
blaster/sasser worm

Discussion in 'Security and Privacy' started by blingy, 2004/06/09.

Thread Status:
Not open for further replies.
  1. 2004/06/09
    blingy

    blingy Inactive Thread Starter

    Joined:
    2004/01/17
    Messages:
    21
    Likes Received:
    0
    I have only a few seconds... I have this worm, my PC keeps shutting down. Does anyone have any removal tips or removal tools or links to them I can quickly download? I'll keep checking back once my PC is up and running again.

    thanks!
     
  2. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Is it Blaster or Sasser? Blaster gives a message about the RPC service, Sasser about lsass.
     


  4. 2004/06/09
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Yes I do... The first thing that you need to do that will help stop it from shutting you down is to "enable your firewall" (ICF that comes with Windows XP)... Then go to www.microsoft.com for the patch and then to www.symantec.com for the removal...

    Keep us posted...
     
  5. 2004/06/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Good idea, but too late - won't stop the shutdown.

    How to stay on line long enough: article here http://www.pcmag.com/article2/0,4149,1217741,00.asp

    Excerpt from the article:

    quote
    On most machines Blaster triggers a Windows shut down sequence with a 60-second warning, leaving no time for downloading. Your first step is to abort the shutdown by entering the command "shutdown /a" (no quotes) in the Start menu's Run dialog
    end quote

    Regards - Charles
     
  6. 2004/06/09
    blingy

    blingy Inactive Thread Starter

    Joined:
    2004/01/17
    Messages:
    21
    Likes Received:
    0
    I think it's lsass... I'm on my way out but I will deal with it when I am back and use a networked PC to check this board.

    If all fails I think I may reformat my drive since it's a mess anyhow and I need to start fresh BUT... I have tons of emails I can't afford to lose...

    I know there is an Outlook Express directory somewhere containing all my folders and mails that I can copy over to my D drive while I format... Can anyone guide me there and maybe suggest how to import that back into a fresh OE?

    many thanks in advance!
     
  7. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  8. 2004/06/09
    blingy

    blingy Inactive Thread Starter

    Joined:
    2004/01/17
    Messages:
    21
    Likes Received:
    0
    OK, I've done the 'shutdown /a' command in the run prompt and have run both the sasser and blaster worm removal tool and still nothing has helped, both programs say they haven't found it... I'm still being prompted with the NT authorities... windows is shutting down countdown window.

    I'm stuck =(
     
    Last edited: 2004/06/09
  9. 2004/06/09
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I am as confused as I'm sure others are. There are only two well-known things that do the shutdown and you say you have done both removals on both of them.

    When I had to do the removals for sasser, one of the requirements was to do an end task in the task manager for lsass.

    The second one was to enable the firewall (built in by XP)

    The third was the patch from Microsoft.

    The fourth was the removal.

    All in that order. Yes you have to move fast on the first two, and then it was possible to do the last two. I know this has been very aggravating for you but can you try the above and report back. If the box that comes up does not have the words "lsass" at the top left side, then my guess would be there are other issues pending...
     
  10. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The shutdown /a command should give you about three hours. There must be a space after shutdown when typed. You can also try resetting the RPC service. Start>run, type services.msc, hit enter. Locate Remote Procedure Call and right click>properties. Reset all to restart the service and OK out. Master Green is right about the firewall in one respect. You don't have to be infected to get the shutdown, only unprotected. Incoming attacks alone can shut it down, and a running firewall will stop that. Have you been to Windows Update yet? Can you post a HijackThis log? Do an online virus scan?

    RAV

    Housecall
     
  11. 2004/06/09
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
  12. 2004/06/10
    blingy

    blingy Inactive Thread Starter

    Joined:
    2004/01/17
    Messages:
    21
    Likes Received:
    0
    Mastergreen, I will give your suggestions a try but first I have a few questions to your response:


    When I had to do the removals for sasser, one of the requirements was to do an end task in the task manager for lsass. <<<< Does this need to be done immediately? I do this while the countdown window is onscreen and I do not see it.

    The second one was to enable the firewall (built in by XP)

    The third was the patch from Microsoft. <<< Which patch am I downloading?

    The fourth was the removal.

    In the shutdown box the only indication that it's the sass virus is that it points to my system32/lsass.exe file as having encountered a problem.

    After doing the first 3 I should run the removal tools then as I've typed shutdown /a and have prevented my PC from shutting down, run both blaster and sasser worm removal tools as well as a few online scans and they all showed my system as being clean.
     
  13. 2004/06/10
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    There may be other issues going on. I never try to give in to a computer but I think your computer needs to be taken to a computer tech. This way he/she can see what's exactly happening. Otherwise we may be days trying to figure this out and I'm not so sure you want to... When a problem gets posted here, someone is always able to provide good support and information but for now I will speak for myself, and go with my suggestion... Keep us posted...
     
  14. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  15. 2004/06/10
    blingy

    blingy Inactive Thread Starter

    Joined:
    2004/01/17
    Messages:
    21
    Likes Received:
    0
    I will give these a try and end up formatting I think... When I try to end task lsass it states 'it cannot end the process as it's an important running function' or something to that nature...

    I'll give the patch a try and some removal tools, if not I'll reformat... Either way I'll keep you guys posted. Thanks for your tips!


    If I have any more questions I'll be sure to post them here!
     
  16. 2004/06/10
    blingy

    blingy Inactive Thread Starter

    Joined:
    2004/01/17
    Messages:
    21
    Likes Received:
    0
    Hmm... I've downloaded the patch and that has seemed to stop my PC from shutting down, however I cannot delete the lsass.exe. I can go into wn32 and delete the application but it comes back... and it sits in my task manager but it cannot be removed. None of my removal tools recognize it either! Is there anything else I can do?
     
  17. 2004/06/10
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You cannot delete the Lsass.Exe file, it is a legitimate Windows file. Windows XP keeps putting it back from the C:\Windows\System32\Dllcache folder, as it should be there. This file is not the worm, it's a process that is exploited by it.
     
  18. 2004/06/10
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Now try and see if you can go to www.symantec.com and find the removal tool for it...
     
  19. 2004/06/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Sasser drops a file lsasss (note the extra letter). Lsass is normally the legit windows piece that needs to run.
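
Added example, not part of the original thread or any poster's code: a check for the two cases the posts above distinguish, a look-alike name such as lsasss.exe and a correctly named lsass.exe running from somewhere other than System32. The sample paths are constructed, and the function names, the C:\Windows install path and the edit-distance threshold of 1 are assumptions of this example.

```python
import ntpath

# Legitimate image name -> directory it is expected to run from (per the thread).
# Assumes Windows is installed in C:\Windows.
EXPECTED_HOME = {"lsass.exe": r"c:\windows\system32"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return 'ok', 'wrong-path', 'lookalike' or 'unrelated' for one image path."""
    directory, name = ntpath.split(image_path.lower())
    for legit, home in EXPECTED_HOME.items():
        if name == legit:
            # Right name: only trusted when it runs from the expected folder.
            return "ok" if directory == home else "wrong-path"
        if edit_distance(name, legit) <= 1:  # assumed threshold: one character off
            return "lookalike"
    return "unrelated"


def suspicious(image_paths):
    """Keep only the paths that imitate a protected system process."""
    verdicts = [(p, classify(p)) for p in image_paths]
    return [pv for pv in verdicts if pv[1] in ("wrong-path", "lookalike")]


# Constructed sample process list, not taken from the thread.
SAMPLE = [
    r"C:\Windows\System32\lsass.exe",    # the legitimate process
    r"C:\Windows\System32\lsasss.exe",   # extra letter, as Newt describes
    r"C:\Windows\Temp\lsass.exe",        # right name, wrong folder
    r"C:\Windows\System32\svchost.exe",  # unrelated process
]

if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE):
        print(f"{verdict:10} {path}")
```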
     
  20. 2004/06/12
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    What kind of firewall are you using?

    And, if you are using XP, delete all of your prior Restore Points. (Sorry to those who think I sound like a broken record!)

    Johanna
     