hmmmm...... AVG has a cmd prompt version. Ig uess im stupid for not having tried that as it doesnt seem to piss off lsass.exe

I hope this works...

Scroll down to removal instructions:



BTW, this is the Sasser, not Bagle.N. Bagle.N is what Panda calls some other worm.

Thats actually just for sasser and requires one to be able to run a scan. I have Bagle.N worm and am unable to boot into a normal window without SLOWNESS. I think i've got however i'd still like to know if it is possible to extand the time to shutdown for either a LSASS.exe failure or a SVCHOST failure. Possibly from 60sec to 999sec. I know it is possible somewhere in admin tools, and somewhere via command prompt.

You would already be done if you had just followed my instruction....

I apologize. I didn't see that part simply because you used a link on sasser.

:cheers:
No problem. :D
Besides, you have the Sasser. First Google result for Bagle.N:


And the Symantec version:


These shutdown viruses (Sasser, Blaster, etc.) are annyoing, though. It's good to remember this kind of stuff for removing viruses in the future.

Make sure you use Windows update and all that good crap after your done. You might just get it again otherwise. :P

:cheers:

My problem wasn't that i didn't have the fix. I've got fixes to a dozen virii including Bagle, and Sasser. Howver, the shutdown timout was stopping me, and i didn't read far enough into your post to understand you were giving me exactly what i needed. That and i've been working on a half dozen PC's since 8am this morn, and it's now midnight. Maybe i should know how to stop the shutdown sequence if my job is a PC tech. Go figure...

Thx

Well now that i've run AVG in safe mode w/cmd it won't let me log back on to safe /cmd. It will start and comes up with the login screen, but then logs off immediately. Any thoughts?

Whatever. I'll hit it again in the morning.

I'm not sure if the file is the same for you, but I had luck deleting it from outside Windows. I think the file was called aserv2.exe (something like that), but check the Norton thing again for file names if it's not there. If you need to access an NTFS partition from outside Windows, go here:


Deleting the virus itself should stop the problem entirely. If not, then something has done irrevocable damage to the system. I saw one Sasser computer that couldn't get to XP in any mode. I reinstalled without reformatting to save the guy's files (he asked me to), but the damn thing managed to run itself again and gave me the shutdown crap after I finished installing. I couldn't remember the command, so I shutdown and used that Floppy to remove the virus file. It's a real lifesaver when you have no Internet access and forget a command like that. :D

:cheers:

Well, since I AM at work and this IS a computer store, I have no problems with getting to the internet. I also have a computer here for the sole purpose of data backup. When winlogon started malfuntioning, and would immediately log me off after loggin in, even in safe mode, I just decided it was not worth dealing with and did a fresh install of XP. Thank god for serial numbers on the back of PC cases. Once inside I found that my adventure with AVG in safe mode (before winlogin went south) actually got all but one virus. I wish I had figured out what was causing winlogon to do that, it felt like a startup script that auto logged off. Whatever... next time i'll have this NTFS startup disk. Thx.

No problem... :D
I'm pretty sure it's Sasser or something it brings that does that. The computer I worked on had the same problem with Winlogon dying (or I assume so since I couldn't get to the login screen). Perhaps replacing it with the same file from a different computer (or XP disc) would fix the problem. :confused:

I've actually seen two different types of Winlogin screw-ups.
1. Winlogin creates "Fatal Errors" that will stop the logon process by showing error windows.
2. Winlogin logs you on briefly enough to see the background, but immediately logs you out.

I think the first may be solved by replacing the winlogon.exe file, and possibly some ajoined dll's, but the 2nd seems more like a startup script (that launches even in safe mode mind you) that is either built into winlogon.exe, or a related dll, or is a separate file pointed to by a service... wait... lsass.exe and svchost.exe are services that run in safe mode, right? Maybe the virus has a backup plan that runs a logoff script if the virus file is not found, or is unable to start. It seems that the only time i've had this is when i use AVG in safe mode to rip the virus out, not when using a fix tool, or even AVG in normal GUI. Hmmm.... I don't know enough about writing code to solve that one, but i'm darn sure I could replace lsass.exe and svchost.exe to see if they are the problem.