Why won't virus scans find Sasser?

Posted on 2004-11-05
Medium Priority
Last Modified: 2011-10-03
I am getting the following error reports every time I go online:

The error: "C:\Windows\system32\lsass.exe terminated unexpectantly with status code -1073741819"

LSA Shell (Export Version) has encountered a problem and needs to close. We are sorry for any inconvience.

The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. The shutdown was initiated by NT Authority\SYSTEM.
The system process "C:\winnt\system32\lsass.exe' terminated unexpectedly with status code 128. The system will now shutdown and restart.

From what I have read, this is symptomatic of the Sasser worm. I have updated Norton, downloaded and run Stinger, FXsasser and Fix blast, but none of them find Sasser or stop the problem. I ran all these with System Restore disabled as your open question answers suggested.
Will the problem stop if I switch to broadband?
Cheers, Tim
Question by:timspaceman

Accepted Solution

Pete Long earned 1000 total points
ID: 12503366
are the patches on the clients up to date?

Instructions for patching and cleaning vulnerable Windows 2000 and Windows XP systems:

Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE process crash every time a malicious worm packet targets the vulnerable machine which can occur very shortly after the machine starts up and initialises the network stack.

When cleaning a machine that is vulnerable to the Sasser worm it is necessary to first prevent the LSASS.EXE process from crashing, which in turn causes the machine to reboot after a 60 second delay.  This reboot cannot be aborted on Windows 2000 platforms using the Shutdown.exe or psshutdown.exe utilities and can interfere with the downloading and installation of the patch as well as removal of the worm.

1. To prevent LSASS.EXE from shutting down the machine during the cleaning process:

a. Unplug the network cable from the machine

b. If you are running Windows XP you can enable the built-in Internet Connection Firewall using the instructions found here: http://support.microsoft.com/?id=283673 and then plug the machine back into the network and go to step 2.

c. If you are running Windows 2000, you won't have a built-in firewall and must use the following work-around to prevent LSASS.EXE from crashing.

This workaround involves creating a read-only file named 'dcpromo.log' in the "%systemroot%\debug" directory.  Creating this read-only file will prevent the vulnerability used by this worm from crashing the LSASS.EXE process.

i. NOTE:  %systemroot% is the variable that contains the name of the Windows installation directory.  For example if Windows was installed to the "c:\winnt" directory the following command will create a file called dcpromo.log in the c:\winnt\debug directory.  The following commands must be typed in a command prompt (i.e. cmd.exe) exactly as they are written below.

1. To start a command shell, click Start and then click run and type 'cmd.exe' and press enter.

2. Type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log

For this workaround to work properly you MUST make the file read-only by typing the following command:

3. attrib +R %systemroot%\debug\dcpromo.log

4. After enabling the Internet Connection Firewall or creating the read-only dcpromo.log you can plug the network cable back in and you must download and install the MS04-011 patch from the MS04-011 download link for the affected machine's operating system before cleaning the system.  If the system is cleaned before the patch is installed it is possible that the system could get re-infected prior to installing the patch.

a. Here is the URL for the bulletin which contains the links to the download location for each patch:


b. If your machine is acting sluggish or your Internet connection is slow you should use Task Manager to kill the following processes and then try downloading the patch again (press the Ctrl + Alt + Del keys simultaneously and select Task Manager):

i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)

ii. Kill any process starting with 'avserv' (i.e. avserve.exe, avserve2.exe)

iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)

iv. Kill hkey.exe

v. Kill msiwin84.exe

vi. Kill wmiprvsw.exe

5. Note there is a legitimate system process called 'wmiprvse.exe' that does NOT need to be killed.

c. allow the system to reboot after the patch is installed.

6. Run the Sasser cleaner tool from the following URL:

a. For the on-line ActiveX control based version of the cleaner you can run it directly from the following URL:


b. For the stand-alone download version of the cleaner you can download it from the following URL:


7. Determine if the machine has been infected with a variant of the Agobot worm which can also get on the machine using the same method as the Sasser worm.

a. To do this run a full antivirus scan of your machine after ensuring your antivirus signatures are up to date.

b. If you do NOT have an antivirus product installed you can visit HouseCall from TrendMicro to perform a free scan using the following
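
The process-name rules from steps 4b and 5 above, as an added example that is not part of the original answer or of any Microsoft tool: a small Python triage helper that flags the listed names in a process list while leaving the legitimate look-alike wmiprvse.exe alone. The function names and the sample process list are constructed for illustration.

```python
import ntpath
from fnmatch import fnmatchcase

# Name patterns from step 4b of the answer above (worm-related processes).
SUSPECT_PATTERNS = [
    "*_up.exe",      # any process ending with '_up.exe'
    "avserv*",       # avserve.exe, avserve2.exe
    "skynetave*",    # skynetave.exe
    "hkey.exe",
    "msiwin84.exe",
    "wmiprvsw.exe",
]
# Step 5: legitimate system process that differs from wmiprvsw.exe by one letter.
LEGITIMATE_LOOKALIKES = {"wmiprvse.exe"}


def classify(image_name):
    """Return the pattern a suspect process name matches, else None."""
    # Windows file names are case-insensitive; full paths are accepted too.
    name = ntpath.basename(image_name.strip().strip('"')).lower()
    if name in LEGITIMATE_LOOKALIKES:
        return None
    for pattern in SUSPECT_PATTERNS:
        if fnmatchcase(name, pattern):
            return pattern
    return None


def triage(process_names):
    """Map each suspect process name to the pattern it matched."""
    hits = {}
    for proc in process_names:
        pattern = classify(proc)
        if pattern is not None:
            hits[proc] = pattern
    return hits


# Constructed sample process list (not taken from a real machine).
SAMPLE = ["System", "lsass.exe", "12345_up.exe", "AVSERVE2.EXE",
          r"C:\WINNT\system32\wmiprvse.exe", "wmiprvsw.exe", "setup.exe"]

if __name__ == "__main__":
    for proc, pattern in triage(SAMPLE).items():
        print(f"{proc}: matches {pattern}")
```

A match here only means the name is on the list in step 4b; the patch and the full antivirus scan from the later steps are still what settle whether the machine is clean.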



Expert Comment

ID: 12506221
I would agree with PeteLong regarding the use of Trend Micro's online scanner; I have done this in the past and it worked like a charm.

Author Comment

ID: 12506401
Did the system root business and ran stinger again in safe mode - still didn't find anything but the problem seems to have gone away. Cheers chaps.

Expert Comment

by:Pete Long
ID: 12506450

Expert Comment

ID: 12509250
Firstly, as soon as the 60 sec timer starts:
Click Start,
then click Run.
In the Run box type ===> shutdown -a
That will stop your computer restarting.

Then do all your Windows updates (all the critical ones).

Broadband only makes it worse because your computer is crashing from a denial of service attack from other infected computers on your subnet. Broadband allows more packets to be sent at one go... therefore if you are not patched and most preferably protected by a firewall, the same thing will keep happening.

Expert Comment

ID: 12511882

Patch updation is the key solution. E.g., for Windows 2000, the patch Windows 835732 is to be applied. Until this is done, whatever else you do, however many times you run fxsasser etc., the worm attack will continue to exploit the Windows vulnerability and your PC will get rebooted with the said message.

Expert Comment

by:Paul S
ID: 12518567
Those messages are symptoms of the virus. They do not always indicate infection. I suspect that you are getting the message because your system was being attacked by an internet worm, not because you were infected. Be sure to install the Windows updates for those vulnerabilities.

You need to get a firewall. Use ZoneAlarm for dial-up and get a router if you have high-speed internet.
