Re: cannot remove Sasser


Julian Hales

UPDATE

I tried to remove the LSASS virus off XP Pro by doing a couple of things. One,
below, in Safe Mode, was with Trend Sysclean (Safe Mode, System Restore off,
etc.), but I get "error 94". Until it got to the error it said no virus found.

I also went to Grisoft and downloaded the tool it said was for removal of
Sasser; about 157 viruses checked, just before the 60 sec countdown box appeared
once online. After rebooting again in Safe Mode etc. I ran it and it said NO virus
found. I also ran AVG AV normally with the latest update, but it said no virus found.

My boss is calling me a liar, even though he saw it restart, he saw LSASS in Task
Manager etc. etc.

Guys, I'm stumped.

As soon as the machine's online the window pops up etc. for reboot, but not if
not connected online.

help!



1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt216.zip

Extract the contents of the ZIP file and place the contents in the same
directory as SYSCLEAN.COM.

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
5) Using the Trend Sysclean utility, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) Re-enable System Restore and re-apply any System Restore preferences
(e.g. HD space to use: suggested 400 ~ 600 MB)
7) Reboot your PC.
8) Create a new Restore point
9) Please report back your results

Dave





| Hi
|
| Bit of a story, hope you're sitting comfortably.
|
| Boss bought a laptop, a 350 MHz Dell, sort of OK machine, came with XP Pro.
|
| The type of guy who doesn't know, doesn't want to know and never listens when you
| tell him!
|
| Had no modem so he bought a USB one; told him not to connect it until he put
| Kerio on. Anyway, I ended up doing that... couldn't install the modem, so I
| did that, and then explained how a firewall works.
|
| He's over my shoulder, I'm telling him to shut up and let me concentrate,
| but what's he do? Whinge non-stop, so when Kerio pops up I hit allow rather
| than deny, and you guessed it, infected with Sasser!
|
| Brought it home, the PC not the boss, went to MS and came across a couple
| of downloads, so downloaded them; says no Sasser at all.
|
| Downloaded and installed AVG, comes up clean
|
| Same again with Norton 2005 trial, which I tell people not to use, and it
| made the PC crawl along so slow my beard grew faster; again said no virus.
| (Not sure if Sasser stopped AV installation.)
|
| Online googling showed what to look for in Task Manager, and it still reboots
| etc.
|
| Can anyone help? AV: nothing says it's on. I know it's on, the PC knows it's on
| as it reboots, but the others don't.
|
| I know no AV can be made until a virus is out, and I can't see it being
| such a new variant that nothing picks it up.
|
| thanks.
|
|
 

Nick FitzGerald

Julian Hales said:

Sorry -- I've not seen the preceding thread and am not going to look it
up, as the following should have been said by anyone competent to give
you "advice" on fixing this, so I'll assume you've either been given
incompetent advice _OR_ that you have not been following the good advice
you've already had.

Arrogant?

Whatever! I am giving you excellent, free advice...

And you do want to fix it, right?

Read on then...
| I tried to remove the LSASS virus ...

There is no such thing. Stop guessing at stuff you clearly don't know
and just tell us the observed facts. It helps diagnosing things no
end...
| ... off XP Pro by doing a couple of things. One, below, in Safe Mode, was
| with Trend Sysclean (Safe Mode, System Restore off, etc.), but I get
| "error 94". Until it got to the error it said no virus found.
|
| I also went to Grisoft and downloaded the tool it said was for removal of
| Sasser; about 157 viruses checked, just before the 60 sec countdown box appeared
| once online. After rebooting again in Safe Mode etc. I ran it and it said NO virus
| found. I also ran AVG AV normally with the latest update, but it said no virus found.
|
| My boss is calling me a liar, even though he saw it restart, he saw LSASS in Task
| Manager etc. etc.

That does _NOT_ mean it is infected with Sasser (though the odds are
very high it will be infected with something that spreads through the
LSASS vulnerability).
| Guys, I'm stumped.
|
| As soon as the machine's online the window pops up etc. for reboot, but not if
| not connected online.

Anyway, what it does tell us is that you are most likely on a badly infested
network _AND_ the machine is not suitably patched with the MS04-011
update, which removes the security vulnerability by which Sasser and many
other currently common things spread.

It also tells us the machine is not running with either the Internet
Connection Firewall enabled or a third-party s/w firewall (usually
called "personal firewalls" or PFWs), AND that you are not behind a
suitable hardware firewall or at least a NAT router.

Simple.

1. Start up in safe mode and enable ICF on _ALL_ your network
connections. If you read the MS04-011 security bulletin:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

you will find details for doing this in the "LSASS Vulnerability -
CAN-2003-0533" sub-section of the "Vulnerability Details" section. Of
course, staying online long enough to read that page may be an issue
but I assume you have access to another, non-affected machine as you
clearly can read and post News...

Restart normally.

Wait a few minutes. If the "shutdown in 60 seconds" dialog does not
appear "as normal", try the former advice again -- it may well work if
you aren't being popped off the network every few minutes...

If you still get the "shutdown..." dialogs, post again.

Even if you do not keep getting restarted, it is quite possible the
machine is infected with a new variant of some bot that is unknown to
your current virus scanners. Removing the LSASS vulnerability with
the MS04-011 patch won't prevent it from continuing to work -- just
prevent other things coming in the same way...
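Nick's reasoning above (reboots only while online, so exploit traffic is reaching LSASS over the network; the machine may also carry a bot the scanners miss) can be checked against the firewall's own log instead of guessed at. The following is an added example for this thread, not code from any of the posters: a small Python script that parses ICF / Windows Firewall style log lines and reports, for the local host, how many distinct remote machines are hitting its LSASS ports, how many of those attempts were not dropped, and how many remote machines it is itself connecting to on those ports, which is what an infected host scanning for new victims looks like. Assumptions: the W3C-style field order ICF writes to pfirewall.log (date, time, action, protocol, source IP, destination IP, source port, destination port), TCP 445 and 139 as the ports the LSASS exploit traffic arrives on, and a constructed log with 192.168.1.5 as the local address. Adapt the field order if you feed it a Kerio log instead.

```python
"""Triage a Windows ICF / Windows Firewall log for LSASS-worm traffic.

Added example for this thread, not code from any poster. Assumes the
W3C-style layout ICF writes to pfirewall.log:
  date time action protocol src-ip dst-ip src-port dst-port ...
Only the first eight fields are used, so extra trailing fields are ignored.
"""
from collections import Counter

# Ports the LSASS exploit traffic (Sasser and similar) arrives on: assumption.
LSASS_PORTS = (445, 139)

# Constructed sample log (not a real capture). 192.168.1.5 is the local host.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-10 09:15:01 DROP TCP 10.0.0.7 192.168.1.5 3412 445 48 S 1 0 65535 - - -
2004-05-10 09:15:02 DROP TCP 10.0.0.9 192.168.1.5 1042 445 48 S 1 0 65535 - - -
2004-05-10 09:15:04 DROP TCP 10.0.0.9 192.168.1.5 1043 139 48 S 1 0 65535 - - -
2004-05-10 09:15:06 OPEN-INBOUND TCP 10.0.0.12 192.168.1.5 2071 445 - - - - - - - -
2004-05-10 09:15:07 DROP TCP 10.0.0.7 192.168.1.5 3413 80 48 S 1 0 65535 - - -
2004-05-10 09:15:30 OPEN TCP 192.168.1.5 10.0.0.1 1058 80 - - - - - - - -
2004-05-10 09:15:31 OPEN TCP 192.168.1.5 10.0.0.33 1059 445 - - - - - - - -
2004-05-10 09:15:31 OPEN TCP 192.168.1.5 10.0.0.34 1060 445 - - - - - - - -
2004-05-10 09:15:31 OPEN TCP 192.168.1.5 10.0.0.35 1061 445 - - - - - - - -
2004-05-10 09:15:32 OPEN TCP 192.168.1.5 10.0.0.36 1062 445 - - - - - - - -
2004-05-10 09:15:32 OPEN TCP 192.168.1.5 10.0.0.37 1063 445 - - - - - - - -
2004-05-10 09:15:33 DROP ICMP 10.0.0.7 192.168.1.5 - - 60 - - - - 8 0 -
"""


def parse_icf_log(text):
    """Return one dict per traffic line; '#' headers and rows without
    numeric ports (ICMP) are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # truncated or malformed line
        date, time, action, proto, src, dst, sport, dport = fields[:8]
        try:
            sport, dport = int(sport), int(dport)
        except ValueError:
            continue  # ICMP rows carry '-' in the port columns
        records.append({"date": date, "time": time, "action": action.upper(),
                        "proto": proto.upper(), "src": src, "dst": dst,
                        "sport": sport, "dport": dport})
    return records


def inbound_lsass_probes(records, local_ip, ports=LSASS_PORTS):
    """Return (attempts per remote source, attempts the firewall did NOT drop)."""
    per_source = Counter()
    allowed = 0
    for r in records:
        if r["proto"] == "TCP" and r["dst"] == local_ip and r["dport"] in ports:
            per_source[r["src"]] += 1
            if r["action"] != "DROP":
                allowed += 1  # this one reached the listening SMB/LSASS service
    return per_source, allowed


def outbound_lsass_targets(records, local_ip, ports=LSASS_PORTS):
    """Distinct remote hosts this machine itself connected to on the LSASS ports."""
    return {r["dst"] for r in records
            if r["proto"] == "TCP" and r["src"] == local_ip and r["dport"] in ports}


def assess(records, local_ip, min_sources=3, min_targets=5):
    """Summarise the log from the local host's point of view.

    under_attack: several distinct remote hosts are probing our LSASS ports
                  (the 'badly infested network' case).
    scanning_out: we are the one opening many LSASS-port connections, which
                  is what an infected host looks like even when AV says clean.
    """
    per_source, allowed = inbound_lsass_probes(records, local_ip)
    targets = outbound_lsass_targets(records, local_ip)
    return {
        "inbound_sources": len(per_source),
        "inbound_attempts": sum(per_source.values()),
        "inbound_allowed": allowed,
        "outbound_targets": len(targets),
        "under_attack": len(per_source) >= min_sources,
        "scanning_out": len(targets) >= min_targets,
    }


if __name__ == "__main__":
    verdict = assess(parse_icf_log(SAMPLE_LOG), "192.168.1.5")
    for key, value in verdict.items():
        print(f"{key:18} {value}")
```

Any non-DROP inbound row on the LSASS ports means the firewall let that connection through to the service, which is exactly the "allow rather than deny" situation from the original post; a non-zero outbound target count is the evidence to look for when every scanner reports clean but the box still misbehaves. The thresholds are arbitrary and only there to turn counts into a yes/no.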
 

Julian Hales

Nick FitzGerald said:
| Sorry -- I've not seen the preceding thread and am not going to look it
| up, as the following should have been said by anyone competent to give
| you "advice" on fixing this, so I'll assume you've either been given
| incompetent advice _OR_ that you have not been following the good advice
| you've already had.
|
| Arrogant?
|
| Whatever! I am giving you excellent, free advice...
|
| And you do want to fix it, right?
|
| Read on then...


| There is no such thing. Stop guessing at stuff you clearly don't know
| and just tell us the observed facts. It helps diagnosing things no
| end...

According to all the websites I checked, it goes from A onwards to about H in
variants.


| That does _NOT_ mean it is infected with Sasser (though the odds are
| very high it will be infected with something that spreads through the
| LSASS vulnerability).

Well, according to all the websites I checked, the items showing in the task bar
relate word for word to what I said.

| Anyway, what it does tell us is that you are most likely on a badly infested
| network _AND_ the machine is not suitably patched with the MS04-011
| update, which removes the security vulnerability by which Sasser and many
| other currently common things spread.

That was the first thing I downloaded; if not that, I also installed
something else from the Microsoft website.
| It also tells us the machine is not running with either the Internet
| Connection Firewall enabled or a third-party s/w firewall (usually
| called "personal firewalls" or PFWs), AND that you are not behind a
| suitable hardware firewall or at least a NAT router.

I'm behind Kerio, which alerted on it, but it was allowed rather than denied.

| Simple.
|
| 1. Start up in safe mode and enable ICF on _ALL_ your network
| connections. If you read the MS04-011 security bulletin:
|
| http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Read it last week.

| you will find details for doing this in the "LSASS Vulnerability -
| CAN-2003-0533" sub-section of the "Vulnerability Details" section. Of
| course, staying online long enough to read that page may be an issue
| but I assume you have access to another, non-affected machine as you
| clearly can read and post News...


The infected machine is not part of my LAN; this machine is.

| Restart normally.
|
| Wait a few minutes. If the "shutdown in 60 seconds" dialog does not
| appear "as normal", try the former advice again -- it may well work if
| you aren't being popped off the network every few minutes...

It only restarts when online; it never did while sat idling.

| If you still get the "shutdown..." dialogs, post again.

Which I did last time I went online.

| Even if you do not keep getting restarted, it is quite possible the
| machine is infected with a new variant of some bot that is unknown to
| your current virus scanners. Removing the LSASS vulnerability with
| the MS04-011 patch won't prevent it from continuing to work -- just
| prevent other things coming in the same way...

I know, which is why I tried it with the latest two I could think of.
 

Gabriele Neukam

On that special day, Julian Hales, ([email protected])
said...
| It only restarts when online; it never did while sat idling.

Aww, the thing comes over *the internet*, and crashes the lsass service,
because it is vulnerable. As long as there is no Internet connection, there
is no call from outside, designed to crash lsass. But if you walk out of
the door without a coat, and it is pouring, you'll get wet, of course.

PLEASE INSTALL the LSASS vulnerability patch from MS04-011. It doesn't
help downloading it; you must *wear*, pardon, install it.


Gabriele Neukam

(e-mail address removed)
 

Julian Hales

Gabriele Neukam said:
On that special day, Julian Hales, ([email protected])
said...


| Aww, the thing comes over *the internet*, and crashes the lsass service,
| because it is vulnerable. As long as there is no Internet connection, there
| is no call from outside, designed to crash lsass. But if you walk out of
| the door without a coat, and it is pouring, you'll get wet, of course.
|
| PLEASE INSTALL the LSASS vulnerability patch from MS04-011. It doesn't
| help downloading it; you must *wear*, pardon, install it.

I did install it, I did, I did, I did.
 

Gabriele Neukam

On that special day, Julian Hales, ([email protected])
said...
| I did install it, I did, I did, I did.

And did it *settle* correctly in the system? The fact that the *lsass*
service crashes as soon as you are online implies that there is
something wrong with this patch; else it wouldn't break down just from
receiving these packets.

I read somewhere that the first version of the LSASS patch did report that it
was installed, but in fact failed to do it correctly (or completely), in
nearly 50% of the cases. It seems your installation was botched in
exactly that way.

The only way to make sure that your computer is properly patched is to
fetch the *newest* version of the fix (preferably with a system that is
not vulnerable, e.g. any old Win9x version or a Linux distribution), and
then

- remove the affected computer from the net
- UNinstall the obviously failed patch
- INstall the new (and hopefully now working) patch

and then check if it is fixed.


Gabriele Neukam

(e-mail address removed)
 

Julian Hales

Gabriele Neukam said:
On that special day, Julian Hales, ([email protected])
said...


| And did it *settle* correctly in the system? The fact that the *lsass*
| service crashes as soon as you are online implies that there is
| something wrong with this patch; else it wouldn't break down just from
| receiving these packets.

Nope, same problem.

| I read somewhere that the first version of the LSASS patch did report that it
| was installed, but in fact failed to do it correctly (or completely), in
| nearly 50% of the cases. It seems your installation was botched in
| exactly that way.
|
| The only way to make sure that your computer is properly patched is to
| fetch the *newest* version of the fix (preferably with a system that is
| not vulnerable, e.g. any old Win9x version or a Linux distribution), and
| then
|
| - remove the affected computer from the net
| - UNinstall the obviously failed patch
| - INstall the new (and hopefully now working) patch

Will see if I can remove 'that' patch from the XP software removal list.

Again I ran the Trend software (Sasser removal?) from Safe Mode, and each time it
checks it says "error - 94"; I can't find a reference to that.

AVG with the latest update doesn't show any virus; not sure if it's a worm though.
 

Nick FitzGerald

"Julian Hales" to "Gabriele Neukam":
| Nope, same problem.

I think 50% is a tad high for the general population...
| Will see if I can remove 'that' patch from the XP software removal list.

Better -- download MBSA from Microsoft and install and run it on a
"good" XP machine at the same SP level as the problem machine, then
locate the XML file it uses for making its checks. Then install
MBSA on the problem machine, copy over the XML file and run MBSA with
the suitable command line to use that specific XML file.

This does much better checking of patch installation than that done
by Windows Update and the patch installers themselves.
 
