know what edition of the Sasser virus I have?
  • LAbrego
  • brego from LA
  • Web Master
  • Posts: 2856

Post 3+ Months Ago

greensean1, most of the removal tools for Sasser are good for every variant. Try them; they should remove any variant you could have.
  • dnyres
  • Born
  • Posts: 1
  • Loc: Los Angeles

Post 3+ Months Ago

Hi Maggie,

I sent you a private message regarding this particular issue.. let me know if it works..

Cliff

conorific wrote:
Every twenty minutes or so, I get a message stating that lsass.exe has terminated with -(bunch of numbers) and the system will shut down in 60 seconds. I run Windows XP Home. What's happening, and how can I stop it?
  • ugnius
  • Born
  • Posts: 1

Post 3+ Months Ago

The original lsass.exe is not related to security threats, but the computer shuts down definitely because of the Sasser worm. Sometimes another parasite, Eblaster, uses the same filename lsass.exe and shuts down the computer.
  • micky123
  • Newbie
  • Posts: 10
  • Loc: India

Post 3+ Months Ago

Guys,

There are so many messages regarding this issue that I'm not very sure whether it is prudent to post this or whether you guys already know about it!!!

The best way to rid the system of the virus is:

Wait for the message to come up.
Then click on Start -> Run -> type shutdown -a, then click OK.
The timer should stop counting down and give you a connection to the net.
Once you're online you need to visit this website and download Stinger:

http://vil.nai.com/vil/stinger/

This would fix the issue 100%, it's tried and tested!!!

Of course there are a few things that we need to keep in mind -----
For one, you should be a quick typist :-)

Hope this helps
  • __B_O_O_M__
  • Born
  • Posts: 1

Post 3+ Months Ago

Say hi to all coz I'm a newbie here.

:cry: Here's my problem: all my files, I can't open them :cry:

It says windows cannot find (all my files), then it says
~~> Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and click Search. I've kept on searching files but it's always like that, coz this past few minutes I ran my anti virus (F-Secure), then when scanning was done I deleted all the viruses including this lssa.exe; after that I restarted my system and after that all my files are error/cannot be read, or rundll32/issa.exe says it is missing.
What should I do? :cry: :cry: :cry: :cry: :cry:

Can some1 here help me with this kinda' problem of mine plzzzzzzzzzzzzz

Thankz

Post Information

  • Total Posts in this topic: 99 posts

© 1998-2016. Ozzu® is a registered trademark of Unmelted, LLC.