lsass.exe error shuts down XP Home in 60 seconds!

Hi royalm,

This is for win2k, but it might apply to winXP also.
http://www.jsiinc.com/SUBM/tip6100/rh6116.htm

Greetings,

LucF

Hmm.. just looked around a bit, do you have a firewall on your computer?
If not, get something like ZoneAlarm (http://www.zonelabs.com) which is free for personal use.
See if the message stops then, especially check for inbound connections in the log of ZoneAlarm.

See if you can gather more information from your Event logs...  and post it here..

OK everyone, I've tried the W2K possibility, and can't get through the 59 seconds I have to complete the advapi32.dll and copy unless I do it in safe mode.  Is it safe to try this LucF? In Administrator?

The same goes for trying to install ZoneAlarm...again, can this be done in safe mode?  Under Administrator?

And I can't get into an event log let alone try to copy it to a cd or floppy before my time is up, again, is this possible in safe mode?  Under Administrator?

One thing I did run into today was the lsass.exe being quarantined by NAV on a totally different system, by W32.HLLW.GAOBOT.gen.  I ran the fix, and checked the manual removal to see if it was on there, but it wasn't.   Could this have anything to do with it?  I also checked the hosts files to see if any were corrupted or missing.

What should be my next move?

Thanks all,
royalm

Several things:

1) you can stop the countdown by: Start => Run => type "Shutdown -a" (without the quotes and press enter)
2) This tool is made to fix all recent virusses: http://vil.nai.com/vil/stinger/ I suggest you to use it.
3) You should really install zonealarm (again, use 1) in case the countdown begins

LucF

Thanks LucF, the countdown stopped and I could install and run stinger and ZoneAlarm.

So when I tried to shut the computer down, the only option was to logoff, no turn off or shutdown button....!!!???  Am I going to have to reinstall XP?  I have worked on so many XP machines that needed reinstalled, I know I'm never putting it on my computers even though I have a Pro version in the box yet!  

royalm

>>Am I going to have to reinstall XP?<<
Probably not, at least not without trying to figure out what is bothering you. :)

First, I assume you have ran stinger.
Try a hard reboot (as in: hold the power key for about 4 seconds till the computer shuts down)
Now boot again, use this tool and post the logfile (Don't delete anything) so we can try a manual search for strange things on your computer.
http://www.spychecker.com/program/hijackthis.html

LucF

LucF, Here is the log file, I didn't notice anything suspicious, and you were right about the countdown beginning again on reboot.  

Logfile of HijackThis v1.97.7
Scan saved at 11:09:40 AM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\olehelp.exe
C:\Documents and Settings\Kathy Antoszewski\My Documents\HijackThis.exe
C:\WINDOWS\system32\spoolsv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
O1 - Hosts: 69.50.187.196 auto.search.msn.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab

I also have the App Event Log for Fatal Exception saved as .txt...hope it's readable.  royalm

4/23/2004      3:32:33 PM      Application Hang      Error      (101)      1002      N/A      KATHY      Hanging application rundll32.exe, version 5.1.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
4/23/2004      11:06:14 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      11:05:45 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\KATHY.ldb"" was corrupt and has been copied to ""C:\WINDOWS\Internet Logs\xDB2.tmp"".  File ""C:\WINDOWS\Internet Logs\KATHY.ldb"" was corrupt and has been deleted."
4/23/2004      11:05:44 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt, restoring from backup ""C:\WINDOWS\Internet Logs\BACKUP.RDB""."
4/23/2004      11:05:44 AM      TrueVector Service      Error      None      5007      N/A      KATHY      "TrueVector engine: File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt and has been copied to ""C:\WINDOWS\Internet Logs\xDB1.tmp"".  File ""C:\WINDOWS\Internet Logs\IAMDB.RDB"" was corrupt and has been deleted."
4/23/2004      11:05:35 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:40:36 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:40:21 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/23/2004      7:08:03 AM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/23/2004      7:07:48 AM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:45:36 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:45:21 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:44:35 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:09:57 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      11:09:57 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
4/22/2004      11:07:49 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:07:34 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      11:06:48 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      11:05:48 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      11:05:48 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
4/22/2004      11:03:35 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      11:03:20 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      10:20:42 PM      Winlogon      Error      None      1015      N/A      KATHY      A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 128.  The machine must now be restarted.
4/22/2004      10:20:27 PM      NProtectService      Information      None      3      S-1-5-18      KATHY      The service was started.
4/22/2004      10:19:17 PM      Userenv      Warning      None      1517      S-1-5-18      KATHY      Windows saved user KATHY\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
4/22/2004      10:12:23 PM      VSS      Error      None      8193      N/A      KATHY      Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
4/22/2004      10:12:23 PM      EventSystem      Error      (50)      4609      N/A      KATHY      The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Whoa...  Lots of bad things happening here...  

I would open up msconfig and stop everything from starting at boot, and all services other than the Windows services too...

Start > Run > msconfig

Stop everything in the startup tab (except perhaps your AV)

Go to Services tab and tick the Hide Windows Services..  Again, stop everything (except perhaps your AV)

Reboot, and ck your event logs again...   You may also want to ck your Services to make sure that everything that is meant to startup at boot is actually starting...  You can go to Black Viper to see what is needed to start the system...

http://www.blackviper.com/WinXP/servicecfg.htm

You have a nice browser hijacker :(

Use this tool to get rid of it:
http://209.133.47.200/~merijn/files/CWShredder.exe

How do I prevent it from happening again?
http://209.133.47.200/~merijn/cwschronicles.html#byteverify

Thanks FE :)

I just noticed the updates at Mcafee and Symantec today... so it is a very new exploid :( I hate it when this happens...

LucF

Credit where credit is deserved..!!    :)

OK everyone,

One thing I can say is that I have learned so much from all of you, and being a fellow tech, this networking is good, and your time and effort are astonishing!  Thank you.  Here is what I have done...unfortunately too quickly because I believe the fixsasser tool may have worked!

I used the Stinger, CWshredder, and HijackThis! many times, and spent HOURS with the BlackViper site info.  The Stinger was new to me.  Then I tried a repair w/recovery console one more time, and still nothing.  Although after all of this, the PC was definitely zestier.

I finally wiped and re-installed XP on the 29th, played/tested it until late on the 30th, then returned it back to my friend.  What gets me is if the sasser was the culprit, why did it take so long for the Antivirus powers that be to get the updates updated?  Since nothing else worked, I'll wager that the fix tool would have.

So, with all the info I have been graciously given, and the dedication and time that LucF and Fatal Exception have shown for me and my 'lsass' problem, I believe you definitely deserve the point credits promised and my most gateful thanks.
royalam

Anytime..  come on back and see us again soon..

and thanks..

FE

Ditto ;o)

LucF

Well, I certainly learned a lot too...and thanks for asking the question!

hello royalM,

you have been infected with the sasser worm.
download windows fix for it from microsoft site at:
http://www.microsoft.com/security/incident/sasser.asp

or the symantec fix tool at :
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

it is a good idea to enable ur firewall in Win xp, and make sure u have the latest windows updates

vamsee

I am not so sure that sasser is the answer here.

I have just been dealing with this on a pc which was connecting through a USB DSL modem ( UK BT Internet)

About 1 minute after connnection the same popup would appear and the system would shut down. It was not possible to shut it down more quickly, nor was it possible to interrupt the shudown as that thread seemed to have the highest priority and could not be intercepted.

The MS patch was already in place and the Symantec FixSasser tool and also Stinger v2.5.5 could find no Sasser infection. W32/Nachii was found (A Welchia variant) which also hits the RPC component.

Cleaning up made little difference, but switching to an ethernet based Internet connection did. Switch back and the problem appeared.

Whatever was the cause in my case was resolved by using a router to connect to the DSL. The problem is still there but avoided!

Not ideal but, hey, it works!

If that helps someone at guru level decide what is going on then I look forward to hearing. Otherwise, I hope it helps someone else find a workaround.

Cheers

LucF hi,
i friend has the same problem! but whats differs is that  his RPC does not function! i dont know what to do and how to restore the RPC! can u help me too? i tried to manually operate it but i didn't manage to do it! what can i do?
btw whats the commad to format NTFS file system?
thanks a lot for reading.

                       nachbund
                         

nach..  you really need to open your own question for this...  

Hello,
its problem was new virus which was Sasser for W2000 and XP..
you can be installing patch files from microsoft website.....>>>>
 for W2000 the name is (Windows2K- KB835732)(
 for XP        the name is (Win xp KB35732)

thanks>>>>>>

My company has dealt with al lof the above mentioned viruses.  If once you are able to run the "fix" and eliminate the culprit, yo uneed to try to see if you can then access eithe rwww.symantec.com, www.mcafee.com, or any other AV web site.  If not, then you need to replace the c:\windows\systems32\drivers\etc\hosts file (assuming your OS is on the C drive).

This should resolve the issue.  I used the hosts file off of my own computer and it worked perfectly.

wingtech,

>>I am not so sure that sasser is the answer here
I am pretty sure, welchia will give a message, the same as the blaster virus:

"svchost.exe has created an error...."

With this sasser worm, you get:

"lsass.exe has created an error...."

