Computer Problem: I can't get rid of Sasser
May 21, 2004 4:28 AM

I can't get rid of Sasser, it seems. [more inside]
posted by kchristidis to Computers & Internet (15 answers total)
[no there isn't]
posted by ajpresto at 4:41 AM on May 21, 2004

Response by poster: (Note: I was about to post this, when my PC restarted. Gotta love the timing.)

I installed the respective patch (WindowsXP-KB835732-x86-ENU.EXE) as soon as I got notified by the university's mass mailing warning us about the virus. I wasn't infected, but I installed it anyway. That was 3 weeks ago.

Since last week though, I'm having this "random reboots" problem, and checking the "Task Manager" I see there's an "lsass.exe" process running. This isn't good, I know.

To make matters even worse, when I manually choose "Reboot" (from the "Turn Off Computer.." menu), my computer crashes instead and reboots because of the crashing, not because I told it to. The crash is so "slick", I wouldn't even notice it if I didn't get the "checking your hard drive errors" screen on the next boot. When I log in to Windows, it welcomes me with a "your PC recovered from a critical error" message, and gives me this error signature, when I click for "more details".

I re-downloaded and re-installed the MS patch. I tried to reboot; it would do the crash+reboot thing, and on the next boot, I would get the "critical error" message, plus "lsass.exe" is still there in the "Task Manager".

I went to F-Secure's website and downloaded a Sasser-removal tool ("f-sasser.exe"). I ran the program, an MS-DOS window came up displaying lines of file paths one after the other, and I got a "No files infected" message. It's notable that "f-sasser.exe" implements a workaround to prevent the MS04-011 exploit from working (that's the crash+reboot thing). But when I tried to reboot, I got the same crash+reboot, etc.

I gave it a last shot, altering the process and making a few improvements along the way. The instructions that come with "f-sasser.exe" mention that it may be wise to disable "System Restore" because it "might save the infected file into the special folder and copy it back to a hard drive every time it's been deleted by F-Sasser utility".

So, I disable "System Restore", re-install the MS patch, and without rebooting (to avoid the crash+reboot thing), I run "f-sasser.exe". I get a "No files infected" message once again. To protect myself even further from the crash+reboot thing, I now choose to "Turn Off" the computer (instead of "Reboot", in hopes that I don't call the crash+reboot thing). I turn on the computer after a while, only to see the "checking your hard drive for errors" screen (which means it crashed, once again), and to have Windows welcome me with the same "Your computer recovered from a critical error" message. Oh, and "lsass.exe" is still here.

I've run out of solutions. Any helpful tips on what to do would be greatly appreciated.
posted by kchristidis at 4:41 AM on May 21, 2004

Response by poster: [ajpresto, look at the first line of my post]
posted by kchristidis at 4:42 AM on May 21, 2004

Best answer: Just having lsass.exe running isn't a sign of infection, as far as I know -- it's a Windows process that's part of the OS. Is there anything else that makes you think this results from Sasser? Have you tried the "Check PC for infection" tool at this Microsoft page? Do you have a firewall between you and the network?
posted by Zonker at 5:09 AM on May 21, 2004

Best answer: From Task List Programs:

Windows NT4/2000/XP/2003 only. LSASS is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server (in technical jargon: it generates the process that is responsible for authenticating users for the Winlogon service).

There is a caveat, however: If the file lives somewhere other than c:\winnt\system32\lsass.exe or c:\windows\system32\lsass.exe, or is actually lsasss.exe, you may be infected with something. Confirm these points first.

If it's not a virus, there have been a couple of threads (SEE: 6763, 6792) about Windows machines randomly rebooting. It generally points to a hardware issue involving an insufficient power supply, bad RAM, or a dying motherboard. Have you added any new hardware lately?
posted by Danelope at 5:36 AM on May 21, 2004

Do you have any other virus checking running? From your description in the question it almost sounds like you do not scan for viruses (virii?) regularly. Just go to McAfee and run their Freescan.

Also update your pc with all updates from windowsupdate, not just the sasser patch.
posted by sebas at 6:17 AM on May 21, 2004

Try using Stinger.exe from McAfee. It's an anti-virus tool that will fit on a floppy if needed. If you have the ability to burn a bootable CD, make a BartPE bootable CD, boot from it, and run Stinger. When you boot from a CD, the virus won't start, and you can clean it.

Stinger is not a substitute for full anti-virus software, but it's a good tool in a crisis. On preview, what sebas said.
posted by theora55 at 6:21 AM on May 21, 2004

You might also want to run Ad-Aware, just to see if that finds anything nasty. Those things really do seem to accumulate on your average computer, and it's free anyway - worth a shot.
posted by milovoo at 8:00 AM on May 21, 2004

Best answer: How to kill Sasser

Ctrl-Alt-Del to Task Manager->Processes.
End any process named avserve.exe or similar.
End any process named *_up.exe, where * is 4-5 digits.

How to remove Sasser
Download this removal tool
Disable System Restore by right-clicking My Computer and going to Properties.
Checkmark the box "Turn off System Restore".
Run the Removal Tool.
Re-enable System Restore.
posted by linux at 9:32 AM on May 21, 2004

Best answer: Note: if you do not find any processes called avserve*.exe or *_up.exe, then your problem is NOT Sasser.
posted by linux at 9:33 AM on May 21, 2004
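A small triage script, added here and not from any poster, that applies the rules given in this thread (linux's avserve*.exe / *_up.exe process names and Danelope's lsass.exe path and name check) to a constructed Task Manager listing:

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Rules from the thread: avserve*.exe and NNNNN_up.exe are Sasser's own process
# names; lsass.exe is a normal OS process unless it runs outside System32 or is
# really "lsasss.exe" (extra 's'). Everything below is an added illustration.
SASSER_NAME_RE = re.compile(r"^(avserve\d*\.exe|\d{4,5}_up\.exe)$", re.IGNORECASE)
LSASS_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

def triage_process(name: str, path: str) -> Optional[str]:
    """Return a reason if the (name, full path) pair looks suspicious, else None."""
    lname = name.lower()
    if SASSER_NAME_RE.match(lname):
        return "Sasser process name"
    if lname == "lsasss.exe":
        return "lsass look-alike (extra 's')"
    if lname == "lsass.exe":
        parent = str(PureWindowsPath(path).parent).lower()
        if parent not in LSASS_DIRS:
            return "lsass.exe running outside System32: " + path
    return None

def triage(processes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag suspicious entries from a (name, path) process listing."""
    return [(n, r) for n, p in processes if (r := triage_process(n, p))]

def looks_like_sasser(processes: List[Tuple[str, str]]) -> bool:
    """linux's rule: no avserve*/NNNNN_up process means the problem is not Sasser."""
    return any(SASSER_NAME_RE.match(n.lower()) for n, _ in processes)

# Constructed sample listing, as Task Manager might show it on an infected box.
SAMPLE_PROCESSES = [
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),       # legitimate
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),  # legitimate
    ("avserve2.exe", r"C:\WINDOWS\avserve2.exe"),           # avserve variant
    ("51234_up.exe", r"C:\WINDOWS\system32\51234_up.exe"),  # NNNNN_up pattern
    ("lsasss.exe", r"C:\WINDOWS\lsasss.exe"),               # look-alike name
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_PROCESSES):
        print(f"{name}: {reason}")
    print("Sasser indicators present:", looks_like_sasser(SAMPLE_PROCESSES))
```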

Additional Note: Once you are done cleaning your system, run a personal firewall. I prefer Kerio, as I find ZoneAlarm annoying, and it is free if the Web module, which prevents popups and ads, is disabled. I run Firefox, so that aspect is already covered.
posted by linux at 9:36 AM on May 21, 2004

I cleaned up a neighbor's computer recently and following the steps in the Microsoft link that Zonker posted worked perfectly.
posted by maurice at 9:39 AM on May 21, 2004

Response by poster: It seems I'm in much bigger trouble.

First of all, thank you everyone for your replies. The MS page says that my PC is not infected. The filename's "lsass.exe" (with two "s") and it's in "C:\Windows\System32". No hardware added lately. I've got Ad-aware installed and I run it regularly. I update my PC with all Windows updates regularly. No antivirus installed (="asking for trouble").

I ran McAfee FreeScan. As I had already guessed thanks to your informative posts, it showed no signs of Sasser.

But. It found that the following files are infected with the BackDoor-ACH virus:
- C:\WINDOWS\system32\regsrv.exe
- C:\WINDOWS\Temp\tapisrv.exe
- C:\WINDOWS\winampw.exe

I checked that other AskMe thread where suggestions for the best free antivirus programs are made, and I downloaded what seemed to be a common favorite, AVG 6.

I installed it, rebooted my PC, let it scan my drives, it identified the 3 files as being infected with "BackDoor.Optix".

Problem #1: In the case of "regsrv.exe", the "Virus Removal" window came, and its "explanation" paragraph read: "The virus cannot be removed from the infected object by healing. The entire infected object must be removed. Click the "Move to VIRUS VAULT" button to safely remove the infected object. The infected object may be accessed or restored later if needed. Or click "Ignore This Virus" and the infected object will remain on your computer unchanged. We recommend you select the "Move To VIRUS VAULT"."

- My common sense says this is a critical system file so I'm afraid to remove it. What can I do?

Problem #2: It said it healed "winampw.exe" and "tapisrv.exe". But now, every time I try to run an executable file I get a "cannot find the *.exe file" message, or "check for driver path", etc. It's insane.

So, I undeleted "winampw.exe" from the "Virus Vault" (=brought back the infected file). Now all of my executable files run normally.

- So problem #2 is: I can't let "winampw.exe" get healed because then I won't be able to run any executable files on my computer. How can I remedy this craziness?

I'd appreciate all the help I can get on this, folks. I'd appreciate it immensely.
posted by kchristidis at 3:19 PM on May 21, 2004

Best answer: To address #1, I don't believe regsrv.exe is a vital system file. If it were, the fact that it's infected by a virus would have hindered its operation. There are common (actual) system files that begin with "regsvr", but that's different than what you've encountered.

In my experience, "healing" files works so infrequently that it's not worth the effort or the (false) sense of security. If it's infected with a virus, delete it and delete it fast.

To address #2, the reason this is happening is because the virus has told Windows to run all executables by passing them to winampw.exe. The file with this name merely passes along the execution, and likely attempts to re-infect a machine if other copies of it have been deleted. This ensures the virus stays in place. (It's likely the virus has already propagated elsewhere since you restored the file.)

Open up the Registry Editor (Start > Run > regedit.exe) and look at HKEY_CLASSES_ROOT\exefile\shell\open\command and HKEY_CLASSES_ROOT\exefile\shell\runas\command. These values should contain a pointer back to winampw.exe. On a clean Windows 2000 (and likely XP as well) install, the values for both are "%1" %*. Unfortunately, this same technique may have been used in a variety of places and associated with a variety of executable files, so searching for "winampw.exe" may be the only method to find them all.

You probably won't like my final advice, but it's the best advice you will receive: back up all of your data (making sure to include your Outlook .PST files and browser bookmarks), reformat your hard drive, and perform a clean install ASAP. If your computer has been compromised by a backdoor (or several backdoors), nothing on your system can be trusted until you have done so. There's no way to determine what the viruses or the (prospective) script kiddies have done to your machine after it was backdoored, so there's no way to determine what your machine might be doing in the background. This could include anything from participating in DDoS attacks to being used as a browser proxy to relaying spam and so on.

As the old saying goes, take off and nuke it from orbit. It's the only way to be sure.
posted by Danelope at 5:28 PM on May 21, 2004
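An added example (not Danelope's or the thread's own code) that applies the registry check above to a constructed .reg export: it reads the two exefile command values, reports any program interposed in front of "%1" %*, and searches every value for winampw.exe as suggested.

```python
import re
from typing import Dict, List, Tuple

# Clean default for the exefile shell commands on Windows 2000/XP, as given in
# the thread: run the file itself ("%1") with the remaining arguments (%*).
CLEAN_COMMAND = '"%1" %*'
WATCHED_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\runas\command",
)
# A hijacked value puts an interposer program (quoted or bare) before "%1" %*.
INTERPOSER_RE = re.compile(r'^\s*"?(?P<exe>[^"]+?\.exe)"?\s+"%1"\s+%\*\s*$', re.I)

def parse_reg_export(text: str) -> Dict[str, str]:
    """Minimal reader for the default (@) value of each key in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]  # drop the @=" prefix and closing quote
            values[key] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return values

def audit_exefile_commands(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, interposer-or-raw-value, repaired value) per deviating key."""
    findings = []
    for key in WATCHED_KEYS:
        value = values.get(key, "")
        if value.strip() == CLEAN_COMMAND:
            continue
        m = INTERPOSER_RE.match(value)
        findings.append((key, m.group("exe") if m else value, CLEAN_COMMAND))
    return findings

def find_references(values: Dict[str, str], needle: str = "winampw.exe") -> List[str]:
    """Danelope's tip: search every exported value for the suspect filename."""
    return [k for k, v in values.items() if needle.lower() in v.lower()]

# Constructed .reg export resembling the hijack described in the thread.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\winampw.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, bad, good in audit_exefile_commands(parse_reg_export(REG_SAMPLE)):
        print(f"{key}\n  interposer: {bad}\n  restore to: {good}")
```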

Response by poster: Dan, thank you for taking the time to write such a detailed and informative reply; I appreciate it.

I was coming here to post an update on my situation, when I saw your message. I have managed to work around problem #2, implementing a fix similar to the one you suggested. I found the solution here. So, problem #2 solved (and thank you for the tip to search for other "winampw" instances in the registry - just did it, no other instances found.)

Now, in what concerns problem #1: I did a bit of Googling, stumbling upon a post that treated "regsrv.exe" as a non-important file. I just read your post claiming the same, so I went ahead, killed the "regsrv.exe" process using the Task Manager, ran AVG and "healed" that file too. So, I guess problem #1 is also solved.

Now, according to AVG, my PC is 100% clean (no infected files). I also searched my computer for those files that were infected ("winampw.exe", "regsrv.exe" and "tapisrv.exe"); it seems they're gone too.

Question: when AVG says it's healed a file, does it mean it removes it too? It doesn't make sense to do, but that seems to be the case here.

Despite the happy messages AVG is giving me now, I'm seriously considering your last words of advice (that is, I can see you have a major point). From a geek point of view, setting up a new system from scratch can be fun (and I've been there lots of times), but my current setup contains lots of programs, and I've fine-tuned the options in each and every one of them; thus, the idea of "formatting" the drive doesn't look so appealing. But security is security, so I guess I have no other option than biting the bullet and formatting the drive.

[By the way, lesson learned; antivirus (AVG) installed and firewall (Agnitum Outpost) is being set up as we speak.]
posted by kchristidis at 5:56 AM on May 22, 2004
