Problems with LSASS.EXE? You may have the Sasser worm

roger

How to Tell If Your Computer Is Infected
If your computer is infected with W32.Sasser.worm, you may see a
dialog box with text that refers to LSASS.exe. Some customers whose
computers have been infected may not notice the presence of the worm
at all, while others who are not infected may experience problems
because the worm is attempting to attack their computer. Typical
symptoms may include systems rebooting every few minutes without user
input.


Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm,
please do the following:

1. Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
2. Disconnect the computer from the Internet.
3. Restart the computer. If you have problems rebooting, reboot in safe mode.
4. Press CTRL+ALT+DEL.
5. Click the Task Manager.
6. Click the Processes tab.
7. Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
8. Click the End Task button.
9. Click Start.
10. Click Search and then search for and delete the following files:
    C:\WINDOWS\avserve.exe
    C:\WINDOWS\system32\*_up.exe
11. Click Start again, click Run, and then type: regedit32
12. Click OK.
13. In Registry Editor, locate and delete the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
14. Connect the computer to the Internet.
15. Go to the Windows Update site, and click the Scan for Updates button.
16. Download and install the critical updates recommended after the scan.

More info
http://www.microsoft.com/security/incident/sasser.asp

The stinger tool may also be helpful in detecting and
cleaning the Sasser worm.
http://vil.nai.com/vil/stinger/

Download this update
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


MORE ON SECURITY:

Three steps you can take to improve your computer's security:
http://www.microsoft.com/security/protect/

321050 Description of a Personal Firewall
http://support.microsoft.com/?id=321050
 
Guest

I have tried doing the process with the task manager however when I hold down the control button after it's opened nothing happens and the things you are supposed to do next don't show up???
 
roger

Hi,

I have tried doing the process with the task manager however when I hold down the control button after it's opened nothing happens and the things you are supposed to do next don't show up???

Download the stinger tool and it may remove the worm.
http://vil.nai.com/vil/stinger/

Update your system and use a firewall. On this Microsoft page they
scan you to see if you have the worm.
What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp

PSS Security Response Team Alert - New Worm Sasser
http://www.microsoft.com/technet/Security/alerts/sasser.mspx


Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm,
please do the following:

1. Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
2. Disconnect the computer from the Internet.
3. Restart the computer. If you have problems rebooting, reboot in safe mode.
4. Press CTRL+ALT+DEL.
5. Click the Task Manager.
6. Click the Processes tab.
7. Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
8. Click the End Task button.
9. Click Start.
10. Click Search and then search for and delete the following files:
    C:\WINDOWS\avserve.exe
    C:\WINDOWS\system32\*_up.exe
11. Click Start again, click Run, and then type: regedit32
12. Click OK.
13. In Registry Editor, locate and delete the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
14. Connect the computer to the Internet.
15. Go to the Windows Update site, and click the Scan for Updates button.
16. Download and install the critical updates recommended after the scan.
http://www.microsoft.com/security/incident/sasser.asp


The stinger tool may also be helpful in detecting and
cleaning the Sasser worm.
http://vil.nai.com/vil/stinger/

Download this update
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Enable your firewall.

MORE ON SECURITY:

Three steps you can take to improve your computer's security:
http://www.microsoft.com/security/protect/

321050 Description of a Personal Firewall
http://support.microsoft.com/?id=321050

More info:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.bullguard.com/antivirus/vit_randon_i.aspx
http://www.vsantivirus.com/sasser-a.htm

Good luck
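
The indicator checks behind the cleanup steps in this thread, as an added example that is not part of the original posts or of Microsoft's guidance: it matches process images, files and Run values against the paths named above and maps each hit to its cleanup step. The function names, the exact-directory matching rule and the sample host snapshot are assumptions made for illustration.

```python
import fnmatch
import ntpath

# Indicators exactly as listed in the thread's cleanup steps.
FILE_INDICATORS = [r"C:\WINDOWS\avserve.exe", r"C:\WINDOWS\system32\*_up.exe"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "avserve.exe"

def _norm(path):
    # Windows paths are case-insensitive; Run data may be quoted.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def is_indicator_path(path):
    """True if path sits in an indicator's directory and its name matches."""
    folder, name = ntpath.split(_norm(path))
    for pattern in FILE_INDICATORS:
        pat_folder, pat_name = ntpath.split(_norm(pattern))
        if folder == pat_folder and fnmatch.fnmatchcase(name, pat_name):
            return True
    return False

def triage(process_images, files, run_values):
    """Map each indicator hit to the cleanup step from the thread."""
    findings = []
    for image in process_images:
        if is_indicator_path(image):
            findings.append(("process", image, "end task"))
    for path in files:
        if is_indicator_path(path):
            findings.append(("file", path, "delete file"))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or is_indicator_path(data):
            findings.append(("run-value", name, "delete from " + RUN_KEY))
    return findings

# Constructed sample snapshot of one host (not real telemetry).
SAMPLE_PROCESSES = [r"C:\WINDOWS\system32\lsass.exe", r"c:\windows\AVSERVE.EXE",
                    r"C:\WINDOWS\system32\12345_up.exe"]
SAMPLE_FILES = SAMPLE_PROCESSES + [r"C:\Downloads\setup_up.exe"]
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for kind, item, action in triage(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_RUN):
        print(f"{kind:10} {item:40} -> {action}")
```

The legitimate lsass.exe and a same-named file outside the listed directories are not flagged, since the thread names specific paths rather than bare file names.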
 