At the moment I posted that comment only sasser and sasser.b existed, and those where the only ones to create that error message.
Hope that answers your question :)

LucF

p.s. to add some valuable information:
Even the cheapest firewall, like the build in winXP one, or a free one like Zonealarm would have prevented blaster/welchia/sasser etc from spreading as fast as it does at the moment. Just closing some ports on the firewall will do the trick (like in wingtechs case, the router takes care of that)

I just had a similar problem with an employee's notebook, Win2K Professional.  It actually had McAfee already on it and up-to-date but was infected to high-heaven with viruses, found after doing a full scan.  My problems started after installing the Win2K Updates using the critical update tool in Windows; IT downloaded all the updates and installed them all and rebooted.  After that, after getting on an internet connection, I get the lsass error message!  Before getting the updates the PC was working fine.  I thought maybe AV had corrupted the download, but the KB article that explains the directories to look for to uninstall the SP don't match what is on this system.  Strange

Hi everyone,

I wonder that if sasser is causing all of these problems, might the latest MS patch for all 5 sassers (at this point) be the answer?  The original sasser fix tool I have had to be run several times to rid sasser...it always showed up after a reboot.  Here is the address if someone is interested.
http://update.internetweek.com/cgi-bin4/DM/y/eg2V0GMj8R0G4X0CW2K0A7.

Here is the name of the little file you can download from there.
Windows-KB841720-ENU-V4.exe

I'm running out of sasser-filled pc's to play around with, so I haven't tried this yet.

royalm

Yep, I noticed the same thingy :( All virusscanner manufactors are also updating their tools to be able to get rid of the newer versions. But, just with a firewall and with windows updated you're pretty safe for this kind of crap :)

LucF

re: viruses, worms and other nasties:

I find that if I have a PC with a potential infection - boot up in Safe Mode (press F8 when starting up, at the point when the screen goes blank, ie just between the PCs BIOS screen disappearing and the Windows startup screen appearing) and then run any virus scan (NAV, Stinger, etc)

This is a much more reliable method of clearing out anything that has infected your PC!

I-Worm/Sasser
This worm spreads by internet exploiting MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants from the saturday first catch.

go to the link

http://www.grisoft.com/us/us_ts_removers.php

download i-worm/sasser removal tool

then donload micro soft patch from

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

then switch to safe mode and execute removal tool it removes the sasser.exe files then restart  get boot in to normal mode and load patch file download from microsoft site ur pc will be alright

be careful while download check patch that siutes ur OS

Can I add my two penneth worth.

I have a system which has definitley got the Sasser virus.

I have disabled System Restore.

The Process tab in  Task Manager shows LSASSS.EXE as running.  I have tried ending the process in ordinary mode and safe mode and an error message "Critical process, cannot be stopped".

I have updated Windows with the security patch mentioned above, rebooted and tried both the Norton fix and Stinger, updated today to no good effect.

Anyone any ideas before I throw all my toys out of the pram?

I work for a telephone tech support firm and we have been dealing with the removal of this sasser virus and all its variants (w32.sasser.[a-f].worm)and the w32.blaster.worm and it's variants on a daily basis.

So far the steps for removal that have had the greatest success rate are as follows:

1.) Disconnect your internet connection and boot to safe mode (through F8 on startup)
2.) Log into the administrator account and after the system is loaded press crtl+alt+del to bring up the system task manager and look in proccesses for any of the following:
     a.)avserve.exe
     b.)avserv2.exe
     c.)[random five digit number]_up.exe
     d.)skynet??.exe
and end task on any of them and then close the task manager
3.) msconfig: dissable any of the above programs from auto starting in the startup tab and services tab
4.) regedit: search for any of the above programs in the registry and remove thier keys (might be a good idea to create a backup copy of the regisrty just in case)
5.) restart into normal mode and if you get the shutdown error use the above "shutdown -a" to stop it
6.) enable the XP firewall (network connections and then properties on the type of internet connection you are using and then advanced and check "protect my computer...")
7.) reconnect your intenet and get the above mentioned security patch from Microsoft
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
8.)DL and run the mcafee stinger to remove anything the above steps missed and restart the PC
http://vil.nai.com/vil/stinger/
9.)DL all updates for your AV software and run a full system scan

You should now be virus free and if all of the above steps are done soon enough the file dammage should be minimal and the system should be running fine.

RePhlux,

Thanks for the info.  Did you get the problem whereby when in Task Manager the system would not allow the suspect processes from being shutdown?

Brian

No I can't say that I have come across that yet, but if you remove the reg keys the process should no longer be there anyway after the reboot to normal windows

Thanks again.  I have gone through all the steps again and it seems to have been resolved.  Not too sure why it didin't happen first time round.

