lsass.exe Virus - HELP!!!

 
 
skinnz
 
Reply Sun 2 May, 2004 10:50 am
Hi,

Anyone know how to get rid of the virus causing this message? I have tried a bunch of virus scanners but they all miss it.

"This system is shutting down. Please save all... This shutdown was initiated by NT AUTHORITY\SYSTEM.

Message: The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart."

Thanks,

Brian

 
Craven de Kere
 
  1  
Reply Sun 2 May, 2004 03:36 pm
Brian,

This seems like a brand new virus and A2K is getting thousands of hits from it because it gives a similar message as the blaster worm.

It seems like the major AVC software vendors can't remove it yet (though they should be able to soon) so right now we are in the dark and have to guess at manual means for removal.

http://www.securityfocus.com/bid/10108/solution/ That site describes a vulnerability that probably started all this for you. You should patch that.

See if the trojan dumped the files listed on this McAfee write up:

http://vil.nai.com/vil/content/v_100930.htm

I'm also finding references to these files in searches:

76FE.tmp.exe
info.dll
update.dll
rasautou.exe
xax.exe
1B78.TMP.EXE
90E8.TMP.EXE
bg2.dll
spmdll.dll

Some report notepad.exe being overwritten, so try to use notepad and if it doesn't work delete notepad.exe.

If the restarts are coming too fast for you to work on anything, run msconfig and from the services tab uncheck "Windows Security Update (Manufacturer: unknown)".

I have yet to see anyone report a solution or fix, and not having this infection makes it hard for me to guess while in the dark, but this is what I'd do given the info I have:

1) I'd do the msconfig trick above.
2) I'd update my AV definitions.
3) I'd do a Windows update.
4) I'd search for the files mentioned above and copy them to a disk and delete them (copying just in case they are false positives).
5) I'd run a full system scan using both your existing AV software and online ones (let me know if you need links for online ones).
0 Replies
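Step 4 of the post above (find the named files and copy them aside before deleting anything), as an added example that is not part of the original thread. The function names and the quarantine layout are assumptions; the script only hashes and copies, so deletion stays a manual decision once a match has been checked.

```python
import hashlib
import shutil
import sys
from pathlib import Path

# File names quoted in the post above. A name match is only a lead, not proof:
# the post itself allows for false positives, so nothing is deleted here.
SUSPECT_NAMES = {n.lower() for n in (
    "76FE.tmp.exe", "info.dll", "update.dll", "rasautou.exe", "xax.exe",
    "1B78.TMP.EXE", "90E8.TMP.EXE", "bg2.dll", "spmdll.dll",
)}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, quarantine: Path) -> list:
    """Copy every case-insensitive name match under root into quarantine.

    Originals are left in place. Returns one record per match with the
    original path, its SHA-256 and the location of the copy.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name.lower() not in SUSPECT_NAMES:
            continue
        digest = sha256_of(path)
        # Prefix the copy with part of the hash so same-named files from
        # different folders do not overwrite each other. The prefixed name
        # also no longer matches the list if quarantine sits under root.
        copy = quarantine / f"{digest[:16]}_{path.name}"
        shutil.copy2(path, copy)
        findings.append({"path": path, "sha256": digest, "copy": copy})
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage (paths are the caller's choice): script.py <scan root> <quarantine dir>
    for f in triage(Path(sys.argv[1]), Path(sys.argv[2])):
        print(f"{f['sha256']}  {f['path']}  ->  {f['copy']}")
```

The recorded hashes can be compared against a vendor write-up or a known-good copy of the same Windows build before anything is removed.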
 
Craven de Kere
 
  1  
Reply Sun 2 May, 2004 03:39 pm
Here is another write up (in case this is the W32.Sasser.Worm).

http://vil.nai.com/vil/content/v_125007.htm

Try using Stinger ( http://vil.nai.com/vil/stinger ) to remove it as it seems like they updated it within the last few days.
0 Replies
 
Craven de Kere
 
  1  
Reply Sun 2 May, 2004 04:37 pm
Brian,

Here's the best that I found so far, and it was just updated today:

http://www.microsoft.com/security/incident/sasser.asp
0 Replies
 
 
