Computer Support Forum

Which one is it??? MBR, sasser, worse?

Question: Which one is it??? MBR, sasser, worse?

3 days ago when I visited a questionable streaming site my PC got infected with malware. After the infection I could not open any programs. In safe mode I scanned with my AV Kaspersky and Malwarebytes: numerous infections found and deleted.

But now still when my PC is idle, the CPU runs at +- 23% (4 gb processor ). I read in the log that it may be a possible MBR rootkit infection, tried to fix this with windows boot disk: recovery console: fixmbr, fixboot. But no success. (I have this process on and off running 2% of CPU: Isass.exe)

the logs of the cleaning procedure are attached.


any help would be greatly appreciated,
Memphisto

BTW let me know if you need that last log.

Relevance 100%

Answer: Which one is it??? MBR, sasser, worse?

We still need the C:\MGLogs.zip --> from running the C:\MGTools.exe.

Also, download TDSSKiller from Kaspersky directly onto your Desktop.
Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
Allow the application to run if prompted by Windows or any security programs you have installed.
It will start the scan and run rather quickly and will notify you of whether anything is found or not.
Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

9 more replies
Relevance 52.89%

Please try to keep this near the top for a while so others can check the link click here

Answer:Sasser.a and Sasser.b prevention and cure

yep but by now a lot has already been posted. johnny.

10 more replies
Relevance 47.97%

Hi all,

I started the day on a high note, before turning on the computer that is, thinking I was going to get some things done. This was not to be: So we start at:

FAIR:
After XP loaded it said that it had recovered from a serious error Product ID _251... so I did some digging around and got some info from microsoft's web pages complete with registry fixes (deleting bad entries, etc.)

I did a quick scan with malwarebytes and it found some stuff that I deleted and when I did a restart it didn't come up correctly.

Went into safe mode and it came up.
(made a HUGE mistake here. Did not copy files I wanted to save when I had the opportunity)
Closed out of safe mode and let it start normally.
Would not boot normally.
Tried to boot in to safe mode and now its recycling back to POST, we have gone to...
BAD:
Hmmm. So I thought how about putting the XP disk in and then do an install leaving file system intact.
When I got to the point of doing the install I chickened out because it said that it might delete the My Documents folder (had some things in there I didn't want to lose) I've done this procedure before and perhaps I should have taken the second opportunity to recover gracefully but I did not.

I hit F3 to cancel out of the install to try and boot from my other HD that has XP (but with some driver issues that I had yet fixed.)

I went into the CMOS to change boot order and notice that the hard drive (the one that I was trying to boot into is not showing ... Read more

Answer:HD/Filesystem prob:Went from fair to bad; then to worse, much worse

Test the HDD with the drive manufacturer's disk tools (preferably using a different PC). Run the short and long tests. If either test fails or has errors, the drive is faulty.

4 more replies
Relevance 47.97%

My icons are disappearing
The computer is running slow
Viruses have completely taken over my computer
I am going through financial difficulties right now and would REALLY appreciate help.
I understand computers therefore I can take direction fairly well..
Just please tell me what I need to do.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:43 AM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDO... Read more

Answer:It's Getting Worse & Worse. PLEASE. I cannot afford to bring it anywhere:( LOG INSIDE

7 more replies
Relevance 46.33%

Initially it was Edge not working properly, now it mostly crashes. Even the new "amazing" feature of tab previews doesn't work properly. Imagine, I moved back to Chrome after so many years of being a happy IE user. Cortana was a bit iffy with "Hey Cortana". Now she doesn't listen to what I say at all, even when I press the button. The notification center has its own mood. Often decides to hide until I restart for absolutely no reason at all. Same goes for the sound volume and other flyouts on the desktop.
In short, there is massive degradation of various major features with every new build. And since I post all the issues I find using the feedback app, I know it is not just me experiencing these things. This is disastrous.
So, is it just me or you experience similar issues yourself?

Answer:Is it just me or does Windows 10 get worse and worse with every new build?

It's just you.

10 more replies
Relevance 46.33%

i've had verizondsl for about half a year or so now, and from last month to present, the connection has been horrible.. sometimes it would just hang for up to a minute at a time, with the modem activity light blinking slowly (loss of connectivity).. before it started, speeds were decent, and although slow compared to the optimum cable i was used to, it was sufficient. now it's just pure garbage. if it weren't for the fact that we're getting free cable, i would immediately switch to roadrunner

i figure asking you guys is probably much more helpful than those scripted outsourced fools at tech support. i tried all that "reset your modem" "unplug the ethernet cord" "make sure your computer is on" crap already and would like some REAL answers..

PS- at my old house, we used to have verizon as well, and after a while it just stopped all of a sudden and when we called to see what happened, they said since there was construction in the area, they must have switched our phone line over to one with a further CO, and we were now too far to service. verizon is teh gay.
 

Answer:verizondsl getting worse and worse speeds

Well try plugging the modem into the demark jack if you have one (by where the phone line comes into your house). See if this still happens. If it doesn't maybe something happened to your internal phone lines. (this probably won't be the issue I'm betting).

Beyond doing that phone your ISP and get them to file a support ticket or whatever they call it there. When I was having trouble with my DSL connection a couple years ago I phoned up, they sent a guy from the telephone company to test the line and they replaced a device at the CO and the connection has been perfect ever since.




The [H]orde needs You!
 

15 more replies
Relevance 46.33%

I bought a Think Pad in April last year which does not start anymore, no lights, nothing. I wanted to send it back to Lenovo for guarantee. There is only ONE problem, there is no sticker on the laptop which shows me the serial number. Obviously there is supposed to be one, but it is missing!!! I do have the invoice which shows the purchase date, but no serial either. I already wasted quite some time with this bull**bleep**, I hopefully do not need a lawyer for that. Here you see the last response of the "support" manager -

Dear Michael Mueller,
Unfortunately I have to inform you that you have no guarantee for this machine. Repair of machines that do not have a sticker can only be carried out by a Lenovo service partner.
Lenovo Service Partner: https://pcsupport.lenovo.com/de/de/serviceprovider
If you have any further questions about this service case, please send us an e-mail to [email protected] or call us on the free phone number DE 0800 - 500 4618 / AT 0810-100-654 / CH 0800-55-54-54.
Lenovo regularly conducts customer surveys on service quality. If you are selected, please take a few minutes to answer the questions. We thank you in advance.
Yours sincerely,
Davor Krpan
Lenovo Technical Support
IBM Hrvatska d.o.o. za proizvodnju i trgovinu
Miramarska 23, 10 000 Zagreb, Croatia
Registered at the Commercial Court in Zagreb under no. 080011422
Share capital: 788,000.00 kuna - paid in full
Director: ?eljka Ti?i?
Giro account at: RAIFFEISENBANK AUSTRIA d.d. Zagreb,... Read more

Answer:guarantee handling - bad worse than worse

I just forgot to mention that the purchase was done through the Lenovo online shop itself -

SHIPPING CONFIRMATION
Your order has been shipped
Dear Michael Müller,
thank you for your order in the Lenovo online shop, which is supported by Digital River. The following products have been shipped.
Order date: 14 April 2017
Order number: 23856585462
Tracking number: 1ZAF68846704024055
The following items have been shipped:
Order quantity: 1
Product SKU: 20J1CTO1WW
Product name: ThinkPad 13 2G
Shipped quantity: 1
Total shipped quantity: 1
Amount: 800,52 EUR
If you paid by credit card, your card has now been charged.

1 more replies
Relevance 46.33%

I was curious if anyone out there knows anything about this...

I have a self-built computer, three years old now...and day by day it's getting worse and worse!

AMD Athlon XP @ 1.1 GHz
512MB PC2700 DDR-SDRAM
Windows XP Pro.
Radeon 9500 Pro. 128MB DDR

The problems started about six months ago--every time I'd turn on the computer, it'd scan the hard drive for errors, claiming an improper shutdown. Then, two months ago, it started going to a black screen saying a windows file is corrupt, use the XP CD to restore the file--but simply restarting the computer at that point would get it going (only came up on a fresh start).

Then in the recent times, the screen is completely black. I turn on the computer, and no signal is sent (I'm guessing) to the monitor, so it's just flashing the power light...but after waiting approximately 10 seconds, and restarting ('reset button'), it would go to the other problems--file corrupt screen, then the error scan...and this latest time, it took 4 resets for the screen to catch a signal...

All wires are plugged in good, and everything seems to be functioning properly, except for, of course, this problem I have...and I really have no idea where to start on fixing this. I planned on keeping this computer for another year or so--and hope this can be fixed! Anyways, any ideas/suggestions, please let me know!