Cheers

Brian

Just a little note, lsass is a normal windows system file and shouldn't be stopped/blocked/killed or whatever.

if it keeps coming back, which it should with xp because most people have restore point set. Just turn of the restorepoint or it will continue to reinfect the computer.

Hi,

I have the same problem and I tried to fix it using all the above steps, but still I am unable to fix it.

1)  There is no such process as avserve.exe, avserv2.exe, [random five digit number]_up.exe, skynet??.exe in Windows running process list.
2)  Whenever I type shutdown -a in Start->run, it says command not found.
3)  Already applied the security patch by Microsoft but still issue not resolved.
4)  Downloaded a host of different sasser removal softwares from Microsoft, Symantec and stinger but everybody says: No virus found

Its very annoying as the computer reboots itself very 20 mins or so, not really sure what to do.

Anybody, please help me out.

Thanks,

Hi adesai79

Sadly viruses are not the only causes of random re-boots.

If you have eliminated all the likely viruses, and not just sasser, you could have a look at memory testing.

More than once I have seen re-boots as a symptom of memory, motherboard or cpu failure about to happen.

Another possibility is overheating or poor power supply. Both of these can lead to instability from which the system cannot easily recover. For example adding a new device which uses a lot of power could be hitting the limits of the PSU and also contribute to additional heat.

If you feel that you have eliminated viruses, you could try working through the other possibilities.

Best of luck in the gremlin hunt!

Regards

Neil

Hi,

But it has the same symptoms like Sasser virus. It gives me error in lsass.exe and gives me timer for 60 seconds.

Could it be a different type of virus..?

No, That really does look like it, I am afraid.

Make sure that you are doing your hunting at admin level of security, just in case.

I think that sasser is still your likeliest bet.

Sorry not to offer more help than that.

Sympathies.

Neil

adesai79, You did the right thing by opening your own question:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21008581.html

Let's all continue there.

Thanks,

LucF

On the timeout problem, I have had success with changing the date and time in the systray clock, then run the patches or viri fixes! Hey! it works!!

I have been following this question with great interest, since we were having the same symptoms.
It turned out we had the Win32.Korgo.I worm.
Microsoft patch MS04-011 would have stopped it if we had applied it to all our computers.
It must have come in on a laptop.

Check your PC for the Sasser virus.
See www.symantec.com for details and removal tools.  You should also consider patching winxp for this virus to avoid the future crashes.

This is Sasser32 virus. And you should download the critical windows XP patches. First download the Norton sasser scan anti virus tools. Then make a full system scan with that tool. But during the system scan you should disable the system restore points!!!! After system scan the virus should be founded with that program. Then enable your windows fireall and connect the microsoft official web site. On main page you will see the critical warning of microsoft. Folllow that link and download the Sasser Xp patches from Micosoft. Your problem will be solved by his solution. Dear users do not forget to update your operating systems and anti virus tools.

Hi Serhancetin,

We actually have the KORGO virus, which started out looking like the 'Sasser'. We applied the MS04-011 patch and removed the worm's file from the system and registry. - Curiously, this file and registry setting didn't show up in NT and 2000 machines that were known to be infected, it only showed up in the XP machines.

However, we are getting repeated mesages from our virus scanner (eTrust V7)

"Win32/Korgo.R.Worm was detected in C:\SYSTEM VOLUME\_RESTORE{E7276E57-....\A0005793.EXE"

A full scan with our virus software didn't apparently detect or remove this virus - but at least it is catching it as it moves into this 'Restore' directory.
It seems to me that there is still an infected machine somewhere in the LAN that is reinfecting the others.

I'm fairly new to XP. What did you mean by your reference;

""But during the system scan you should disable the system restore points!!!!""

I believe he means just disable System Restore..

Although this thread has been closed for quite some time, it seems that there is still an interest...  So I will post the best fix I have found for Sasser...

The problem

Sasser is a denial of service (DoS) worm that exploits a flaw in a Windows 2000 or non-64-bit Windows XP machine's Local Security Authority Subsystem Service (LSASS). IT security pros must install a patch to prevent unattended systems from falling prey to Sasser's destruction. However, administering the patch is a challenge because infected systems keep rebooting before it can be installed.

The cause

Sasser causes a stack-based buffer overflow in certain Active Directory service functions in the LSASRV.DLL file of the LSASS. Applying the patch provided in Microsoft Security Bulletin MS04-011 is the only way to protect your system from reinfection.
 
The solution

Here is the solution for expanding the amount of time it takes before your computer reboots due to the Sasser worm. Keep in mind that you will have only about 20 seconds to complete the steps, and you must already know the system's name before beginning this process:
 
Tip:  To find your computer's name, open Control Panel and click on the System icon.
 
