re: lsass.exe
Tuesday, July 13, 2004 at 9:42 pm Windows XP Annoyances Discussion Forum
Posted by mojo7819
You either have a variant of the W32.Sasser Worm or one of the others that exploit
the LSASS.EXE vulnerability in Windows.
You were infected because you do not have a firewall protecting your computer.
There is really no excuse for not running a firewall, considering that there is one
built into Windows XP that will provide more than adequate protection. It is a simple
matter of enabling it.
Enable the XP firewall before proceeding.
How To Turn Windows XP Firewall On Or Off
Or you can download, install and run a good quality firewall such as ZoneAlarm.
You can extend the time before shutdown from 60 seconds to about 3 hours. This WILL
NOT clean the worm from your computer, but will prevent it from shutting down for
several hours. This will allow time to download the removal tool, updates to your
anti-virus program or Stinger or run an online virus scan.
To extend the time before shutdown, follow these steps:
Disconnect the computer from the network/Internet connection. (Disconnect the cable
if necessary.)
1. Restart the computer.
2. As soon as Windows opens and you see the Windows desktop, click Start > Run.
3. Type “cmd” in the Run box and press Enter.
4. Type "shutdown -I" and press Enter.
5. In the Remote Shutdown Dialog that opens, change 20 seconds to: 9999 and click OK.
This gives you about three hours to download the removal tool, update the definitions, and so on.
6. Reconnect the network/Internet connection.
7. Connect to the Internet, and get the removal tool or run an A/V scan to remove the worm.
For the Sasser, you can also end the process(es) that shut down your computer.
To end the process(es), follow these instructions:
1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort the processes.
5. Scroll through the list and look for the following processes:
avserve.exe
avserve2.exe
lsasss.exe (note 3 s's, not 2 as in lsass.exe)
napatch.exe
skynetave.exe
any process with a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
If you find any such process, click it, and then click End Process.
Exit the Task Manager.
You can download the W32.SASSER.WORM Removal Tool here.
Another tool that will remove the Sasser is Stinger. You must download the newest version of Stinger. Earlier versions will not detect all 6 variants of the Sasser Worm.
Make sure to disable System Restore before running these removal tools!!
How to disable System Restore.
An online virus scan should take care of any of these worms. Again, make sure to disable System Restore before scanning. An online scanner is available at Trend Micro, Panda, McAfee or Symantec.
For more information on some of these worms, check the following links:
W32.Sasser.Worm
W32.Sasser.B.Worm
W32.Sasser.C.Worm
W32.Sasser.D.Worm
W32.Sasser.E.Worm
W32.SasserF.Worm
W32.Cycle
W32.Bobax.A
W32.Bobax.B
W32.Bobax.C
W32.Bobax.D
W32.Donk.R
W32.Explet.A@mm
W32.Gaobot.AQS
W32.Gaobot.AOL
W32.Korgo.A
W32.Korgo.B
W32.Korgo.C
W32.Korgo.D
W32.Korgo.E
W32.Korgo.F
W32.Korgo.G
W32.Korgo.H
W32.Korgo.I
W32.Korgo.L
W32.Korgo.M
W32.Korgo.N
W32.Korgo.O
W32.Korgo.P
W32.Korgo.Q
W32.Korgo.R
W32.Korgo.S
W32.Korgo.T
W32.Korgo.U
W32.Korgo.V
W32.Korgo.W
W32.Korgo.X
W32.Kibuv.Worm
W32.Kibuv.B
W32.Kibuv.C
W32.Kibuv.D
W32.Kibuv.E
Hacktool.LsassSba
Bloodhound.Exploit.8
Hacktool.THCIISLame
Trojan.Otinet
- Written in response to:
- lsass.exe (Barry: Tuesday, July 13, 2004 at 7:26 pm)
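An added example, not part of mojo7819's post: a PowerShell script that checks the running process list for the names the post tells you to look for in Task Manager (including the 4-or-5-digits_up.exe pattern) and distinguishes the worm's lsasss.exe from the legitimate lsass.exe. It assumes a Windows host with Get-Process and Stop-Process available, which a stock 2004 XP install did not have; the Task Manager steps above remain the no-tools route.

```powershell
# Added example (not from the original post). Reports processes whose names
# match the list in the post; terminates them only when run with -Kill.
param([switch]$Kill)

# Exact image names from the post. lsasss.exe has three s's; the real
# Windows lsass.exe (two s's) is a core system process and is never matched.
$exactNames = @('avserve.exe', 'avserve2.exe', 'lsasss.exe', 'napatch.exe', 'skynetave.exe')

# Pattern from the post: 4 or 5 digits followed by _up.exe, e.g. 74354_up.exe
$patternUp = '^\d{4,5}_up\.exe$'

function Test-SuspectName {
    param([string]$Name)   # image name with extension, e.g. "avserve.exe"
    $n = $Name.ToLowerInvariant()
    return ($exactNames -contains $n) -or ($n -match $patternUp)
}

# Get-Process reports ProcessName without the .exe extension, so add it back
$suspects = Get-Process | Where-Object { Test-SuspectName "$($_.ProcessName).exe" }

if (-not $suspects) {
    Write-Output 'No processes matching the listed names are running.'
    return
}

foreach ($p in $suspects) {
    # Path can be unreadable for some processes; fall back to a placeholder
    $path = '<unavailable>'
    try { if ($p.Path) { $path = $p.Path } } catch { }
    Write-Output ("PID {0,6}  {1,-16} {2}" -f $p.Id, "$($p.ProcessName).exe", $path)
    if ($Kill) {
        # Same effect as End Process in Task Manager: stops the shutdown
        # countdown but does not remove the worm or patch the LSASS hole.
        Stop-Process -Id $p.Id -Force
    }
}
```

Run it without -Kill first to see what matched and where the file lives; the removal tool and patching steps in the post are still required afterwards.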