Thanks,
-X

Answer:My Computer - Getting Worse & Worse! Is there hope?

Take the graphics card out and insert it back in firmly, making sure it is sat properly in its slot. Check the manufacturers' websites for your motherboard and graphics card and see what the BIOS updates do, and see if they have any FAQs to check if anyone else has been having similar problems to you in terms of people who have the same motherboard or graphics card.

Email the manufacturer(s) for your motherboard company and graphics company.

2 more replies
Relevance 46.33%

Hi everyone,
My bottom fan on my PC was being very loud, so I opened up my case and unplugged the power supply, and flicked off the power switch on the back. I unscrewed the bottom fan and dusted it a little bit, and then I put it back together how it was before.

The part that I unscrewed also contained my hard drive, and now that it is reseated I cannot boot.


At first I got an error when booting:
Loading operating system . . .
disk boot failure, insert system disk and press enter.

THEN, I tried making sure everything was connected well and tight, and now I am not getting anything displayed on my screen.

Apologies for the lack of knowledge and thanks for the help.

Jeremy
 

Answer:Boot problem, getting worse and worse

It is possible that when you removed the fan and hard drive, you plugged the hard drive's SATA cable into a different SATA port on the motherboard. Get into the BIOS, and make sure that the hard drive is being detected properly.
 

1 more replies
Relevance 42.64%

Hello my new bestest friends. I need help! (as does everyone who comes here) My computer has been running like a bag of you know what for about 3 weeks. IE became corrupt and will not start even after uninstalling and reinstalling Versions 6 & 7. However this is not the problem as I am currently using Safari and finding it great. The problem lies with my computer and its sluggishness, ever since IE became corrupt my computer seems to have slowed. I am getting occasional Internal memory (blue dos screen) errors and several other little glitches like Windows XP's search program will not close after I perform a file search.

I have performed several Virus & spyware checks such as AVG and Spyware Doctor, also several registry progs like Registry Booster. AVG comes up clean, however Spyware Doctor and Registry Booster both show a lot of Registry errors including heaps of lnk files and url files. I removed most of these the first time around but discovered it to have deleted all my shortcuts and bookmarks that I much needed (well not so much the shortcuts). It did not remove the actual .exe files but was a major hassle as my desktop shortcuts were wiped. So I performed a system restore and now have everything back.

I am wondering are/have these files become corrupt or is this just overkill on the software (Spyware Doc & Reg Booster) behalf?? I have also noticed in my Hijack this log that there are several (missing files). I am so in need of help as i use my computer to p... Read more

Answer:Need Help Computer Getting Worse And Worse!

Hello Krisso,

Welcome to Bleeping Computer

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

2 more replies
Relevance 39.36%
Question: Sasser F'd me up!

Yesterday I found out that I had the sasser virus on my computer. I couldn't start up my computer without it restarting on me. I booted it up in safe mode, ran malwarebytes, and deleted all the infected files. When I restarted my computer windows opened fine, but after about 5 minutes, I had an alert pop up telling me that my audio and video won't work unless I downloaded a new codec. Then my desktop image turned into an ad saying "Your computer has a virus click here to download program". I didn't. I went to reboot in safe mode to run antivirus again, and all I got was a black screen. When booting up in regular mode all I get is a desktop image, but no icons or start menu. What do I do now? Any help would be greatly appreciated.

Answer:Sasser F'd me up!

Don't know anything about the Sasser virus, but noticed yesterday BC has a self help removal guide that might get you started. http://www.bleepingcomputer.com/forums/t/3097/how-to-remove-the-sasser-virus/

Then if you feel you still need further help, you can post in the Am I Infected? forum and one of the malware removal experts will help you as soon as they can. Remember, they're volunteers, so be patient.

Also, you could run the Microsoft Malicious Software Removal Tool (available with regular Windows Security Patches). I see it has Sasser on its list of malware it detects/removes. If you're up to date, you should have the tool on your system. BTW you have to log on to an Admin user account to run the tool. Click Start, Run, and then type MRT in the run box to execute a scan. I've never had it find anything on my pc, so I don't personally know how effective it is at completely removing malware.

1 more replies
Relevance 39.36%

I'm trying to get my head around this new virus Sasser and what does it actually do to a windows xp or 2000 pc.

I've read the sticky posted by "hewee" and other info posted on Symantec site but I still don't get a real sense of what the end user will see.

I've got a few customers complaining to me about their system, all in the last week with most related to basic viruses and spyware which I can cleanup by running a few utilities.

I want to know how to recognize this "Sasser" virus as quickly as possible. Any tips?
 

Answer:Sasser - What does it do?

Presumably the main obvious symptoms of Sasser will be the well-documented multiple spontaneous reboots, and also slow internet connections as Sasser eats up your bandwidth scanning for other machines to infect.

Then there will be the suspiciously named processes running as seen in Task Manager or HJT, but that's assuming a modicum of knowledge on the part of the user.

The other symptom - assuming your customers' AV is up to date - will be a message warning them of a Sasser infection! - that's a big assumption of course

I guess the main thing to impress on your customers is the need to ensure Windows Critical Updates are always installed as soon as they are available - for instance anyone who had installed that mid-April Critical Update to fix the lsass.exe vulnerability would never have got infected by Sasser. Clearly when a patch is released the flaw is widely publicised so it's likely that a virus to exploit the flaw in unpatched machines will soon follow - tell your users that to motivate them!
 

2 more replies
Relevance 39.36%
Question: Sasser, or not?

Hope I'm in the right place.

Recently my notebook, running XP, has had all sorts of problems, and AVG reported that it had the sasser worm, and that it (AVG) could not heal it. I panicked, deleted AVG, and reinstalled Windows XP.

There were still all kinds of issues, and a box that kept coming up saying System Shutdown, RPC, NT Authority System. When I looked that up on the web it said I had sasser, so I downloaded the fixsasser tool from Symantec. When I ran it, it said sasser was not found on my system. I installed the Windows patch that was recommended too.

So sasser isn't there, apparently, but I'm still getting occasional System Shutdown bla bla messages. Please, does anybody have any suggestions?

Thanks.

Susie
 

Answer:Sasser, or not?

Please follow standard cleanup procedures as given below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



Download HijackThis 1.99.1

Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

Run HijackThis and save your log file.

Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
 

2 more replies
Relevance 39.36%
Question: sasser again

Need help again from you clever people. Does this sound like a sasser worm to you?

My friend installed BT Basic B.Band it seemed OK and connection was made, at least to BT with two flashing PC icons at bottom of screen, BUT then a sixty second timer menu appeared and PC shut down. Restarted OK no further shutdowns or obvious problems but despite an internet connection it is not possible to reach any web sites. Always see "Unable to reach server" and "Page cannot be displayed" (windows XP)

Rang BT - they said it is due to a sasser worm. If it is could I download McAfee Avert Stinger on to a floppy via my PC and somehow execute it on to his PC?

2) In this context what does "shutdown -a" do? Is it for a PC which keeps shutting down? I saw the expression on this site.

Obviously it's a pain not being able to get his PC online so as to download removal tools spyware etc so any advice gratefully received.

Answer:sasser again

Yes you can run stinger off a floppy - write protect it before putting into the infected machine.

shutdown -a will stop it from shutting down.

2 more replies
Relevance 39.36%
Question: Sasser Help please

I have cleaned up a friend's PC with the Sasser Clean up tools from this site, but I have one remaining problem which I think may be due to the sasser virus. After clean up there appear to be some keys on the keyboard which are wrongly mapped. e.g. when you press @ you get " and vice versa and when you press # you get \. Is this because sasser has affected the registry files? Also how do I remap the keyboard??

Finally I have completed an online scan with Trend and despite tools like Stinger and the MS sasser removal tool saying there's no infection Trend has found the following Bat Sasser.A in c:\windows\system32\cmd.ftp it says it's non cleanable but gives the option to delete the file. Is it safe simply to delete it? Also why aren't the other sasser tools finding this?
I have put a HJT scan below

Logfile of HijackThis v1.97.7
Scan saved at 19:03:42, on 29/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\G... Read more

Answer:Sasser Help please

6 more replies
Relevance 39.36%
Question: Sasser

From reading a bit on the web, I think I might have a sasser worm. When I tried to login, it briefly mentioned a file spelt like lsas.exe or something before it powered off. This is the problem I am having with my computer, it keeps turning itself off and it's killing me! I can't see ANYTHING working. I first tried to go into the recovery console using my reboot CD but the laptop turned off...then I tried to completely reinstall windows and it did begin deleting files ready to reinstall it but then the laptop turned off. So what I am stuck with now is a laptop which constantly turns itself off and which has vital windows files missing due to an interrupted re-installation (when I tried to login again it said it couldn't find some other vital file, no surprise as it had just been deleted). This all seems pretty hopeless eh?

edit - But now I am confused because maybe my computer was saying it couldn't find lsass.exe, the legitimate login file which makes sense considering I couldn't login. But why on earth would it keep powering off? Might this be a hardware problem?

