Issas.exe (http://www.abandonia.com/vbullet/showthread.php?t=14429)

gufu1992 08-06-2007 03:00 AM

OK - Process Library finds this to be a dangerous process (trojan). Using Process Explorer to close it shows a message that the system must restart (and no close or cancel buttons!)... So - does anyone know a free solution to clean it off?

Scatty 08-06-2007 06:46 AM

Did you scan it with an anti-virus program and try to repair the file if it's repairable?

Japo 08-06-2007 08:27 AM

Are you sure it's Isass and not lsass?

C:\WINDOWS\SYSTEM32\lsass.exe is a core Windows process and you shouldn't mess with it. If you did, it was to be expected that you would crash the system.

http://www.greatis.com/appdata/n/_/_..._lsass.exe.htm

Some malware are named the same as core Windows programs in an attempt to disguise themselves. But they can't replace Win's apps because Win protects them, so they place themselves in another folder. For example C:\WINDOWS\lsass.exe is malware.

http://www.greatis.com/appdata/d/_/_..._lsass.exe.htm

Also attempting to confuse the user by the name, isass.exe is also malware.

http://www.greatis.com/appdata/d/i/isass.exe.htm

But C:\WINDOWS\SYSTEM32\lsass.exe should not be messed with.
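
Added example, not part of any poster's message: a small Python check for the two disguises described above, a core process name running from the wrong folder and a name that only looks like lsass.exe. The confusable-character table, the similarity threshold and the sample paths are assumptions made for this illustration.

```python
import ntpath
from difflib import SequenceMatcher

# Assumption: the one protected binary discussed in this thread and its real location.
EXPECTED = {"lsass.exe": r"c:\windows\system32\lsass.exe"}

# Assumption: characters easily mistaken for a lower-case L in a process list.
CONFUSABLE = str.maketrans({"i": "l", "1": "l"})

# Assumption: similarity cut-off, chosen to also catch swapped or dropped letters.
THRESHOLD = 0.85


def skeleton(name):
    """Lower-case a file name and fold look-alike characters into one form."""
    return name.lower().translate(CONFUSABLE)


def classify(image_path):
    """Return 'ok', 'wrong-path', 'lookalike-name' or 'unrelated' for one image path."""
    path = ntpath.normpath(image_path).lower()
    name = ntpath.basename(path)
    if name in EXPECTED:
        # Right name: only the expected folder is acceptable.
        return "ok" if path == EXPECTED[name] else "wrong-path"
    for real in EXPECTED:
        score = SequenceMatcher(None, skeleton(name), skeleton(real)).ratio()
        if score >= THRESHOLD:
            return "lookalike-name"
    return "unrelated"


def scan(paths):
    """Return (path, verdict) pairs for every entry that deserves a closer look."""
    verdicts = [(p, classify(p)) for p in paths]
    return [(p, v) for p, v in verdicts if v in ("wrong-path", "lookalike-name")]


# Constructed sample input, not taken from a real machine.
SAMPLE = [
    r"C:\WINDOWS\SYSTEM32\lsass.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\isass.exe",
    r"C:\Temp\Issas.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(f"{verdict:15} {path}")
```

A hit on name or path only narrows down which entries to inspect with Autoruns or an anti-virus scan; it says nothing about the file's contents.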

_r.u.s.s. 08-06-2007 03:58 PM

you are not even able to mess with it since Windows uses it all the time :bleh:

Scatty 08-06-2007 04:02 PM

Yes you are. You boot from a boot floppy or better boot CD with some extra menu and whatnot, delete all lsasses and Isasses executables that are not in the c:\windows\system folder and are happy.

_r.u.s.s. 08-06-2007 04:30 PM

well I meant in Windows, but yes that's an option =)

Ghost 08-06-2007 04:52 PM

I have not heard of Isass. Lsass is a normal Windows process that had a hole in it some years ago. This hole is exploited by the Sasser worm. There is a patch for it. Sasser is not easy to remove, however, even with the patch.

gufu1992 08-06-2007 08:50 PM

Thank you - I learned that in other forums... so thank you again...

ianfreddie07 10-06-2007 06:38 AM

It is a sasser worm, all right. But I think I have a program called FxSasser that eliminates the worm, even when on startup it says: "system cannot find lsass.exe blabla" but the original Lsass.exe is in the WINDOWS/System32 folder. The program FxSasser by Symantec is the solution.

Linky: FxSasser

_r.u.s.s. 10-06-2007 09:23 AM

just edit the registry, and delete it from autoruns..
[H_current_user\software\microsoft\windows\currentversion\run]
[H_local_machine\software\microsoft\windows\currentversion\run] +(Run-;RunOnce;RunOnceEx;RunServices)
and then in 'hkey_users', but it's in a key with a universal number so you'll have to search for it

jg007 13-06-2007 08:54 PM

you could try MS's own sasser removal tool if it is sasser -

http://www.microsoft.com/security/ma...e/default.mspx

also from MS -

Win32/Sasser.A is a network worm that exploits the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm targets Windows 2000 and Windows XP computers that have not installed the MS04-011 security update. Infected computers attempt to spread the worm to other unprotected computers by randomly scanning IP addresses and infecting vulnerable computers.

also ..

ms information on one of the variants of sasser

gufu1992 14-06-2007 02:07 AM

No stop!
All ok - it's I not l!

jg007 15-06-2007 07:27 PM

(okay second time round grrr stoopid computer:)

okay then

1. download Autoruns from Microsoft
2. boot into windows safe mode
3. run autoruns
4. search for ISSAS ( NOT LSSAS ) and remove tick next to occurrences
5. reboot
6. search for the file and :titan: it

if no joy then also see -

http://wiki.answers.com/Q/How_do_you_remov..._computer_virus

