Brad_Zakreski
08-13-2009, 10:01 PM
This is a dead giveaway if the machine keeps shutting off every 60s or you get an error like "c:\Windows\Cursors\lsass.exe" cannot be found during boot.
Here are your solutions:
Removal using the W32.Sasser Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.Worm. Use this tool first, as it is the easiest way to remove this threat.
Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines. **Remember to unzip and run the exe.**
1. End the malicious process (Windows NT/2000/XP).
2. Disable System Restore (Windows XP).
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
5. Reverse the change made to the registry.
For details on each of these steps, read the following instructions.
1. To end the malicious process
On Windows NT/2000/XP computers, you must first end the malicious process. Follow these instructions:
1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort the processes.
5. Scroll through the list and look for the following processes:
* avserve.exe
* any process with a name consisting of four or five digits, followed by _up.exe (for example, 74354_up.exe).
6. If you find any such process, click it, and then click End Process.
7. Exit the Task Manager.
5. To reverse the change made to the registry
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
Then click OK. (The Registry Editor opens.)
3. Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"avserve.exe"="%Windir%\avserve.exe"
5. Exit the Registry Editor.
Install Rising Anti-virus, run it, and clean all suspected files. Lastly, do a search for the lsass file. The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! You'll have to do a search for it in the registry too and hack it out; just be sure you cut the boot part and not the actual necessary file for Windows.
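Added example (not part of the original post and not Symantec's tool): the manual checks above, written as a small Python triage over a list of running image paths and the values read from the Run key. The function names and the sample data are constructed for illustration, and the lsass.exe check assumes expanded paths on a C:\Windows install.

```python
import ntpath
import re

# Indicators from the post: avserve.exe, or four/five digits followed by _up.exe.
WORM_IMAGE = re.compile(r"(avserve|\d{4,5}_up)\.exe", re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"  # folder the post gives for the real lsass.exe

def classify(path):
    """Return an indicator label for an executable path, or None."""
    image = ntpath.basename(path)
    if WORM_IMAGE.fullmatch(image):
        return "worm-image"
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    if image.lower() == "lsass.exe" and folder != SYSTEM32:
        return "lsass-outside-system32"
    return None

def command_image(data):
    """Extract the executable path from Run value data, quoted or not."""
    data = data.strip()
    return data[1:].split('"', 1)[0] if data.startswith('"') else data

def scan(process_paths, run_values):
    """Check running image paths and Run-key values; return the findings."""
    findings = [("process", classify(p), p) for p in process_paths]
    for name, data in run_values.items():
        label = classify(command_image(data))
        if label is None and WORM_IMAGE.fullmatch(name):
            label = "worm-image"
        findings.append(("run-value", label, name))
    return [f for f in findings if f[1]]

# Constructed sample data, not captured from a real machine.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\avserve.exe",
    r"C:\Windows\System32\74354_up.exe",
    r"c:\Windows\Cursors\lsass.exe",
]
SAMPLE_RUN = {
    "avserve.exe": r"%Windir%\avserve.exe",
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "cursors": r'"c:\Windows\Cursors\lsass.exe"',
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES, SAMPLE_RUN):
        print(finding)
```

The legitimate C:\Windows\System32\lsass.exe produces no finding, which is the distinction the last paragraph of the post asks you to keep in mind before deleting anything.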