Help with lsass

Ken

After a complete virus scan with McAfee up to date today,
and a system restore to three days ago, I can't fix a
problem with lsass causing my mouse and keyboard to freeze
and my computer to be shut down. Help.
szAppName : lsass.exe szAppVer : 5.1.2600.1106
szModName : unknown
szModVer : 0.0.0.0 offset : 00000000

Please send any reply to my email address,
(e-mail address removed) as well, so I can check it from
another computer, since this one stays up only a few minutes
and it takes too long to download messages to news groups.
Thanks.


Ken
 
Guest

I think my problem is similar; my company's security
system runs off of XP Home. I keep having lsass.exe
unexpectedly terminating with a status code of 1073741819
but Windows support doesn't give me any information. I
could definitely use your help. Please post back to this
board, it's faster for me to get replies here, without
access to the manager's office.

thanks,
Matt
 
Kenrick Fu

Your computer is infected with a new Sasser worm exploiting the LSASS Buffer
Overrun Vulnerability.

To clean your system:

NOTE: If your system keeps restarting, you can abort the system shut down
by:
Click Start, click Run and type "shutdown -a" (without quotations),
then click OK.

1. Download the worm removal tool from
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

2. After the worm has been removed, download and install the critical update
IMMEDIATELY from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
 
Malke

I think my problem is similar; my company's security
system runs off of XP Home. I keep having lsass.exe
unexpectedly terminating with a status code of 1073741819
but Windows support doesn't give me any information. I
could definitely use your help. Please post back to this
board, it's faster for me to get replies here, without
access to the manager's office.

thanks,
Matt

Sorry, no free email support. You both have the W32.Sasser worm. Here is
a link to information on how to fix it:

http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

Get the worm off your system and then immediately patch XP:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Malke
 
Ken

Not to be ungrateful for the help, but if my virus scan
software can't find the worm, it's going to be hard to get
rid of.

Ken
 
Malke

Ken said:
Not to be ungrateful for the help, but if my virus scan
software can't find the worm, it's going to be hard to get
rid of.

Ken

Update your virus definitions. All the well-known av companies have new
definitions covering Sasser. In addition, Symantec has a removal tool
already. Here's a link to it, which you would have found if you had
followed the first link I provided you:

http://securityresponse.symantec.com/avcenter/venc/data
w32.sasser.removal.tool.html

Note that the url wraps in my newsreader and you'll need to enter it
into your browser's addressbar on one line.

Malke
 
Ken

That's good advice, but I've updated my McAfee software
twice this weekend, and downloaded and ran the Symantec
Sasser removal tool today. None of them can find any virus
or worm. Now what do I try? Thanks.


Ken
 
Kelly

Todd Ellison

I'm having the same problem Ken is. I don't see any indication of
infection from the Symantec tool or FSecure's online scan. I also don't
see the registry symptoms, or the files dropped in the Windows
directory. Still, at every login (on several machines) we are getting
lsass crashes. The interesting thing is that the process doesn't
actually go away, it is still running in the task manager.

Does anyone have any ideas if this is a corruption or mutation of the
Sasser worm? Any ideas how to get rid of it?

Port 445 is now blocked from outside, and the machines are all patched
according to Windows Update, so I don't think that the machines are just
getting attacked again.

Thanks
Todd
 
Malke

Todd said:
I'm having the same problem Ken is. I don't see any indication of
infection from the Symantec tool or FSecure's online scan. I also
don't see the registry symptoms, or the files dropped in the Windows
directory. Still, at every login (on several machines) we are getting
lsass crashes. The interesting thing is that the process doesn't
actually go away, it is still running in the task manager.

Does anyone have any ideas if this is a corruption or mutation of the
Sasser worm? Any ideas how to get rid of it?

Port 445 is now blocked from outside, and the machines are all patched
according to Windows Update, so I don't think that the machines are
just getting attacked again.

Thanks
Todd

Todd - See my reply to your post (instead of here in this hijacked
thread).

Malke
 
Todd Ellison

Todd - See my reply to your post (instead of here in this hijacked
thread).

Malke

I did. Sorry, one reply was via Google groups and I didn't realize I
was double posting.

I appreciate the reply.

Todd
 