Answer:Sasser

The file you mention is lsass.exe and it could be resulting in the problem you describe. More information is here with some suggested help to fix it .... http://www.askdavetaylor.com/deleted_lsassexe_from_system32_is_this_a_problem.html

Yes, overheating or other hardware may be causing/contributing to the problem. Make sure the computer's fans are clean and air is flowing easily.

Post back if this doesn't work for you. Describe any ongoing problems in each post you make. It will help us to help you.

OJ

5 more replies
Relevance 39.36%

I got a new computer today and after surfing the internet for no less than a few minutes I had the sasser virus on my computer!! I can't download any of the Microsoft updates because my computer keeps restarting. Even worse, XP pro won't even start up now. Every time my computer restarts, it is asking me for a boot CD. If I put in the XP pro CD, my only option is to reinstall!

Bah... I don't want to have to reinstall. If anyone has any ideas, please help!

Oh and... the last time I was in Windows XP was when I was in the middle of d/l'ing critical updates, then sasser caused my comp to restart during this. Could this be the reason why I can't get into XP now?
 

Answer:Help please!! [SASSER]

If you are lucky Windows may have created a System Restore checkpoint before you got infected. To try to run System Restore, if you cannot start in Safe Mode, try the Safe Mode with command prompt option and follow these directions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;304449

Then the first thing you need to do is enable the XP firewall.

http://www.duxcw.com/faq/win/xp/firewall.htm

Then run a detection and removal tool for Sasser, if you think that's it.

http://vil.nai.com/vil/content/v_125007.htm

The firewall should prevent you from getting shut down if you are not badly infected.
 

1 more replies
Relevance 39.36%
Question: Sasser?

I've been hijacked again and have done all I know how, which includes running the latest versions of Adaware, Spyware Blaster, and CWShredder, as well as removing what I know to be spyware lines via HJT, to get rid of this nasty piece of spyware, but it keeps returning. Can you give me some advice? Here's the HJT logfile from its latest appearance:

Logfile of HijackThis v1.97.7
Scan saved at 1:53:10 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\mdrew\Desktop\HijackThis.exe

R1 - HKCU\Soft... Read more

More replies
Relevance 39.36%
Question: Bat Sasser.a

Appreciate some assistance.

Followed all the Microsoft instructions to get rid of Sasser (avserve.exe and avserve2.exe), yesterday. The PC was shut down overnight.

Ran TrendMicro HouseCall today, and it identified BAT SASSER.A located in:
C:\WINDOWS\system32\cmd.ftp

Any ideas on what to do?

Thank you!!
 

Answer:Bat Sasser.a

The infected file can be deleted. If you continue to have problems with this post a HijackThis Scanlog.
 

2 more replies
Relevance 39.36%
Question: Sasser??

Hi everyone,
This is the HJT log from one of my students. She said her computer was running slow, so I had her bring it to the lab. I am having trouble getting the machine to work on my DSL connection and her Norton says that she has the Sasser virus and is unable to repair or remove the file.
Currently running adaware to do some simple clean up, here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:20:00 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\WINDOWS\avserve.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\America Online 9.0\a... Read more

Answer:Sasser??

6 more replies
Relevance 39.36%
Question: SASSER Aid

I successfully removed Sasser with the Norton Tool but the initial instructions called for setting up a shutdown command (command prompt>shutdown -i) in which you list the computer name in the Shutdown Dialog Box so that you have time to load the necessary patch. What I need to know is does this command have to be manually removed or does it end with the first shutdown? Anyone?
 

Answer:SASSER Aid

7 more replies
Relevance 39.36%
Question: Sasser or not?

I have made several service calls in just the last few days on what appeared to be the sasser worm. The symptom was that a sudden notification would pop up saying this system is about to shut down, do a count-down and shut down.

Last night, I got that same pop-up and count-down in Windows 2000 on my own computer and it listed the lsasser executable in the notification box. I have a dual-boot, Windows 2000/Windows 98 system so I rebooted into Windows 98 and scanned the entire machine (definitions from 05/05) and it found nothing.

I then booted back into Windows 2000 and did another scan with Norton Antivirus and definitions from 05/05/2004 and it found nothing. I downloaded the special tool available from Norton for removing all variants of sasser and again it found nothing on any of my four computers on this network.

On every system I have worked on at other locations, Norton reported hits and named files quarantined. It is strange to me that neither Norton Antivirus nor the sasser removal tool has found anything on any of my four networked systems.

I have had no more sasser shutdowns. It is strange that I had this sasser shutdown and neither Norton nor AVG finds anything. Can anyone enlighten me on this?
 

More replies
Relevance 39.36%
Question: Help with Sasser

I have lsass.exe in my running processes. This is the sasser worm, correct? Well, I downloaded the fix from Microsoft to fix it, and ran the program. It came up with no infection found, and it's still there.

Any help would be greatly appreciated.

Answer:Help with Sasser

Well, I found this

http://www.neuber.com/taskmanager/pr...lsass.exe.html

5 more replies
Relevance 39.36%
Question: sasser and other

Lately my pc has been freezing up a bit, running slow. I have run adaware, AVG avirus, trend-micro online scan, panda online and a few other antimalware progs like spybot, hwshredder, etc.
Just last night my spybot went crazy, I kept getting these messages saying that spybot was denying certain registry changes, couldn't stop notices so I had to reboot.
The last thing that happened was i got a notice my pc was shutting down,
shutdown initiated by NT authority\system.
Message c windows system32\lsass.exe terminated with status code 128.
system will now shut down and restart.
I googled that today to find it's the sasser worm. I am taking steps with that right now, using the Symantec sasser worm fix tool.
But I think there are other issues so I am posting my hijack this done today.
I am running win xp pro with sp1. I have AVG a\virus up to date, ZoneAlarm pro, and all the standard a\virus and a\malware programs.

thanks

Logfile of HijackThis v1.99.0
Scan saved at 1244 PM, on 12/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Grisoft\AV...

Answer:sasser and other

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [Messenger Update] messenger.exe
O4 - HKLM\..\RunServices: [Microsoft System] cfg.exe
O4 - HKLM\..\RunServices: [Messenger Update] messenger.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database:Extended

Scan Options:Scan Archives
Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh ...

7 more replies
Relevance 39.36%
Question: Sasser help.

Hi, I've seen the patches and repair kits, but here's my question. We have the virus at work, on our network computer. The only programs that we can access is the WinCollect for bad checks, we can't access anything, but yet we have this virus and can't get rid of it, is there anything we can do?
 

Answer:Sasser help.

I'm no expert but my suggestion FWIW is to first download one of the many Sasser removal tools (e.g. Symantec's or M$'s) on any PC you can access the web with (say your home PC if your work/network is compromised) - then just put the tool on a floppy (then run an AV scan on the floppy to make sure you don't bring in any other viruses )

Then copy the tool from the floppy to your server and/or workstations as required and run it to remove Sasser. Then, assuming you can get your network online again, immediately download and install all M$ security patches to date to prevent any re-infection with Sasser. How does that sound - am I barking up the wrong tree?
 

2 more replies
Relevance 39.36%
Question: Trj and Sasser

I have just installed Panda platinum internet security... I have been using avast for a few weeks. When panda scanned my system it found the following (attached is screen print).
Are these just double ups on what Avast has found previously or did avast not find them?
 

Answer:Trj and Sasser

well it would av been if it had worked, it found 1 W32 Sasser and 5 Trj
 

1 more replies
Relevance 39.36%
Question: Sasser on XP SP2

I have picked up the Sasser worms and when I go onto the MS site I find that it should not affect me as I have XP with SP2. But I have it! Anyone know what the answer is?
TIA
Bill

Answer:Sasser on XP SP2

Check: right click My Computer - Properties. Does it say Windows XP Service Pack 2?

4 more replies
Relevance 39.36%
Question: Possible Sasser?

My pc shut down on me twice today and can't help but wonder if it's the Sasser worm. The problem is that I thought it didn't affect Win98 machines.

Also, I've been trying to install a critical update at MS's site. It goes thru all the motions but every time I click on my Windows Update button it wants to download the same update (823559). What's up with that?

Here's my HJT log...
Logfile of HijackThis v1.97.5
Scan saved at 4:01:41 PM, on 5/6/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\ISP.COM\DIALER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w...

