Every twenty minutes or so, I get a message stating that lsass.exe has terminated with a bunch of numbers and the system will shut down in 60 seconds. I am running Microsoft Windows. What is happening, and how can I fix it?

23 Replies

Replied

You have a worm which is called the Sasser Worm.

It hits the Lsass.exe's vulnerability. If you have antivirus then update it and scan your PC. If not, try a web scan from some of the biggest companies like Norton, McAfee or TrendMicro.

Also, update windows and obtain the latest patches.

In case it's the worm/virus which I'm 90% sure, this is what you should do to stop the Sasser Worm:

  1. Open Windows Task Manager by pressing CTRL+SHIFT+ESC.
  2. In the list of running programs, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. To remove the autostart entries do the following:

  1. Open Registry Editor. To do this, click Start, type Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
    
  3. In the right panel, locate and delete the entry or entries:
    avserve.exe = %Windows%\avserve.exe
    
  4. Close Registry Editor.
  • 0
    Here are some of the processes running. I've done searches - but no info. I ran ad-aware and got rid of a lot of bad stuff but some are still there including avserve.exe, avserve2.exe, hognubn.exe, and rundll32 cwcprops. — dimchandeliers
  • 0
    Two posts on the Sasser worm in one day. Now I need to go look this up and find out what it does and how it replicates so I don't have to go around fixing a bunch of computers next week. — Mark Bowker
  • 0
    Thank ATNO/TW and UNFLUX. Actually, the worm is like Witty, it doesn't spread through mail, it just needs to see that you're online. I'm wondering what Microsoft process doesn't have the vulnerability. 😱 — Ragnar78
  • 0
    The same is happening to me, it's Worm Sasser. I keep deleting it with Norton but it keeps coming back. Every time I come on it says LSA Shell (export version) error. After about 20 - 40 minutes it will then start the NT AUTHORITY/SYSTEM crap and give me 60 seconds. — Scar
  • 0
    Symantec has a removal tool for W32.Sasser.Worm and W32.SasserB.Worm. You do not have to have Norton or Symantec AV protection to use the tool. — Mark Bowker
  • 0
    Don't forget to update windows. It's a patch that is needed and not only a removal tool. Actually, Sasser doesn't need to be sent by email or executed to be activated on a PC. You just have to be connected for it to work. — Ragnar78
  • 0
    Regarding this worm w32/Sasser.A, if I get infected with it besides using protection, can I get rid of it by reformatting and reinstalling the system? — The^Watcher
  • 0
    I knew when I read these posts over the weekend, I'd have to be fixing this on somebody's machine, sure enough, I'm sitting here with one of our executive's 80-year-old mother's computer with Sasser, Welchia, and Blaster on it! *lol I'll let you know how it goes. — Mark Bowker
Replied

I searched the net for lsass.exe error, and came to this forum, and saw this post of my exact problem.

I followed everything that was said to do, but it would seem it didn't do much for my computer, it still comes up with the error after about 20-40 mins and restarts, just to do it again after another amount of time.

  • I've deleted the autostart file from the registry and closed it from the task manager
  • I've run the Symantec removal tool and it said I didn't have the virus.
  • I'm downloading an antivirus even though I've scanned my computer and that's how I got rid of what I first came upon which was a file MSBLAST.exe.

Can somebody please help me out? I even did a system restore, so I have no programs on my computer which means it does not have the updates for Windows and I can't get them because it takes longer than 20 mins to get them.

  • 0
    Actually the MSBlaster Worm does the same thing (in a very simplified way) as Sasser, they both shut down your PC. Now honestly, I suggest you try and grab all the windows patches through Updates. Sasser can only be removed by the Norton Removal tool, but it can reinstall itself easily due to a Flaw in the Lsass.exe that needs to be patched. So no matter how long you remove it, you will still grab Sasser. The same goes for MSBlaster. You can remove the processes but you will get it back again due to a Flaw in the Dcom RPC that Microsoft Windows uses. So if you are attacked with MSBlaster or Sasser, no matter how tough the AV you have, you will still be infected. Now the only solution I find, since you cannot update correctly, is to set your Firewall to the Highest possible security level. — Ragnar78
Replied

There are a couple of key things in avoiding a reoccurrence.

  1. Make sure you have the patch installed. The patch was released on April 13 in critical updates and you should install it if you haven't done so already. You may need to run the worm removal tool first before downloading the patch if you hadn't done so prior.
  2. The patch should take care of things, but if you are on XP enable the Firewall, or get a firewall program like ZoneAlarm, or use Symantec's or McAfee's Firewall if available.
  3. If you are on XP, make sure you disable the "restore" as described in the Symantec security response article before running the removal tool.
  4. In the last 30 days, there have been over 100 viruses/trojans/worms identified. Here are some "best practices" that Symantec recommends:

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

If you have a hardware firewall or your company uses a hardware firewall you should be at low risk on Sasser. BTW it appears two more variants appeared over the weekend.

Replied

Hi guys, I need some help. I definitely have this Sasser worm going on but the fix-it tool from Microsoft doesn't work. I am not a computer genius in the least. I stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

  • 0
    What OS? XP or Win2K? Read everything I just posted above you. I gave every detail I found today. The Firewall is particularly important (especially if you are on broadband), because if your ports remain open, the attacking computer may find you again easily and reinstall it. Try the removal tool from Symantec. It worked for the one computer I had that was infected. — Mark Bowker
  • 0
    ZoneAlarm is a good free firewall (for personal use) and as long as you're not trying to do anything complicated over the net the default install should be fine. Otherwise it may need some fiddling if you do VPNs or gaming etc to get it working properly. A big agree on the Symantec removal tools. Use them all the time. They take forever to run, but work very well. By the way, this site is number 4 on the list if you do a search in Google for 'Removing Sasser' so you may get a few hits to this thread 🤣 — DuckIT
  • 0
    The best firewall I ever tested while gaming, or surfing on the net was the Built-In firewall in my AV, PC-cillin Internet Security 2004. When I use the Direct Connection option for the firewall and test my PC with the Norton Security Response web, my PC is Stealth all the way, and games never lag, not a bit, and don't even drop the connection. This is why I hate ZoneAlarm, it's good at what it does, but a bit TOO good that you have to drop the protection to be able to play games or upload to the web, etc. — Ragnar78
Replied

I have tried deleting the lsass.exe in the running processes window. I am denied access even though I am an administrator. I have also tried running the removal tool I downloaded from Norton. It comes back saying that there is no Sasser Worm on the computer. What am I missing?

We have 2 computers with lsass.exe in the running processes, both Windows 2000.

  • 0
    lsass.exe should be running on both computers aggie. That's not the worm. That's the Windows service that the worm tries to exploit. You should be OK. — Mark Bowker
  • 0
    lsass.exe is one of them spooky critical system processes. As ATNO/TW said, the worm infects a vulnerability in it. Welcome to Microsoft 😠 — conorific
Replied

To everyone else: thank you for replying. I came back here a few days after I started the thread, because I found it on my laptop (gar!) and it came back after I tried to remove it. Good thing I discovered all the info here.

I'm going to run the Symantec tool, download Windows patches and crank up the firewall. I'll let you know if anything else happens.

In the meantime, I've just had the Task Manager open so I can kill inetman.exe and cool.exe when they come up on the list of processes. Works so far.

le sigh

  • 0
    Maggie's bewildered! I ran the Symantec tool, and, behold! I HAVE NO WORM. But five minutes before, NT AUTHORITY killed my computer after 60 seconds. What the hell happened? — conorific
  • 0
    Don't question your luck. As long as you applied the patch and didn't find the worm, it's good 😉 — Ragnar78
  • 0
    But that's just it! I didn't do aaaaaaaaanything. Cursèd computers. Whatever. — conorific
Replied

I must admit I don't know the full info on this virus, but have seen a similar problem to yours today.

I was working on a poor guy's computer who had got this over the weekend. When I arrived his machine was in a constant reboot loop (I.E. it crashed & burnt before even hitting the desktop. Safemode was screwed too!). He told me of a system message he got earlier regarding LSASS.exe so I pretty much guessed it was the Sasser virus. Because of the reboot loop I had to use a disc to load the machine (I use the excellent ERD commander by Winternals) this allowed me to run the Symantec tool, and sure enough, I found 18 copies of the virus!

Unfortunately, even with all of the above, his machine was still constantly rebooting. I tried a few more things but in the end, had to rebuild the OS. Even tried an in-place upgrade to keep his settings but that did the same thing! Man, this virus can suck! 😈

I can only guess that perhaps there is some destructive element of Sasser that can occur that may be wrecking lsass.exe? It's a pretty essential service.

  • 0
    Eeeesh. I'd hate that to happen to my computer. grabs CPU and holds it protectively Is there any word on who's coming out with the miracle fix to kill this thing? If it's anyone, it ought to be Microsoft. Grar. Silly MS. — conorific
  • 0
    I'm having the same problem I have the virus as well, right now I have ME installed should I install XP then get rid of the virus or get rid of the virus then install?? 😱 damn virus 😈 — -DaVinci-
  • 0
    If you intend to install XP anyway, installing it will basically give you the option to format your drive. That will nix the virus and all the other files on your computer, so do a backup first if you can, (but may not prevent you from getting it again). Windows XP does come with a built in firewall. In my opinion, it's not the best I've seen, but at least it is one. You access it by going to network properties on your network connection and clicking the advanced tab. If I recall the option will be there. (Sorry if that's not 100 percent right that's from memory.) If you do install XP, make sure your first step after your driver and chipset install is to download the current critical updates. Those should include the updates that will reduce the risk of the sasser exploitation of the lsapp vulnerability. — Mark Bowker
Replied

OK, I'm having a huge problem. I know it's Sasser because the computer just keeps rebooting. Uhh, I can't even get into Windows with Safe mode before it reboots itself. When the whole warning thing came out, Microsoft refused to let me download a security update. No, my XP is not cracked. Microsoft is just a bunch of bastards. Their Sasser helpline doesn't even work.

Uhh... Anyway, this began two nights ago when I got back from work. The computer screen was completely frozen, and when I rebooted the computer it just kept restarting. PLEASE tell me I don't have to wipe my system.

  • 0
    Umm sorry, but yes the only resolve I found to this was a rebuild (when it goes into this nasty reboot loop and you can't even get to the desktop). See my post above on all the things I tried when it did this. Hoping someone can suggest something better though! — DuckIT
  • 0
    shudder I'm an artist, and I'll be hideously screwed if I have to wipe the computer, but if I absolutely have to, I'll do it. Thanks for the suggestion, every little bit of advice is appreciated! — FunkerMitis
  • 0
    This may be far-fetched, but I am able to boot the computer from the CD drive using BIOS and all that wonderful stuff... If I, perhaps, wrote a CD with something that could get rid of Sasser, would that MAYBE work? I just rolled out of bed and have devoted this whole day to figure this out. — FunkerMitis
  • 0
    What you're suggesting may work if you knew what was wrong with Windows - i.e. which files are corrupted or whatever the problem is. I was unable to do this so good luck! What's the problem with rebuilding? Loss of data I take it? If you can get a program similar to ERD commander to access the files then you can maybe copy them to floppy or something. The data itself should be there still, it's just Windows that's dead. It's just getting at it that can be fun! Another idea if you have a spare hard disk would be to replace your current hard drive with that, load Windows onto it, then attach your old virused drive as a slave, and copy all the data off that way. Then once you have the data backed up you can rebuild the first hard drive no problem! — DuckIT
  • 0
    Yeah, I'll look into getting that program because my artwork is sorta crucial to everything. GRRR to digital art heh. I'll see about creating a system backup and everything. Thanks for the help! — FunkerMitis
Replied

For the record, in case anyone didn't know, typing shutdown -a in run will stop the shutdown process.

Was very helpful when I'm trying to remove the stupid thing, giving yourself a minute isn't very useful. 😉

For the record, when I first tried to remove it, I was under the impression it was the blaster worm until I figured out that lsass.exe was causing it all the time.

As of the update, squeaky clean and working fine, as it did before the stupid Sasser worm.

Don't worry about making CDs or anything silly for it, it's really not necessary. Just check out Symantec's site, grab the fix, and patch it up (after running shutdown -a, or you'll never have time to do it 😉)

Replied

After I connect to the internet (dial-up), I will soon get a message saying that the system is shutting down by NT AUTHORITY/SYSTEM. I get 60 seconds and it cuts off, it says by lsass.exe or something. When I run Norton anti-virus, it picks up the Welchia virus and the backdoor.sdbot virus. Norton was unable to delete or quarantine, it kept failing.

I found a Welchia virus tool that took it off, but I can't get rid of this backdoor.sdbot virus, Norton says it's located in windows/system32/system32.exe. I can't delete it and I tried to in regular and safe mode.

I really would appreciate someone giving me step by step to get rid of this thing.

Last night I used the run: shutdown -a, and downloaded all the current critical updates from Microsoft, like 13 of them, and then turned my computer off.

  • 0
    What on earth? Welchia has nothing to do with the lsass exploitability. It sounds like your computer has a lot of problems 😟 Ok, here's my suggestion on what to do: 1. If Welchia is gone, then get rid of the backdoor, if nothing else, adaware or other generic removal programs might even work on it. 2. Restart your computer, if the window pops up use shutdown -a and follow the link that I posted in the last post to get rid of your lsass problem. 3. Restart your computer again, and be happy. (Unless you have random other viruses? 😉) — Joyous
Replied

So I removed the worm with the removal tool and installed the MS patch, but now I can't run my Liveupdate or load up the Symantec website. I'm thinking the worm caused this. Does anyone know how to fix this problem?

  • 0
    If you can't run Live update, then try reinstalling your Norton Antivirus. Sorry, but I don't think Sasser attacks or tries to disable AVs. Can you tell me if Sasser rebooted your PC a LOT of times? This might have affected Windows stability, so you might consider repairing it and reinstalling all the patches. And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked). — Ragnar78
  • 0
    I've read that 1 of the symptoms of this worm is that it prevents you from reaching AV sites like Symantec, but anyway, I tried these instructions that I found elsewhere: Open the "Hosts" file in notepad and delete everything in there apart from this line: 127.0.0.1 localhost. For me there was this big list of AV sites that included Symantec and f-secure, so I deleted all those entries and I could reach Symantec finally but my LiveUpdate still wouldn't update. I uninstalled and reinstalled my AV but no luck. I did a reboot and I was back to square one, couldn't get to Symantec again. Looked into the hosts file and saw that list in there again! I deleted the entries again and uninstalled my Symantec corp edition AV and surfing to those sites was fine. I rebooted my Windows machine and the same problem again. So it looks like to me there's some file(s) still on my system causing the problem, anybody managed to fix this problem? — zoolander
  • 0
    Turn off system restore and try again. — Mark Bowker
  • 0
    I turned off my system restore when running the removal tool and it's still off. Any other suggestions? — zoolander
  • 0
    Well, I only had to fix one computer with this worm. Unfortunately, there were two other viruses on the machine. All I did was follow the instructions exactly and used the removal tool for all three (fortunately all three had a removal tool). The only thing I did differently that I don't believe was recommended or suggested as far as I could see was turn on XP's firewall before connecting to the internet again. I made the assumption that if the perpetrator of the virus had my IP, then the machine was apt to get hit again, probably almost instantaneously. The owner of the computer hasn't had any problems since and it's been at least 3 or 4 days now, I think. Not sure if that will work for you, I'm just relating what I did, and it was fixed on the first try. — Mark Bowker
Replied

Can this file Lsass.exe really be moved from your system?

I did everything to get rid of it, scanned with Trojan scanners, Virus utils, etc, etc. I later decided to do another format and a new fresh re-install of Windows.

When I got XP onto the system, I downloaded the Trojan Tools and Virus Killers Again and did another scan, and guess what, it was found on my system again, how I don't know why. I found the file in the Windows/system32 directory.

The only way to get rid of this file is to do a Safe Boot mode, and go to that directory and delete it, as you can't delete it in normal windows mode.

But I still like to know that after formatting my drive 2 times and doing a fresh re-install this poxy file was still here. I even scanned my CDs and didn't find it, so I can only think that it must automatically download itself secretly when you first log in to the internet, OR it doesn't get cleaned by any Antivirus or Trojan cleaners.

  • 0
    We already addressed the issue of whether lsass.exe can be deleted. Once again: the Sasser worm targets a vulnerability in lsass.exe. It's not lsass.exe itself that's causing the problem, it's actually a critical system process that should be there. Next time, please read more carefully and ask for clarification if you don't understand. 😉 — conorific
Replied

I was very pleased to find this page whilst searching for virus solutions. As many have written, my PC started shutting down every twenty minutes, with the same error warning. Sadly last week, it began doing it the moment I logged on to the net. Not being a computer wiz, and desperate for a solution being I couldn't search the net for one.

I got the LSA Shell lsass.exe file, and not wanting to delete it, not knowing what it was, I made it unstable by renaming it. It's all good, as I can now log onto the internet and have had no such troubles since, but my question is:

What does the LSA Shell program do?! The net appears to run as per normal without it. Should I need it, is it something I can delete and copy from a friend's computer, or will it in some way be unique to each machine?

  • 0
    Lsass is a Windows Local Security Authority Server Process that handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service. You probably don't want to be without it, but your workaround now at least gives you the chance to get rid of the worm and start fresh. Welcome to OZZU and good luck. — Mark Bowker
  • 0
    Thanks very much for making a reply, I'll take steps to get rid of the worm as advised in earlier posts. — Kal-el
  • 0
    OK -- but be careful about rebooting. Based on what you said you did, if you reboot, with your current changes to lsass, I seriously suspect, you'll never be able to logon again. And if I recall correctly, the removal tool will require a reboot, so make sure you rename lsass back before you do otherwise have your restore disk handy. — Mark Bowker
  • 0
    Nice idea though for fault finding! Would be interested in knowing what happens if it gets rebooted with it renamed. Care to try it in the name of science? 🤣 (I'm joking, please don't try it!!) — DuckIT
Replied

I've done everything, I've disabled System Restore, I've run the Sasser remove tool and I've tried to get rid of it manually. When I ran the Sasser removal tool it said that lsass was not found anywhere on my computer. Then I pressed ctrl + alt + delete and sure enough lsass.exe and its posse were running. Make sense? Hell no.

  • 0
    lsass.exe is not the virus. It's supposed to be there. — Mark Bowker
Replied

I have seen the strings on lSASS.exe and have the same issue - yet when I boot up, I get a blank screen and can do nothing - tried safe mode, safe mode with prompt - Am I dead in the water or is there a saviour out there?

  • 0
    Hey guys just an update! The Sasser worm will make it so you can't log on. It happened to me the only way to fix it at this point is to reload. — BSRipper
Replied

Is there a way in Windows 2000 to stop the Sasser worm shutdown process long enough to upload the worm removal tools?

I'm going insane here! Thanks.

  • 0
    Start --> Run --> cmd (or command) and then you write shutdown /a which means abort shutdown 😉 — basdog22
  • 0
    I believe it's shutdown -a (so if the /a doesn't work try that) — Mark Bowker
Replied

Great help topic here. I'm trying to buy some more time to download the patches, but the command shutdown does not work for me on Windows 2000:

  1. Went to Start > Run
  2. Typed shutdown -a and get:
    Cannot find the file 'shutdown' (or one of its components). Make sure path and filename are correct
    
  3. Went to Cmd Prompt this time:
    shutdown -a
    'shutdown' is not recognized as an internal or external command.
    

Does anyone know the command to abort the shutdown on Win2K?

  • 0
    Ok after some searching around, I'll answer my own question so that someone else may benefit. shutdown.exe is not included with Win2K, but is offered as part of the Windows 2000 Resource Kit. — db
  • 0
    We are delighted that you found useful information in it. And thanks for the updated tip. That was information I was unaware of. Welcome to OZZU. — Mark Bowker
Replied

I'm not exactly a computer genius but I know a thing or two about Sasser. I still have it and have had it for months now. It's a tricky bastard. I've downloaded loads of removal tools for it but none seem to work 🙄 It seems to work in the exact same way as the blaster virus which I have also had in the past, but that was easy to get rid of. A small window pops up after about two minutes of being on the internet. It tells me that isass.exe has unexpectedly terminated and the system will shutdown in sixty seconds. In response to someone earlier let me please make it clear: isass.exe is not the virus; do not modify this file otherwise u will be pretty screwed.

The reason the system is restarting is that the virus has corrupted a Windows file so after so long of the port being opened to the internet it terminates isass which is the cause of the system reboot. It works in the same way as to the blaster virus, it causes the process RCE to terminate which pops up the same window.

Someone else had a query on temporarily preventing the shutdown on a 2k computer I believe. You said you tried opening run and executing shutdown - a or shutdown /a. I have another solution which I quite luckily stumbled upon. Now as long as the window pops up displaying the time left until shutdown this should work. All you have to do is turn your clock back a few hours! That's it. However, make sure you don't turn it back over midnight to the previous day. For example, if the time is 1:00 am don't turn it back to 11:00 pm, otherwise this will cause an immediate reboot.

I've tried downloading various removal tools and none seem to find it. I have Sophos antivirus and downloaded .ide files for the different variants of it (a-f) that didn't work. It must be Sasser because after being on the internet for about 3 mins it terminates the process lsass.exe - making the window thing pop up giving me 60 seconds until it reboots. I know how to prevent it from rebooting though. It seems to work in a similar way to the Blaster Worm though the RCE process isn't terminated.

Also, I have a couple of other questions: can it gradually become more unstable? Someone posted about lsass being totally wrecked and the PC not even being able to reach the desktop before reboot. Could this happen to me because I've had Sasser a long time?

My final question is about a solution someone posted on the same board. If I were to buy a new external hard drive that plugs into my USB port, could I make that the main drive and my internal one the slave, or would I have to get someone in to fit a whole new internal one; and if so could I still use my current internal one as an external slave?

Replied

Does anybody know how the virus came so that it can be avoided? Is it spread through network computers or just from the net off of some websites?

  • 0
    It spreads through the net piggy backing on downloads and email. — BSRipper
Replied

I have the same problem with my laptop running on XP. I get the whole shutdown in 60 secs msg and this happens even when I'm off the internet. I ran the Sasser and blaster removal kit and it came up saying that I did NOT have either of the worms on my machine.

I've faithfully gone through all 6 pages of this thread - almost everyone who has this problem has one of the worms in their system. So has anyone seen this msg pop up when the worm is not there? Or am I not running the right tool to find the worm? I am not able to do anything for 5 mins at a time on my laptop, it's maddening!

Replied

On Windows 2k, the best way to stop LSASS from crashing is by running the following in the command prompt:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

If you're already infected or think you are, look for these signs and kill the process if it's running in the task manager.

  1. Anything with 4 or more numbers and "_up.exe" (for example, 12345_up.exe)
  2. Anything starting with avserve (for example, avserve.exe, avserve2.exe)
  3. Or the following processes: skynetave.exe, hkey.exe, msiwin84.exe, or wmiprvsw.exe

Haven't tried the dcpromo.log fix on XP, should still work though.

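The file-name indicators listed in the post above, and the avserve.exe Run-key entry from the first reply, can be checked mechanically. This is an added example, not code from the thread: it assumes the process list was exported with `tasklist /FO CSV` (where that command is available), and the sample data and function names are constructed for illustration. A name match is only a triage hint, and lsass.exe itself is deliberately not on the list.

```python
import csv
import io
import ntpath
import re

# Indicators exactly as listed in the post above; nothing else is assumed malicious.
SUSPECT_PATTERNS = (
    re.compile(r"^\d{4,}_up\.exe$"),   # 4 or more digits followed by "_up.exe"
    re.compile(r"^avserve"),           # anything starting with "avserve"
)
SUSPECT_NAMES = frozenset({"skynetave.exe", "hkey.exe", "msiwin84.exe", "wmiprvsw.exe"})
# Pulls bare *.exe file names out of a command line, quoted or not.
EXE_TOKEN = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)


def is_suspect(image_name):
    """True if the file name (path stripped, case-insensitive) matches the list."""
    name = ntpath.basename(image_name.strip().strip('"')).lower()
    return name in SUSPECT_NAMES or any(p.match(name) for p in SUSPECT_PATTERNS)


def suspect_processes(tasklist_csv):
    """Return [(image name, pid)] for matching rows of `tasklist /FO CSV` output."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        # Skip blank lines and the header row ("Image Name","PID",...).
        if len(row) < 2 or not row[1].isdigit():
            continue
        if is_suspect(row[0]):
            hits.append((row[0], int(row[1])))
    return hits


def suspect_run_entries(run_values):
    """Return [(value name, command)] for Run-key values that launch a listed file."""
    hits = []
    for value_name, command in run_values.items():
        if any(is_suspect(exe) for exe in EXE_TOKEN.findall(command)):
            hits.append((value_name, command))
    return hits


# Constructed sample data (not captured from a real machine).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"lsass.exe","692","Console","0","1,204 K"
"svchost.exe","856","Console","0","3,112 K"
"avserve2.exe","1432","Console","0","2,048 K"
"28934_up.exe","1500","Console","0","1,900 K"
"123_up.exe","1512","Console","0","900 K"
"wmiprvse.exe","1620","Console","0","4,300 K"
"WMIPRVSW.EXE","1644","Console","0","4,100 K"
'''

SAMPLE_RUN = {
    "avserve.exe": r"%Windows%\avserve.exe",
    "ExampleTray": r'"C:\Program Files\Example\tray.exe" /startup',
}

if __name__ == "__main__":
    for name, pid in suspect_processes(SAMPLE_TASKLIST):
        print(f"process  {name} (PID {pid}) matches a listed indicator")
    for value_name, command in suspect_run_entries(SAMPLE_RUN):
        print(f"autostart {value_name} -> {command}")
```
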
Replied

Okay, I'm having problems. My laptop is running WinXP home.

I had a corrupt win32/config/system file. I used the recovery console and renamed the old system file. I then went to my repair folder but only found a system.bak file. I copied it to my system folder and took off the bak extension. Now I get the lsass.exe error message at boot up and it won't let me get to the desktop.

So I try to go to the recovery console again, (I was going to replace the new system file with another from my desktop) but the recovery console won't let me enter without an admin password! What?! I never used one on my laptop before! Was there a default password on that system.bak file?

My last resort is to take out the HDD and stick it on my desktop, get my important files and do a fresh install.

Replied

I have noticed that in my taskman process that there is lsass.

This lsass.exe has problems, its memory usage keeps raising. Normally it would be about 5MB usage, but after an hour of being online, it is over 200MB usage. This extremely lags my computer once it passes my 512MB limit.

I read on a website that if you have this virus it disables access to anti-virus websites. Well because of that I can't download the removal tool. I did a scan with my AVG antivirus and a scan on microsoft.com and they both found nothing.

MY svchost.exe uses tons of CPU now! Before it was always under 1%, but now it is never under 20%. This lags my computer also when I'm running other stuff.

When I play this game called Stronghold it lags more than it used to. The taskman says it uses around 100% CPU. Before I got this virus or whatever it is, it was never over 10%.

I hope someone can help me, if not thanks anyway for having a great site like this up to help out people.

  • 0
    Lsass is normal the sasser worm creates the Lsass but with lower case entry (lsass or something like that) — WoRd Of WiSdOm
  • 0
    I know it is a normal file to have, but it isn't normal to use 200MB of ram, crash programs, disable antivirus websites, and a bit more. I FEEL SO PROUD OF MYSELF! I went to C:\WINDOWS\system32\drivers\host, and I opened that host file in a hex editor, went to the end of it and there was a list of all disabled antivirus websites. I deleted that section and now they work! I AM SO PROUD!!! But my lsass and svchost problems still. 😟 — MacemanDerek
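Both zoolander's comment and MacemanDerek's comment describe antivirus sites being blocked through added hosts-file entries. The following is an added example, not code from the thread, that audits a hosts file for such entries and produces the cleaned version zoolander describes (comments plus the `127.0.0.1 localhost` line only). The domain watchlist is an assumption built from vendors named in this thread, and the sample file is constructed.

```python
import ipaddress

# Assumption: watchlist made from the vendors named in this thread; extend as needed.
SECURITY_DOMAINS = ("symantec.com", "f-secure.com", "mcafee.com", "trendmicro.com")


def parse_line(raw):
    """Return (ip, [hostnames]) for a mapping line, or None for anything else."""
    fields = raw.split("#", 1)[0].split()      # drop inline comments
    if len(fields) < 2:
        return None
    try:
        ipaddress.ip_address(fields[0])
    except ValueError:
        return None                            # first field is not an IP address
    return fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_localhost(ip, host):
    return host == "localhost" and ipaddress.ip_address(ip).is_loopback


def is_security_site(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return [(line number, ip, hostname, kind)] for every non-localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, hosts = parsed
        for host in hosts:
            if is_localhost(ip, host):
                continue
            kind = "security-site-override" if is_security_site(host) else "unexpected-entry"
            findings.append((line_no, ip, host, kind))
    return findings


def cleaned_hosts(text):
    """Keep comments, blank lines and the localhost mapping; drop everything else."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parsed = parse_line(raw)
        if parsed and any(is_localhost(parsed[0], h) for h in parsed[1]):
            kept.append(parsed[0] + "\tlocalhost")
    return "\n".join(kept) + "\n"


# Constructed sample; on Windows XP/2000 the real file is
# %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com securityresponse.symantec.com
127.0.0.1       www.f-secure.com   # constructed entry
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    for line_no, ip, host, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} [{kind}]")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

If the flagged entries reappear after a reboot, as zoolander reports, something on the machine is still rewriting the file, so cleaning the hosts file alone does not remove the infection.
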