1.      Disconnect from the Internet.
2.      Restart.
3.      As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
4.      At the DOS prompt, enter shutdown -i and press [Enter].
(This command opens the control panel for remote administration of other systems, but for this process you will just need to enter the name of your computer.)
5.      Click Add, enter the name, and then click OK.
6.      Now modify the warning message delay setting from the standard 20 (seconds) to a large number, such as 9999. After patching, you can reset the warning message delay if you wish.
(That should temporarily disable the shutdown sequence long enough for you to log on to the Internet and download the patch.)

Alternative solution

An alternative method for stopping the reboot cycle on XP-only systems is to enter shutdown.exe –a at the command prompt. That aborts the shutdown process completely and is obviously much faster for XP systems.

click on System &#305;n the Control Panel-click on System Restore- and click on Turn off system Restore on all drives...else the anti virus can't delete the files with virus..after this operation,  you must to turn on .this feature is to protect system files

for removing korgo virus follow this url http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.removal.tool.html ..I used &#305;n there, it is efficient

if you still need help with the lsass.exe error email me > ** e-mail removed per http:help.jsp#hi99 **

If you could not obtain the right removal tool, or if you are still infected
after running it, you can do the following to stop the worm from crashing LSASS.exe.

Create a file called %systemroot%\debug\dcpromo.log and make the file read-only.
To do this, type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

NOTE: This is the most effective mitigation technique as it completely mitigates
this vulnerability by causing the vulnerable code to never be executed.
This work-around will work for packets sent to any vulnerable port.

Download this from
http://securityresponse.symantec.com/avcenter/FxSasser.exe
run it in safe mode if it doesnt works
and then install this
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
for future protection from sasser worms ;)

Come on...
This question is closed for almost two months now, and we're starting to have duplicate comments here...

Thanks,

LucF

I have an error that occurs when I log onto the internet.  The NT authority error.  This causes shutdown in 60 seconds.  I run XP.  From what I see it is a worm (blaster or Sasser).  However, everytime I test for it I get nothing.  Could it possibly be related to not activating my windows yet?  I should have that resolved in a day or so.  Nonethe less all of the patches and stuff are not seeming to work either.  HELP?

jeff.. open another thread.  this one is closed and I doubt you will find help here..  

FE

You infected by sasser worm or the variant.
-Download stinger from http://vil.nai.com/vil/stinger/ 
-Download the security update patch from microsoft. (WindowsXP-KB835732-x86-ENU.EXE)
-Just turn off your system restore (right click in my computer > properties)
Your virus will not removed if your turn on this function.

-Reboot in safe mode.
-Scan with stinger.
-Then patch it.

Back to your windows and turn on your system restore.

Sometimes, even if you Anti-Virus is up-to-date and you run an Anti-Spyware program, it still is not enough to kill a virus/worm/trojan/spyware.

What you do is do a CTRL-ALT-DEL and check your running TASKS. One or more of them is the bad program causing you to reboot. You have to write down the suspicious task and reboot, but this time press F8 to run in SAFE MODE. Once in SADE MODE, locate the bad programs and their folders and delete or rename them. When you reboot again in NORMAL MODE, if this happens again repeat these steps again.

*** To everyone who'd like to post a question/comment here, please note THIS QUESTION IS CLOSED! ***
*** The answers can be found at http:#10970667 http:#10972424 and http:#10972463                       ***
*** Fatal_Exception made a nice summary at http:#11412130                                                            ***
*** If you have this problem, check those comments, if you think you have something to include, please ***
*** check if it hasn't been said above before more dupplication occurs.                                                ***
***                                                                                                                                                 ***
*** Thanks for reading this, LucF                                                                                                      ***

your problem is even though you may have god rid of the problem there is a back door still open on your system which it is useing to redownlaod its self back on you system.

what you need to do is:

1. go start > run and type in "shutdown -a"
2. install a firewall e.g sygate from "http://www.sygate.com/firewall/" (this a realy good free one)
3. then you will need a real good antivirus software not a free one e.g "norton antivirus"
4. run the antivirus (make sure its a good one dont use a free online one
5. then you will need to downlaod "Sasser (A-F) Worm Removal Tool (KB841720)" from:      

http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en

6. run the Sasser removal tool
7. then make sure u do not have any spyware on your system use somthing like "pestpatrol"

From Overdrive

Your shutdown button has gone because you typed in "shutdown -a" it does not happend all the but if your win xp insterlation is not installed properly this can happend to get the button back simply type in

"shutdown +a"

Notice the +a

From Overdrive

I give up :(

*grin*  Does not seem like anyone is paying attention to you here, eh?  Like talking to a wall..  