Answer:Possible Sasser?

Try one of these:

http://www.microsoft.com/security/incident/sasser.asp

http://www.net-security.org/software.php?id=560

http://sarc.com/avcenter/venc/data/w32.sasser.removal.tool.html
 

3 more replies
Relevance 39.36%

From this site;
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

"W32.Sasser.Worm can run on (but not infect) Win 95/98/ME computers. Although these OS cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. In this case, the worm will waste a lot of resources so that programs cannot run properly, including our removal tool. On Win 95/98/ME computers, the tool should be run in Safe mode."
I hope that my machine is not one of these. I was going to post today about a slow down in performance, but I think that when I get home I'll look at this. (I run ME).
 

Answer:sasser and Win 9x/ME

Thanks Robo

I just can't seem to find info on
a) where to look in ME
b) how to use the tool in ME
c) how to intelligently identify this worm in a non-XP system.

Frustrating........
 

8 more replies
Relevance 39.36%
Question: SASSER :eek:

I need help with the virus sasser. I have tried everything. Could anyone please help me???

Every time I connect to the internet it shuts my computer down.
 

Answer:SASSER :eek:

10 more replies
Relevance 39.36%
Question: Sasser

Hello All:
I've always appreciated your help here and would like some advice. I was last on my pc at home on Friday April 30. I updated my Norton definitions and ran a full scan. I'm at work today and am reading about this sasser worm. I have not yet downloaded the MS patches for XP from April 13th (specifically XP-KB835732). When I turn on my pc at home for the first time tonight, what should I do right away? Update my Norton definitions (I'm not sure the April 30th around 5 pm had this on its update)? Install the XP patch from MS? I'm asking because I'm hearing infection is happening within minutes of connecting to the internet. I guess another option is to bring in a cd to work tomorrow and save the MS patch to there and install on my pc without connecting to the net (it's too big for the floppies I have here). Any advice would be appreciated
 

Answer:Sasser

Best option is what you said, stay off the net until you install patch from cd. Or, if you want to take a chance online, download MS patch first, then grab sasser tool from MG (just in case), then update your AV.
 

7 more replies
Relevance 39.36%
Question: Sasser

I've got a definite virus showing the Sasser symptoms. I found this handy little guide at Ask Leo, and was able to follow the steps to at least disable the shutdown, but after that, the newfangled beast balked all my attempts to actually get rid of it, and the guide doesn't seem to be recent enough to address the new problems.

Not only can I not run Windows Update or the standard firewall (either I get an error message, or simply nothing happens), but I also can't open any browser. Chrome, Firefox, and IE all just won't open - meaning, I can't download any updates, patches, or anti-viruses.

Any help to fix it, or at least get around the browser problem somehow? Please? I want my laptop back.
 

More replies
Relevance 39.36%

Hi Vog

Following your advice about the Sasser worm, I downloaded the McAfee "Stinger" removal tool. I followed all instructions (including disabling System Restore). Stinger reported finding the Sasser worm and removing it. At this point I posted my "thanks" message to you and checked the "problem solved" box.

However... ten minutes later while I was still on the internet, I got the dreaded error report again, and the computer duly shut down.

I ran the Stinger again and it found nothing.

Having had a look at the manual removal instructions, I have checked in the c:\windows folder and cannot see the file AVSERVE.EXE. I have also looked in the registry and cannot see the "avserve" value in HKEY_LOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

If you have any other suggestions to solve this problem I would be enormously grateful!

Answer:To VoG - Sasser still there!

Very strange. Do you still get the LSA Shell message before the NT Authority shutdown message?

5 more replies
Relevance 39.36%
Question: sasser!!!

hi tech support guys,

I've definitely got the sasser virus and it wouldn't surprise me if I had a few other trojans on it as well!! Been tryin' everythin' to fix my computer, but still strugglin'. Please help me!!! Below is a HJT log that was just taken. Hope it helps. Cheers guys
seb

Logfile of HijackThis v1.99.1
Scan saved at 16:07:27, on 15/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: adobep...

Answer:sasser!!!

14 more replies
Relevance 38.95%

I watched this video and it showed a Isass.exe in the Processes list and said it was the sasser worm.

I check my processes and I have the same thing running


I did a complete scan with AVG Free, Ad-Aware, Microsoft Spyware-Beta, and Malicious Software Removal Tool, all came back clean except Ad-Aware, which found a tracking cookie.

edit: found this, appears I am OK
http://www.softwarepatch.com/tips/isass.html
 

Answer:Do I have the sasser worm?

The article should have also mentioned that lsass.exe is also a Windows security process (for logins and such). The worm was named Sasser since it affected (can't think of a better term) the lsass.exe process.

If you have Service Pack 2 or have updated Windows in the past year, you're fine.
 

2 more replies
Relevance 38.95%
Question: Sasser Worm Maybe?

Yesterday I had an infection on a computer on our network. Was the recently popular XP antivirus 2008 or something along those lines. I removed with Malwarebytes' with no problem but since then have had some odd problems. After removing it I was unable to print. This happened at the end of the day so I decided to wait till morning to deal with it. Upon arriving at the office this morning, the computer will no longer boot to the desktop. Right before the login screen, an error pops up reading:

lsass.exe - Application Error
The instruction at 0x00401000 referenced memory at 0x00401000. The memory could not be written.

Hitting OK to "debug" or Cancel to end doesn't matter. I then attempt to log in as administrator or user and the desktop background will load and that's it. I check the task manager and there is no explorer.exe running. If I try to run it I get an error that it can not be found. I went into the command prompt from the task manager and checked the c:\windows directory and explorer.exe is there.

I've tried repairing windows by booting off the XP Pro disk to no avail. I got the same problem when booting in Safe Mode. The lsass.exe app error points to a Sasser Worm but explorer.exe not loading is throwing me off so not sure if this is the problem or not. Any help will be appreciated as I am in the office troubleshooting this as we speak. Thanks.

Answer:Sasser Worm Maybe?

Sasser is an older infection that has not been around in some time so you are dealing with more serious malware.

"I've tried repairing windows by booting off the XP Pro disk to no avail."

If you cannot boot up and cannot repair, then your options are significantly limited.

Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.

In case you need help with this, please review "How to partition and format a hard disk in Windows XP".

These links include step by step instructions:
"Clean Install Windows XP".
"Reformat & Clean Install Windows XP or Vista".
"XP Clean Install Interactive Setup".

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.

2 more replies
Relevance 38.95%
Question: Sasser Virus?

Hi.

My computer has been acting a bit odd. A little on the slow side for a few days, but nothing too bad.
Today it shut down by itself, which was really weird. And every time I run AdAware (which is maybe twice a day) it finds infections.

Anyway, just now Sygate told me LSA Shell (Export Version) is trying to access the internet. I googled it, and the first few sites I read seemed to indicate that it's harmless so I allowed it. But then I read that the export version is actually a virus.

Is it?? Am I infected??

Thanks

Answer:Sasser Virus?

Welcome to BC. Let's do a scan and see what it says.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the...

2 more replies
Relevance 38.95%

My computer has a virus which acts like the sasser virus, in that a window pops up saying that a certain process has not functioned properly, then gives me a 60 second countdown and shuts off. However, I have run programs to take care of the sasser virus and bobax (similar to sasser) and both have failed.

Here is the HiJackthis log:

Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-27 at 20:59:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-28 02:59:39 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:01:46 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Fi...

Answer:Need help with Sasser-like virus

Bump~

19 more replies
Relevance 38.95%

This is what happens:

at startup-

LSA Shell (export version) encountered a problem and needs close

followed after 1-2 min by-

Remote Call Procedure has failed system shutting down save any changes blah blah blah. time left until shutdown 30 sec.
AVG 7.0 detects-
msblast.exe
teekids.exe
both worms

after the end of the test it claims to automatically "heal" the files.
Help

Thank you
 

Answer:Possible Sasser Infection + others

Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
 

1 more replies
Relevance 38.95%

Hi there.
Firstly the problem is that whenever I log onto my machine a message pops up saying I have 60 seconds until it shuts down on me. I've done some research and it seems to be that lsass.exe or something similar is the culprit. I have to use the CMD prompt "shutdown -a" to stop the timer, but it still hasn't got rid of the virus. Which lags the machine to an extent where it is unusable.

Here is my computer specs -
Windows XP Home SP2
1GB RAM
110GB HD

I have looked up most solutions, but most of them turn to updating to SP2, but I have already been on SP2 since 2005 or something similar. I have scanned with spyboy S + D and it came up with a lot of stuff. Once I removed all entries and restarted the box still came up giving me 60 seconds. I can't get Norton Anti Virus to start up, it just goes blank and stops responding.

