Weird sasser problem

Somehow I seem to have got the sasser worm, even though in theory I shouldn't be able to. My XP Service Pack 2 machine reboots after giving this lsass error and I have to abort the shutdown by using "shutdown -a". Also, my computer goes slow when I connect to the net. Basically, it has all the traits of the sasser worm being on my computer. However: I have WinXP SP2 installed. I have McAfee antivirus fully updated and it doesn't report any virus. I have a firewall active. I ran Windows Malicious Software Removal Tool and it shows no infections, as did another similar tool (is this because I have installed and ran it after doing "shutdown -a" maybe?). Also, I can't install the patch available from Microsoft because I already have SP2 on my computer so it won't let me. I'm stumped. What is it and what do I need to do?
Look at the Virus Warning thread for the links, but run housecall and download and run TDS-3. What's the full error message? Is it "lsass.exe operation failed click ok"? Does it give the location of the lsass.exe file? I've seen a couple of reports of this on t'internet, but no solutions as of yet. If you're bored and have got time: ctrl+alt+delete, look at all your running processes and google them - see if any are suspicious.
:spangled: Well puzzled, it seems just like the original sasser... :spangled: Do you have this patch: http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx ? Have you tried the Symantec Removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html Also the McAfee Stinger: http://vil.nai.com/vil/stinger/ No other info at the mo I'm afraid...
Ran Stinger last night and it said I was clean. Just installed that patch before and it's having no effect as of yet. And the Symantec Removal tool crashes when it gets to my other 'data' drive that's a bit fucked anyway. Thanks mate.
Have you tried Housecall and TDS-3? Housecall's definitions are updated almost daily so if it's summinck new it might get rid of it. TDS-3 will get rid of it if it has trojan-like tendencies (which sasser does), but you'll need to manually update it (see the website). What's the other drive that you have? It's not an old C drive WinXP installation that you're now using as a slave, is it?
The other drive is just something that still has some data on it that is still useable, hence it still being there. I never access it tho and can't write to it. It's been there since last May. I'm trying the two things you suggested now. Dunno if it helps but I can't log in to certain things such as my hotmail, ebay etc too.
Did you use the most up-to-date MS malware remover? It was only updated on the 8th: http://www.microsoft.com/security/malwareremove/default.mspx Are you trying to log onto hotmail via IE? Try Firefox if you really need access. If you press ctrl+alt+del can you see avserve.exe or xxxxx_up.exe (x being a number)? Also, try http://scan.sygatetech.com/pretrojanscan.html to see if there is an active trojan running.
In order: Yes, I have used the latest version. I will use Firefox if need be. I've had a look at the processes and can't find anything that you or any other sites suggest. The trojan scan didn't find anything either. Nor did Housecall.
The only thing I can suggest is a repair of Windows (boot off xp cd as if you were to install, then when it detects the partition, select the repair option). Once that's done, use Windows update. If no joy after that, I'm at a loss completely - it's almost impossible that you have sasser, especially if you're patched as there's no vulnerability to exploit. :spangled: soz.