Funny thing is that it seems that this question is cursed.  Something just wants to keep this question going..  Very weird..  :)

FE

It's cursed indeed... there are about 500 questions about the Sasser virus, and this is the only one with, till your comment, 65 comments posted... I can't imagine any other sasser question beat that :o)

LucF

I stopped coming into the thread and just deleted it for a while.  Now it is just curiosity that makes me come back to see who could be still posting to it...  And the most amazing thing is that the new questions get answered..  :)

Be affraid, this question is becomming a whole new version of EE :) No more points, no longer knowing who the asker is, no longer worrying about grades, a lot of duplicate comments etc, etc. In fact, I kind of like it...

Yea..  we could really abuse this if we wanted, eh?    Just throw something on the wall and see if it sticks...  *grin*

ROTFL!

your problem is even though you may have god rid of the problem there is a back door still open on your system which it is useing to redownlaod its self back on you system.
what you need to do is:
1. go start > run and type in "shutdown -a"

You can find this tool at microsoft toolkit

Whoa! Cursed indeed :o)

And we meet again in this incredible black hole of a thread..!!  :)

I just can't believe it anymore... it's too much... I'm heading back to the Lounge...

Ha..  when I got the email that this thread had been accessed again - twice - I knew you would be here for comment..  

What are they serving in the lounge today?  Too early here for alcohol..  :)

For me it's too late for coffee :) So I'll get started with the alcohol.

At this moment nothing is really happening in the lounge... I'm still getting myself together from meeting this freak => http:Q_21067661.html seems like he's not responding anymore...

I started to post then thought better of it..  Religon and Politics in one thread..??  You know what they say about mixing the two, and the reason for the separation of Church and State (US Constitution..)  

I think that thread is out of control..

don't worry about it, what I've heard, that freak has been suspended :o) what a surprize!

I had exactly the same virus as you and I managed to get rid of it. My PC also crashed in LSASS.exe a couple of minutes after being on the internet too. I just deleted the netsky.exe in my windows folder and then the problem went completely. My shutdown button on the start menu disappeared too, but if you just log off and then shutdown from the logon screen you'll be OK.

*grin*  howdy, Luc..!!

ROTFLOL! At least now I know why this question is cursed... it's no 2 on the Time Tested Site Wide Solutions on the main page :o)

ANYONE... CLOSE THIS TOPIC PLEASE.....

hahahaha IT'S CLOSED ALLREADY!

This comment was the moment it was closed => http:#10973807 posted on 05/03/2004

LucF

So... how to telling administrator to closing this topic ?
Email from the comment of this topic still sending to me.
Please close it, it's like spam mail.

You are one of people causing this mess, this question was closed allready when you posted your first comment at http:#11690774, nothing has to be closed AS IT'S CLOSED ALLREADY, if you don't want to get notifications, just click the "unsubscribe" link just above the comment box.

You might want to read the helppages on how to use EE, as it seems you don't know yet: http:help.jsp

LucF

*grin*  I have been getting this in my email for what...??  4 months now..??  Got to the point that it is just a curiousity now...

Question analizer results for now:

28 Contributors 86 Posts

LucF:- 25 *************************
Fatal_Exception:- 17 *****************
royalm:- 6 ******
shlew:- 2 **
vamsee_konda:- 1 *
wingtech:- 3 ***
nachbund:- 1 *
sillver:- 1 *
LeePollard:- 1 *
mauricej74:- 1 *
scottie_clark:- 1 *
vadlapatis:- 1 *
brlconsulting:- 3 ***
RePhlux:- 2 **
teknowil:- 1 *
adesai79:- 2 **
allmarc:- 1 *
PaulR2117:- 2 **
leptoid:- 1 *
serhancetin:- 2 **
Zeratul9:- 1 *
raimonabraham:- 1 *
shenazzer:- 1 *
jeffatkinsonlpc:- 1 *
shanyuen:- 4 ****
dracoolio:- 1 *
overdrive_dos:- 2 **
alexsilcock:- 1 *

Seems like we are the main spammers FE :o)

Now you have me feeling guilty...  :)

Don't feel all too guilty :) I'm the master spammer here.
I sure hope royalm found the "unsubscribe" link allready...

Btw, you might want to try Xxaviers question analizer yourself, just copy/paste this into the address bar:

javascript: function d(){A=new Array();s='';t=0;r=new RegExp('[0-9html_Q.]*$','i');r1=new RegExp('[0-9]{6,}$');r2=new RegExp('undefined');for (i=0;i<document.anchors.length;i++){if (r1.test(document.anchors[i].name)){ix=document.anchors[i].parentNode.childNodes[2].innerHTML;A[ix]+='*';t+=1}}c=0;for (j in A){A[j]= A[j].replace(r2,'');A[j]=':- '+A[j].length+' '+A[j]}for (j in A){ s+='<br>'+j ;s+=A[j];c++}b=0;w=window.open('','','');w.document.write(c+' Contributors ' +t+' Posts<br>'+s);}d()

Then press enter. I just love it :)

LucF

I see what it is supposed to do, but cannot get it to work..  Is this the whole script?