Any suggestions are valued because I'm in a tricky spot at the moment.

Answer:Sasser Variant *need Help!*

"I have to use the CMD prompt "shutdown -a" to stop the timer, but it still hasn't got rid of the virus."

That command does not eliminate the virus. It just gives you time to disinfect the computer.

"I have scanned with spyboy S + D"

Spybot S&D is an anti-spyware, not an ANTI-VIRUS... That's the reason it couldn't deal with the problem.

See if you can perform Online Virus Scan with Kaspersky. Follow this link: http://www.kaspersky.com/virusscanner

While you wait for further help from the experts check out this article

4 more replies
Relevance 38.95%
Question: Sasser?? yikes!

Just happened to look at my running tasks, and noticed something called Isass.exe .. my computer seems to be running fine, but this worries me .. I've done all the critical updates from Microsoft, and I'm loaded with virus protection. I never open suspicious emails .. HELPPPPP! .. I'm including my most recent HJT log ..

Thanks so much in advance ..

Logfile of HijackThis v1.97.7
Scan saved at 3:40:13 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Com...

Answer:Sasser?? yikes!

10 more replies
Relevance 38.95%
Question: Sasser symptoms!

Hey everyone, I'm hoping that someone could help me out with this puzzle

I'm running XP Pro with Service Pack 2 and all updates (checked yesterday)

I'm getting the "NT Authority/System" shutting down box we all know from sasser and I believe MS Blast. I can of course run shutdown /a in the Run command and that stops it.. but it is a big annoyance.

When the window pops up the "Message" part appears to be in Spanish and a crude online translation shows it to be taunting from the creator. It gives me a 30 second count down before it shuts off the pc.

From what I can gather (I never actually got the virus) Sasser worked by terminating lsass.exe and the action the service took was to shut down?
This is where I'm confused.

I've been monitoring the tasks and processes via the default task manager and "Security task manager". There are no suspicious processes. When the window pops up to shut down the PC "lsass.exe" is still running. I've also gone to services and told RCP the action to take is to restart on failure.

I've tried the MS Blast and Sasser removal tools and none of them picked anything up.

Thanks for any help

Answer:Sasser symptoms!

ive had the virus before... honestly id have to find how to fix it
i can send u a file IM me or PM me
blitze105 AOL and YAHOO
[email protected] for msn

6 more replies
Relevance 38.95%
Question: Sasser Worm?

Someone please help me. My computer keeps restarting unexpectedly, often with a textbox saying lsass.exe has been terminated unexpectedly, and counting down from 1 minute the computer shuts down. I tried running spybot, mcafee antivirus, and others but they all shut down unexpectedly while scanning. Spybot was in the midst of catching something when it shut down... now when I try running it an error message says "this application has been changed, check for viruses instantly!"

I suspect some type of worm,...someone please help.
Logfile of HijackThis v1.99.1
Scan saved at 10:39:09 AM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Owner.ITA\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT4024
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4024
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4024
R0 - HKLM...

Answer:Sasser Worm?

Please, any response will be helpful. This is my only chance, since I cannot scan anything. I can't even scan for viruses online without the browser shutting down. Nor can I download any new antivirus software because a popup says the files are corrupt when I try to install.

2 more replies
Relevance 38.95%

Sasser.D can run on but not infect Windows 95, 98, and ME PCs
http://www.sarc.com/avcenter/venc/data/w32.sasser.d.html

W32.Sasser.D.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. Firewall port blocking is the best defense to keep these systems from generating unnecessary network traffic.

Answer:Sasser.D can run on Windows 95, 98, or ME

Analysis of Windows 9x and ME impacts

The bottom line is that there are none other than someone copying the actual infected code to a Windows 98 PC and launching it.

Symantec retracted this on the "D" variant as it's now found on the "A", "B", and "C" variants. Other AV vendors aren't reporting this but I've affirmed the potential with McAfee. Thankfully it is a REMOTE and potentially RARE issue. While Sasser can run on W/9x as a Win32 process, it must be MANUALLY copied by the user. So far I'm not aware of any automatic injections of the Sasser worm Win32 code as a "process" into W/9x workstations. This is most likely a minor issue, and the threads here if there is any "Sasser and W/9x impacts" news

http://www.symantec.com/avcenter/venc/data...asser.worm.html
http://www.symantec.com/avcenter/venc/data...ser.b.worm.html
http://www.symantec.com/avcenter/venc/data...ser.c.worm.html

W32.Sasser.C.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. In this case, the worm will waste a lot of resources so that programs cannot run properly, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)

1 more replies
Relevance 38.95%
Question: Sasser Worm A

A friend of mine who has the worm and can't get online...she is also a member here as well. But can't get to this forum. Is trying to find where she needs to go to do a full recovery of her computer not just system restore but recovery of it all so it can go back to the way it was when she first got it.

She can't find where in her pc it is. She has nothing in "All Programs" that says her computer name and tools!

Any ideas please?
 

Answer:Sasser Worm A

11 more replies
Relevance 38.95%
Question: Sasser Virus?

Hi,

My firewall is telling me that something called "LSA Shell (export version)" wants access. My research says it may be the Sasser virus. That's what Cheeseball81 suggested in a post a while back. Is it possible someone could take a look at this log and tell me if it's clean, or if I have the Sasser virus? Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:50 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\...

More replies
Relevance 38.95%

according to the removal tool but something is happening here.

Symptoms:
Slow to start
Slow to run anything
Settings Alert from Symantec telling me I may need to uninstall at startup
Can't scan with Norton Antivirus
If Explorer is attempted then it gives a shutdown box and closes in a minute
Goes to screensaver even while working (goes black first, then eventually runs the screen saver very slowly, eventually can go back)

Things I've tried:
Sasser removal tool (no sasser)
Beagle removal tool (no beagle)
McAfee stinger (no viruses)
Ad-aware (removed all, mostly "Claria" and "Cyboot" or something like that)
Spybot (removed all)
Hijackthis (removed yahoo!companion)

Symantec says to do Live Update but I am not sure I can or not (I am currently with my laptop at the library trying to figure this out, I will try to do that when I get home but am not sure it is the problem)

Any info would help
 

Answer:I don't have sasser on my laptop

8 more replies
Relevance 38.95%

Hello everyone. I am running Windows XP Home, SP3, and have been having major issues lately, and I'm hoping for some help. I have all the classic symptoms of a Sasser infection, namely the box telling me lsass.exe has failed, and that the system will reboot. I'm using Antivir Avira, but the scan detects nothing. I also use Spybot, which I had to uninstall because every time I ran a Spybot scan, it would crash the system. I also tried downloading the Microsoft Malicious Software Removal Tool, and ran a quick scan that came back clean. I tried to run a full scan immediately after the quick scan, and twice it crashed the computer. I'm at my wits' end here, please help!! Here is my HiJack This log, which I just ran. Please let me know what to do next. HUGE THANK YOU's in advance!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:30, on 2008-07-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\A... Read more

Answer:Possible Sasser Infection?

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator priv... Read more

2 more replies
Relevance 38.95%

I have Win XP Home and after logging in as admin the background shows, but no icons until 3-4 minutes later. The hard drive light however is not as busy as before. CPU usage in task man. is low as well. Out of sheer coincidence when I right click one of the svchost.exe (USER=Network Service) to shut it down I get the timed RPC error with a 60 second time out. After that is shut down, but before the restart, the computer starts to load everything normal. I've run antivirus scan (up to date) and finds nothing. You can also run in safe mode flawlessly. Any help would be appreciated. Thanks!

Answer:Is this blaster/sasser or something else

Hello and welcome. Please run another scan.

Next run MBAM:

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan ... Read more

5 more replies
Relevance 38.95%
Question: sasser Worm

this is the latest thing to overwhelm microsoft

it has 2 variants (known as of 5/2/04 around 1:00pm)
sasser.a/sasser.b
they along with the Agobot/Baobot and Phatbot are attacking machines unpatched by MS04-011

mostly this is about sasser

doesn't affect win 95, win 98, or win ME,
does affect win 2000, and XP

LSASS (local security authority subsystem service) is exploited and issued a shell command to invoke FTP.EXE to pull the random file over. The file is 15,872 bytes and is placed in systemroot\system32 (c:\windows\system32) and then executed. It then copies itself to systemroot (c:\windows) and adds avserve.exe to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run key. At this point it's running as LOCALSYSTEM logged on user. The original file (16210_up.exe) is left on the system, so there are now two copies.

may get error message

"lsass.exe - application error"
"the instruction "0x0083f878" referenced memory at 0x00000023", The memory could not be "read"
click ok to terminate the program
click cancel to debug the program"



windows error reporting will say something like
LSA Shell (export Version)
encountered a problem and needed to close.

solve by going to microsoft.com and on the right side right under a green picture that says "protect your pc..." is a link "Sasser worm alert: What to do" you can follow that.

basically
1>... Read more

Answer:sasser Worm

http://www.majorgeeks.com/vb/showthread.php?t=32099

We (XP) saw Sasser for the first time Friday night.

