possible virus? and how get rid of it...

Guest

I have Windows XP.

I use the internet rarely, and it's usually to Yahoo email, and I never open
documents from people I don't know.

I have Norton and it's up-to-date.

I logged onto the internet, and after a few minutes, I got this message that
my computer will shut down in 1 minute. It had something like
system/32/lsass.exe in the message. And then it shut down after 1 minute. It
does this over and over.

I have had this happen before, and I've immediately gone to Microsoft.com to
download any security downloads they had to try and fix it. Plus I've run
Norton. I've always been able to get rid of whatever was in there without an
issue.

This time, I did the same exact thing. I downloaded the Malicious Threat
download that is on Microsoft.com plus ran Norton. Nothing came up from
either scan. But the computer keeps shutting down with that same message.

A window did pop up that suggested a free scan to check the computer
registry, but then after it scans, it wants you to pay $40 to fix the problem.
And then another window said to download a patch for $20. I wasn't sure if
these were legit or not. I do not have Service Pack II, so should I download
that? Would that help? I don't know if the computer will stay on long enough
for me to do it, but I can try...

Any thoughts or advice?
 
MAP

Naturegal74 said:
I have Windows XP.

I use the internet rarely, and it's usually to Yahoo email, and I
never open documents from people I don't know.

I have Norton and it's up-to-date.

I logged onto the internet, and after a few minutes, I got this
message that my computer will shut down in 1 minute. It had something
like system/32/lsass.exe in the message. And then it shut down after
1 minute. It does this over and over.

I have had this happen before, and I've immediately gone to
Microsoft.com to download any security downloads they had to try and
fix it. Plus I've run Norton. I've always been able to get rid of
whatever was in there without an issue.

This time, I did the same exact thing. I downloaded the Malicious
Threat download that is on Microsoft.com plus ran Norton. Nothing
came up from either scan. But the computer keeps shutting down with
that same message.

A window did pop up that suggested a free scan to check the computer
registry, but then after it scans, it wants you to pay $40 to fix the
problem. And then another window said to download a patch for $20. I
wasn't sure if these were legit or not. I do not have Service Pack
II, so should I download that? Would that help? I don't know if the
computer will stay on long enough for me to do it, but I can try...

Any thoughts or advice?

You have the sasser worm or blaster.
If Norton can't detect this old threat get yourself another A/V program.
A link for free online virus and trojan scanners.
http://virusall.com/downscan.html
 
AllenM

Hi Naturegal,
You've been hit by the sasser worm. Take a look at this link and it will
explain it all. And no, do not pay anyone $40. You can fix it yourself. May I
suggest you upgrade to SP2 and get the Internet Firewall. Also download the
Microsoft Beta Spyware from their home page. Do all of this after you have
resolved your issues.
Allen
 
David H. Lipman

From: "Naturegal74" <[email protected]>

| I have Windows XP.
|
| I use the internet rarely, and it's usually to Yahoo email, and I never open
| documents from people I don't know.
|
| I have Norton and it's up-to-date.
|
| I logged onto the internet, and after a few minutes, I got this message that
| my computer will shut down in 1 minute. It had something like
| system/32/lsass.exe in the message. And then it shut down after 1 minute. It
| does this over and over.
|
| I have had this happen before, and I've immediately gone to Microsoft.com to
| download any security downloads they had to try and fix it. Plus I've run
| Norton. I've always been able to get rid of whatever was in there without an
| issue.
|
| This time, I did the same exact thing. I downloaded the Malicious Threat
| download that is on Microsoft.com plus ran Norton. Nothing came up from
| either scan. But the computer keeps shutting down with that same message.
|
| A window did pop up that suggested a free scan to check the computer
| registry, but then after it scans, it wants you to pay $40 to fix the problem.
| And then another window said to download a patch for $20. I wasn't sure if
| these were legit or not. I do not have Service Pack II, so should I download
| that? Would that help? I don't know if the computer will stay on long enough
| for me to do it, but I can try...
|
| Any thoughts or advice?

Although it "sounds" like the Sasser worm, I have seen information of occurrences which cause
a Lsass NT Shutdown situation that mirrors a Lsass Exploit such as Sasser.

You indicated that Norton and the MS Malicious software scanners found nothing.

What you don't indicate is if you are at SP2 level.

When you get the shutdown message, go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/

Please read the following URL:
http://www.microsoft.com/security/incident/sasser_printxp.mspx

Please install and/or verify that the patch that fixes the Lsass vulnerability that the
Sasser and other infectors exploit has indeed been installed --
KB835732
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
 
NoNoBadDog!

RJK said:

You have either the Sasser or Blaster Worm.

Your Norton *IS NOT* up to date. Norton, when properly installed and
updated, will detect all forms of Blaster and Sasser. In addition, if you
had an AMD64 processor, your computer would have been immune to this attack.

Blaster and Sasser have been around for nearly two years.

It does not matter how often you go on the internet. You must have a
working, updated Antivirus program, a software firewall (not the one that
comes with windows SP2), and preferably a router to give you a hardware
layer of protection. The fact that you use yahoo mail makes you vulnerable,
as yahoo is a favorite vehicle for viruses, worms and trojans to propagate.

I would suggest that you read up on internet security, and please change
your own security practices to prevent this in the future.

Bobby
 
Guest

Hi Naturegal.....
A really good addition to your Norton is the AVG antivirus scanner...
It's a free software program and will not only locate the problem, it will
also remove it by deleting it or move it into "THE VAULT- QUARANTINE".
I also have Norton and where some features are good, parts miss deep
components..
Sometimes, it's good to have several spyware and anti virus software loaded
to use...where one misses it, surely the other will find it.
Here is a list of good programs...

Norton

AVG by Grisoft ----> http://free.grisoft.com/doc/2/lng/us/tpl/v5
(Go to bottom of page to find download area...also offers a free Firewall
download.)

Ad Aware

PC Bug Doctor

Registry Mechanic

Good Luck...
Apeke
 
David H. Lipman

From: "MAP" <[email protected]>


|
| You have the sasser worm or blaster.
| If Norton can't detect this old threat get yourself another A/V program.
| A link for free online virus and trojan scanners.
| http://virusall.com/downscan.html
|
| --
| Mike Pawlak
|

Mike:

It would not be the Blaster worm. See my reply to "NoNoBadDog!".
 
Steve N.

NoNoBadDog! said:
You have either the Sasser or Blaster Worm.

Your Norton *IS NOT* up to date. Norton, when properly installed and
updated, will detect all forms of Blaster and Sasser. In addition, if you
had an AMD64 processor, your computer would have been immune to this attack.

Blaster and Sasser have been around for nearly two years.

It does not matter how often you go on the internet. You must have a
working, updated Antivirus program, a software firewall (not the one that
comes with windows SP2), and preferably a router to give you a hardware
layer of protection. The fact that you use yahoo mail makes you vulnerable,
as yahoo is a favorite vehicle for viruses, worms and trojans to propagate.

I would suggest that you read up on internet security, and please change
your own security practices to prevent this in the future.

Bobby

I suggest you do a little test;

Go into Task manager, Processes and start killing off instances of SVCHOST.

What happens?

Steve
 
MAP

Although it "sounds" like the Sasser worm, I have seen information of
occurrences which cause
a Lsass NT Shutdown situation that mirrors a Lsass Exploit such as Sasser.

If you have this info handy David I would like to read up on it.

--
Mike Pawlak

Although it "sounds" like the Sasser worm, I have seen information of
occurrences which cause a Lsass NT Shutdown situation that mirrors a
Lsass Exploit such as Sasser.

You indicated that Norton and the MS Malicious software scanners
found nothing.

What you don't indicate is if you are at SP2 level.

When you get the shutdown message, go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the
McAfee worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

Please read the following URL:
http://www.microsoft.com/security/incident/sasser_printxp.mspx

Please install and/or verify that the patch that fixes the Lsass
vulnerability that the Sasser and other infectors exploit has indeed
been installed --
KB835732
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
 
Johnny Lingo

NoNoBadDog! said:
You have either the Sasser or Blaster Worm.

Your Norton *IS NOT* up to date. Norton, when properly installed and
updated, will detect all forms of Blaster and Sasser. In addition, if you
had an AMD64 processor, your computer would have been immune to this
attack.

If his version of Norton is older, it may not detect the virus. He would
need to have at least Norton AntiVirus 2004 (maybe 2003) to detect it as it
has a newer engine. You can run all the updates you want with an older
version, and not detect the virus as the engine just won't see it!
 
Alan Smith

NoNoBadDog! said:
You have either the Sasser or Blaster Worm.

Your Norton *IS NOT* up to date. Norton, when properly installed and
updated, will detect all forms of Blaster and Sasser. In addition, if you
had an AMD64 processor, your computer would have been immune to this
attack.

Blaster and Sasser have been around for nearly two years.

It does not matter how often you go on the internet. You must have a
working, updated Antivirus program, a software firewall (not the one that
comes with windows SP2), and preferably a router to give you a hardware
layer of protection. The fact that you use yahoo mail makes you
vulnerable, as yahoo is a favorite vehicle for viruses, worms and trojans
to propagate.

I would suggest that you read up on internet security, and please change
your own security practices to prevent this in the future.

Bobby

Get the latest version of AVG. It's free.
 
Bruce Chambers

Naturegal74 said:
I have Windows XP.

I use the internet rarely, and it's usually to Yahoo email, and I never open
documents from people I don't know.

I have Norton and it's up-to-date.

I logged onto the internet, and after a few minutes, I got this message that
my computer will shut down in 1 minute. It had something like
system/32/lsass.exe in the message. And then it shut down after 1 minute. It
does this over and over.

I have had this happen before, and I've immediately gone to Microsoft.com to
download any security downloads they had to try and fix it. Plus I've run
Norton. I've always been able to get rid of whatever was in there without an
issue.

This time, I did the same exact thing. I downloaded the Malicious Threat
download that is on Microsoft.com plus ran Norton. Nothing came up from
either scan. But the computer keeps shutting down with that same message.

A window did pop up that suggested a free scan to check the computer
registry, but then after it scans, it wants you to pay $40 to fix the problem.
And then another window said to download a patch for $20. I wasn't sure if
these were legit or not. I do not have Service Pack II, so should I download
that? Would that help? I don't know if the computer will stay on long enough
for me to do it, but I can try...

Any thoughts or advice?


You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
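
The steps given in the replies above (abort the countdown with `shutdown -a`, then confirm that the KB835732 patch or Service Pack 2 is present) can be run as one batch file. This is an added example, not part of the thread; the file name and the two registry locations checked for the update are assumptions about where Windows XP records it.

```batch
@echo off
rem check_ms04_011.cmd -- hypothetical file name; added example, not from the thread.
rem Run from a Command Prompt on the affected Windows XP machine.

rem Step 1: cancel the pending shutdown countdown, as advised in the thread.
rem If no shutdown is pending the command only reports an error, which is hidden.
shutdown -a >nul 2>&1

rem Step 2: look for the KB835732 (MS04-011) update.
rem Assumption: XP records installed updates under one of these two keys.
set PATCHED=0
for %%K in (
  "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732"
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB835732"
) do (
  reg query %%K >nul 2>&1
  if not errorlevel 1 set PATCHED=1
)

rem Step 3: read the service pack level. Service Pack 2 and later already
rem contain the fix, so no separate KB835732 entry exists on those systems.
set SPLEVEL=none reported
for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion 2^>nul ^| find "CSDVersion"') do set SPLEVEL=%%B
echo %SPLEVEL% | findstr /c:"Service Pack 2" /c:"Service Pack 3" >nul
if not errorlevel 1 set PATCHED=1

echo Service pack: %SPLEVEL%
if "%PATCHED%"=="1" (
  echo LSASS fix is recorded as installed.
  exit /b 0
)
echo KB835732 not found. Enable a firewall, then install the patch or Service Pack 2.
exit /b 1
```

An exit code of 0 means the fix is recorded; 1 means the machine still needs the patch before it goes back online unprotected.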
 
Steve N.

David said:
From: "Naturegal74" <[email protected]>

| I have Windows XP.
|
| I use the internet rarely, and it's usually to Yahoo email, and I never open
| documents from people I don't know.
|
| I have Norton and it's up-to-date.
|
| I logged onto the internet, and after a few minutes, I got this message that
| my computer will shut down in 1 minute. It had something like
| system/32/lsass.exe in the message. And then it shut down after 1 minute. It
| does this over and over.
|
| I have had this happen before, and I've immediately gone to Microsoft.com to
| download any security downloads they had to try and fix it. Plus I've run
| Norton. I've always been able to get rid of whatever was in there without an
| issue.
|
| This time, I did the same exact thing. I downloaded the Malicious Threat
| download that is on Microsoft.com plus ran Norton. Nothing came up from
| either scan. But the computer keeps shutting down with that same message.
|
| A window did pop up that suggested a free scan to check the computer
| registry, but then after it scans, it wants you to pay $40 to fix the problem.
| And then another window said to download a patch for $20. I wasn't sure if
| these were legit or not. I do not have Service Pack II, so should I download
| that? Would that help? I don't know if the computer will stay on long enough
| for me to do it, but I can try...
|
| Any thoughts or advice?

Although it "sounds" like the Sasser worm, I have seen information of occurrences which cause
a Lsass NT Shutdown situation that mirrors a Lsass Exploit such as Sasser.

You indicated that Norton and the MS Malicious software scanners found nothing.

What you don't indicate is if you are at SP2 level.

When you get the shutdown message, go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/

Please read the following URL:
http://www.microsoft.com/security/incident/sasser_printxp.mspx

Please install and/or verify that the patch that fixes the Lsass vulnerability that the
Sasser and other infectors exploit has indeed been installed --
KB835732
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

Start killing off SVCHOST processes and see what happens.

The problem is determining what is causing which interdependent system
service to crash. Worms? The OP indicates that has been fairly well
eliminated.

Steve
 
Richard Urban

There was a discussion here a few weeks ago regarding constantly renewing a
subscription for an older version of an antivirus software product vs.
paying a few bucks more and getting the latest version (with the newest
bells and whistles) with a one year subscription.

I mentioned the same thing you just did. From the response I received I
guess that many people just don't get the concept that newer antivirus
versions have the newest, and therefore most thorough, scan engine.

I finally just bailed out of the discussion.

--
Regards,

Richard Urban

If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
Richard Urban

You should really mention that you only want to have one "real time scanner"
operational at a time, no matter how many antivirus products you have
installed.

--
Regards,

Richard Urban

If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
David H. Lipman

From: "Richard Urban" <[email protected]>

| You should really mention that you only want to have one "real time scanner"
| operational at a time, no matter how many antivirus products you have
| installed.
|
| --
| Regards,
|
| Richard Urban

Richard:

That's a very good and valid point!
 
