kg2199

LSA Shell (Export Version)

I keep getting a message that there is a problem with LSA Shell (Export Version).  A few minutes later Windows NT shuts down & restarts my computer.  What is the problem?
ASKER CERTIFIED SOLUTION
ghana
Some additional explanation about the Sasser worms: In summary, this worm and its variants exploit vulnerabilities in the operating systems Windows 2000/XP/Server 2003 that do not have the security patch MS04-011 installed. The worm does not use email or websites to infect other computers. It directly infects a computer that is connected to the internet. As part of the exploit, the process LSASS.EXE may crash, which can cause the visible symptom with the message about LSA Shell (Export Version).

To remove Sasser from your system you can use the removal descriptions in the links mentioned below. Or you can use an automated recovery tool like McAfee's Stinger or Trend Micro's Damage Cleanup Services (DCS):
Stinger: http://vil.nai.com/vil/stinger
DCS: http://www.trendmicro.com/download/dcs.asp

To prevent similar problems in the future, I would recommend protecting internet-connected computers with all available MS patches. MBSA 1.2 (Microsoft Baseline Security Analyzer) is a free application that is able to check whether all necessary patches are installed on your computer. If not, it will list these patches. In addition, there will be a link to the corresponding security bulletin where you can download the patch. Running MBSA once a week will make sure that your computer is up to date.

Link to MBSA: http://support.microsoft.com/?kbid=320454

Virus descriptions about Sasser.A:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
McAfee: http://vil.nai.com/vil/content/v_125007.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sassera.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A


Virus descriptions about Sasser.B:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021
McAfee: http://vil.nai.com/vil/content/v_125008.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sasserb.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B


Virus descriptions about Sasser.C:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39025
McAfee: http://vil.nai.com/vil/content/v_125009.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C

The new version (variant) of this virus is known as Sasser.F; visit the link to Trend Micro for more info:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.F
(It's new since the last post by ghana.)

Either the Trend Micro or Symantec removal tools for Sasser should do the trick.  Or you can download and run the latest version of Microsoft's removal tool for Sasser...
Link to Microsoft page for Sasser Worm Removal Tool:
http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en


You may also want to check for the Gaobot/Agobot virus as well; it frequently scans for systems that are RPC-vulnerable (or already are infected with Sasser virus).  There are two new versions of Agobot out and about, and they frequently can be found on a system already infected with Sasser.  The Symantec removal tool for Gaobot might help, but it does not search for all known variants of Gaobot.  I would recommend following the Trend Micro instructions for detecting and removing Gaobot, which you can view here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GN
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.TT

Hope this helps.




vadlapatis

hey this works out !!!!!!

I-Worm/Sasser
This worm spreads over the internet by exploiting the MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants from the Saturday first catch.

Go to the link:

http://www.grisoft.com/us/us_ts_removers.php

Download the I-Worm/Sasser removal tool.

Then download the Microsoft patch from:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Then switch to safe mode and execute the removal tool; it removes the sasser.exe files. Then restart, boot into normal mode and load the patch file downloaded from the Microsoft site. Your PC will be alright.

Be careful while downloading: check for the patch that suits your OS.

Hey,

I'm having the same problem, but I can't seem to activate any of your anti-Sassers.
Every now and then, a box appears telling me that there is a problem in the LSA Shell (Export Version), and in a few minutes, another box appears telling me that Windows will shut down and a one-minute timer ticks. If I don't do anything, it DOES shut down...
I only figured out how to stop the timer and the shutting down, but not how to fix the whole problem.
If you could help me, I would really appreciate it.

anthony

Disconnect the network cable.
Enable the Windows XP firewall.
Disable System Restore.
Boot to safe mode.
Download and scan for the virus using Stinger.
To disable the shutdown:

Click Start
Click Run
Type shutdown /a