This was before Symantec had a name for it.

When will people learn to update....
 

14 more replies
Relevance 38.95%

Couple of days ago, my system encountered a message saying it was closing down. This only happened online and the culprit, so the window claimed, was 'lsasse.exe'.
I took this to be the Sasser worm. I run an up-to-date antivirus (Avast) and Firewall. I ran Spybot, Spyware Blaster, Ad-Aware and my Avast, but nothing was detected.
I checked 'msconfig' for signs of an executable file at startup. Nothing.
I have never before been bothered by worms etc, so I downloaded from Symantec their Sasser removal tool, ran it but again nothing was detected. Is there perhaps a new strain of this pest??
I was forced to return my computer to its virgin state and install everything all over again. I now also have a Trojan guard.
Can anyone tell me how I got stung by this 'exe' file in the first place and whether there's anything else I can do to prevent this happening again??
As you know, reinstalling everything is a real pain....
Regards
 

Answer:New Variant Sasser?

8 more replies
Relevance 38.95%
Question: Sasser Worm

Are downloads available to get rid of this virus?
 

Answer:Sasser Worm

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
 

2 more replies
Relevance 38.95%

Hey, I recently got an error message with a 60 second countdown until shutdown, error code 107374819. I googled this and apparently it is the sasser virus. However, I got no straight answer about how to solve this. Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:28 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\QTTask.exe
C... Read more

Answer:sasser virus? please help

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul... Read more

2 more replies
Relevance 38.95%

I have lsass. exe in
c\windows\system32 and
c\windows\system32\dllcache though I was able to delete it from c\windows.servicepackfiles\i386

I ran eztrust, noadware, symantec removal and microsoft removal KB841720 but none of them detect it.

MS states to download security update 835732 but the download fails every time.... although that is only involved in preventing reinfection anyway, so my first priority is what will find and remove the worm?
 

Answer:HELP; a sasser worm that won't die

16 more replies
Relevance 38.95%

I recently acquired the sasser. worm virus. I used the removal tool and it deleted it, but now I have the w32.spybot.worm virus. I've tried everything to get rid of it. I've been on my computer for 30 hours in two days. Can someone please help me.
 

Answer:From sasser to spybot...

Click on this courtesy of SexyTech in an earlier post

http://forums.techguy.org/t155295.html
 

1 more replies
Relevance 38.95%

Hey guys,

I installed all those critical updates and norton system works immediately after I formatted my computer. Somehow I got infected with the Sasser virus. Norton AntiVirus has the pop up screen saying "High Risk", Virus detected.

Object Name -C:\Windows/avserve2.exe
Virus Name- W32.Sasser.gen
Action taken- unable to repair this file, access to file was denied

I've done a search on trying to get rid of it by using Windows-KB841720-ENU-V4.exe but it says it doesn't detect it...how can this be? This norton antivirus pop up won't go away. And what good is norton if it can't prevent this! Grrrrr...

Help please, thanks.
 

Answer:I have Sasser, but it's not being detected!

6 more replies
Relevance 38.95%

A friend has a problem with her PC, she has XP and when she connects to the net a message pops up.
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shut down was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:60

Message The system process'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code-1073741819. The system will not shut down and restart.

The PC then shuts down and reboots.
I have searched the net for info on this problem and it all points to the Sasser worm. I scanned the PC with AVG, it found nothing. I have used both the Symantec W32.Sasser.Worm fixtool 1.0.3 and 1.0.4, both did not find an infection.
I also took this hijack log

Logfile of HijackThis v1.95.1
Scan saved at 8:43:57 p.m., on 26/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\... Read more

Answer:Possible Sasser infection

Lets begin by downloading and running http://www3.ns.sympatico.ca/c.bennett03/newdotnet uninstall.exe

Then reboot the system

Upon reboot rescan with hijack and put a check next to each of the following then close all browser windows and click "fix checked"

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Owner\LOCALS~1\Temp\appE.tmp

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
Then delete all temp files as per http://www.personal-computer-tutor.com/deletingtempfiles.htm
Finally run a full system scan here
 

2 more replies
Relevance 38.95%

Can you tell me what virus this is? I have a virus on an old (but important) win2000sp4 computer that seems to act like a sasser: After startup, a small fake password box appears on the desktop with a 10 second system shutdown countdown. If it is clicked on, it puts a timer in the upper left desktop corner, which counts down about another 50 seconds then shuts down the computer, and seems to use a fake "it is now safe to turn off your computer " screen.

Malwarebytes in safe mode or normal (the one time I somehow stopped the shutdown) mode finds nothing. Using "shutdown -a" does not stop the shutdown or just crashes the shutdown.exe program, then it shuts down anyway.

The one google reference I found sounds exactly like this: http://www.techspot.com/vb/topic34623.html , but that was from 2004 and it is hard to believe malwarebytes can't find a virus from 2004.

I am working through your required Run and removal processes, but from safe mode it will likely take me the rest of the day, and I am wondering should I even try to install Spybot search and destroy while in safe mode as it will not be able to update, and if the malwarebytes will cause interference?

Thanks.
 

Answer:Is this a sasser variant?

urbmd said:

The one google reference I found sounds exactly like this: http://www.techspot.com/vb/topic34623.html , but that was from 2004 and it is hard to believe malwarebytes can't find a virus from 2004.

That was 2005 and CyberSitter is not a virus. Also Malwarebytes is not an antivirus program.

urbmd said:

I am working through your required Run and removal processes, but from safe mode it will likely take me the rest of the day, and I am wondering should I even try to install Spybot search and destroy

Spybot is not part of the READ & RUN ME.

Just finish the READ & RUN ME and attach the logs. Then we may be able to give you more specific answers to what your problem might be, but CyberSitter does sound like a candidate.
 

3 more replies
Relevance 38.95%
Question: sasser worm

I am working on a computer that I know has the sasser worm. I know exactly how to treat and get rid of the worm, however the worm causes the computer to shutdown before the desktop can be viewed. I am wondering if there is any way to stop the shut down without having access to the desktop? If anyone has any suggestions or has encountered this problem PLEASE respond! Thank you in advance

Answer:sasser worm

What You Should Know About the Sasser Worm

6 more replies
Relevance 38.95%

I think I've been infected and/or hijacked. Please help me get clean.

Here's the log file:

Logfile of HijackThis v1.97.7
Scan saved at 9:28:40 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SB Wireless Music\Media Server\SBWMsvr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svch... Read more

Answer:Please help - WToolsA.exe & maybe Sasser

hi biotic00,
before i go on i want u to download adaware6 which can be downloaded from www.lavasoftusa.com and spybot-search & destroy from download.com or by searching through google. also download CWSShredder from www.merijn.org. after that make sure that you boot into safe mode and have system restore turned off before u run any of the programs. also update them before running a scan. first run adaware and then fix all the problems that are shown. make sure that u have scan within archives turned on under customize. after that run spybot and fix all the problems that are shown (in red). now run CWSShredder and then click on fix it and then run HijackThis and post a new log.
 

2 more replies
Relevance 38.95%

I just posted my hijack log but no one helped so i deleted some things myself already, but as I was looking, I saw something at the bottom about Sasser. It's the 4th one up from the bottom. This is my brothers computer and I don't know much about the sasser virus so I don't know if that is something good or bad. Please help me!

Logfile of HijackThis v1.97.7
Scan saved at 8:21:40 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\System32\Tablet.exe
C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe
C:\WINDOWS.0\system32\cidaemon.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
C:\WIN... Read more

Answer:Do I have Sasser virus???

Also, in windows explorer I have folders named "Windows.0" and "Windows~0" Is that normal? I don't know how they got there.
 

2 more replies
Relevance 38.95%

hi, my computer keeps going to a blue screen after being on for about 2 minutes, unless in safe mode. if i use safe mode with networking, it also shuts down after around 2 minutes but gives me a 60 second warning to save things and says it was because of C/windows/system32/services.exe closing unexpectedly and gives the code 1073741819. i am running windows xp, but i am using a different computer to post this, i have enough time to run and post a hijackthis log before shutdown so will do in about a minute thanks!

