Fellas, I am down in a big way. I have a friend who is working on a fix, but as of right now I am 100% completely down. Sasser inundated me. The computer comes on and shuts right back down. I have a funny feeling I will be down for a few weeks at least. My AC at the house just took a dump on me Sunday evening too, and I am looking at several thousand bucks for that So I will still be working and helping, but on a more limited basis. I will attatch this on my dealer forum, so anyone who asks will be able to see it, but I wanted it in general so if you guys see a question about S-F not responding very quickly, you can direct them there. Thanks, Seth "no computer" A.
see your other post Good Luck........ Once you Get back online, Get a Good AntiVirus with AutoUpdate and Kerio Personal Firewall.... Kerio has the Added advantage over some that activaly Scans not only Incoming and Outging Connections but ANY program that trys to Start up on the system. if it has not been seen before it pops up and asks your permission before the program is allowed to run also any program that has been changes since the last time you ran it, your alerted to that, probally the best firewall I have ever USed
Easy fix Seth. Download the Sasser removal tool. http://securityresponse.symantec.com/avcen...er/FxSasser.exe and start running it. It should stop the reboots and remove the worm. Then go to windows update http://windowsupdate.microsoft.com/ and download and install all the critical updates. That should fix you up. B)
Is this the "program" labeled "lsass" in the [control/alt/delete] box? My friend has this and it throws up a window that says something of the effect, " blah blah blah...quit/save all information...your computer will shut down in 45 seconds". Then, there's a countdown. If this is it, I'll be sure to bring this fix over in the morning...and I'll tell him to be a bit more cautious when d/l crap off the internet. Thanks
no that is not sasser http://www.liutilities.com/products/wintas...slibrary/lsass/ lsass - lsass.exe - Process Information Process File: lsass or lsass.exe Process Name: Local Security Authority Service Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service. Company: Microsoft Corp. System Process: Yes Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No Common Errors: N/A Just take a Upto date Virus Software with you... What exactly is it doing, and how did you come to the conclusion is was sasser?
also note there are currently 6 varaints on the net of the sassar worm varaints a-f f being added to the list 5/10 so I am sure we can expect more varaints soon
Mine is an interesting variant in that it will not allow a keystroke. I am offered no warning, just an immediate shutdown. My anti-virus and firewall were both updated the day before it surfaced in my computer, so they were useless. When the computer stays booted for a few minutes I can see both my firewalls and both my anti-virus have been disabled. A note, I use ME. While it is indicated that ME and older OS are not affected, it seems to be a fairly common belief that MS just doesn't want to create a patch and offer support for OS platforms they are no longer selling... let's save money at the customers expense Unfortunately, being the moron I am, I continued to start the computer and drive it deeper into the drive. Everytime I started the computer it degenerated more. Downloading the repair would be great if: 1) I could get online with the computer and 2) If MS would admit older systems are affected and create a repair patch of ME OSs
well it is not MS that need to admit it in reality MS never admits anything until the security compaines put it out there the lsass vularablity would not have been admitted by MS direction until Sasser came out to the begin with However, I would Highly Advice Upgrading or DOWNGRADING from ME, ME in by FAR the worst windwos version out 98 was ALOT better 2000 was better yet XP is ok if your system has the Resources to pull it off also how did you come to know it was sasser????? it does not really sound like sasser here is what that worm does When W32.Sasser.F.Worm runs, it does the following: 1. Attempts to create a mutex named billgate and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time. 2. Copies itself as %Windir%\napatch.exe. Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location. 3. Adds the value: "napatch.exe"="%Windir%\napatch.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows. 4. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer. 5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts. 6. Retrieves the IP addresses of the infected computer, using the Windows API, gethostbyname. Note: The worm will ignore any of the following IP addresses: * 127.0.0.1 * 10.x.x.x * 172.16.x.x - 172.31.x.x (inclusive) * 192.168.x.x * 169.254.x.x 7. Generates another IP address, based on one of the IP addresses retrieved from the infected computer. * 25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, C and D will be random. * 23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, B, C, and D will be random. * 52% of the time, the IP address is completely random. Notes: * Because the worm creates completely random addresses 52% of the time, any IP address can be infected, including those ignored in step 6. * This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow and barely usable. 8. Connects to the generated IP address on TCP port 445 to determine whether a remote computer is online. 9. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996. 10. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe. 11. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute. 12. Creates a file at C:\win2.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
BTW, I don't know if it is in fact sasser. I just assumed that because the program closing down my friends computer was "lsass", so I thought that was just a different way of "spelling it". We can stay on his computer for no more than about 5 minutes before it tells us to save any current data in use, and shut down any software currently being run. It then gives a 45 second countdown...Also, about a week ago, whatever the problem is also disallowed him to open any document/program. You could double click it, and nothing would happen. The screen would blink for a quick second...and that was it. He's runnng XP, btw. On a sidenote, he is a bit of an idiot, though. He has a dsl connection with whatever "firewall" software Verizon gave him...and he doesn't have any virus software ...and he frequently downloads content from Kazaa. Maybe this is his come uppance?? Anyway, I'll tell him to take his computer and throw it off the roof...
If you have ME (aka the bastard child of 98) you cant get the sasser worm. I dont belive it has the same service to have the vunerability. You probably have another type of virus.
Your Friend (this is getting Compliacted with 2 of you asking question so I will probally split this post) proablly does have the sasser worm see Item 11 of my List above the LSASS.exe is a System program, but the sasser virus uses that program for is exploit. and then crashes it which in turn crash's the PC
I got a new hard drive today, and upgraded my RAM too. I am hoping to be up and running tonight. I need some links. Manufacturers, stores, etc. I am wiped out right now, and need to start from scratch. Thankfully I had alot of free time this weekend and got my center channel finished . Pics forthcoming. So I hope to rejoin you fellas this evening.
I haven't been able to access my e-mails bud. As soon as I am able to I will let you know if I know anything
he did not tell you......... He miss shipped it to me, and "hope" I will be Nice and ship it to you He does not know me really well :lmfao: :lmfao: :lmfao: :lmfao: :lmfao: :bye: h34r: :angry: :lmfao:
