Ask Leo! by Leo A. Notenboom

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?


Comments


Some good links for Leo and everyone out there.

Symantec : http://securityresponse.symantec.com/avcenter/security/Content/10108.html

Spyware/Adware/Keylogger/Firewall protection:

On this link look for SpywareBlaster and Spybot - Search & Destroy and download them. They are free and extremely good. http://www.spychecker.com/software/antispy.html

A full choice of software is at http://www.spychecker.com/moresoftware.html

enjoy :-)

Posted by: Jon at September 2, 2004 5:58 AM

Jon: The other locations for lsass.exe seem fine... they're probably in a copy of your installation CD or service pack that's been copied to your hard drive. The buffer overflow attack is probably a report of an external attempt from the internet to exploit your system. Sounds like your firewall is catching it, as it should.

For the record, in Windows capitalization does NOT count - lsass.exe and LSASS.EXE are the same.

Posted by: Leo at September 2, 2004 7:49 PM

Thanks Leo

I got the Lsass.exe mixed up with Lsasss.exe. I copied and pasted a comment from a forum I stumbled across today.

--------------
Lsass.exe is a normal system file on XP. However, it was the target of the Sasser worm and if the system wasn't up to date on security patches it could have gotten hit by that worm. In fact, if the system isn't up to date on security patches there are quite a few baddies that will eat it alive.

Be careful of the spelling too, since about version #5 of Sasser (W32.Sasser.E) places a file on the PC called Lsasss.exe (note the extra letter 's').

If Norton won't scan she has probably been hit. You can take a look Here and download a removal tool Symantec (Norton) has developed. It should work even if the normal AV won't run.

It would also be a very good idea to run an online scan at one of the sites that offer the feature. RAV is good.

Since this now looks pretty much like a virus issue, moving the thread to Security.
--------------

Posted by: Jon at September 3, 2004 7:17 AM
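As an added example (not code from the thread, from Leo, or from Symantec), here is a small Python check that applies the two points made above to a process listing: the genuine lsass.exe is the one running from %SystemRoot%\System32, compared case-insensitively because Windows file names are not case-sensitive, and an image name one edit away from "lsass.exe", such as the Lsasss.exe that Jon's quoted post describes, deserves a look. The listing format ("pid,image_name,path"), the pids and the paths are all constructed for the example, and the System32 location assumes the default XP install root of C:\WINDOWS. It looks at running processes only; extra copies of lsass.exe sitting in an installation-CD or service-pack folder on disk are the harmless case Leo mentions and are not what this flags.

```python
import ntpath
from typing import List, Optional

# Constructed sample process listing in "pid,image_name,path" form (not real data).
# The pids, the misspelled entry and the misplaced entry are made up for this example.
SAMPLE_LISTING = """\
4,System,
580,smss.exe,C:\\WINDOWS\\system32\\smss.exe
652,LSASS.EXE,C:\\WINDOWS\\System32\\lsass.exe
1204,lsasss.exe,C:\\WINDOWS\\lsasss.exe
1388,lsass.exe,C:\\Documents and Settings\\user\\Local Settings\\Temp\\lsass.exe
1500,explorer.exe,C:\\WINDOWS\\explorer.exe
"""

GENUINE_NAME = "lsass.exe"
# Assumed location of the genuine binary: %SystemRoot%\System32 on a default XP install.
GENUINE_DIR = r"c:\windows\system32"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the strings are short, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(name: str, path: str) -> Optional[str]:
    """Return None for an unrelated process, "ok" for the genuine lsass.exe,
    or a reason string describing why the entry deserves a look."""
    lname = name.lower()  # Windows names are case-insensitive: LSASS.EXE == lsass.exe
    if lname == GENUINE_NAME:
        if not path:
            return "lsass.exe with no path information; check manually"
        if ntpath.dirname(path.lower()) == GENUINE_DIR:
            return "ok"
        return f"lsass.exe running from outside System32: {path}"
    if edit_distance(lname, GENUINE_NAME) <= 1:
        return f"look-alike name {name!r} (one edit away from {GENUINE_NAME})"
    return None


def scan(listing: str) -> List[dict]:
    """Parse the listing and return the entries that are not plainly normal."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        pid, name, path = line.split(",", 2)
        verdict = classify_process(name, path)
        if verdict not in (None, "ok"):
            findings.append({"pid": int(pid), "name": name, "path": path, "reason": verdict})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LISTING):
        print(f"PID {f['pid']:>5} {f['name']:<12} {f['reason']}")
```

Run against the constructed listing it reports the misspelled lsasss.exe and the lsass.exe started from a Temp folder, and stays quiet about the capitalised LSASS.EXE in System32. To use it for real, feed it the output of a process lister in the same three-column shape.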

Just wondering what the lasting effects of Sasser are. I bought a new laptop and went to Windows Update to get the patch (ironically to protect it from Sasser) and in about 10 min of being online got hit. I run a firewall at home so I never had any problems.

I'm on the road right now and can't get to my installation disks to reformat and start fresh (with an antivirus program and a firewall). Right now the laptop is powered down with the battery removed; over time will the virus do any more damage?

Posted by: Tony at September 5, 2004 5:37 AM

Once cleaned and patched, there should be no lasting effects. As you note, you definitely want to be running a firewall. On the road, I'd enable XP's built-in firewall.

Posted by: Leo at September 5, 2004 9:55 PM

Hi there, it appears I've been hit with the Sasser bug. My problem is that the virus seems to have struck my administrative rights. It is a personal home computer with only one user, me, yet I can't seem to find the virus with the removal files because it's hiding in System Restore, which I can't disable because I don't have "administrative rights". I've been struggling with this one for a while now, but don't seem to be able to get over this problem. I can't restore either, because again I don't have the right. If you can help, that would be great, thanks!

Posted by: Ambra Dickie at September 6, 2004 12:48 PM

I'd try booting in safe mode (discussed in http://ask-leo.com/my_computer_locks_up_and_wont_boot_what_do_i_do_.html ) or using the recovery console and seeing if you can get at the System Restore files.

Posted by: Leo at September 6, 2004 9:33 PM

What is the path for the shutdown -a statement?

Pete

Posted by: Pete at September 7, 2004 6:01 PM

Turns out not all machines have shutdown.exe. Using another computer you can download psshutdown from sysinternals: http://ask-leo.com/d-sysinternals

Posted by: Leo at September 7, 2004 7:50 PM

OK, my problems start like this.
I'm browsing the net and then the comp just restarts and says that WinXP has recovered from a serious error. Then a little while later I get a message saying that Remote Procedure Call has terminated unexpectedly and shuts down in one min. I thought it was MSBLAST but the Symantec remover tool didn't find anything. I was on the internet during both cases. I patched up RPC after running the remover.
Nothing seems wrong until about a week or two later when the computer won't boot and keeps restarting. I don't know what's going on. This has happened two or three times and reinstalling WinXP is the only way out. Please help.
Thanks

Posted by: basu at September 9, 2004 2:17 AM