Answer:I Think It Is The Sasser Worm :(

log - Logfile of HijackThis v1.99.1
Scan saved at 16:19:50, on 18/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\... Read more

4 more replies
Relevance 38.95%

I cannot get rid of Sasser and my computer keeps on rebooting!
I ran the Symantec tool but Sasser wasn't detected! Also ran Stinger a few days ago and Sasser was detected but deleted but came back! my computer reboots and freezes again and again. What should be done now? Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:46:38, on 06/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\SYSTEM32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\MSTask.exe
C:\WINDOWS.000\System32\WBEM\WinMgmt.exe
C:\WINDOWS.000\system32\cmd.exe
C:\WINDOWS.000\SYSTEM32\FTP.EXE
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS.000\system32\Atiptaxx.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
... Read more

Answer:Sasser on my computer!

14 more replies
Relevance 38.95%
Question: Re: Sasser virus

Rick.....When you say memory ......are you referring to the RAM ? If your computer is infected with Blaster and Sasser.....why don't you run the removal tools and get rid of them.

http://www.microsoft.com/security/incident/sasser.asp
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Make sure you get your Anti Virus updated to protect your computer and get all the latest updates and patches from Microsoft.

http://v4.windowsupdate.microsoft.com/en/default.asp

Hope this helps.
dl65

Answer:Re: Sasser virus

If you're talking about a card that contains memory without being powered then I'd say no, you're just spreading the infection, and if you mean RAM chips then no it wouldn't be a problem coz as soon as the power is not supplied the data will be lost. However, RAM chips can keep a residual charge for over 24 hours after being removed. But this is most unlikely to be able to be transferred.

1 more replies
Relevance 38.95%
Question: Re: sasser worm b

chuck.....re sasser......go to ....

http://v4.windowsupdate.microsoft.com/en/default.asp
http://www.symantec.com/index.htm

these sites will give you a good insight into the Worm.
Good Luck
dl65

Answer:Re: sasser worm b

often wondered if m$oft are putting these viruses in the system to test their own software and firewall as it's strange that it only affects windows 2k xp home and pro all ntfs files and all that have remote access. next i guess longhorn will suffer this fate? it's a pity that all the updates m$oft have produced cause pc crashes, that's strange also? and pcs who don't have updates on them like mine never crash, that's strange also. watch this space. the sasser b is part of the netsky virus/worm. my advice is it ain't broke don't fix it

1 more replies
Relevance 38.95%

Haven't been able to shake this one. I think it's sasser or a mutation. Seems to put me in a shell, so everything LOOKS ok. I think it mutates the Symantec and Sophos software so nothing shows. I've reinstalled OS (XP Media Edition) several times with no luck. Also, there is a mystery partition on the HD that I can't access, delete, etc... Have ran SB S%D prior to this log, and it only showed some tracking cookies.

Logfile of HijackThis v1.99.1
Scan saved at 12:50:03 AM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPl... Read more

Answer:I think it's sasser or a mutation

If you still need help, could you please post a fresh log?

2 more replies
Relevance 38.95%
Question: Sasser Worm?

Hi, a couple of days ago I was trying to watch a video that was on someone's blog and when I clicked on it there was a download for the adobe flash player and something called setup.exe. Without thinking I downloaded it and when it was installing I immediately canceled it when I read "SecurityFighter" at the top of it. I then scanned with AVG and nothing out of the ordinary showed up. So I tried MalwareBytes.

That's where the problems started...I got the "you do not have permission to access this program" message. After restarting I got the dreaded Sasser Worm popup:



But instead of lsass.exe it says services.exe. I can stop this with shutdown -a but I can't do much after that. No applications open except for Task Manager, regedit or control panel. Some help would really be appreciated, thanks!

Answer:Sasser Worm?

Oh and by the way, I've tried to scan with dds and gmer, but with dds it closes immediately and with gmer it closes after about an hour of scanning...I guess I'm kinda stuck. But another new thing is that after I restarted all of my programs are now opening, It's just the malware scanners that won't work.

19 more replies
Relevance 38.95%

I have removed the Sasser worm from my computer (so I thought) but today AVG detected and alerted me to I-worm/Sasser.B in the C:\System Volume Information folder (it gave the exact address of an exe file). On running AVG to remove it, nothing was found! Can anyone tell me what to do next - I can't even locate this folder on the C drive.

Answer:I-worm/Sasser.B and AVG

It is in a System Restore point. AVG cannot clean a file in an RP. To remove either turn off SR then on again click here but note that will remove all of your restore points. The alternative is to make a note of the full file name then delete that point only click here

1 more replies
Relevance 38.95%

This is weird and started a few weeks back at the same time as the last big sasser scare.

My computer began shutting down. I called Emachines and figured from their message it must have been the sasser worm. Did everything they and microsoft and norton prescribed. Voila no virus.

Then I noticed the fan was making noise (sound of a bad bearing). PC is only 18 mos old and not refurbished. I took the fan out, cleaned the carbon buildup off of the contacts, replaced it. Still shutting down.

Other symptoms:

The CD Rom is getting hot. Kind of cooking the CDs I guess.

Run any CD for more than 10 minutes and down goes the ship.

Specs:
1.8 GHz 40 GB HD 394 MB DDR CD ROM only

Looked at all connections (but main power cord)

Power supply seems abnormally warm, but fan sounds ok now.

????????????????????????????
 

Answer:no sasser, but still shutting down

6 more replies
Relevance 38.95%

After removing sasser from my pc (running xp home) I'm still getting the 60 second countdown to system shutdown. Also, when the pc boots-up and goes into desktop, the screen goes black and desktop re-appears in 8-bit colour. Changing the display settings back to 32-bit works okay until the next boot-up. Can anybody please help?

Answer:problems after sasser

How did you remove it??? That may give us a clue.

3 more replies
Relevance 38.95%

but thought this info would be useful for the less informed. click here
johnny.

Answer:sasser ( i know posted before)

Your link appears to be duff .

6 more replies
Relevance 38.95%
Question: W32.Sasser.B.worm

I am having a look at my friend's laptop, as she said she had a virus on it. I have switched it on and her norton anti virus came up with virus alert. It said C:\WINDOWS\avserve2.exe, it says norton is unable to repair this file. Another box said: programme control High Risk, avserve2 is trying to access the internet. Can anyone give me any guidance on getting rid of this.

Answer:W32.Sasser.B.worm

Try this click here

2 more replies
Relevance 38.95%

I have recently formatted my computer and now i have the sasser worm. i have tried a lot of things to try and get rid of it. nothing is working. i have norton and i'm pretty sure my firewall's working. any other ideas please, i have been trying to fix this for 4 days now and i'm all out of ideas..
 

Answer:i need help sasser worm

Hi, go here, it has all the information that you need! You can check your pc to see if it is infected; if it is, you can download the patch that is available on this page too! Here you go...
http://www.microsoft.com/security/incident/sasser.mspx
 

1 more replies
Relevance 38.95%
Question: Sasser recovery !

Hi everyone, I am a relative novice to solving pc problems, and I would welcome any advice on helping me solve my problem. I recently had Broadband installed, and at the same time contracted the sasser virus. I managed to stop my PC from repeatedly closing down, and I then also purchased Norton antivirus 2004 to help clean up my pc. It seems to have done the job, however I have been advised that if I have certain .exe files in my task manager (which I do - Isass.exe) I still have the virus. I have tried to close this application but the system will not allow me to stop it each time I try to end the application. I have tried to install Windows service pack 2 on several occasions but this keeps failing also. I am on the verge of calling in the cavalry (pc world) but I would like to try and solve this myself (hopefully with your help!) Thank you in advance for your help. Danny

Answer:Sasser recovery !

Cavalry (PC World) - NOT. Try running Stinger click here

7 more replies
Relevance 38.95%

I've been given a laptop as a gift running Xp. but it has no sp1 or sp2 installed, and it appears to have lsass.exe, which i assume is a version of sasser, which closes the pc down after i have been on the net for 16 minutes. BUT ONLY IF I GO on the net, at no other time does it affect the pc!!

question - -

how should i tackle this problem?

should i go to the microsoft web site & download & run the sasser removal tool and then install sp1 & sp2

or

should i install sp1 and sp2 first (do i need to install sp1 if i intend to immediately install sp2) - then will i need to run the microsoft sasser removal tool ?

or

is there a better order in which to cure this problem.

Note, AVG & McAfee have both failed to find this virus and so cannot remove it....
 

Answer:SP2 / sasser removal

7 more replies
Relevance 38.95%

I've got a laptop here which I'm trying to connect to Broadband but it keeps crashing the computer and coming up with the exact same message as you get if your PC is infected with the Sasser worm. Unfortunately all my attempts to remove it have failed. I can't even find it, the registry hasn't got the file listed as I tried to do it manually but there's no sign of any file called Apoint or anything close. The Symantec removal tool, the Microsoft one and the McAfee one have all failed to find it. Anyone any ideas as to what to do next?

