LSA Shell Probs and others

  Lady Lara 23:26 02 Apr 2005
I am getting an LSA Shell (Export Version) error and Windows then tries to shut down using the NT Authority thing. Have done an AVG update and scanned the system... nothing found!!!

When I reboot I get backdoor trojans (collected 5L and trojan backdoor sdbot 158). Selected delete and heal each time, told it was done.

Stopped System restore and ran scan in safe mode. Nothing found.

Reboot in Normal mode and hey presto, system sluggish and more viruses found.

HELP !!

  VoG II 23:29 02 Apr 2005

Start, Run, type

shutdown -a

and click OK.

Run Stinger click here

Go to Windows Update and get them all.

  SANTOS7 23:35 02 Apr 2005

click here - the LSA Shell error is related to (Sasser). The link will help......

  Lady Lara 23:37 02 Apr 2005

Am running Stinger and AVG has jumped in twice to say it has found the viruses again. Stinger is showing nothing at present.

  tasslehoff burrfoot 23:41 02 Apr 2005

he's absolutely right!

(although, just to clarify - do the start run when the box comes up saying "RPC" doodah "shutting down in 60 seconds")

Cheers (and sorry VoG!)

Tas

  Lady Lara 23:48 02 Apr 2005

am doing the start / run / shutdown -a thing just to stay online with you guys

  VoG II 23:53 02 Apr 2005

Online scan click here

  Lady Lara 23:55 02 Apr 2005

VoG

It won't load the program to run the scan... gets to 90% (ish) then fails. Am looking here while stinger finishes...

click here

see red text area

  tasslehoff burrfoot 23:56 02 Apr 2005

How Can I Remove the Sasser worm?

Follow these steps in removing the Sasser worm.

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

* Open the Windows Task Manager by either pressing CTRL+ALT+DEL, selecting the Processes tab or selecting Task Manager and then the process tab on WinNT/2000/XP machines.
* Locate one of the following programs (depending on variation), click on it and End Task or End Process

avserve.exe
avserve2.exe
skynetave.exe
any process running with the "_up.exe" suffix

* Close Task Manager

3) Activate the Windows XP Firewall (if running Windows XP) or another firewall to prevent the worm from shutting your system down while downloading the patches. To activate the Windows XP firewall, follow these steps.

* Click on Start, Control Panel
* Double-click on Networking and Internet Connections, then click on Network Connections
* Right-click on the connection you use to access the Internet and choose Properties
* Click on the Advanced Tab and check the box
"Protect my computer and network by limiting or preventing access to this computer from the Internet"
* Click OK and close out of the Network and Control Panel

4) Download and Install the patches for the LSASS Vulnerability and others

* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server™ 2003
* Microsoft Windows Server 2003 64-Bit Edition

5) Remove the Registry entries

* Click on Start, Run, Regedit
* In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

* In the right panel, right-click and delete the following entry

"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"

* Close the Registry Editor

6) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

* Click Start, point to Find or Search, and then click Files or Folders.
* Make sure that "Look in" is set to (C:\WINDOWS).
* In the "Named" or "Search for..." box, type, or copy and paste, the file names:

avserve.exe
avserve2.exe
skynetave.exe
C:\win2.log
* Click Find Now or Search Now.
* Delete the displayed files.
* Empty the Recycle bin

7) Reboot the computer and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.

For Automatic Removal of Sasser, download the Symantec removal tool, you'll still need to download the patches above and install them, however this removal tool will stop the Sasser worm from running, remove the items in the registry, and delete the infected files.

copied from click here

word of warning, using regedit can cause problems, make sure you understand the instructions and follow them exactly (and maybe verify they are correct on other sites via google).

I really hope this works.

Cheers

Tas
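A read-only triage script, added here as an example (it is not part of the thread or of the copied removal instructions), that checks a host for the indicators the steps above list: the worm process names, Run-key values pointing at them, the dropped files under %Windir%, and C:\win2.log. It assumes PowerShell is available on the machine, which the 2005-era XP box in this thread would not have had; it reports and does not kill or delete anything.

```powershell
# Sasser indicator check (added example). Reports only; clean-up stays manual,
# as in the steps above, or via the vendor removal tool.
$names  = 'avserve.exe', 'avserve2.exe', 'skynetave.exe'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Running processes matching the listed names or the "_up.exe" suffix.
foreach ($p in Get-Process) {
    $exe = "$($p.ProcessName).exe"
    if ($names -contains $exe -or $exe -like '*_up.exe') {
        $findings += "process: $exe (PID $($p.Id))"
    }
}

# 2. Autostart entries under the Run key whose value references a worm file.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        foreach ($n in $names) {
            if ("$($prop.Value)" -like "*$n*") {
                $findings += "run key: $($prop.Name) = $($prop.Value)"
            }
        }
    }
}

# 3. Dropped executables in %Windir% and the log file the steps mention.
$paths = ($names | ForEach-Object { Join-Path $env:windir $_ }) + 'C:\win2.log'
foreach ($f in $paths) {
    if (Test-Path $f) { $findings += "file: $f" }
}

if ($findings.Count -eq 0) {
    'No Sasser indicators found.'
} else {
    'Sasser indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

A clean result here does not replace patching: the LSASS hole stays open until the update in step 4 is installed, so the machine can be reinfected the moment it is back on the network.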

  VoG II 00:02 03 Apr 2005

Not a lot of point looking at other people's HJT logs.

You can post one if you like. HJT from click here and destructions click here

You will need to post it in sections because of the 800 word limit on this site. Also please double space it by adding a blank line every other line.
