Virus alert LSA Shell

Discussion in 'NOD32 version 2 Forum' started by Devin, May 1, 2004.

Thread Status:
Not open for further replies.
  1. Devin

    Devin Guest

    Please help me fast, I don't know how to remove this:

    My comp says that there's something wrong with this program:

    LSA Shell (Export Version)

    And it's located here

    WINDOWS\System32\Isass.exe


    But NOD32 does not seem to find the problem help me.

    The prob is every time I start my Internet some screen shows up and says it's going to restart in ca. 50 sec.

    Help me!!
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Devin,

    Sounds like sasser, databased by NOD32 in update v1.745. Please make sure to update timely. In the meanwhile, give Stinger a go as mentioned in the link provided above.

    regards.

    paul
     
  3. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Make sure you have all security updates from www.windowsupdate.com. If you have Windows XP (or Windows 2000?) enable automatic updates.

    Best regards,
    Anders
     
  4. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
  5. Covert

    Covert Guest

    Oy all- I have it too, but remember: what happens is that the timer starts once you log on to the internet. In 50 seconds you're done, period, so there is no hope of downloading a patch or update. I'm sending this post from work, since logging on from my home computer is a no-go. Additionally, I have a new message that "me (or my computer) is attempting to access <insert seemingly random address here>"

    I wrote down a few...

    186.221.165.51

    or

    57.152.132.85

    but I'm too chicken to go there to see what's in store for me. I dunno :(
     
  6. Dean

    Dean Guest

    Click on "To see what data this error report contains", then click on "to view technical information about the error report". You should see the error file or files

    eg:

    C:\DOCUME~1\user1\LOCALS~1\Temp\WER1.tmp.dir00\lsass.exe.mdmp
    C:\DOCUME~1\user1\LOCALS~1\Temp\WER1.tmp.dir00\appcompat.txt

    Start a DOS window, cd to that location:
    C:\Documents and Settings\user1\Local Settings\Temp\WER1.tmp.dir00>dir
    Volume in drive C has no label.
    Volume Serial Number is 90EE-A830

    Directory of C:\Documents and Settings\user1\Local Settings\Temp\WER1.tmp.dir00

    05/08/2004 07:44 AM <DIR> .
    05/08/2004 07:44 AM <DIR> ..
    05/08/2004 07:44 AM 16,486 appcompat.txt
    05/05/2004 09:29 PM 4,279,898 lsass.exe.hdmp
    05/05/2004 09:29 PM 235,502 lsass.exe.mdmp
    05/08/2004 07:44 AM 1,754 manifest.txt
    4 File(s) 4,533,640 bytes
    2 Dir(s) 1,017,528,320 bytes free

    Then, remove the file(s) that have errors

    Dean.
     
  7. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hi Covert!

    When this window pops up with the shutdown: in the command prompt write 'shutdown -a'.

    izi
     
  8. thecrow

    thecrow Registered Member

    Joined:
    May 8, 2004
    Posts:
    23
    btw
    this is from the Sygate logfile

    is it from a Sasser worm attack?
    I sometimes get these every 10 min

    Somebody is scanning your computer.
    Your computer's TCP ports:
    2745, 1025, 445, 3127 and 6129 have been scanned from 217.132.199.245.
     
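
    Added here as an illustration (not from the thread, Sygate or ESET): a small Python parser for alert text in exactly the form quoted above (the format is assumed from that single post), which pulls out the source address and port list and counts, per source, the scans that included TCP 445, the port through which the LSASS flaw Sasser exploited (MS04-011) was reached. The sample log is constructed and adds two made-up alerts to the one from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the first alert is the one quoted in the thread, the
# other two are made up here so the parser sees more than one entry.
SYGATE_LOG = """\
Somebody is scanning your computer.
Your computer's TCP ports:
2745, 1025, 445, 3127 and 6129 have been scanned from 217.132.199.245.
Somebody is scanning your computer.
Your computer's TCP ports:
80 and 443 have been scanned from 10.0.0.7.
Somebody is scanning your computer.
Your computer's TCP ports:
445 has been scanned from 192.0.2.10.
"""

# TCP 445 is the port over which the LSASS flaw Sasser exploited (MS04-011) is
# reached, so scans that include it are the ones worth correlating with an
# "LSA Shell" crash; the other ports are treated as background noise here.
LSASS_PORT = 445

# One Sygate alert; the port list may continue past the line break shown above.
ALERT_RE = re.compile(
    r"Your computer's TCP ports:\s*(?P<ports>.+?)\s+(?:have|has) been scanned from\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.",
    re.DOTALL,
)

@dataclass(frozen=True)
class ScanAlert:
    source: str
    ports: tuple

def parse_sygate_alerts(text):
    """Turn Sygate 'Somebody is scanning your computer' alerts into ScanAlert records."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        ports = tuple(int(p) for p in re.findall(r"\d+", m.group("ports")))
        alerts.append(ScanAlert(m.group("src"), ports))
    return alerts

def lsass_probes(alerts):
    """Count, per source address, the alerts whose port list included TCP 445."""
    counts = {}
    for alert in alerts:
        if LSASS_PORT in alert.ports:
            counts[alert.source] = counts.get(alert.source, 0) + 1
    return counts
```

    Blocked inbound scans like these are evidence of probing, not of infection; the patch level and host firewall status discussed elsewhere in this thread decide whether such a probe could succeed.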
  9. adeel_461

    adeel_461 Registered Member

    Joined:
    May 10, 2004
    Posts:
    1
     
  10. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    As noted above, you most likely are infected with the Sasser worm and your computer needs to be disinfected. A PC is vulnerable to this infection if the latest MS critical update security patches have not been installed and the PC is not firewalled from the internet. If you're using XP, at least activate the XP firewall.

    See this thread for more info a ways down on the thread: https://www.wilderssecurity.com/showthread.php?t=29140

    Here's a link to McAfee's Stinger utility that removes many common worms/viruses. (Edited to add: looks like Stinger's been updated again so I imagine it covers the current Sasser variants.) http://vil.nai.com/vil/stinger/
     
    Last edited: May 10, 2004
  11. coolwaterstream

    coolwaterstream Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    1
    Hey.. if you are in the middle of downloading a patch or doing something to get rid of this stupid "thing", all you have to do to stop the shutdown countdown is this...

    Go to Start and click Run
    Type in SHUTDOWN -A

    that will stop the shutdown and you can proceed.
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    You got the same problem? Mine started 3 days ago. Fully patched WinXP+SP1 system with latest NOD32 (also latest updates) and I get an Lsass RPC error, very similar to the one which pops up due to Sasser. Formatted the whole disk and reinstalled everything and again I got this. It doesn't matter if I connect to the net or not, I get this. I also use McAfee Personal Firewall 5 Plus, but I think this is not the problem. I'll post the second error picture in the next post since each is limited to only one attachment...
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I found that this Event (found in the Event Log under Application) is related according to the upper thing...

    I'm 390% sure that this is not a Sasser that I know...
    System was scanned with KAV, avast!, avast! Virus Cleaner, HouseCall and NOD32 at highest settings and nothing found. Need help!
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,756
    Location:
    Texas
    Still worth a try to clean it and see if it works.

    http://tinyurl.com/ywbw9
     
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Ok, found another Event Log entry related to NOD32. Looks like IMON conflicts with something o_O
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,756
    Location:
    Texas
    Last edited: Jun 5, 2004
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Ok, I got it. It's no worm. It's IMON. I uninstalled NOD32 and installed it again without IMON and the system works fine. Such an error just doesn't fall from the sky and I think it might be serious. I was testing my system for 3 days and on the second day I got that NOD32 causes this. After that I reformatted the machine and reinstalled. Same s**t. Today I found that third log entry and according to it I disabled IMON and it works now. ESET programmers should take a look around this...
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Anyone? I cannot use email clients because email is not scanned (IMON has to be fully disabled if I don't want to see that LSASS RPC error). I can use webmail instead for the time being, which is protected by AMON, but I hope for some help from the ESET team.
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,756
    Location:
    Texas
    RejZoR

    While you are waiting for Eset, you could use Popcorn to view your mail on the server. If you choose to, you can download what mail YOU believe to be safe.
    Freeware for one account. Read all about it.

    http://www.ultrafunk.com/products/popcorn/
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the lsass issue persists even with the latest version of NOD32 available on our website installed (2.000.9), please email support@nod32.com for the latest version of imon which has the problem eventually solved.
     
  21. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There have been several newer versions of imon made since. You might have a version in which the problem is not completely remedied.
     
  23. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Ok, what now? Has it been fixed? Can I download the fixed (Commercial) version or do I still have to ask support to send me those fix files?
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suggest still asking support; I have only come across 1 in 400+ PCs with this problem. Eset support will be able to email you or give you a link for a newer version of IMON/Nod32.

    Cheers :D
     