Solved

lsass.exe error shuts down XP Home in 60 seconds!

Posted on 2004-04-18
Last Modified: 2011-08-18
"C:\windows\system32\lsass.exe terminated unexpectedly with status code 128.  Your computer will now shut down in __ seconds..."

This is the error I'm dealing with on a friend's 1 year old white box pc.  XP Home is the original installation.  Is there a way I can replace that file, a hardware issue, an easier fix than a reinstall, or is a reinstall my only answer?  Some people may like reinstalls, but I absolutely refuse to do that unless there is no other possible recourse.  Too much is lost and too much time is needed to get the system back 'the way it was'.

I hope to perform a QuickTech memory test today, but the pc recognizes it fully - which I know does not always mean anything...hence the test.

Thank you.
royalm

0
Question by:royalm
179 Comments
 
LVL 32

Expert Comment

by:Luc Franken
Hi royalm,

This is for win2k, but it might apply to winXP also.
http://www.jsiinc.com/SUBM/tip6100/rh6116.htm

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
Hmm.. just looked around a bit, do you have a firewall on your computer?
If not, get something like ZoneAlarm (http://www.zonelabs.com) which is free for personal use.
See if the message stops then, especially check for inbound connections in the log of ZoneAlarm.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
See if you can gather more information from your Event logs...  and post it here..
0
 

Author Comment

by:royalm
OK everyone, I've tried the W2K possibility, and can't get through the 59 seconds I have to complete the advapi32.dll and copy unless I do it in safe mode.  Is it safe to try this LucF? In Administrator?

The same goes for trying to install ZoneAlarm...again, can this be done in safe mode?  Under Administrator?

And I can't get into an event log let alone try to copy it to a cd or floppy before my time is up, again, is this possible in safe mode?  Under Administrator?

One thing I did run into today was the lsass.exe being quarantined by NAV on a totally different system, by W32.HLLW.GAOBOT.gen.  I ran the fix, and checked the manual removal to see if it was on there, but it wasn't.   Could this have anything to do with it?  I also checked the hosts files to see if any were corrupted or missing.

What should be my next move?

Thanks all,
royalm
0
 
LVL 32

Expert Comment

by:Luc Franken
Several things:

1) you can stop the countdown by: Start => Run => type "Shutdown -a" (without the quotes and press enter)
2) This tool is made to fix all recent viruses: http://vil.nai.com/vil/stinger/ I suggest you use it.
3) You should really install zonealarm (again, use 1 in case the countdown begins)

LucF
0
 

Author Comment

by:royalm
Thanks LucF, the countdown stopped and I could install and run stinger and ZoneAlarm.

So when I tried to shut the computer down, the only option was to logoff, no turn off or shutdown button....!!!???  Am I going to have to reinstall XP?  I have worked on so many XP machines that needed reinstalled, I know I'm never putting it on my computers even though I have a Pro version in the box yet!  

royalm
0
 
LVL 32

Expert Comment

by:Luc Franken
>>Am I going to have to reinstall XP?<<
Probably not, at least not without trying to figure out what is bothering you. :)

First, I assume you have run stinger.
Try a hard reboot (as in: hold the power key for about 4 seconds till the computer shuts down)
Now boot again, use this tool and post the logfile (Don't delete anything) so we can try a manual search for strange things on your computer.
http://www.spychecker.com/program/hijackthis.html

LucF
0
 

Author Comment

by:royalm
LucF, Here is the log file, I didn't notice anything suspicious, and you were right about the countdown beginning again on reboot.  

Logfile of HijackThis v1.97.7
Scan saved at 11:09:40 AM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\olehelp.exe
C:\Documents and Settings\Kathy Antoszewski\My Documents\HijackThis.exe
C:\WINDOWS\system32\spoolsv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
O1 - Hosts: 69.50.187.196 auto.search.msn.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab

0
 

Author Comment

by:royalm
I also have the App Event Log for Fatal Exception saved as .txt...hope it's readable.  royalm

4/23/2004      3:32:33 PM      Application Hang      Error      (101)      1002      N/A      KATHY      Hanging application rundll32.exe, version 5.1.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
4/23/2004      11:06:14 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      11:05:45 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\KATHY.ldb"" was corrupt and has been copied to ""C:\WINDOWS\Internet Logs\xDB2.tmp"".  File ""C:\WINDOWS\Internet Logs\KATHY.ldb"" was corrupt and has been deleted."
4/23/2004      11:05:44 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt, restoring from backup ""C:\WINDOWS\Internet Logs\BACKUP.RDB""."
4/23/2004      11:05:44 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt and has been copied to ""C:\WINDOWS\Internet Logs\xDB1.tmp"".  File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt and has been deleted."
4/23/2004      11:05:35 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:40:36 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:40:21 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:08:03 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:07:48 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:45:36 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:45:21 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:44:35 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:09:57 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      11:09:57 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
4/22/2004      11:07:49 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:07:34 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:06:48 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:05:48 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      11:05:48 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
4/22/2004      11:03:35 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:03:20 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      10:20:42 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      10:20:27 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      10:19:17 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      10:12:23 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      10:12:23 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
0
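A triage sketch for an export like the one above, added here as an example and not part of the original post: it parses the rows, picks out the Winlogon 1015 records for lsass.exe, and measures how long after the preceding service start each failure was logged. Treating the NProtectService event 3 as a boot marker is an assumption, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Rows copied from the Application log export in the post above (the Userenv
# message is shortened). Columns: date, time, source, type, category,
# event ID, user, computer, message.
SAMPLE_EXPORT = r"""
4/23/2004      11:06:14 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      11:05:35 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:40:36 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:40:21 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:44:35 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:09:57 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
"""

ROW_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\s")
CRASH = re.compile(
    r"critical system process, (?P<image>.+?), failed with status code (?P<code>\d+)",
    re.IGNORECASE,
)


def parse_events(text):
    """Return the export's events as dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not ROW_START.match(line):
            # A line without a leading date continues the previous message.
            if events:
                events[-1]["message"] += " " + line.strip()
            continue
        # The message itself contains double spaces, so stop after 8 splits.
        fields = re.split(r"\t+| {2,}", line.strip(), maxsplit=8)
        if len(fields) != 9 or not fields[5].isdigit():
            continue
        date, time, source, etype, _cat, event_id, _user, host, message = fields
        try:
            when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            continue
        events.append({"when": when, "source": source, "type": etype,
                       "event_id": int(event_id), "host": host,
                       "message": message})
    events.sort(key=lambda e: e["when"])
    return events


def lsass_crashes(events, boot_source="NProtectService", boot_event_id=3):
    """List (time, status code, seconds since last boot marker) per failure.

    Assumption: the start record of a service that launches at boot is used
    as a stand-in for the boot time.
    """
    crashes, last_boot = [], None
    for ev in events:
        if ev["source"] == boot_source and ev["event_id"] == boot_event_id:
            last_boot = ev["when"]
            continue
        if ev["source"] != "Winlogon" or ev["event_id"] != 1015:
            continue
        m = CRASH.search(ev["message"])
        if m and m.group("image").lower().endswith("\\lsass.exe"):
            delay = (ev["when"] - last_boot).total_seconds() if last_boot else None
            crashes.append((ev["when"], int(m.group("code")), delay))
    return crashes


if __name__ == "__main__":
    for when, code, delay in lsass_crashes(parse_events(SAMPLE_EXPORT)):
        print(f"{when}  lsass.exe status {code}  {delay} s after service start")
```

The same status code recurring within a minute of every start is the pattern to look for before moving on to patch level and network exposure.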
 
LVL 40

Expert Comment

by:Fatal_Exception
Whoa...  Lots of bad things happening here...  

I would open up msconfig and stop everything from starting at boot, and all services other than the Windows services too...

Start > Run > msconfig

Stop everything in the startup tab (except perhaps your AV)

Go to Services tab and tick the Hide Windows Services..  Again, stop everything (except perhaps your AV)

Reboot, and ck your event logs again...   You may also want to ck your Services to make sure that everything that is meant to startup at boot is actually starting...  You can go to Black Viper to see what is needed to start the system...

http://www.blackviper.com/WinXP/servicecfg.htm
0
 
LVL 32

Expert Comment

by:Luc Franken
You have a nice browser hijacker :(

Use this tool to get rid of it:
http://209.133.47.200/~merijn/files/CWShredder.exe

How do I prevent it from happening again?
http://209.133.47.200/~merijn/cwschronicles.html#byteverify
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 240 total points
I think I found your problem, it's a very new virus:

W32/Sasser.worm
http://vil.nai.com/vil/content/v_125007.htm

Use this tool to get rid of it:
http://vil.nai.com/vil/stinger/

Also take a look here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
And be sure to get windows up-to-date from http://windowsupdate.microsoft.com
0
 

Assisted Solution

by:shlew
shlew earned 20 total points
Also see:
http://www.blackviper.com/AskBV/tech10.htm

Why is Remote Procedure Call shutting down my computer after 60 seconds?
Why is LSASS.exe shutting down my computer after 60 seconds?
Why is svchost.exe crashing my computer?
Why is dllhost.exe taking 100% of my CPU time?

…. The main indication of this is a 60 second shutdown counter just after connecting to the internet or "right after" an attack attempt.
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 240 total points
I just left a telephone support call with the same indications as this thread..  He did have the Sasser Worm and I used Symantec's removal tool to correct...   Nice one LucF..!!!

and thanks..

FE
0
 
LVL 32

Expert Comment

by:Luc Franken
Thanks FE :)

I just noticed the updates at McAfee and Symantec today... so it is a very new exploit :( I hate it when this happens...

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Credit where credit is deserved..!!    :)
0
 

Author Comment

by:royalm
OK everyone,

One thing I can say is that I have learned so much from all of you, and being a fellow tech, this networking is good, and your time and effort are astonishing!  Thank you.  Here is what I have done...unfortunately too quickly because I believe the fixsasser tool may have worked!

I used the Stinger, CWshredder, and HijackThis! many times, and spent HOURS with the BlackViper site info.  The Stinger was new to me.  Then I tried a repair w/recovery console one more time, and still nothing.  Although after all of this, the PC was definitely zestier.

I finally wiped and re-installed XP on the 29th, played/tested it until late on the 30th, then returned it back to my friend.  What gets me is if the sasser was the culprit, why did it take so long for the Antivirus powers that be to get the updates updated?  Since nothing else worked, I'll wager that the fix tool would have.

So, with all the info I have been graciously given, and the dedication and time that LucF and Fatal Exception have shown for me and my 'lsass' problem, I believe you definitely deserve the point credits promised and my most grateful thanks.
royalm
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Anytime..  come on back and see us again soon..

and thanks..

FE
0
 
LVL 32

Expert Comment

by:Luc Franken
Ditto ;o)

LucF
0
 

Expert Comment

by:shlew
Well, I certainly learned a lot too...and thanks for asking the question!
0
 

Expert Comment

by:vamsee_konda
hello royalM,

you have been infected with the sasser worm.
download windows fix for it from microsoft site at:
http://www.microsoft.com/security/incident/sasser.asp

or the symantec fix tool at :
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

it is a good idea to enable ur firewall in Win xp, and make sure u have the latest windows updates

vamsee
0
 

Expert Comment

by:wingtech
I am not so sure that sasser is the answer here.

I have just been dealing with this on a pc which was connecting through a USB DSL modem ( UK BT Internet)

About 1 minute after connection the same popup would appear and the system would shut down. It was not possible to shut it down more quickly, nor was it possible to interrupt the shutdown as that thread seemed to have the highest priority and could not be intercepted.

The MS patch was already in place and the Symantec FixSasser tool and also Stinger v2.5.5 could find no Sasser infection. W32/Nachii was found (A Welchia variant) which also hits the RPC component.

Cleaning up made little difference, but switching to an ethernet based Internet connection did. Switch back and the problem appeared.

Whatever was the cause in my case was resolved by using a router to connect to the DSL. The problem is still there but avoided!

Not ideal but, hey, it works!

If that helps someone at guru level decide what is going on then I look forward to hearing. Otherwise, I hope it helps someone else find a workaround.

Cheers
0
 

Expert Comment

by:nachbund
LucF hi,
a friend has the same problem! but what differs is that his RPC does not function! I don't know what to do and how to restore the RPC! can u help me too? I tried to manually operate it but I didn't manage to do it! what can I do?
btw what's the command to format NTFS file system?
thanks a lot for reading.

                       nachbund
                         
0
 
LVL 40

Expert Comment

by:Fatal_Exception
nach..  you really need to open your own question for this...  
0
 

Expert Comment

by:sillver
Hello,
its problem was new virus which was Sasser for W2000 and XP..
you can be installing patch files from microsoft website.....>>>>
 for W2000 the name is (Windows2K- KB835732)
 for XP        the name is (Win xp KB35732)

thanks>>>>>>
0
 

Expert Comment

by:LeePollard
My company has dealt with all of the above mentioned viruses.  Once you are able to run the "fix" and eliminate the culprit, you need to try to see if you can then access either www.symantec.com, www.mcafee.com, or any other AV web site.  If not, then you need to replace the c:\windows\system32\drivers\etc\hosts file (assuming your OS is on the C drive).

This should resolve the issue.  I used the hosts file off of my own computer and it worked perfectly.
0
 
LVL 32

Expert Comment

by:Luc Franken
wingtech,

>>I am not so sure that sasser is the answer here
I am pretty sure, welchia will give a message, the same as the blaster virus:

"svchost.exe has created an error...."

With this sasser worm, you get:

"lsass.exe has created an error...."

At the moment I posted that comment only sasser and sasser.b existed, and those were the only ones to create that error message.
Hope that answers your question :)

LucF

p.s. to add some valuable information:
Even the cheapest firewall, like the built-in winXP one, or a free one like Zonealarm would have prevented blaster/welchia/sasser etc from spreading as fast as it does at the moment. Just closing some ports on the firewall will do the trick (like in wingtech's case, the router takes care of that)
0
 

Expert Comment

by:mauricej74
I just had a similar problem with an employee's notebook, Win2K Professional.  It actually had McAfee already on it and up-to-date but was infected to high-heaven with viruses, found after doing a full scan.  My problems started after installing the Win2K Updates using the critical update tool in Windows; IT downloaded all the updates and installed them all and rebooted.  After that, after getting on an internet connection, I get the lsass error message!  Before getting the updates the PC was working fine.  I thought maybe AV had corrupted the download, but the KB article that explains the directories to look for to uninstall the SP don't match what is on this system.  Strange
0
 

Author Comment

by:royalm
Hi everyone,

I wonder that if sasser is causing all of these problems, might the latest MS patch for all 5 sassers (at this point) be the answer?  The original sasser fix tool I have had to be run several times to rid sasser...it always showed up after a reboot.  Here is the address if someone is interested.
http://update.internetweek.com/cgi-bin4/DM/y/eg2V0GMj8R0G4X0CW2K0A7.

Here is the name of the little file you can download from there.
Windows-KB841720-ENU-V4.exe

I'm running out of sasser-filled pc's to play around with, so I haven't tried this yet.

royalm
0
 
LVL 32

Expert Comment

by:Luc Franken
Yep, I noticed the same thingy :( All virus scanner manufacturers are also updating their tools to be able to get rid of the newer versions. But, just with a firewall and with windows updated you're pretty safe for this kind of crap :)

LucF
0
 

Expert Comment

by:scottie_clark
re: viruses, worms and other nasties:

I find that if I have a PC with a potential infection - boot up in Safe Mode (press F8 when starting up, at the point when the screen goes blank, ie just between the PCs BIOS screen disappearing and the Windows startup screen appearing) and then run any virus scan (NAV, Stinger, etc)

This is a much more reliable method of clearing out anything that has infected your PC!
0
 

Expert Comment

by:vadlapatis
I-Worm/Sasser
This worm spreads by internet exploiting MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants from the Saturday first catch.

go to the link

http://www.grisoft.com/us/us_ts_removers.php

download i-worm/sasser removal tool

then download the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

then switch to safe mode and execute the removal tool; it removes the sasser.exe files. Then restart, boot into normal mode and load the patch file downloaded from the Microsoft site. ur pc will be alright

be careful while downloading; check that the patch suits ur OS



0
 

Expert Comment

by:brlconsulting
Can I add my two penneth worth.

I have a system which has definitely got the Sasser virus.

I have disabled System Restore.

The Process tab in  Task Manager shows LSASSS.EXE as running.  I have tried ending the process in ordinary mode and safe mode and an error message "Critical process, cannot be stopped".

I have updated Windows with the security patch mentioned above, rebooted and tried both the Norton fix and Stinger, updated today to no good effect.

Anyone any ideas before I throw all my toys out of the pram?
0
 

Expert Comment

by:RePhlux
I work for a telephone tech support firm and we have been dealing with the removal of this sasser virus and all its variants (w32.sasser.[a-f].worm) and the w32.blaster.worm and its variants on a daily basis.

So far the steps for removal that have had the greatest success rate are as follows:

1.) Disconnect your internet connection and boot to safe mode (through F8 on startup)
2.) Log into the administrator account and after the system is loaded press ctrl+alt+del to bring up the system task manager and look in processes for any of the following:
     a.)avserve.exe
     b.)avserv2.exe
     c.)[random five digit number]_up.exe
     d.)skynet??.exe
and end task on any of them and then close the task manager
3.) msconfig: disable any of the above programs from auto starting in the startup tab and services tab
4.) regedit: search for any of the above programs in the registry and remove their keys (might be a good idea to create a backup copy of the registry just in case)
5.) restart into normal mode and if you get the shutdown error use the above "shutdown -a" to stop it
6.) enable the XP firewall (network connections and then properties on the type of internet connection you are using and then advanced and check "protect my computer...")
7.) reconnect your internet and get the above mentioned security patch from Microsoft
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
8.)DL and run the mcafee stinger to remove anything the above steps missed and restart the PC
http://vil.nai.com/vil/stinger/
9.)DL all updates for your AV software and run a full system scan

You should now be virus free and if all of the above steps are done soon enough the file damage should be minimal and the system should be running fine.
0
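A name check over a HijackThis-style log using the file names from step 2 of the procedure above; this is an added example, not part of the original post. The log text is constructed and the function names are hypothetical. The list holds only the names the post gives, so lsass.exe, a normal Windows system file, is never flagged.

```python
import fnmatch
import ntpath
import re

# File names exactly as listed in step 2 of the post above. The last two are
# written as globs for "[random five digit number]_up.exe" and "skynet??.exe".
SUSPECT_GLOBS = [
    "avserve.exe",
    "avserv2.exe",
    "[0-9][0-9][0-9][0-9][0-9]_up.exe",
    "skynet??.exe",
]

# Constructed sample in HijackThis log layout (not taken from a real machine).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\12345_up.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avserve.exe] C:\WINDOWS\avserve.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Executable path at the start of a command line, quoted or not.
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)


def image_name(command):
    """Lower-cased file name of the executable in a path or command line."""
    m = EXE_PATH.match(command.strip())
    return ntpath.basename(m.group("path")).lower() if m else None


def is_suspect(name):
    """True when the whole file name matches one of the listed patterns."""
    return any(fnmatch.fnmatchcase(name, glob) for glob in SUSPECT_GLOBS)


def scan(log_text):
    """Return (kind, detail) pairs for running processes and Run-key entries
    whose executable name is on the list."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # a blank line ends the process section
                in_processes = False
                continue
            name = image_name(line)
            if name and is_suspect(name):
                findings.append(("process", line))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            name = image_name(m.group("cmd"))
            if name and is_suspect(name):
                detail = f'{m.group("hive")} {m.group("key")} [{m.group("name")}] {m.group("cmd")}'
                findings.append(("autostart", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:9}  {detail}")
```

A match in both sections means the file will be started again at the next boot, which is why the procedure disables the autostart entry and removes the registry key before restarting.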
 

Expert Comment

by:brlconsulting
RePhlux,

Thanks for the info.  Did you get the problem whereby when in Task Manager the system would not allow the suspect processes to be shut down?

Brian
0
 

Expert Comment

by:RePhlux
No I can't say that I have come across that yet, but if you remove the reg keys the process should no longer be there anyway after the reboot to normal windows
0
 

Expert Comment

by:brlconsulting
Thanks again.  I have gone through all the steps again and it seems to have been resolved.  Not too sure why it didn't happen first time round.

Cheers

Brian
0
 
LVL 32

Expert Comment

by:Luc Franken
Just a little note, lsass is a normal windows system file and shouldn't be stopped/blocked/killed or whatever.
0
 

Expert Comment

by:teknowil
if it keeps coming back, which it should with xp because most people have restore point set. Just turn off the restore point or it will continue to reinfect the computer.
0
 

Expert Comment

by:adesai79
Hi,

I have the same problem and I tried to fix it using all the above steps, but still I am unable to fix it.

1)  There is no such process as avserve.exe, avserv2.exe, [random five digit number]_up.exe, skynet??.exe in Windows running process list.
2)  Whenever I type shutdown -a in Start->run, it says command not found.
3)  Already applied the security patch by Microsoft but still issue not resolved.
4)  Downloaded a host of different sasser removal softwares from Microsoft, Symantec and stinger but everybody says: No virus found

It's very annoying as the computer reboots itself every 20 mins or so, not really sure what to do.

Anybody, please help me out.

Thanks,

0
 

Expert Comment

by:wingtech
Hi adesai79

Sadly viruses are not the only causes of random re-boots.

If you have eliminated all the likely viruses, and not just sasser, you could have a look at memory testing.

More than once I have seen re-boots as a symptom of memory, motherboard or cpu failure about to happen.

Another possibility is overheating or poor power supply. Both of these can lead to instability from which the system cannot easily recover. For example adding a new device which uses a lot of power could be hitting the limits of the PSU and also contribute to additional heat.

If you feel that you have eliminated viruses, you could try working through the other possibilities.

Best of luck in the gremlin hunt!

Regards

Neil
0
 

Expert Comment

by:adesai79
Hi,

But it has the same symptoms like Sasser virus. It gives me error in lsass.exe and gives me timer for 60 seconds.

Could it be a different type of virus..?
0
 

Expert Comment

by:wingtech
No, That really does look like it, I am afraid.

Make sure that you are doing your hunting at admin level of security, just in case.

I think that sasser is still your likeliest bet.

Sorry not to offer more help than that.

Sympathies.

Neil
0
 
LVL 32

Expert Comment

by:Luc Franken
adesai79, You did the right thing by opening your own question:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21008581.html

Let's all continue there.

Thanks,

LucF
0
 

Expert Comment

by:allmarc
On the timeout problem, I have had success with changing the date and time in the systray clock, then run the patches or viri fixes! Hey! it works!!
0
 

Expert Comment

by:PaulR2117
I have been following this question with great interest, since we were having the same symptoms.
It turned out we had the Win32.Korgo.I worm.
Microsoft patch MS04-011 would have stopped it if we had applied it to all our computers.
It must have come in on a laptop.
0
 

Expert Comment

by:leptoid
Check your PC for the Sasser virus.
See www.symantec.com for details and removal tools.  You should also consider patching winxp for this virus to avoid the future crashes.
0
 

Expert Comment

by:serhancetin
This is Sasser32 virus. And you should download the critical windows XP patches. First download the Norton sasser scan anti virus tools. Then make a full system scan with that tool. But during the system scan you should disable the system restore points!!!! After system scan the virus should be found by that program. Then enable your windows firewall and connect to the Microsoft official web site. On main page you will see the critical warning of Microsoft. Follow that link and download the Sasser XP patches from Microsoft. Your problem will be solved by this solution. Dear users do not forget to update your operating systems and anti virus tools.
0
 

Expert Comment

by:PaulR2117
Comment Utility
Hi Serhancetin,

We actually have the KORGO virus, which started out looking like the 'Sasser'. We applied the MS04-011 patch and removed the worm's file from the system and registry. - Curiously, this file and registry setting didn't show up in NT and 2000 machines that were known to be infected, it only showed up in the XP machines.

However, we are getting repeated messages from our virus scanner (eTrust V7)

"Win32/Korgo.R.Worm was detected in C:\SYSTEM VOLUME\_RESTORE{E7276E57-....\A0005793.EXE"

A full scan with our virus software didn't apparently detect or remove this virus - but at least it is catching it as it moves into this 'Restore' directory.
It seems to me that there is still an infected machine somewhere in the LAN that is reinfecting the others.

I'm fairly new to XP. What did you mean by your reference;

""But during the system scan you should disable the system restore points!!!!""

0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
I believe he means just disable System Restore..

0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Although this thread has been closed for quite some time, it seems that there is still an interest...  So I will post the best fix I have found for Sasser...

The problem

Sasser is a denial of service (DoS) worm that exploits a flaw in a Windows 2000 or non-64-bit Windows XP machine's Local Security Authority Subsystem Service (LSASS). IT security pros must install a patch to prevent unattended systems from falling prey to Sasser's destruction. However, administering the patch is a challenge because infected systems keep rebooting before it can be installed.

The cause

Sasser causes a stack-based buffer overflow in certain Active Directory service functions in the LSASRV.DLL file of the LSASS. Applying the patch provided in Microsoft Security Bulletin MS04-011 is the only way to protect your system from reinfection.
 
The solution

Here is the solution for expanding the amount of time it takes before your computer reboots due to the Sasser worm. Keep in mind that you will have only about 20 seconds to complete the steps, and you must already know the system's name before beginning this process:
 
Tip:  To find your computer's name, open Control Panel and click on the System icon.
 
1.      Disconnect from the Internet.
2.      Restart.
3.      As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
4.      At the DOS prompt, enter shutdown -i and press [Enter].
(This command opens the control panel for remote administration of other systems, but for this process you will just need to enter the name of your computer.)
5.      Click Add, enter the name, and then click OK.
6.      Now modify the warning message delay setting from the standard 20 (seconds) to a large number, such as 9999. After patching, you can reset the warning message delay if you wish.
(That should temporarily disable the shutdown sequence long enough for you to log on to the Internet and download the patch.)

Alternative solution

An alternative method for stopping the reboot cycle on XP-only systems is to enter shutdown.exe -a at the command prompt. That aborts the shutdown process completely and is obviously much faster for XP systems.

0
 

Expert Comment

by:serhancetin
Comment Utility
Click on System in the Control Panel, click on System Restore, and click on Turn off System Restore on all drives... else the antivirus can't delete the files with the virus. After this operation, you must turn it back on. This feature is to protect system files.

For removing the Korgo virus follow this URL: http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.removal.tool.html ..I used it there, it is efficient
0
 

Expert Comment

by:Zeratul9
Comment Utility
if you still need help with the lsass.exe error email me > ** e-mail removed per http:help.jsp#hi99 **
0
 

Expert Comment

by:raimonabraham
Comment Utility
If you could not obtain the right removal tool, or if you are still infected
after running it, you can do the following to stop the worm from crashing LSASS.exe.

Create a file called %systemroot%\debug\dcpromo.log and make the file read-only.
To do this, type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

NOTE: This is the most effective mitigation technique as it completely mitigates
this vulnerability by causing the vulnerable code to never be executed.
This work-around will work for packets sent to any vulnerable port.
0
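
The read-only dcpromo.log workaround from the comment above, combined with the shutdown -a abort given earlier in the thread, as a batch file that also verifies the result. This is an added example, not code from any poster; the variable names and labels are assumptions, and unlike the one-line command it keeps an existing dcpromo.log instead of overwriting it.

```bat
@echo off
rem Added example, not from the thread: apply and verify the
rem read-only dcpromo.log workaround. Run from an administrator account.
setlocal
set "DBGDIR=%SystemRoot%\debug"
set "LOG=%DBGDIR%\dcpromo.log"

rem Cancel a shutdown countdown that is already running. The command
rem fails harmlessly when no shutdown is pending, so its result is ignored.
shutdown -a >nul 2>&1

rem The debug directory normally exists; create it if it does not.
if not exist "%DBGDIR%\" mkdir "%DBGDIR%"
if not exist "%DBGDIR%\" goto nodir

rem Keep an existing log (a domain controller has a real one);
rem only create the file when it is missing.
if not exist "%LOG%" (echo dcpromo)>"%LOG%"
if not exist "%LOG%" goto nowrite

attrib +r "%LOG%"

rem %%~aF expands to the file's attribute string ("drahs...");
rem the second character is "r" when the read-only bit is set.
set "ATTR="
for %%F in ("%LOG%") do set "ATTR=%%~aF"
if /i not "%ATTR:~1,1%"=="r" goto notro

echo OK: %LOG% exists and is read-only [%ATTR%]
echo The workaround is in place. Still install the MS04-011 patch.
exit /b 0

:nodir
echo FAILED: could not create %DBGDIR%
exit /b 1

:nowrite
echo FAILED: could not create %LOG%
exit /b 1

:notro
echo FAILED: %LOG% is not read-only [%ATTR%]
exit /b 1
```

A non-zero exit code means the workaround is not in place and the machine should stay disconnected until it is patched.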
 

Expert Comment

by:shenazzer
Comment Utility
Download this from
http://securityresponse.symantec.com/avcenter/FxSasser.exe
run it in safe mode if it doesn't work
and then install this
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
for future protection from sasser worms ;)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Come on...
This question is closed for almost two months now, and we're starting to have duplicate comments here...

Thanks,

LucF
0
 

Expert Comment

by:jeffatkinsonlpc
Comment Utility
I have an error that occurs when I log onto the internet.  The NT authority error.  This causes shutdown in 60 seconds.  I run XP.  From what I see it is a worm (blaster or Sasser).  However, everytime I test for it I get nothing.  Could it possibly be related to not activating my windows yet?  I should have that resolved in a day or so.  Nonethe less all of the patches and stuff are not seeming to work either.  HELP?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
jeff.. open another thread.  this one is closed and I doubt you will find help here..  

FE
0
 
LVL 5

Expert Comment

by:shanyuen
Comment Utility
You are infected by the Sasser worm or a variant.
-Download stinger from http://vil.nai.com/vil/stinger/
-Download the security update patch from microsoft. (WindowsXP-KB835732-x86-ENU.EXE)
-Just turn off your system restore (right click in my computer > properties)
Your virus will not be removed if you turn on this function.

-Reboot in safe mode.
-Scan with stinger.
-Then patch it.

Back to your windows and turn on your system restore.
0
 

Expert Comment

by:dracoolio
Comment Utility
Sometimes, even if your Anti-Virus is up-to-date and you run an Anti-Spyware program, it still is not enough to kill a virus/worm/trojan/spyware.

What you do is do a CTRL-ALT-DEL and check your running TASKS. One or more of them is the bad program causing you to reboot. You have to write down the suspicious task and reboot, but this time press F8 to run in SAFE MODE. Once in SAFE MODE, locate the bad programs and their folders and delete or rename them. When you reboot again in NORMAL MODE, if this happens again repeat these steps again.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
*** To everyone who'd like to post a question/comment here, please note THIS QUESTION IS CLOSED! ***
*** The answers can be found at http:#10970667 http:#10972424 and http:#10972463 ***
*** Fatal_Exception made a nice summary at http:#11412130 ***
*** If you have this problem, check those comments, if you think you have something to include, please ***
*** check if it hasn't been said above before more duplication occurs. ***
***
*** Thanks for reading this, LucF ***
0
 

Expert Comment

by:overdrive_dos
Comment Utility
Your problem is, even though you may have got rid of the problem, there is a back door still open on your system which it is using to redownload itself back onto your system.

What you need to do is:

1. Go to Start > Run and type in "shutdown -a"
2. Install a firewall, e.g. Sygate from "http://www.sygate.com/firewall/" (this is a really good free one)
3. Then you will need a really good antivirus software, not a free one, e.g. "norton antivirus"
4. Run the antivirus (make sure it's a good one, don't use a free online one)
5. Then you will need to download "Sasser (A-F) Worm Removal Tool (KB841720)" from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en

6. Run the Sasser removal tool
7. Then make sure you do not have any spyware on your system, use something like "pestpatrol"

From Overdrive
0
 

Expert Comment

by:overdrive_dos
Comment Utility
Your shutdown button has gone because you typed in "shutdown -a". It does not happen all the time, but if your Win XP installation is not installed properly this can happen. To get the button back simply type in

"shutdown +a"

Notice the +a

From Overdrive
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
I give up :(
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
*grin*  Does not seem like anyone is paying attention to you here, eh?  Like talking to a wall..  

Funny thing is that it seems that this question is cursed.  Something just wants to keep this question going..  Very weird..  :)

FE
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
It's cursed indeed... there are about 500 questions about the Sasser virus, and this is the only one with, till your comment, 65 comments posted... I can't imagine any other sasser question beat that :o)

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
I stopped coming into the thread and just deleted it for a while.  Now it is just curiosity that makes me come back to see who could be still posting to it...  And the most amazing thing is that the new questions get answered..  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Be afraid, this question is becoming a whole new version of EE :) No more points, no longer knowing who the asker is, no longer worrying about grades, a lot of duplicate comments etc, etc. In fact, I kind of like it...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Yea..  we could really abuse this if we wanted, eh?    Just throw something on the wall and see if it sticks...  *grin*
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
ROTFL!
0
 
LVL 5

Expert Comment

by:shanyuen
Comment Utility
Your problem is, even though you may have got rid of the problem, there is a back door still open on your system which it is using to redownload itself back onto your system.
What you need to do is:
1. Go to Start > Run and type in "shutdown -a"

You can find this tool at microsoft toolkit
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Whoa! Cursed indeed :o)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
And we meet again in this incredible black hole of a thread..!!  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
I just can't believe it anymore... it's too much... I'm heading back to the Lounge...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Ha..  when I got the email that this thread had been accessed again - twice - I knew you would be here for comment..  

What are they serving in the lounge today?  Too early here for alcohol..  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
For me it's too late for coffee :) So I'll get started with the alcohol.

At this moment nothing is really happening in the lounge... I'm still getting myself together from meeting this freak => http:Q_21067661.html seems like he's not responding anymore...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
I started to post then thought better of it..  Religion and Politics in one thread..??  You know what they say about mixing the two, and the reason for the separation of Church and State (US Constitution..)  

I think that thread is out of control..
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Don't worry about it, from what I've heard, that freak has been suspended :o) what a surprise!
0
 

Expert Comment

by:alexsilcock
Comment Utility
I had exactly the same virus as you and I managed to get rid of it. My PC also crashed in LSASS.exe a couple of minutes after being on the internet too. I just deleted the netsky.exe in my windows folder and then the problem went completely. My shutdown button on the start menu disappeared too, but if you just log off and then shutdown from the logon screen you'll be OK.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
*grin*  howdy, Luc..!!
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
ROTFLOL! At least now I know why this question is cursed... it's no 2 on the Time Tested Site Wide Solutions on the main page :o)
0
 
LVL 5

Expert Comment

by:shanyuen
Comment Utility
ANYONE... CLOSE THIS TOPIC PLEASE.....
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
hahahaha IT'S CLOSED ALREADY!

This comment was the moment it was closed => http:#10973807 posted on 05/03/2004

LucF
0
 
LVL 5

Expert Comment

by:shanyuen
Comment Utility
So... how do I tell the administrator to close this topic?
Emails from the comments on this topic are still being sent to me.
Please close it, it's like spam mail.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
You are one of the people causing this mess, this question was closed already when you posted your first comment at http:#11690774, nothing has to be closed AS IT'S CLOSED ALREADY, if you don't want to get notifications, just click the "unsubscribe" link just above the comment box.

You might want to read the helppages on how to use EE, as it seems you don't know yet: http:help.jsp

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
*grin*  I have been getting this in my email for what...??  4 months now..??  Got to the point that it is just a curiosity now...
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Question analyzer results for now:

28 Contributors 86 Posts

LucF:- 25 *************************
Fatal_Exception:- 17 *****************
royalm:- 6 ******
shlew:- 2 **
vamsee_konda:- 1 *
wingtech:- 3 ***
nachbund:- 1 *
sillver:- 1 *
LeePollard:- 1 *
mauricej74:- 1 *
scottie_clark:- 1 *
vadlapatis:- 1 *
brlconsulting:- 3 ***
RePhlux:- 2 **
teknowil:- 1 *
adesai79:- 2 **
allmarc:- 1 *
PaulR2117:- 2 **
leptoid:- 1 *
serhancetin:- 2 **
Zeratul9:- 1 *
raimonabraham:- 1 *
shenazzer:- 1 *
jeffatkinsonlpc:- 1 *
shanyuen:- 4 ****
dracoolio:- 1 *
overdrive_dos:- 2 **
alexsilcock:- 1 *

Seems like we are the main spammers FE :o)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Now you have me feeling guilty...  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Don't feel all too guilty :) I'm the master spammer here.
I sure hope royalm found the "unsubscribe" link already...

Btw, you might want to try Xxavier's question analyzer yourself, just copy/paste this into the address bar:

javascript: function d(){A=new Array();s='';t=0;r=new RegExp('[0-9html_Q.]*$','i');r1=new RegExp('[0-9]{6,}$');r2=new RegExp('undefined');for (i=0;i<document.anchors.length;i++){if (r1.test(document.anchors[i].name)){ix=document.anchors[i].parentNode.childNodes[2].innerHTML;A[ix]+='*';t+=1}}c=0;for (j in A){A[j]= A[j].replace(r2,'');A[j]=':- '+A[j].length+' '+A[j]}for (j in A){ s+='<br>'+j ;s+=A[j];c++}b=0;w=window.open('','','');w.document.write(c+' Contributors ' +t+' Posts<br>'+s);}d()

Then press enter. I just love it :)

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
I see what it is supposed to do, but cannot get it to work..  Is this the whole script?
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Hmm... I should maybe have noted: IE6 only... just copy/paste in the address bar and press enter.

Then a new window should pop-up containing that information (maybe some kind of pop-up stopper blocks it for you)

LucF
0
 

Expert Comment

by:jeffatkinsonlpc
Comment Utility
You guys...e-mail between yourself.  This is not the way it is supposed to work.  I asked the question initially and got my answer.  But close the topic already and move on.  
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Yea, thought of that and pressed ctrl to allow the popup...  This works a little like the javascript I have on my home page for discovering exactly where the URL is hooked to...  

www.doverproductions.com

Have to go out to a client's, but will be back to test some more..

FE
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
jeffatkinsonlpc,

You're 100% right, this is not the way it's supposed to work, read the help pages and you'll see that you asked your question the wrong way. Seems like this question has been flooded already with enough comments from people like you.

So, if you don't like it, as I said above, the unsubscribe link is just one click away :o)
But don't blame us, YOU'RE one of the people that started this mess. Both FE and I helped on the initial question.

FE, so it works now?
Btw, I'm offline for a couple of days from now, I'm sure you can handle this question on your own LOL! cya,

LucF
0
 
LVL 13

Expert Comment

by:dungla
Comment Utility
Hi all,

I met the same error message, using Win XP Pro, SP1, Norton installed. When scanning, found Blaster, then fixed it. Restarted, ran the Blaster removal tool from both Norton and Microsoft, found nothing, connected to the internet, still the error lsass.exe shut down in 60 secs.
Ran the Sasser removal tool from both Norton and MS, found nothing and still have this error. (Already turned off System Restore before running the removal tool and installed updates from the Microsoft Windows Update website, all critical updates.)

Anyone help me?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Please open another thread for your question..  This has been closed a long, long time.....
0
 

Expert Comment

by:hautine
Comment Utility
Your computer is infected by worm called sasser.
What you need to do is to download the fix from http://www.symantec.com
Then also download the fix pack for this from the Microsoft website.

However this might be a problem if your computer is shutting down in 60 sec, so from the command prompt run this command: shutdown -i , then specify in the dialogue box that appears 9999 sec so that you have some time before your computer shuts down.

then apply the pack for XP and also run the fix.

0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Hey FE, long time no see :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Ha...  Saw you commenting in some threads last week, so knew you got your server back up and running again.  Hope it was not too much of a disaster..  I have not been at home the past week, as am housesitting for my parents, so my contributions have fallen off lately.  But should be back on line before long.  

and it is always GTCU again..!!

FE
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Yep, my server is running nicely again, cost me a small fortune, but it's certainly worth it as I'm now running on a RAID-5 of 146GB, so certainly enough for my pages :)
Will see you around in the other TA's.

LucF
0
 
LVL 5

Expert Comment

by:ranadastidar
Comment Utility
just install winxp service 2, it will solve your problem
0
 

Expert Comment

by:aarbk
Comment Utility
Hi LucF and FE,

Congrats !

This loop has completed its 164th day today and wish this one runs longer ;)

0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
*grin*
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
ROTFLOL! Gotta love that.
0
 

Expert Comment

by:Simple_Simon_thepieman
Comment Utility
It certainly appears that the cause of the problem is the sasser worm.

First an abort of the shutdown is required.
so go to run in the start menu and type "shutdown /a" (without quotes) or "shutdown -a" this will abort the shut down.

Secondly you can either go to http://www.symantec.com
and download a fix.

But if you're running a legitimate copy of XP, Microsoft is aware of the Sasser worm and the vulnerability is rectified with a Windows update.  Depending on the speed of your connection to the internet you may get the fix from Symantec anyway, for no other reason than it is a smaller download.  But I would advise running Windows Update, for other unforeseen security updates.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
aarbk, and it will keep going :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
hahahahahahaha..!!!!!
0
 

Expert Comment

by:jrolson
Comment Utility
One day after I got a new pc, I got the Sasser virus...lol  Then I installed antivirus software, fixed it up.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Hi, Luc..  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
What took you so long? :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Tired..  needed a nap..  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
So do I, it's getting late here in the Netherlands, but I'm sure to see you around here in this question :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Only reason I have not unsub'd to it, my friend.  Everytime I get an email on this thread it draws a smile...  :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Yeah, it sure does :)
0
 
LVL 3

Expert Comment

by:Fermion
Comment Utility
This thread was infected by the passer wormbot. It causes all answers to comments to pass over and thus not be noticed.
A most insidious wormbot, it has caused one thread on a tech site in the UK to have over 15,700 comments even though the original question was fully answered after 8 posts.

Indications that the passer wormbot is infecting a thread:
- The question is answered and recognized as being answered, but comments continue(generally normal for awhile)
- Attempts to advise a closed thread appear to go un-noticed.
- The passer wormbot "morphs" into several incarnations of itself, usually 7-12, with different screen names on the thread, and the "morphs" start talking amongst themselves about the original problem. This is usually evidenced by the fact that direct comments to them, such as, THIS THREAD IS CLOSED, are ignored. Wormbots will continue their chatter as long as a thread is left fully open or if they become bored.

Remedy for the passer wormbot:
- There is no remedy, it is a function of thread users who do not read the entire thread before commenting!!!!!!!

Hahahhahahahaa!!!! Just had to do it.
Fermion.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
ROTFLOL! Finally someone with a bit of good sense!

Thanks for the laughs Fermion.

LucF

p.s. Hi FE :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
I just wonder how ferm found it in the first place..!!  
0
 
LVL 3

Expert Comment

by:Fermion
Comment Utility
Lounging with a beer :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
*grin*  Good day for a brew..  I figured it was something like that..!!
0
 

Expert Comment

by:Mangolata
Comment Utility
Ya know, if you've not found an answer yet, you might as well reinstall XP for all of the trouble it has caused.

See you.

:o}
0
 

Expert Comment

by:Mangolata
Comment Utility
Actually, it might be a virus because W32 Sasser did that to my PC and I wiped it and it stopped being annoying
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
hahahahahahahahahaha
0
 

Expert Comment

by:Mangolata
Comment Utility
what are you laughing at
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Mangolata,

This question has been going on for months now, it's nothing personal but it seems like you haven't taken the time to read all the suggestions and to note that this question has been closed from 05/03/2004

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Yep..  the only ones watching this now are Luc, Fermion, and me...  Everytime I see this thread come into my inbox, I get a chuckle..  :)
0
 

Expert Comment

by:Mangolata
Comment Utility
Note to all especially LucF:

I am a 10 year old kid and i was born on 20/01/94 and well what else do i need to say.

Mangolata
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
For a 10 year old kid, that was a quite a lucid response to the question..  good for you Mangolata...  :)
0
 

Expert Comment

by:Mangolata
Comment Utility
Thank You
0
 

Expert Comment

by:Hackrack
Comment Utility
OK, it's a W32 Sasser worm and I think you have fixed it already. But there is a command that will help you if a message is showing "Windows will shutdown....". To stop the shutting down of Windows go to Start -> Run and type ''shutdown -a'' with administrative privilege and the shutting down of Windows will stop. In this way you can easily and quickly remove the virus.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
And also that has been said about 10x now :o)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
rotfl
0
 
LVL 4

Expert Comment

by:BjornEricsson
Comment Utility
I might just add to this enormous thread that I've had the same problems with lsass.exe and RPC calls where I already had the new sasser file on a write-protected floppy downloaded from work and scanned through the machine at once but voila, nothing found and the problems remained.
Solution to my problem? Simply installed "Buffer UPnOQ315000_WXP_SP1_x86_ENU.exe" from Vole, it actually helped.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
You think..??  (enormous)  *grin*

Actually, thanks for the tip..  most worthwhile comment in this thread for quite some time..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
BTW:  Hi LucF..  :)
0
 
LVL 4

Expert Comment

by:BjornEricsson
Comment Utility
Simply thought it was about time :)
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Hi FE :)

Well, yeah, finally some added information instead duplicated.

LucF
0
 

Expert Comment

by:ugnius2
Comment Utility
Original lsass.exe is not related to security threats http://www.2-spyware.com/file-lsass-exe.html, but the computer shuts down definitely because of the Sasser worm.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
:)
Hi FE!
Happy holidays everyone.

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
:o)

Absolutely!!
0
 
LVL 3

Expert Comment

by:NoirLuna
Comment Utility
Just get the sasser patch and run it.
0