Answer:Is this the Sasser worm?

Try Avast! Cleaner click here which gets rid of the Sasser virus variants A - F

10 more replies
Relevance 38.95%
Question: W32 Sasser.B.worm

Norton AV has just popped up to inform me that I have the above virus in "E:\windows\system32\12511" and is unable to repair the file. What should I do about removing it from my computer? Rusty

Answer:W32 Sasser.B.worm

Run Stinger click here

2 more replies
Relevance 38.95%
Question: sasser worm

does anybody know how to get rid of the sasser worm? regards, bd

Answer:sasser worm

download stinger click here. you may need to get a friend to do it for you. start up your comp in safe mode ( press F8 repeatedly at start up ), run stinger, it will remove it and most others

4 more replies
Relevance 38.95%
Question: Sasser Worm Help

I have the Sasser virus, and I get the shutdown box every time I try to log on. Most sites tell me to use start - run to abort the shut down but I can't get there before the box shuts my computer down.

Someone on this site told me to use start-run but the problem is I can't get to the screen to go to the start menu before the virus shuts me down. Help?

thanks guys

Answer:Sasser Worm Help

http://www.techsupportforum.com/f50/...lp-305963.html

2 more replies
Relevance 38.95%
Question: Sasser Worm help

I have the Sasser virus, and I get the shutdown box every time I try to log on. Most sites tell me to use start - run to abort the shut down but I can't get there before the box shuts my computer down. Help?

thanks guys

Answer:Sasser Worm help

http://www.techsupportforum.com/f50/...lp-305963.html

2 more replies
Relevance 38.95%
Question: Sasser query

I went to the Windows update page, and when I scanned there was nothing in the critical column, does that mean I don't need it or is it just an error? Regards.

Answer:Sasser query

What OS? TR

10 more replies
Relevance 38.95%
Question: 1-Worm/Sasser.D

I have checked the archive and the answer is not there - not all of it anyway. A friend has just restarted to use his laptop after several months. It is running Xp, and didn't appear to have a Virus Protector or a Firewall installed, or am I missing something? I thought there was one built into Xp. I use '98 on my machine so not too much background with Xp. Installed and updated AVG and then scanned, several infected files found that were removed, but 1-Worm/Sasser.D remained. Tried again this AM and unable to run AVG, unable to access the 'Task Manager', 'Msconfig' or 'Regedit'. Had also installed 'Zonealarm' and again problems with being unable to run 'The True Vector Internet Monitor'. On the Microsoft site I checked out this problem and it suggested that before attempting to use their removal Tool, Update KB835732 should be installed - done. That's where I am at the moment, I'm sure someone out there has had similar problems, please HELP. Much appreciated in anticipation.

Answer:1-Worm/Sasser.D

click here for the Symantec removal tool. After that, go to start > run > sfc /scannow to run the system file checker. Then reinstall AVG.

10 more replies
Relevance 38.95%

I have been informed that I may have the Sasser Worm so I have been referred to this site for assistance. Here is a link to the forum that I have been posting to for some history:

Help! Missing File: <Windows Root>\System32\hal.dll

When I attempt to boot-up my Dell 8400, I get the following error message

Isass.exe - System Error
When trying to update a password, this return status indicates that the value provided as the current password is not current.

When I click "ok" to close the message, the computer reboots again and goes thru the same cycle.

Thanks,
EDO

More replies
Relevance 38.95%

Hi,

I'm not sure if anyone has put up anything about this or already asked, but is there any way I can protect my computer from getting the Sasser worm? I am currently running Norton AV and the Firewall but I'm sure there is something I will have to do to safeguard my computer, as most new viruses can make it past the firewalls these days.

By the way, I am not computer literate, so I have a lot of trouble understanding certain things when it comes to my PC... I know silly really, but I am always wary of doing things to the computer in case I can't put the thing back to normal afterwards, so bear with me if you reply.
 

Answer:The New Sasser Virus

6 more replies
Relevance 38.95%
Question: sasser worm

help! i can't get rid of it via virus protection and can not stay on net long enough to download updates. have downloaded several sasser removal kits but nothing works. would be grateful for any help. [email protected]
thank you
 

Answer:sasser worm

Try the MS tool, you can download it here.
Once downloaded, unplug your internet connection, re-boot into safe mode and run the tool.
http://go.microsoft.com/fwlink/?linkid=40587
 

2 more replies
Relevance 38.95%
Question: sasser virus

would appear to be running rampant, and is purported to be one of the most virulent around. does not arrive by mail, just sits on the net and waits for a silly bugger with insufficient cover. johnny.

Answer:sasser virus

be warned. johnny.

10 more replies
Relevance 38.95%
Question: sasser sucks

i just cleaned up a sasser infection on my girlfriend's computer. it was easy to clean up, that's why i am not sure i got it all. i need someone to take a look at this logfile before i am confident that it is clean. also, is there any information about how to read hjt logfiles, understand what is going on, and determine which entries are problems? i am a very hands on person and i would like to learn how to do some of this myself. y'all are always such a great help to me and i would like to teach myself so i can help others. thanks so much guys.

Logfile of HijackThis v1.97.7
Scan saved at 12:01:41 PM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\Microsoft.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\In...

Answer:sasser sucks

7 more replies
Relevance 38.95%
Question: sasser worm

help! i can't get rid of it via virus protection and can not stay on net long enough to download updates. have downloaded several sasser removal kits but nothing works. would be grateful for any help. [email protected]
thank you
 

Answer:sasser worm

Publishing your email address is not a good idea .....

Go here and download hijackthis to its own folder away from the desktop and post back here the log that it produces so we can see how to help you .....

http://www.majorgeeks.com/download3155.html
 

1 more replies
Relevance 38.95%

just been infected. Can anyone help. Running XP home

Answer:HELP PLEASE I-worm/sasser

The Microsoft article on this is MS04-011 and the update number is 835732. Go on to MS website, SUPPORT and key in the above in search bar.

7 more replies
Relevance 38.54%

I have been having problems with Internet Explorer shutting down and error messages. In searching around I found in McAfee, traffic monitor, active programs, the program which shows as; LSA Shell (Export Version) and then under that is, I guess, the real file name which is "C:\Windows\System32\SASS.EXE". I can't see it in Windows explorer, neither McAfee nor Malwarebytes can find any viruses or any problems. I added Malwarebytes to try and find what I figured McAfee couldn't.

I have scanned with McAfee's tools for sasser with no luck. I downloaded, from Microsoft, the program that is supposed to be automatically downloaded and run to eliminate the sasser trojan. It showed nothing. I have all the symptoms, but I can only see the sass file in McAfee as an active program.

Do I have a trojan? If so, how do I get rid of it?
 

More replies
Relevance 38.54%

Hi there,
I'm new to this forum and have spent the last 6 hrs battling my pc!
It started off when I downloaded a piece of software called hide my ip, it asked me to download something else in order for it to connect (sorry if i'm not explaining it enough) it then told me to restart the pc to take effect, which i didn't do for another hour or so.

When it rebooted I got a pop up box saying:

"The system is shutting down. Please save all work ...... by NTAUTHORITY\SYSTEM
The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code - 1073741819

There have also been other pop up boxes saying other things have had to close inc LSA Shell etc.

On my laptop I managed to get back online and have gone through google looking at everything and trying microsoft patches (which I already had the most updated version), managed to get my Panda virus checker to go through everything and it came up clear, so did the microsoft malicious software checker, spyware Dr and the Symantec sasser worm removal tool.

I've done everything that the pchell.com/virus/sasser said to do but had none of the symptoms to fix.

At the moment I can get safe mode on and now safe mode with networking.
I'm running XP and SERVICE PACK 2
Virus Checker is PANDA SECURITY
Please help me someone! Is it the Sasser worm? If so how come nothing can pick it up?

Answer:Infected - Possible Sasser Worm?

How To Remove The Sasser Virus

Download and scan with MS Malicious Software Removal Tool.
Click on the link "Skip the details and download the tool"
Download and run Symantec's W32.Sasser Removal Tool.

Sasser is an old infection so your issue may not be related to it. If the above does not help, then do this:

Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please download AVG Anti-Rootkit and save to your desktop
Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
Accept the license and follow the prompts to install.
You will be asked to reboot to finish the installation so click "Finish".
After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
You will see a window with four buttons at the bottom. Click "Search For Rootkits" and the scan will begin.
You will see the progress bar moving from left to right. The scan will ta...

1 more replies