Hmm... I should maybe have noted: IE6 only... just copy/paste in the address bar and press enter.

Then a new window should pop-up containing that information (maybe some kind of pop-up stopper blocks it for you)

LucF

You guys...e-mail between yourself.  This is not the way it is supposed to work.  I asked the question initially and got my answer.  But close the topic already and move on.  

Yea, thought of that and pressed ctrl to allow the popup...  This works a little like the javascript I have on my home page for discovering exactly where the URL is hooked to...  

www.doverproductions.com

Have to go out to a client's, but will be back to test some more..

FE

jeffatkinsonlpc,

You're 100% right, this is not the way it's supposed to work, read the helppages and you'll see that you asked your question the wrong way. Seems like this question has been flooded allready with enough comments from people like you.

So, if you don't like it, as I said above, the unsubscribe link is just one click away :o)
But don't blame us, YOU'RE one of the people that started this mess. Both FE and I helped on the initial question.

FE, so it works now?
Btw, I'm offline for a couple of days from now, I'm sure you can handle this question on your own LOL! cya,

LucF

Hi all,

i met the same error message, using Win XP Pro, SP1, Norton Installed. When scanning, found the blaster the fixed. Restart, running Blaster Removal tool from both norton and microsoft, found nothing, connect to internet, still the error lsass.exe shut down in 60secs.
Running Sasser Removal tool both from norton and MS, found nothing and still have this error. (already turn off system restore before running removal tool and install update from microsft window update website, all critical update)

Anyone help me?

Please open another thread for your question..  This has been closed a long, long time.....

Your computer is infected by worm called sasser.
What yopu need to do is to Download the fix from http://www.symantec.com
Then also download the fix pack for this from the Microsoft Website.

However this might be a problem if your computer is shutting down in 60 sec so from the command prompt run this command shutdown -i , then specify in the dialogue box that appear 9999 sec so that you have sometime before your computer shutsdowm.

then apply the pack for XP and also run the fix.

Hey FE, long time no see :)

Ha...  Saw you commenting in some threads last week, so knew you got your server back up and running again.  Hope it was not too much of a disaster..  I have not been at home the past week, as am housesitting for my parents, so my contributions have fallen off lately.  But should be back on line before long.  

and it is always GTCU again..!!

FE

Yep, my server is running nicely again, cost me a small fortune, but it's certainly worth it as I'm now running on a RAID-5 of 146GB, so certainly enough for my pages :)
Will see you around in the other TA's.

LucF

just install winxp service 2, it will solve your problem

Hi LucF and FE,

Congrats !

This loop has completed its 164th day today and wish this one runs longer ;)

*grin*

ROTFLOL! Gotta love that.

It certainly appears that the cause of the problem is the sasser worm.

First an abort of the shutdown is required.
so go to run in the start menu and type "shutdown /a" (without quotes) or "shutdown -a" this will abort the shut down.

Secondly you can either go to http://www.symantec.com
and download a fix.

But if your running a legitimate copy of XP, Microsoft is aware of the sasser worm and the vulnerability is rectified with a windows update.  Depending on the speed of your connection to the internet you may get the fix from symantec anyway, for no other reason than it is a smaller download.  But I would advise running windows update, for other unforseen security updates.

aarbk, and it will keep going :)

hahahahahahaha..!!!!!

One day after I got a new pc, I got the Sasser virus...lol  Then I installed antivirus software, fixed it up.

Hi, Luc..  :)

What took you so long? :)

Tired..  needed a nap..  :)

So do I, it's getting late here in the Netherlands, but I'm sure to see you around here in this question :)

Only reason I have not unsub'd to it, my friend.  Everytime I get an email on this thread it draws a smile...  :)

Yeah, it sure does :)

This thread was infected by the passer wormbot. It causes all answer's to comments to pass over and thus not be noticed.
A most insidious wormbot, it has caused one thread on a tech site in the UK to have over 15,700 comments even though the original question was fully answered after 8 posts.

Indications that the passer wormbot is infecting a thread:
- The question is answered and recognized as being answered, but comments continue(generally normal for awhile)
- Attempts to advise a closed thread appear to go un-noticed.
- The passer wormbot "morphs" into several incarnations of itself, usually 7-12, with different screen names on the thread, and the "morphs" start talking amongst themselves about the original problem. This is usually evidenced by the fact that direct comments to them, such as, THIS THREAD IS CLOSED, are ignored. Wormbots will continue their chatter as long as a thread is left fully open or if they become bored.

