Solved

lsass.exe error shuts down XP Home in 60 seconds!

Posted on 2004-04-18
Last Modified: 2011-08-18
"C:\windows\system32\lsass.exe terminated unexpectedly with status code 128.  Your computer will now shut down in __ seconds..."

This is the error I'm dealing with on a friend's 1 year old white box pc.  XP Home is the original installation.  Is there a way I can replace that file, a hardware issue, an easier fix than a reinstall, or is a reinstall my only answer?  Some people may like reinstalls, but I absolutely refuse to do that unless there is no other possible recourse.  Too much is lost and too much time is needed to get the system back 'the way it was'.

I hope to perform a QuickTech memory test today, but the pc recognizes it fully - which I know does not always mean anything...hence the test.

Thank you.
royalm

0
Question by:royalm
179 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 10854211
Hi royalm,

This is for win2k, but it might apply to winXP also.
http://www.jsiinc.com/SUBM/tip6100/rh6116.htm

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:LucF
ID: 10854234
Hmm.. just looked around a bit, do you have a firewall on your computer?
If not, get something like ZoneAlarm (http://www.zonelabs.com) which is free for personal use.
See if the message stops then, especially check for inbound connections in the log of ZoneAlarm.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10855136
See if you can gather more information from your Event logs...  and post it here..
0

 

Author Comment

by:royalm
ID: 10896115
OK everyone, I've tried the W2K possibility, and can't get through the 59 seconds I have to complete the advapi32.dll and copy unless I do it in safe mode.  Is it safe to try this LucF? In Administrator?

The same goes for trying to install ZoneAlarm...again, can this be done in safe mode?  Under Administrator?

And I can't get into an event log let alone try to copy it to a cd or floppy before my time is up, again, is this possible in safe mode?  Under Administrator?

One thing I did run into today was the lsass.exe being quarantined by NAV on a totally different system, by W32.HLLW.GAOBOT.gen.  I ran the fix, and checked the manual removal to see if it was on there, but it wasn't.   Could this have anything to do with it?  I also checked the hosts files to see if any were corrupted or missing.

What should be my next move?

Thanks all,
royalm
0
 
LVL 32

Expert Comment

by:LucF
ID: 10896980
Several things:

1) you can stop the countdown by: Start => Run => type "Shutdown -a" (without the quotes and press enter)
2) This tool is made to fix all recent viruses: http://vil.nai.com/vil/stinger/ I suggest you use it.
3) You should really install ZoneAlarm (again, use 1) in case the countdown begins)

LucF
0
 

Author Comment

by:royalm
ID: 10899309
Thanks LucF, the countdown stopped and I could install and run stinger and ZoneAlarm.

So when I tried to shut the computer down, the only option was to logoff, no turn off or shutdown button....!!!???  Am I going to have to reinstall XP?  I have worked on so many XP machines that needed reinstalled, I know I'm never putting it on my computers even though I have a Pro version in the box yet!  

royalm
0
 
LVL 32

Expert Comment

by:LucF
ID: 10899457
>>Am I going to have to reinstall XP?<<
Probably not, at least not without trying to figure out what is bothering you. :)

First, I assume you have run Stinger.
Try a hard reboot (as in: hold the power key for about 4 seconds till the computer shuts down)
Now boot again, use this tool and post the logfile (Don't delete anything) so we can try a manual search for strange things on your computer.
http://www.spychecker.com/program/hijackthis.html

LucF
0
 

Author Comment

by:royalm
ID: 10900600
LucF, Here is the log file, I didn't notice anything suspicious, and you were right about the countdown beginning again on reboot.  

Logfile of HijackThis v1.97.7
Scan saved at 11:09:40 AM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\olehelp.exe
C:\Documents and Settings\Kathy Antoszewski\My Documents\HijackThis.exe
C:\WINDOWS\system32\spoolsv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
O1 - Hosts: 69.50.187.196 auto.search.msn.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab

0
 

Author Comment

by:royalm
ID: 10903312
I also have the App Event Log for Fatal Exception saved as .txt...hope it's readable.  royalm

4/23/2004      3:32:33 PM      Application Hang      Error      (101)      1002      N/A      KATHY      Hanging application rundll32.exe, version 5.1.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
4/23/2004      11:06:14 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      11:05:45 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\KATHY.ldb"" was corrupt and has been copied to ""C:\WINDOWS\Internet Logs\xDB2.tmp"".  File ""C:\WINDOWS\Internet Logs\KATHY.ldb"" was corrupt and has been deleted."
4/23/2004      11:05:44 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt, restoring from backup ""C:\WINDOWS\Internet Logs\BACKUP.RDB""."
4/23/2004      11:05:44 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt and has been copied to ""C:\WINDOWS\Internet Logs\xDB1.tmp"".  File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt and has been deleted."
4/23/2004      11:05:35 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:40:36 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:40:21 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:08:03 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:07:48 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:45:36 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:45:21 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:44:35 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:09:57 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      11:09:57 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
4/22/2004      11:07:49 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:07:34 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:06:48 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:05:48 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      11:05:48 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
4/22/2004      11:03:35 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:03:20 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      10:20:42 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      10:20:27 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      10:19:17 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      10:12:23 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      10:12:23 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
0
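Added example, not part of the original thread: a Python script that parses an Application log export in the layout royalm posted above and measures how long after each boot the Winlogon 1015 lsass.exe failure is logged. Treating the NProtectService "The service was started" row as the boot marker is an assumption of this example, and all function names are its own.

```python
import re
from datetime import datetime

# Rows taken from the export posted above (a subset, newest first as exported).
SAMPLE = r"""
4/23/2004      3:32:33 PM      Application Hang      Error      (101)      1002      N/A      KATHY      Hanging application rundll32.exe, version 5.1.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
4/23/2004      11:06:14 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      11:05:35 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:40:36 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:40:21 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:08:03 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:07:48 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:44:35 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
"""

ROW_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\s")   # a new row begins with a date
FIELD_SEP = re.compile(r"\t+|\s{2,}")                 # tabs, or the runs of spaces seen above


def parse_events(text):
    """Parse exported rows; follow-on lines are appended to the previous description."""
    events = []
    for line in text.splitlines():
        if ROW_START.match(line):
            # maxsplit=8 keeps double spaces inside the description intact
            parts = FIELD_SEP.split(line.strip(), maxsplit=8)
            if len(parts) != 9 or not parts[5].isdigit():
                continue  # incomplete row: skip it rather than guess at fields
            date, clock, source, level, _cat, event_id, _user, host, desc = parts
            events.append({
                "when": datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M:%S %p"),
                "source": source,
                "level": level,
                "event_id": int(event_id),
                "host": host,
                "description": desc,
            })
        elif line.strip() and events:
            events[-1]["description"] += " " + line.strip()
    return events


def is_lsass_crash(event):
    """Winlogon event 1015 naming lsass.exe, as in the rows above."""
    return (event["source"] == "Winlogon" and event["event_id"] == 1015
            and "lsass.exe" in event["description"].lower())


def crash_delays(events, boot_source="NProtectService", boot_id=3):
    """Seconds between each boot marker (assumed) and the next lsass.exe failure."""
    delays, last_boot = [], None
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["source"] == boot_source and ev["event_id"] == boot_id:
            last_boot = ev["when"]
        elif is_lsass_crash(ev) and last_boot is not None:
            delays.append(int((ev["when"] - last_boot).total_seconds()))
            last_boot = None
    return delays


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("lsass.exe failures:", sum(is_lsass_crash(e) for e in evs))
    print("seconds from boot marker to failure:", crash_delays(evs))
```

A failure that lands within the first minute of every boot, as in these rows, is a pattern worth recording when deciding between a startup or network trigger and an intermittent hardware fault.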
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10903729
Whoa...  Lots of bad things happening here...  

I would open up msconfig and stop everything from starting at boot, and all services other than the Windows services too...

Start > Run > msconfig

Stop everything in the startup tab (except perhaps your AV)

Go to Services tab and tick the Hide Windows Services..  Again, stop everything (except perhaps your AV)

Reboot, and ck your event logs again...   You may also want to ck your Services to make sure that everything that is meant to startup at boot is actually starting...  You can go to Black Viper to see what is needed to start the system...

http://www.blackviper.com/WinXP/servicecfg.htm
0
 
LVL 32

Expert Comment

by:LucF
ID: 10907708
You have a nice browser hijacker :(

Use this tool to get rid of it:
http://209.133.47.200/~merijn/files/CWShredder.exe

How do I prevent it from happening again?
http://209.133.47.200/~merijn/cwschronicles.html#byteverify
0
 
LVL 32

Accepted Solution

by:
LucF earned 240 total points
ID: 10970667
I think I found your problem, it's a very new virus:

W32/Sasser.worm
http://vil.nai.com/vil/content/v_125007.htm

Use this tool to get rid of it:
http://vil.nai.com/vil/stinger/

Also take a look here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
And be sure to get windows up-to-date from http://windowsupdate.microsoft.com
0
 

Assisted Solution

by:shlew
shlew earned 20 total points
ID: 10972424
Also see:
http://www.blackviper.com/AskBV/tech10.htm

Why is Remote Procedure Call shutting down my computer after 60 seconds?
Why is LSASS.exe shutting down my computer after 60 seconds?
Why is svchost.exe crashing my computer?
Why is dllhost.exe taking 100% of my CPU time?

…. The main indication of this is a 60 second shutdown counter just after connecting to the internet or "right after" an attack attempt.
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 240 total points
ID: 10972463
I just left a telephone support call with the same indications as this thread..  He did have the Sasser Worm and I used Symantec's removal tool to correct...   Nice one LucF..!!!

and thanks..

FE
0
 
LVL 32

Expert Comment

by:LucF
ID: 10973466
Thanks FE :)

I just noticed the updates at Mcafee and Symantec today... so it is a very new exploit :( I hate it when this happens...

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10973485
Credit where credit is deserved..!!    :)
0
 

Author Comment

by:royalm
ID: 10973807
OK everyone,

One thing I can say is that I have learned so much from all of you, and being a fellow tech, this networking is good, and your time and effort are astonishing!  Thank you.  Here is what I have done...unfortunately too quickly because I believe the fixsasser tool may have worked!

I used the Stinger, CWshredder, and HijackThis! many times, and spent HOURS with the BlackViper site info.  The Stinger was new to me.  Then I tried a repair w/recovery console one more time, and still nothing.  Although after all of this, the PC was definitely zestier.

I finally wiped and re-installed XP on the 29th, played/tested it until late on the 30th, then returned it back to my friend.  What gets me is if the sasser was the culprit, why did it take so long for the Antivirus powers that be to get the updates updated?  Since nothing else worked, I'll wager that the fix tool would have.

So, with all the info I have been graciously given, and the dedication and time that LucF and Fatal Exception have shown for me and my 'lsass' problem, I believe you definitely deserve the point credits promised and my most grateful thanks.
royalm
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10974701
Anytime..  come on back and see us again soon..

and thanks..

FE
0
 
LVL 32

Expert Comment

by:LucF
ID: 10974951
Ditto ;o)

LucF
0
 

Expert Comment

by:shlew
ID: 10975435
Well, I certainly learned a lot too...and thanks for asking the question!
0
 

Expert Comment

by:vamsee_konda
ID: 10992862
hello royalM,

you have been infected with the sasser worm.
download windows fix for it from microsoft site at:
http://www.microsoft.com/security/incident/sasser.asp

or the symantec fix tool at :
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

it is a good idea to enable ur firewall in Win xp, and make sure u have the latest windows updates

vamsee
0
 

Expert Comment

by:wingtech
ID: 11016421
I am not so sure that sasser is the answer here.

I have just been dealing with this on a pc which was connecting through a USB DSL modem ( UK BT Internet)

About 1 minute after connection the same popup would appear and the system would shut down. It was not possible to shut it down more quickly, nor was it possible to interrupt the shutdown as that thread seemed to have the highest priority and could not be intercepted.

The MS patch was already in place and the Symantec FixSasser tool and also Stinger v2.5.5 could find no Sasser infection. W32/Nachii was found (A Welchia variant) which also hits the RPC component.

Cleaning up made little difference, but switching to an ethernet based Internet connection did. Switch back and the problem appeared.

Whatever was the cause in my case was resolved by using a router to connect to the DSL. The problem is still there but avoided!

Not ideal but, hey, it works!

If that helps someone at guru level decide what is going on then I look forward to hearing. Otherwise, I hope it helps someone else find a workaround.

Cheers
0
 

Expert Comment

by:nachbund
ID: 11017918
LucF hi,
a friend has the same problem! but what differs is that his RPC does not function! I don't know what to do and how to restore the RPC! can u help me too? I tried to manually operate it but I didn't manage to do it! what can I do?
btw what's the command to format NTFS file system?
thanks a lot for reading.

                       nachbund
                         
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11021431
nach..  you really need to open your own question for this...  
0
 

Expert Comment

by:sillver
ID: 11025242
Hello,
its problem was new virus which was Sasser for W2000 and XP..
you can be installing patch files from microsoft website.....>>>>
 for W2000 the name is (Windows2K- KB835732)
 for XP        the name is (Win xp KB35732)

thanks>>>>>>
0
 

Expert Comment

by:LeePollard
ID: 11028710
My company has dealt with all of the above mentioned viruses.  If once you are able to run the "fix" and eliminate the culprit, you need to try to see if you can then access either www.symantec.com, www.mcafee.com, or any other AV web site.  If not, then you need to replace the c:\windows\system32\drivers\etc\hosts file (assuming your OS is on the C drive).

This should resolve the issue.  I used the hosts file off of my own computer and it worked perfectly.
0
 
LVL 32

Expert Comment

by:LucF
ID: 11031942
wingtech,

>>I am not so sure that sasser is the answer here
I am pretty sure, welchia will give a message, the same as the blaster virus:

"svchost.exe has created an error...."

With this sasser worm, you get:

"lsass.exe has created an error...."

At the moment I posted that comment only sasser and sasser.b existed, and those were the only ones to create that error message.
Hope that answers your question :)

LucF

p.s. to add some valuable information:
Even the cheapest firewall, like the built-in winXP one, or a free one like Zonealarm would have prevented blaster/welchia/sasser etc from spreading as fast as it does at the moment. Just closing some ports on the firewall will do the trick (like in wingtech's case, the router takes care of that)
0
 

Expert Comment

by:mauricej74
ID: 11051974
I just had a similar problem with an employee's notebook, Win2K Professional.  It actually had McAfee already on it and up-to-date but was infected to high-heaven with viruses, found after doing a full scan.  My problems started after installing the Win2K Updates using the critical update tool in Windows; IT downloaded all the updates and installed them all and rebooted.  After that, after getting on an internet connection, I get the lsass error message!  Before getting the updates the PC was working fine.  I thought maybe AV had corrupted the download, but the KB article that explains the directories to look for to uninstall the SP don't match what is on this system.  Strange
0
 

Author Comment

by:royalm
ID: 11054071
Hi everyone,

I wonder that if sasser is causing all of these problems, might the latest MS patch for all 5 sassers (at this point) be the answer?  The original sasser fix tool I have had to be run several times to rid sasser...it always showed up after a reboot.  Here is the address if someone is interested.
http://update.internetweek.com/cgi-bin4/DM/y/eg2V0GMj8R0G4X0CW2K0A7.

Here is the name of the little file you can download from there.
Windows-KB841720-ENU-V4.exe

I'm running out of sasser-filled pc's to play around with, so I haven't tried this yet.

royalm
0
 
LVL 32

Expert Comment

by:LucF
ID: 11054187
Yep, I noticed the same thingy :( All virus scanner manufacturers are also updating their tools to be able to get rid of the newer versions. But, just with a firewall and with windows updated you're pretty safe for this kind of crap :)

LucF
0
 

Expert Comment

by:scottie_clark
ID: 11063800
re: viruses, worms and other nasties:

I find that if I have a PC with a potential infection - boot up in Safe Mode (press F8 when starting up, at the point when the screen goes blank, ie just between the PCs BIOS screen disappearing and the Windows startup screen appearing) and then run any virus scan (NAV, Stinger, etc)

This is a much more reliable method of clearing out anything that has infected your PC!
0
 

Expert Comment

by:vadlapatis
ID: 11074226
I-Worm/Sasser
This worm spreads by internet exploiting MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants from the Saturday first catch.

go to the link

http://www.grisoft.com/us/us_ts_removers.php

download i-worm/sasser removal tool

then download the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

then switch to safe mode and execute the removal tool; it removes the sasser.exe files. Then restart, boot into normal mode and load the patch file downloaded from the Microsoft site; ur pc will be alright

be careful while downloading: check that the patch suits ur OS



0
 

Expert Comment

by:brlconsulting
ID: 11106856
Can I add my two penneth worth.

I have a system which has definitely got the Sasser virus.

I have disabled System Restore.

The Process tab in  Task Manager shows LSASSS.EXE as running.  I have tried ending the process in ordinary mode and safe mode and an error message "Critical process, cannot be stopped".

I have updated Windows with the security patch mentioned above, rebooted and tried both the Norton fix and Stinger, updated today to no good effect.

Anyone any ideas before I throw all my toys out of the pram?
0
 

Expert Comment

by:RePhlux
ID: 11132117
I work for a telephone tech support firm and we have been dealing with the removal of this sasser virus and all its variants (w32.sasser.[a-f].worm)and the w32.blaster.worm and it's variants on a daily basis.

So far the steps for removal that have had the greatest success rate are as follows:

1.) Disconnect your internet connection and boot to safe mode (through F8 on startup)
2.) Log into the administrator account and after the system is loaded press ctrl+alt+del to bring up the system task manager and look in processes for any of the following:
     a.)avserve.exe
     b.)avserv2.exe
     c.)[random five digit number]_up.exe
     d.)skynet??.exe
and end task on any of them and then close the task manager
3.) msconfig: disable any of the above programs from auto starting in the startup tab and services tab
4.) regedit: search for any of the above programs in the registry and remove their keys (might be a good idea to create a backup copy of the registry just in case)
5.) restart into normal mode and if you get the shutdown error use the above "shutdown -a" to stop it
6.) enable the XP firewall (network connections and then properties on the type of internet connection you are using and then advanced and check "protect my computer...")
7.) reconnect your internet and get the above mentioned security patch from Microsoft
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
8.)DL and run the mcafee stinger to remove anything the above steps missed and restart the PC
http://vil.nai.com/vil/stinger/
9.)DL all updates for your AV software and run a full system scan

You should now be virus free and if all of the above steps are done soon enough the file damage should be minimal and the system should be running fine.
0
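Added example, not part of the original thread: a Python check that reads a HijackThis-style log (the format royalm posted earlier) and reports running processes and O4 autostart entries whose file names match the ones RePhlux lists in step 2. The sample log, its paths and its Run value names are constructed for the demonstration, and the function names are this example's own.

```python
import fnmatch
import re

# File names from the removal steps above, written as shell-style wildcards.
SUSPECT_NAMES = [
    "avserve.exe",
    "avserv2.exe",
    "[0-9][0-9][0-9][0-9][0-9]_up.exe",   # "[random five digit number]_up.exe"
    "skynet??.exe",
]

# Constructed sample: C:\EXAMPLE paths and the ExampleEntry names are made up.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\EXAMPLE\avserve.exe
C:\EXAMPLE\12345_up.exe
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExampleEntry] avserve.exe
O4 - HKCU\..\Run: [ExampleEntry2] "C:\EXAMPLE\skynetAB.exe" /q
O4 - HKLM\..\Run: [POINTER] point32.exe
"""

O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")


def image_name(command):
    """Lower-cased executable file name from a path or a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        # quoted path followed by arguments
        command = command[1:].split('"', 1)[0]
    else:
        # unquoted: take everything up to the first ".exe" (paths may contain spaces)
        match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        if match:
            command = match.group(1)
    return command.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspect(name):
    """True when the file name matches one of the listed names."""
    return any(fnmatch.fnmatchcase(name.lower(), pat) for pat in SUSPECT_NAMES)


def scan(log_text):
    """Return (kind, where, file name) for every matching process or autostart entry."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        entry = O4_LINE.match(line)
        if entry:
            name = image_name(entry.group("cmd"))
            if is_suspect(name):
                where = f'{entry.group("key")} [{entry.group("value")}]'
                findings.append(("autostart", where, name))
        elif in_processes:
            name = image_name(line)
            if is_suspect(name):
                findings.append(("process", line, name))
    return findings


if __name__ == "__main__":
    # lsass.exe itself is a normal Windows file and is not on the list.
    for kind, where, name in scan(SAMPLE_LOG):
        print(f"{kind:9} {name:14} {where}")
```

The "autostart" rows name the Run key and value to look for in msconfig and regedit in steps 3 and 4.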
 

Expert Comment

by:brlconsulting
ID: 11132160
RePhlux,

Thanks for the info.  Did you get the problem whereby when in Task Manager the system would not allow the suspect processes from being shutdown?

Brian
0
 

Expert Comment

by:RePhlux
ID: 11132175
No I can't say that I have come across that yet, but if you remove the reg keys the process should no longer be there anyway after the reboot to normal windows
0
 

Expert Comment

by:brlconsulting
ID: 11171249
Thanks again.  I have gone through all the steps again and it seems to have been resolved.  Not too sure why it didn't happen first time round.

Cheers

Brian
0
 
LVL 32

Expert Comment

by:LucF
ID: 11171370
Just a little note, lsass is a normal windows system file and shouldn't be stopped/blocked/killed or whatever.
0
 

Expert Comment

by:teknowil
ID: 11191961
if it keeps coming back, which it should with xp because most people have restore point set. Just turn off the restorepoint or it will continue to reinfect the computer.
0
 

Expert Comment

by:adesai79
ID: 11193252
Hi,

I have the same problem and I tried to fix it using all the above steps, but still I am unable to fix it.

1)  There is no such process as avserve.exe, avserv2.exe, [random five digit number]_up.exe, skynet??.exe in Windows running process list.
2)  Whenever I type shutdown -a in Start->run, it says command not found.
3)  Already applied the security patch by Microsoft but still issue not resolved.
4)  Downloaded a host of different sasser removal softwares from Microsoft, Symantec and stinger but everybody says: No virus found

It's very annoying as the computer reboots itself every 20 mins or so, not really sure what to do.

Anybody, please help me out.

Thanks,

0
 

Expert Comment

by:wingtech
ID: 11197866
Hi adesai79

Sadly viruses are not the only causes of random re-boots.

If you have eliminated all the likely viruses, and not just sasser, you could have a look at memory testing.

More than once I have seen re-boots as a symptom of memory, motherboard or cpu failure about to happen.

Another possibility is overheating or poor power supply. Both of these can lead to instability from which the system cannot easily recover. For example adding a new device which uses a lot of power could be hitting the limits of the PSU and also contribute to additional heat.

If you feel that you have eliminated viruses, you could try working through the other possibilities.

Best of luck in the gremlin hunt!

Regards

Neil
0
 

Expert Comment

by:adesai79
ID: 11200679
Hi,

But it has the same symptoms like Sasser virus. It gives me error in lsass.exe and gives me timer for 60 seconds.

Could it be a different type of virus..?
0
 

Expert Comment

by:wingtech
ID: 11201203
No, That really does look like it, I am afraid.

Make sure that you are doing your hunting at admin level of security, just in case.

I think that sasser is still your likeliest bet.

Sorry not to offer more help than that.

Sympathies.

Neil
0
 
LVL 32

Expert Comment

by:LucF
ID: 11201254
adesai79, You did the right thing by opening your own question:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21008581.html

Let's all continue there.

Thanks,

LucF
0
 

Expert Comment

by:allmarc
ID: 11207848
On the timeout problem, I have had success with changing the date and time in the systray clock, then run the patches or viri fixes! Hey! it works!!
0
 

Expert Comment

by:PaulR2117
ID: 11384964
I have been following this question with great interest, since we were having the same symptoms.
It turned out we had the Win32.Korgo.I worm.
Microsoft patch MS04-011 would have stopped it if we had applied it to all our computers.
It must have come in on a laptop.
0
 

Expert Comment

by:leptoid
ID: 11400682
Check your PC for the Sasser virus.
See www.symantec.com for details and removal tools.  You should also consider patching winxp for this virus to avoid the future crashes.
0
 

Expert Comment

by:serhancetin
ID: 11404900
This is Sasser32 virus. And you should download the critical windows XP patches. First download the Norton sasser scan anti virus tools. Then make a full system scan with that tool. But during the system scan you should disable the system restore points!!!! After system scan the virus should be found with that program. Then enable your windows firewall and connect the microsoft official web site. On main page you will see the critical warning of microsoft. Follow that link and download the Sasser Xp patches from Microsoft. Your problem will be solved by this solution. Dear users do not forget to update your operating systems and anti virus tools.
0
 

Expert Comment

by:PaulR2117
ID: 11411938
Hi Serhancetin,

We actually have the KORGO virus, which started out looking like the 'Sasser'. We applied the MS04-011 patch and removed the worm's file from the system and registry. - Curiously, this file and registry setting didn't show up in NT and 2000 machines that were known to be infected, it only showed up in the XP machines.

However, we are getting repeated messages from our virus scanner (eTrust V7):

"Win32/Korgo.R.Worm was detected in C:\SYSTEM VOLUME\_RESTORE{E7276E57-....\A0005793.EXE"

A full scan with our virus software didn't apparently detect or remove this virus - but at least it is catching it as it moves into this 'Restore' directory.
It seems to me that there is still an infected machine somewhere in the LAN that is reinfecting the others.

I'm fairly new to XP. What did you mean by your reference:

"But during the system scan you should disable the system restore points!!!!"

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11411989
I believe he means just disable System Restore..

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11412130
Although this thread has been closed for quite some time, it seems that there is still an interest...  So I will post the best fix I have found for Sasser...

The problem

Sasser is a denial of service (DoS) worm that exploits a flaw in a Windows 2000 or non-64-bit Windows XP machine's Local Security Authority Subsystem Service (LSASS). IT security pros must install a patch to prevent unattended systems from falling prey to Sasser's destruction. However, administering the patch is a challenge because infected systems keep rebooting before it can be installed.

The cause

Sasser causes a stack-based buffer overflow in certain Active Directory service functions in the LSASRV.DLL file of the LSASS. Applying the patch provided in Microsoft Security Bulletin MS04-011 is the only way to protect your system from reinfection.
 
The solution

Here is the solution for expanding the amount of time it takes before your computer reboots due to the Sasser worm. Keep in mind that you will have only about 20 seconds to complete the steps, and you must already know the system's name before beginning this process:
 
Tip:  To find your computer's name, open Control Panel and click on the System icon.
 
1. Disconnect from the Internet.
2. Restart.
3. As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
4. At the DOS prompt, enter shutdown -i and press [Enter].
   (This command opens the control panel for remote administration of other systems, but for this process you will just need to enter the name of your computer.)
5. Click Add, enter the name, and then click OK.
6. Now modify the warning message delay setting from the standard 20 (seconds) to a large number, such as 9999. After patching, you can reset the warning message delay if you wish.
   (That should temporarily disable the shutdown sequence long enough for you to log on to the Internet and download the patch.)

Alternative solution

An alternative method for stopping the reboot cycle on XP-only systems is to enter shutdown.exe -a at the command prompt. That aborts the shutdown process completely and is obviously much faster for XP systems.

0
 

Expert Comment

by:serhancetin
ID: 11413639
Click on System in the Control Panel, click on System Restore, and click on Turn off System Restore on all drives... otherwise the anti-virus can't delete the files with the virus. After this operation, you must turn it back on; this feature is there to protect system files.

To remove the Korgo virus, follow this URL: http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.removal.tool.html .. I used it there; it is efficient.
0
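
An added illustration for the System Restore exchange above (not part of any poster's comment and not a vendor tool): a small triage script that separates scanner detections inside the System Restore store from detections in live paths, which is the distinction the "turn off System Restore, rescan, turn it back on" advice rests on. The host column, host names, GUIDs and file names are constructed sample data; only the "was detected in" wording follows the scanner message quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample alerts (assumption: one "<host> <alert text>" line per alert).
# Only the "<name> was detected in <path>" wording comes from the thread.
SAMPLE_ALERTS = r"""
PC-01  Win32/Korgo.R.Worm was detected in C:\System Volume Information\_restore{00000000-1111-2222-3333-444444444444}\RP12\A0000001.EXE
PC-01  Win32/Korgo.R.Worm was detected in C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-1111-2222-3333-444444444444}\RP12\A0000001.EXE
PC-02  Win32/Korgo.R.Worm was detected in C:\WINDOWS\system32\example_dropper.exe
PC-02  Win32/Korgo.R.Worm was detected in C:\System Volume Information\_restore{55555555-6666-7777-8888-999999999999}\RP3\A0000003.EXE
PC-03  scan completed, no infections found
""".strip().splitlines()

ALERT_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<threat>\S+) was detected in (?P<path>[A-Za-z]:\\.+)$"
)

# A path component of the form "_restore{...}" marks the System Restore store.
# Matching is case-insensitive because Windows paths are.
RESTORE_STORE_RE = re.compile(r"\\_restore\{[^\\]*\\", re.IGNORECASE)

# Follow-up per verdict, using only the remediation steps given in the thread.
NEXT_STEP = {
    "active": "disconnect from the network, apply MS04-011, run a removal "
              "tool, then purge restore points",
    "restore_only": "turn System Restore off, rescan, then turn it back on",
}


def parse_alert(line):
    """Return {'host', 'threat', 'path'} for a detection line, else None."""
    match = ALERT_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(path):
    """'restore_store' for archived copies, 'live' for anything else."""
    return "restore_store" if RESTORE_STORE_RE.search(path) else "live"


def triage(lines):
    """Group detections per host and decide which hosts are actively infected.

    A host with any detection outside the restore store is 'active'. A host
    whose detections are all inside the store is 'restore_only': the scanner
    keeps re-reporting archived copies it cannot clean while System Restore
    is enabled.
    """
    hosts = defaultdict(lambda: {"live": set(), "restore_store": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not a detection line
        # Lower-case the path so repeated alerts for one file count once.
        hosts[alert["host"]][classify(alert["path"])].add(alert["path"].lower())

    report = {}
    for host, found in sorted(hosts.items()):
        report[host] = {
            "verdict": "active" if found["live"] else "restore_only",
            "live": len(found["live"]),
            "restore_store": len(found["restore_store"]),
        }
    return report


if __name__ == "__main__":
    for host, row in triage(SAMPLE_ALERTS).items():
        print(f"{host}: {row['verdict']:<12} live={row['live']} "
              f"restore_store={row['restore_store']} -> {NEXT_STEP[row['verdict']]}")
```

Hosts that keep producing new restore-store detections after a purge point to reinfection from elsewhere on the LAN rather than to leftover archived copies.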
 

Expert Comment

by:Zeratul9
ID: 11471095
if you still need help with the lsass.exe error email me > ** e-mail removed per http:help.jsp#hi99 **
0
 

Expert Comment

by:raimonabraham
ID: 11513607
If you could not obtain the right removal tool, or if you are still infected
after running it, you can do the following to stop the worm from crashing LSASS.exe.

Create a file called %systemroot%\debug\dcpromo.log and make the file read-only.
To do this, type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

NOTE: This is the most effective mitigation technique as it completely mitigates
this vulnerability by causing the vulnerable code to never be executed.
This work-around will work for packets sent to any vulnerable port.
0
 

Expert Comment

by:shenazzer
ID: 11652067
Download this from
http://securityresponse.symantec.com/avcenter/FxSasser.exe
run it in safe mode if it doesn't work
and then install this
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
for future protection from sasser worms ;)
0
 
LVL 32

Expert Comment

by:LucF
ID: 11653825
Come on...
This question has been closed for almost two months now, and we're starting to have duplicate comments here...

Thanks,

LucF
0
 

Expert Comment

by:jeffatkinsonlpc
ID: 11690202
I have an error that occurs when I log onto the internet.  The NT authority error.  This causes shutdown in 60 seconds.  I run XP.  From what I see it is a worm (Blaster or Sasser).  However, every time I test for it I get nothing.  Could it possibly be related to not activating my Windows yet?  I should have that resolved in a day or so.  Nonetheless, all of the patches and stuff do not seem to work either.  HELP?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11690351
jeff.. open another thread.  this one is closed and I doubt you will find help here..  

FE
0
 
LVL 5

Expert Comment

by:shanyuen
ID: 11690774
You are infected by the Sasser worm or a variant.
-Download stinger from http://vil.nai.com/vil/stinger/ 
-Download the security update patch from Microsoft. (WindowsXP-KB835732-x86-ENU.EXE)
-Just turn off your System Restore (right click on My Computer > Properties)
Your virus will not be removed if you turn on this function.

-Reboot in safe mode.
-Scan with stinger.
-Then patch it.

Back to your windows and turn on your system restore.
0
 

Expert Comment

by:dracoolio
ID: 11695410
Sometimes, even if your Anti-Virus is up-to-date and you run an Anti-Spyware program, it still is not enough to kill a virus/worm/trojan/spyware.

What you do is do a CTRL-ALT-DEL and check your running TASKS. One or more of them is the bad program causing you to reboot. You have to write down the suspicious task and reboot, but this time press F8 to run in SAFE MODE. Once in SAFE MODE, locate the bad programs and their folders and delete or rename them. When you reboot again in NORMAL MODE, if this happens again repeat these steps again.
0
 
LVL 32

Expert Comment

by:LucF
ID: 11695551
*** To everyone who'd like to post a question/comment here, please note THIS QUESTION IS CLOSED! ***
*** The answers can be found at http:#10970667 http:#10972424 and http:#10972463 ***
*** Fatal_Exception made a nice summary at http:#11412130 ***
*** If you have this problem, check those comments; if you think you have something to include, please ***
*** check that it hasn't been said above before more duplication occurs. ***
*** Thanks for reading this, LucF ***
0
 

Expert Comment

by:overdrive_dos
ID: 11727726
Your problem is that even though you may have got rid of the problem, there is a back door still open on your system which it is using to re-download itself back onto your system.

What you need to do is:

1. Go to Start > Run and type in "shutdown -a"
2. Install a firewall, e.g. Sygate from "http://www.sygate.com/firewall/" (this is a really good free one)
3. Then you will need a really good antivirus software, not a free one, e.g. "Norton Antivirus"
4. Run the antivirus (make sure it's a good one; don't use a free online one)
5. Then you will need to download "Sasser (A-F) Worm Removal Tool (KB841720)" from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en

6. Run the Sasser removal tool
7. Then make sure you do not have any spyware on your system; use something like "pestpatrol"

From Overdrive
0
 

Expert Comment

by:overdrive_dos
ID: 11727770
Your shutdown button has gone because you typed in "shutdown -a". It does not happen all the time, but if your Win XP installation is not installed properly this can happen. To get the button back simply type in

"shutdown +a"

Notice the +a

From Overdrive
0
 
LVL 32

Expert Comment

by:LucF
ID: 11728448
I give up :(
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11730007
*grin*  Does not seem like anyone is paying attention to you here, eh?  Like talking to a wall..  

Funny thing is that it seems that this question is cursed.  Something just wants to keep this question going..  Very weird..  :)

FE
0
 
LVL 32

Expert Comment

by:LucF
ID: 11730924
It's cursed indeed... there are about 500 questions about the Sasser virus, and this is the only one with, till your comment, 65 comments posted... I can't imagine any other sasser question beat that :o)

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11731020
I stopped coming into the thread and just deleted it for a while.  Now it is just curiosity that makes me come back to see who could be still posting to it...  And the most amazing thing is that the new questions get answered..  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 11731049
Be afraid, this question is becoming a whole new version of EE :) No more points, no longer knowing who the asker is, no longer worrying about grades, a lot of duplicate comments etc, etc. In fact, I kind of like it...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11731226
Yea..  we could really abuse this if we wanted, eh?    Just throw something on the wall and see if it sticks...  *grin*
0
 
LVL 32

Expert Comment

by:LucF
ID: 11731255
ROTFL!
0
 
LVL 5

Expert Comment

by:shanyuen
ID: 11751834
Your problem is that even though you may have got rid of the problem, there is a back door still open on your system which it is using to re-download itself back onto your system.
What you need to do is:
1. Go to Start > Run and type in "shutdown -a"

You can find this tool at microsoft toolkit
0
 
LVL 32

Expert Comment

by:LucF
ID: 11751880
Whoa! Cursed indeed :o)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11751958
And we meet again in this incredible black hole of a thread..!!  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 11752002
I just can't believe it anymore... it's too much... I'm heading back to the Lounge...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11752161
Ha..  when I got the email that this thread had been accessed again - twice - I knew you would be here for comment..  

What are they serving in the lounge today?  Too early here for alcohol..  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 11752259
For me it's too late for coffee :) So I'll get started with the alcohol.

At this moment nothing is really happening in the lounge... I'm still getting myself together from meeting this freak => http:Q_21067661.html seems like he's not responding anymore...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11756108
I started to post then thought better of it..  Religion and Politics in one thread..??  You know what they say about mixing the two, and the reason for the separation of Church and State (US Constitution..)  

I think that thread is out of control..
0
 
LVL 32

Expert Comment

by:LucF
ID: 11756824
Don't worry about it, from what I've heard, that freak has been suspended :o) what a surprise!
0
 

Expert Comment

by:alexsilcock
ID: 11834246
I had exactly the same virus as you and I managed to get rid of it. My PC also crashed in LSASS.exe a couple of minutes after being on the internet too. I just deleted the netsky.exe in my windows folder and then the problem went completely. My shutdown button on the start menu disappeared too, but if you just log off and then shutdown from the logon screen you'll be OK.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11836072
*grin*  howdy, Luc..!!
0
 
LVL 32

Expert Comment

by:LucF
ID: 11838365
ROTFLOL! At least now I know why this question is cursed... it's no 2 on the Time Tested Site Wide Solutions on the main page :o)
0
 
LVL 5

Expert Comment

by:shanyuen
ID: 11838512
ANYONE... CLOSE THIS TOPIC PLEASE.....
0
 
LVL 32

Expert Comment

by:LucF
ID: 11838583
hahahaha IT'S CLOSED ALREADY!

This comment was the moment it was closed => http:#10973807 posted on 05/03/2004

LucF
0
 
LVL 5

Expert Comment

by:shanyuen
ID: 11839815
So... how do I tell the administrator to close this topic?
Emails from the comments on this topic are still being sent to me.
Please close it, it's like spam mail.
0
 
LVL 32

Expert Comment

by:LucF
ID: 11839872
You are one of the people causing this mess. This question was closed already when you posted your first comment at http:#11690774; nothing has to be closed AS IT'S CLOSED ALREADY. If you don't want to get notifications, just click the "unsubscribe" link just above the comment box.

You might want to read the help pages on how to use EE, as it seems you don't know yet: http:help.jsp

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11840556
*grin*  I have been getting this in my email for what...??  4 months now..??  Got to the point that it is just a curiosity now...
0
 
LVL 32

Expert Comment

by:LucF
ID: 11840581
Question analyzer results for now:

28 Contributors 86 Posts

LucF:- 25 *************************
Fatal_Exception:- 17 *****************
royalm:- 6 ******
shlew:- 2 **
vamsee_konda:- 1 *
wingtech:- 3 ***
nachbund:- 1 *
sillver:- 1 *
LeePollard:- 1 *
mauricej74:- 1 *
scottie_clark:- 1 *
vadlapatis:- 1 *
brlconsulting:- 3 ***
RePhlux:- 2 **
teknowil:- 1 *
adesai79:- 2 **
allmarc:- 1 *
PaulR2117:- 2 **
leptoid:- 1 *
serhancetin:- 2 **
Zeratul9:- 1 *
raimonabraham:- 1 *
shenazzer:- 1 *
jeffatkinsonlpc:- 1 *
shanyuen:- 4 ****
dracoolio:- 1 *
overdrive_dos:- 2 **
alexsilcock:- 1 *

Seems like we are the main spammers FE :o)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11844315
Now you have me feeling guilty...  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 11844461
Don't feel all too guilty :) I'm the master spammer here.
I sure hope royalm found the "unsubscribe" link already...

Btw, you might want to try Xxavier's question analyzer yourself, just copy/paste this into the address bar:

javascript: function d(){A=new Array();s='';t=0;r=new RegExp('[0-9html_Q.]*$','i');r1=new RegExp('[0-9]{6,}$');r2=new RegExp('undefined');for (i=0;i<document.anchors.length;i++){if (r1.test(document.anchors[i].name)){ix=document.anchors[i].parentNode.childNodes[2].innerHTML;A[ix]+='*';t+=1}}c=0;for (j in A){A[j]= A[j].replace(r2,'');A[j]=':- '+A[j].length+' '+A[j]}for (j in A){ s+='<br>'+j ;s+=A[j];c++}b=0;w=window.open('','','');w.document.write(c+' Contributors ' +t+' Posts<br>'+s);}d()

Then press enter. I just love it :)

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11844683
I see what it is supposed to do, but cannot get it to work..  Is this the whole script?
0
 
LVL 32

Expert Comment

by:LucF
ID: 11845280
Hmm... I should maybe have noted: IE6 only... just copy/paste in the address bar and press enter.

Then a new window should pop-up containing that information (maybe some kind of pop-up stopper blocks it for you)

LucF
0
 

Expert Comment

by:jeffatkinsonlpc
ID: 11845329
You guys...e-mail between yourself.  This is not the way it is supposed to work.  I asked the question initially and got my answer.  But close the topic already and move on.  
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11845349
Yea, thought of that and pressed ctrl to allow the popup...  This works a little like the javascript I have on my home page for discovering exactly where the URL is hooked to...  

www.doverproductions.com

Have to go out to a client's, but will be back to test some more..

FE
0
 
LVL 32

Expert Comment

by:LucF
ID: 11845505
jeffatkinsonlpc,

You're 100% right, this is not the way it's supposed to work; read the help pages and you'll see that you asked your question the wrong way. Seems like this question has been flooded already with enough comments from people like you.

So, if you don't like it, as I said above, the unsubscribe link is just one click away :o)
But don't blame us, YOU'RE one of the people that started this mess. Both FE and I helped on the initial question.

FE, so it works now?
Btw, I'm offline for a couple of days from now, I'm sure you can handle this question on your own LOL! cya,

LucF
0
 
LVL 13

Expert Comment

by:dungla
ID: 11857544
Hi all,

I met the same error message, using Win XP Pro, SP1, Norton installed. When scanning, it found Blaster, then fixed it. After a restart, running the Blaster removal tool from both Norton and Microsoft found nothing; connected to the internet, I still get the lsass.exe error with shutdown in 60 secs.
Running the Sasser removal tool from both Norton and MS found nothing, and I still have this error. (I already turned off System Restore before running the removal tool and installed the updates from the Microsoft Windows Update website, all critical updates.)

Anyone help me?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11857597
Please open another thread for your question..  This has been closed a long, long time.....
0
 

Expert Comment

by:hautine
ID: 12099438
Your computer is infected by worm called sasser.
What you need to do is download the fix from http://www.symantec.com
Then also download the fix pack for this from the Microsoft website.

However, this might be a problem if your computer is shutting down in 60 sec, so from the command prompt run this command: shutdown -i , then specify 9999 sec in the dialogue box that appears so that you have some time before your computer shuts down.

then apply the pack for XP and also run the fix.

0
 
LVL 32

Expert Comment

by:LucF
ID: 12103507
Hey FE, long time no see :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12103719
Ha...  Saw you commenting in some threads last week, so knew you got your server back up and running again.  Hope it was not too much of a disaster..  I have not been at home the past week, as am housesitting for my parents, so my contributions have fallen off lately.  But should be back on line before long.  

and it is always GTCU again..!!

FE
0
 
LVL 32

Expert Comment

by:LucF
ID: 12103822
Yep, my server is running nicely again, cost me a small fortune, but it's certainly worth it as I'm now running on a RAID-5 of 146GB, so certainly enough for my pages :)
Will see you around in the other TA's.

LucF
0
 
LVL 5

Expert Comment

by:ranadastidar
ID: 12141893
just install winxp service 2, it will solve your problem
0
 

Expert Comment

by:aarbk
ID: 12174615
Hi LucF and FE,

Congrats !

This loop has completed its 164th day today and wish this one runs longer ;)

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12175509
*grin*
0
 
LVL 32

Expert Comment

by:LucF
ID: 12180256
ROTFLOL! Gotta love that.
0
 

Expert Comment

by:Simple_Simon_thepieman
ID: 12190527
It certainly appears that the cause of the problem is the sasser worm.

First an abort of the shutdown is required.
so go to run in the start menu and type "shutdown /a" (without quotes) or "shutdown -a" this will abort the shut down.

Secondly you can either go to http://www.symantec.com
and download a fix.

But if you're running a legitimate copy of XP, Microsoft is aware of the Sasser worm and the vulnerability is rectified with a Windows update.  Depending on the speed of your connection to the internet you may get the fix from Symantec anyway, for no other reason than it is a smaller download.  But I would advise running Windows Update, for other unforeseen security updates.
0
 
LVL 32

Expert Comment

by:LucF
ID: 12190615
aarbk, and it will keep going :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12192066
hahahahahahaha..!!!!!
0
 

Expert Comment

by:jrolson
ID: 12271796
One day after I got a new pc, I got the Sasser virus...lol  Then I installed antivirus software, fixed it up.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12272062
Hi, Luc..  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 12272069
What took you so long? :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12272156
Tired..  needed a nap..  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 12272169
So do I, it's getting late here in the Netherlands, but I'm sure to see you around here in this question :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12272197
Only reason I have not unsub'd to it, my friend.  Every time I get an email on this thread it draws a smile...  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 12272207
Yeah, it sure does :)
0
 
LVL 3

Expert Comment

by:Fermion
ID: 12389881
This thread was infected by the passer wormbot. It causes all answers to comments to pass over and thus not be noticed.
A most insidious wormbot, it has caused one thread on a tech site in the UK to have over 15,700 comments even though the original question was fully answered after 8 posts.

Indications that the passer wormbot is infecting a thread:
- The question is answered and recognized as being answered, but comments continue(generally normal for awhile)
- Attempts to advise a closed thread appear to go un-noticed.
- The passer wormbot "morphs" into several incarnations of itself, usually 7-12, with different screen names on the thread, and the "morphs" start talking amongst themselves about the original problem. This is usually evidenced by the fact that direct comments to them, such as, THIS THREAD IS CLOSED, are ignored. Wormbots will continue their chatter as long as a thread is left fully open or if they become bored.

Remedy for the passer wormbot:
- There is no remedy, it is a function of thread users who do not read the entire thread before commenting!!!!!!!

Hahahhahahahaa!!!! Just had to do it.
Fermion.
0
 
LVL 32

Expert Comment

by:LucF
ID: 12389898
ROTFLOL! Finally someone with a bit of good sense!

Thanks for the laughs Fermion.

LucF

p.s. Hi FE :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12389997
I just wonder how ferm found it in the first place..!!  
0
 
LVL 3

Expert Comment

by:Fermion
ID: 12390362
Lounging with a beer :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12390665
*grin*  Good day for a brew..  I figured it was something like that..!!
0
 

Expert Comment

by:Mangolata
ID: 12393747
Ya know, if you've not found an answer yet, you might as well reinstall XP for all of the trouble it has caused.

See you.

:o}
0
 

Expert Comment

by:Mangolata
ID: 12393758
Actually, it might be a virus, because W32 Sasser did that to my PC and I wiped it and it stopped being annoying.
0
 
LVL 32

Expert Comment

by:LucF
ID: 12393882
hahahahahahahahahaha
0
 

Expert Comment

by:Mangolata
ID: 12394185
what are you laughing at
0
 
LVL 32

Expert Comment

by:LucF
ID: 12394519
Mangolata,

This question has been going on for months now, it's nothing personal but it seems like you haven't taken the time to read all the suggestions and to note that this question has been closed from 05/03/2004

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12395321
Yep..  the only ones watching this now are Luc, Fermion, and me...  Every time I see this thread come into my inbox, I get a chuckle..  :)
0
 

Expert Comment

by:Mangolata
ID: 12398413
Note to all, especially LucF:

I am a 10 year old kid and i was born on 20/01/94 and well what else do i need to say.

Mangolata
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12399671
For a 10 year old kid, that was a quite a lucid response to the question..  good for you Mangolata...  :)
0
 

Expert Comment

by:Mangolata
ID: 12402036
Thank You
0
 

Expert Comment

by:Hackrack
ID: 12437468
OK, it's a W32 Sasser worm & I think you have fixed it already. But there is a command that will help you if the message "Windows will shutdown...." is showing. To stop Windows shutting down, go to Start -> Run & type ''shutdown -a'' with administrative privilege & the shutting down of Windows will stop. In this way you can easily & quickly remove the virus.
0
 
LVL 32

Expert Comment

by:LucF
ID: 12438232
And also that has been said about 10x now :o)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12439296
rotfl
0
 
LVL 4

Expert Comment

by:BjornEricsson
ID: 12515259
I might just add to this enormous thread that I've had the same problems with lsass.exe and RPC calls, where I already had the new Sasser file on a write-protected floppy downloaded from work and scanned through the machine at once, but voila, nothing found and the problems remained.
Solution to my problem? Simply installed "Buffer UPnOQ315000_WXP_SP1_x86_ENU.exe" from Vole, it actually helped.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12515371
You think..??  (enormous)  *grin*

Actually, thanks for the tip..  most worthwhile comment in this thread for quite some time..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12515375
BTW:  Hi LucF..  :)
0
 
LVL 4

Expert Comment

by:BjornEricsson
ID: 12515461
Simply thought it was about time :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 12516398
Hi FE :)

Well, yeah, finally some added information instead of duplicates.

LucF
0
 

Expert Comment

by:ugnius2
ID: 12902903
The original lsass.exe is not related to security threats http://www.2-spyware.com/file-lsass-exe.html, but the computer shuts down definitely because of the Sasser worm.
0
 
LVL 32

Expert Comment

by:LucF
ID: 12902983
:)
Hi FE!
Happy holidays everyone.

LucF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12903274
:o)

Absolutely!!
0
 
LVL 3

Expert Comment

by:NoirLuna
ID: 13211398
Just get the sasser patch and run it.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13213997
:)  Morning World!  back at ya, Luc!
0
 
LVL 32

Expert Comment

by:LucF
ID: 13232974
:) Nice to see you again FE, I've just returned from a week of skiing in the Alps. Got a chuckle when I again saw two notifs from this question.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13233215
Nice..  Skiing in the Alps..  Something 95% of the West can only dream about and watch on TV..!!
0
 
LVL 32

Expert Comment

by:LucF
ID: 13233259
Ah well, that's the nice thing about living in the NL, the Alps are only about 600 miles from here :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13233377
Must be a beautiful drive to get there!  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 13233384
It sure is... when you drive in daylight, I normally drive at night because of the traffic jams in that direction during these times of the year :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13233503
:o)
0
 

Expert Comment

by:keithbraithwaite
ID: 13323283
I see this thread is still running a year later! I found it when putting up a search about Lsass.exe error and I've read through nearly all of it and noted down a lot of extremely interesting and useful stuff.
The problem is that I have this error message on a brand new hard disk which I just formatted and installed XP Pro. It had never been connected to the Internet!
I'll try the "shutdown - a" command in order to set up the connection and update Norton...

I should say that I got an error message while installing which I think mentioned Lsass...

Any ideas on this one?

Thanks in advance

Keith
0
 
LVL 32

Expert Comment

by:LucF
ID: 13323534
Hi Keith,

It doesn't seem to me like you're having troubles with Sasser, but for fast help, please create your own question by clicking the following link:
http://www.experts-exchange.com/Operating_Systems/WinXP/askQuestion.jsp

LucF

p.s. Hi FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13323707
:)
0
 

Expert Comment

by:shenazzer
ID: 13324070
Hello ,
Download this patch from the given website; it's due to the Sasser worm. Scroll down, there are OSes given below; you can select the one you're using to get the patch downloaded...
 
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


After downloading that patch, download this Sasser Removal from http://www.Symantec.com or the URL given below. By doing this you can get rid of this worm from your PC, and your other computers on your network will be safe from this worm which existed on your computer.

http://securityresponse.symantec.com/avcenter/FxSasser.exe
0
 

Expert Comment

by:keithbraithwaite
ID: 13325033
You're right LucF - I shouldn't have tried to cash in on a paid up thread - the points should be there for the taking. I'll put the question in the normal way.

The other letters about downloading Sasser removal patches are quite right certainly - as were the different letters in the same vein during this whole correspondence - but as I said, this HD has never been and is still not connected to the Internet. That is what intrigues me...
0
 
LVL 32

Expert Comment

by:LucF
ID: 13325308
Keith, I've subscribed to your new question and will see if I can find anything for you.

LucF
0
 

Expert Comment

by:PaulR2117
ID: 13329151
Maybe one of the apps or media you installed were infected :?
0
 

Expert Comment

by:MattsBusinessCentre
ID: 14449205
FE & LucF

get a room! ;)
0
 
LVL 32

Expert Comment

by:LucF
ID: 14449370
*grin*
0
 

Expert Comment

by:keithbraithwaite
ID: 14449406
suddenly started getting postings from this question again... got it all "sassed" out long ago thanks to you guys, though it wasn't my question to start with!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 14449886
Wow, have not been back here in a while!  :)
0
 
LVL 32

Expert Comment

by:LucF
ID: 14449932
We all need a break once in a while :P
0
 
LVL 11

Expert Comment

by:lbertacco
ID: 14808166
All PCs I have with XP and Norton Antivirus report this "warning". The cause seems to be NAV itself, since if I disable any of the programs that are automatically executed at startup, the problem remains - except for NAV. If I disable NAV at startup (using Sysinternals autoruns.exe), then the problem disappears.
Can anyone confirm this behaviour?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 14811608
Been so long, I forget what the original problem was in this thread!  :)
0
 

Expert Comment

by:keithbraithwaite