Solved

LSA Shell (export version) encountered a problem, and goes on to say I should send an error report to Microsoft.

Posted on 2004-09-21
Last Modified: 2008-03-03
When I boot up I get "LSA Shell (export version) encountered a problem", and it goes on to say I should send an error report to Microsoft. After I click "Don't Send" the system either hangs or reboots. Sometimes it reboots before Windows completes. In safe mode I have tried to run adaware, spysweeper, adaway-spy; these all fail to finish a complete scan. Norton's sasser-g remover did complete but it didn't find anything. Any ideas?
Question by:whiwex
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 12111129
Instructions for patching and cleaning vulnerable Windows 2000 and Windows XP systems:

Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE process crash every time a malicious worm packet targets the vulnerable machine which can occur very shortly after the machine starts up and initialises the network stack.

When cleaning a machine that is vulnerable to the Sasser worm it is necessary to first prevent the LSASS.EXE process from crashing, which in turn causes the machine to reboot after a 60 second delay.  This reboot cannot be aborted on Windows 2000 platforms using the Shutdown.exe or psshutdown.exe utilities and can interfere with the downloading and installation of the patch as well as removal of the worm.

1. To prevent LSASS.EXE from shutting down the machine during the cleaning process:

a. Unplug the network cable from the machine

b. If you are running Windows XP you can enable the built-in Internet Connection Firewall using the instructions found here: Windows XP

http://support.microsoft.com/?id=283673 and then plug the machine back into the network and go to step 2.

c. If you are running Windows 2000, you won't have a built-in firewall and must use the following work-around to prevent LSASS.EXE from crashing.

This workaround involves creating a read-only file named 'dcpromo.log' in the "%systemroot%\debug" directory.  Creating this read-only file will prevent the vulnerability used by this worm from crashing the LSASS.EXE process.

i. NOTE:  %systemroot% is the variable that contains the name of the Windows installation directory.  For example if Windows was installed to the "c:\winnt" directory the following command will create a file called dcpromo.log in the c:\winnt\debug directory.  The following commands must be typed in a command prompt (i.e. cmd.exe) exactly as they are written below.

1. To start a command shell, click Start and then click run and type 'cmd.exe' and press enter.

2. Type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log

3. For this workaround to work properly you MUST make the file read-only by typing the following command:

attrib +R %systemroot%\debug\dcpromo.log

4. After enabling the Internet Connection Firewall or creating the read-only dcpromo.log you can plug the network cable back in and you must download and install the MS04-011 patch from the MS04-011 download link for the affected machine's operating system before cleaning the system.  If the system is cleaned before the patch is installed it is possible that the system could get re-infected prior to installing the patch.

a. Here is the URL for the bulletin which contains the links to the download location for each patch:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

b. If your machine is acting sluggish or your Internet connection is slow you should use Task Manager to kill the following processes and then try downloading the patch again (press the Ctrl + Alt + Del keys simultaneously and select Task Manager):

i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)

ii. Kill any process starting with 'avserv' (i.e. avserve.exe, avserve2.exe)

iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)

iv. Kill hkey.exe

v. Kill msiwin84.exe

vi. Kill wmiprvsw.exe

5. Note there is a legitimate system process called 'wmiprvse.exe' that does NOT need to be killed.

c. Allow the system to reboot after the patch is installed.

6. Run the Sasser cleaner tool from the following URL:

a. For the on-line ActiveX control based version of the cleaner you can run it directly from the following URL:

 http://www.microsoft.com/security/incident/sasser.asp

b. For the stand-alone download version of the cleaner you can download it from the following URL:

 http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en

7. Determine if the machine has been infected with a variant of the Agobot worm which can also get on the machine using the same method as the Sasser worm.

a. To do this run a full antivirus scan of your machine after ensuring your antivirus signatures are up to date.

b. If you do NOT have an antivirus product installed you can visit HouseCall from TrendMicro to perform a free scan using the following URL:

http://housecall.trendmicro.com/
0
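The process names listed in step 4b of the accepted answer, turned into a small triage check over a process listing. This is an added example, not part of the original answer; the "image name, PID" listing format, the sample data and the function names are assumptions.

```python
# Added example: flag process names from the accepted answer's kill list.
# The listing format (image name, whitespace, PID) is an assumption.

SUFFIXES = ("_up.exe",)                # e.g. 12345_up.exe
PREFIXES = ("avserv", "skynetave")     # e.g. avserve.exe, avserve2.exe
EXACT = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
LEGITIMATE = {"wmiprvse.exe"}          # lookalike the answer says to leave alone


def classify(image_name):
    """Return the matching rule from the answer's list, or None."""
    name = image_name.strip().lower()
    if name in LEGITIMATE:
        return None
    if name in EXACT:
        return "exact name " + name
    for prefix in PREFIXES:
        if name.startswith(prefix) and name.endswith(".exe"):
            return "starts with " + prefix
    for suffix in SUFFIXES:
        if name.endswith(suffix):
            return "ends with " + suffix
    return None


def triage(listing):
    """Parse 'image_name PID' lines; return (name, pid, rule) for each hit."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[-1].isdigit():
            continue                   # skip the header and blank lines
        name, pid = " ".join(parts[:-1]), int(parts[-1])
        rule = classify(name)
        if rule:
            hits.append((name, pid, rule))
    return hits


# Constructed sample listing (not taken from a real machine).
SAMPLE = """\
Image Name      PID
System Idle Process 0
lsass.exe       240
wmiprvse.exe    1032
wmiprvsw.exe    1460
avserve2.exe    1788
12345_up.exe    1904
"""

if __name__ == "__main__":
    for name, pid, rule in triage(SAMPLE):
        print(f"{name} (PID {pid}): {rule}")
```

Matching is by file name only, so a hit is a lead to confirm with the antivirus scan in step 7, and a renamed binary will not be flagged.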
 

Author Comment

by:whiwex
ID: 12111483
If I boot to normal mode the machine reboots before I can do any of the above.
whiwex
 
 
LVL 57

Expert Comment

by:Pete Long
ID: 12111756
start > run > shutdown -a {enter}
 

Author Comment

by:whiwex
ID: 12112662
If I remove the hard drive and install it in another PC, could I run the antivirus and remove it from the corrupted drive?
LVL 57

Expert Comment

by:Pete Long
ID: 12113122
If you slave it in another PC and scan it then yes :)
 
LVL 3

Expert Comment

by:dheeruthakur
ID: 12113446
Actually it terminates the RPC service; your system has a rebooting problem also. Check your system for the Sasser and Blaster viruses (affected systems: XP and 2000). You can find tools and patches on the Microsoft site and also get help from Google.

After updating the service pack, install the Sasser and Blaster patches. After this your problem will be solved.
 
LVL 3

Expert Comment

by:dheeruthakur
ID: 12113466
sasser patch xp - WindowsXP-KB835732-x86-ENU.EXE
2000  patch - Windows2000-KB835732-x86-ENU.EXE
 
LVL 3

Expert Comment

by:dheeruthakur
ID: 12113579
Do this, it will solve your problem; I solved this today on one computer -
"Rundll32.exe entry point not found: error message when you open My Computer system properties or the System Configuration utility"

http://support.microsoft.com/?kbid=832323

dheerendra
(network engineer)
 

Author Comment

by:whiwex
ID: 12160170
Problem was a bad power supply. Replaced it and everything is working fine.
Thanks