Remedy for the passer wormbot:
- There is no remedy, it is a function of thread users' who do not read the entire thread before commenting!!!!!!!

Hahahhahahahaa!!!! Just had to do it.
Fermion.

ROTFLOL! Finally someone with a bit of good sense!

Thanks for the laughs Fermion.

LucF

p.s. Hi FE :)

I just wonder how ferm found it in the first place..!!  

Lounging with a beer :)

*grin*  Good day for a brew..  I figured it was something like that..!!

Ya know, if you.ve not found an answer yet, you might aswell reinstall XP for all of the trouble it has caused.

See you.

:o}

actually, it might be a virus because W32 Sasser did that to my PC and i wiped it and it stopped be annoying

hahahahahahahahahaha

what are you laughing at

Mangolata,

This question has been going on for months now, it's nothing personal but it seems like you haven't taken the time to read all the suggestions and to note that this question has been closed from 05/03/2004

LucF

Yep..  the only ones watching this now are Luc, Fermion, and me...  Everytime I see this thread come into my inbox, I get a chuckle..  :)

Note to all especialy LucF:

I am a 10 year old kid and i was born on 20/01/94 and well what else do i need to say.

Mangolata

For a 10 year old kid, that was a quite a lucid response to the question..  good for you Mangolata...  :)

Thank You

Ok Its a W32 Sasser Worm & i think you have fixed it already. But, It is command that will help you if Message showing "Windows will shutdown....". To stop shutting down of window Go in Start -> Run & type ''shutdown -a''  with administrative privilage & shutting down of windows will stop. In this way you can easily & quickly remove the virus.

And also that has been said about 10x now :o)

rotfl

I might just add to this enormous thread that I've had the same problems with lsass.exe and RPC calls where I already had the new sasser file on a write-protected floppy downloaded from work and scanned through the machine at once but voila, nothing found an the problems remained.
Solution to my problem? Simply installed "Buffer UPnOQ315000_WXP_SP1_x86_ENU.exe" from Vole, it acctually helped.

You think..??  (enormous)  *grin*

Actually, thanks for the tip..  most worthwhile comment in this thread for quite some time..

FE

BTW:  Hi LucF..  :)

Simply thought it was about time :)

Hi FE :)

Well, yeah, finally some added information instead duplicated.

LucF

Original lsass.exe is not related to security threats http://www.2-spyware.com/file-lsass-exe.html, but the computer shuts down definately because of sasser worm.

:)
Hi FE!
Happy hollidays everyone.

LucF

:o)

Absolutely!!

Just get the sasser patch and run it.

:)  Morning World!  back at ya, Luc!

:) Nice to see you again FE, I've just returned from a week of skiing in the Alpes. Got a chuckle when I again saw two notifs from this question.

Nice..  Skiing in the Alps..  Something 95% of the West can only dream about and watch on TV..!!

A well, that's the nice thing about living in the NL, the Alpes are only about 600 Miles from here :)

Must be a beautiful drive to get there!  :)

It sure is... when you drive in daylight, I normally drive at night because of the traffic jams in that direction during these times of the year :)

:o)

I see this thread is still running a year later! I found it when putting up a search about Lsass.exe error and I've read through nearly all of it and noted down a lot of extremely interesting and useful stuff.
The problem is that I have this error message on a brand new hard disk which I just formatted and installed XP Pro. It had never been connected to the Internet!
I'll try the "shutdown - a" command in order to set up the connection and update Norton...

I should say that I got an error mesage while installing which I think mentioned Lsass...

Any ideas on this one?

Thanks in advance

Keith

Hi Keith,

It doesn't seem to me like you're having troubles with Sasser, but for fast help, please create your own question by clicking the following link:
http://www.experts-exchange.com/Operating_Systems/WinXP/askQuestion.jsp

LucF

p.s. Hi FE

:)

Hello ,
        download this patch from given website its due to Sasser worm Scroll Down there are Os Given Below u can select the one ur using to get the patch downloaded ...
 
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


After downloading that patch download this Sasser Removal From http://www.Symantec.com Or url given below by doing this u can get Rid of this worm from ur pc By doing this ur other computers on ur network will be safe from this worm which existed on ur computer

http://securityresponse.symantec.com/avcenter/FxSasser.exe

you're right LucF - I shuldn't have tried to cash in on a paid up thread - the points should be there for the taking. I'll put the question in the normal way.

The other letters about downloading sasser removal patches are quite right certiainly - as were the different letters in the same vein during this whole correspondence - but as i said, this HD has never been and is still not connected to the Internet. That is what intrigues me...