Solved

System shuts down in normal mode every time with error message above.

Posted on 2008-11-02
12
385 Views
Last Modified: 2011-10-19
When I boot up in normal mode and log in, the computer runs for about a minute and then I get a dialogue box with the error message: "This system is shutting down... the process c:\windows\system32\lsass.exe terminated, code is 1073741819".

After the message goes thru a 60 second count down, the system seems to hang and the only way to restart the computer is with a hard boot.

I am using a Dell Workstation 690.

Jeff Waymack
206 634-0849
Question by:Starbuck67
12 Comments
 
LVL 5

Expert Comment

by:two_people_hk
ID: 22864333
"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token. More info

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

Virus with same name:
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee
W32.HLLW.Lovgate.C@mm - Symantec Corporation

Try to fix it by the following tools:
http://vil.nai.com/vil/stinger/

W32/Sasser.worm
http://vil.nai.com/vil/content/v_125007.htm

Also take a look here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
And be sure to get windows up-to-date from http://windowsupdate.microsoft.com
0
 
LVL 5

Expert Comment

by:two_people_hk
ID: 22864370
Another method:
When starting your PC and when you get the error and your PC starts to shut down, type this command in Run --> shutdown -a. This will extend the shutdown time, and don't panic; you will sometimes not be able to shut down the PC through the shutdown option either. Then connect to the internet and download the file from Norton.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050114-1706-99
Run the file to scan your PC and this will remove the worm from your PC.
0
 

Author Comment

by:Starbuck67
ID: 22864482
Hi Two People Hk,

I have attached more information (screen captures and HijackThis log) for your reference.

I had already downloaded and run the Symantec utility in safe mode. Nothing was found.

Jeff
Applic-Event-Error-1.jpg
Error-Report-Content.jpg
Services---ContollerInfo-1.jpg
Services---ContollerInfo-2.jpg
Shut-Down-DB.jpg
System-Event-Error-1.jpg
hijackthis.log
0
 
LVL 5

Expert Comment

by:two_people_hk
ID: 22864511
You may try this:
http://www.pandasecurity.com/activescan/index/?track=1&Lang=en-US&IdPais=63
Scan "Local Disks". You may be infected, and an online scanner is best for ensuring the scanner has not been manipulated.
0
 
LVL 5

Expert Comment

by:two_people_hk
ID: 22864522
Please make a update for your windows as well.
0
 

Author Comment

by:Starbuck67
ID: 22867994
HI,

What do you mean "Please make a update for your windows as well."?

Jeff
0

Author Comment

by:Starbuck67
ID: 22868520
Hi,

I ran both the Stinger and Fxsasser detection utilities and nothing was found. I have attached the logs from both.
stinger1001602.txt
FxSasser.log
0
 

Author Comment

by:Starbuck67
ID: 22869741
Hi,

Your instructions "When starting your PC and when you get the error and your PC starts to shutdown..Type this command in Run--> shutdown -a" did not stop the system from shutting down.

Jeff
0
 
LVL 5

Expert Comment

by:two_people_hk
ID: 22873431
Sorry, it should be: Please RUN your Windows update as well.
0
 
LVL 5

Expert Comment

by:two_people_hk
ID: 22873453
0
 
LVL 5

Accepted Solution

by:
two_people_hk earned 500 total points
ID: 22873489
There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

One of the above and microsoft.public.windowsxp.general is all that this should have been
posted to! Therefore I have set Follow-ups to those two News Groups.

The following are certainly symptoms of a LSASS buffer overflow exploit via TCP port 445.

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

or

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

However, one can NOT assume Sasser. There are several Internet worms now actively taking
advantage of this vulnerability. Most notable are the SDBot/RBot worms

W32/Sasser.worm.a -- http://vil.nai.com/vil/content/v_125007.htm
W32/Reatle.f@MM -- http://vil.nai.com/vil/content/v_135722.htm
W32/Gaobot.worm.gen -- http://vil.nai.com/vil/content/v_100785.htm
Qhosts.apd -- http://vil.nai.com/vil/content/v_124880.htm
W32/Plexus.b@MM -- http://vil.nai.com/vil/content/v_126167.htm
W32/Sdbot.worm!ftp -- http://vil.nai.com/vil/content/v_128082.htm
W32/Mytob.gen@MM -- http://vil.nai.com/vil/content/v_132158.htm
W32/Radebot.worm -- http://vil.nai.com/vil/content/v_132018.htm
{ W32/Radebot.worm, W32/Mytob.gen@MM & W32/Sdbot.worm!ftp will all exploit both LSASS and
the RPC/RPCSS DCOM vulnerabilities }

To mitigate the LSASS module buffer overflow vulnerability one needs to install the
following Microsoft LSASS for WinXP KB835732 --
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

One can execute the 'shutdown -a' command line to stop the 60 second countdown and effect
the installation of the patch. Additionally disconnecting the PC from the Internet will
keep such an attack from happening and allow the installation of the patch.

When you get the (attached) NT Shutdown message with the 60 sec. countdown...
Go to; Start --> Run
enter; shutdown -a

It should also be noted that just because one gets the (attached) LSASS shutdown message, it
does NOT mean that one is infected. It means that TCP port 445 is under attack by
attempting to exploit the buffer overflow vulnerability. A non-vulnerable system will not
exhibit the (attached) NT Shutdown message.

One *must* use a FireWall and patch their systems to prevent such an exploitation.

If one is on Broadband a Cable/DSL Router such as the Linksys BEFSR41 can greatly mitigate
such a threat even if LAN nodes are not fully patched. Specifically blocking both TCP and
UDP ports 135 ~ 139 and 445 will completely mitigate any of the worms or hackers trying to
take advantage of MS Networking ports using TCP/IP.

The following tool can be used to find and remove any of the known Internet worms that will
exploit the vulnerability and should be used ASAP.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
0
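As an added example (not from the original thread or any tool it mentions), the following Python script parses the NT shutdown / event-log text quoted in the accepted solution, reinterprets the signed status code -1073741819 as the NTSTATUS value 0xC0000005 (STATUS_ACCESS_VIOLATION) and flags an lsass.exe crash with that status as a candidate for the MS04-011 follow-up the post describes. The sample event lines are constructed for this example.

```python
import re

# Constructed sample lines in the format quoted on this page (the dialog shows the
# status code as a signed 32-bit decimal).
SAMPLE_EVENTS = [
    "NT AUTHORITY\\SYSTEM 'c:\\windows\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819",
    "NT AUTHORITY\\SYSTEM 'c:\\winnt\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819",
    "NT AUTHORITY\\SYSTEM 'c:\\windows\\system32\\svchost.exe' terminated unexpectedly with status code -1073741819",
    "NT AUTHORITY\\SYSTEM 'c:\\windows\\system32\\lsass.exe' terminated unexpectedly with status code 0",
]

EVENT_RE = re.compile(
    r"'(?P<path>[^']+)' terminated unexpectedly with status code (?P<code>-?\d+)"
)

# NTSTATUS values that indicate a crash rather than an orderly exit.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

# Follow-up taken from the accepted solution: patch, block the MS Networking ports, scan.
RECOMMENDATION = ("verify KB835732 (MS04-011) is installed; block inbound TCP/UDP 135-139 "
                  "and 445 at the router/firewall; run AV scans in Safe and Normal Mode")


def to_ntstatus(code):
    """Reinterpret the signed 32-bit decimal from the dialog as an unsigned NTSTATUS."""
    return code & 0xFFFFFFFF


def classify(line):
    """Return a triage record for one event line, or None if it is not a termination event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    path = m.group("path").lower()
    status = to_ntstatus(int(m.group("code")))
    exe = path.rsplit("\\", 1)[-1]
    # Only the real LSA process in %SystemRoot%\system32 matters here; a same-named file
    # elsewhere is a separate (malware) concern, as the first reply notes.
    is_lsass = exe == "lsass.exe" and path.endswith("\\system32\\lsass.exe")
    suspicious = is_lsass and status == 0xC0000005
    return {
        "exe": exe,
        "ntstatus": "0x%08X" % status,
        "ntstatus_name": NTSTATUS_NAMES.get(status, "UNKNOWN"),
        "lsass_crash": suspicious,
        "recommendation": RECOMMENDATION if suspicious else "",
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```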
 

Author Comment

by:Starbuck67
ID: 22946675
My bad for having two similar questions running. I had given up on this post as there was about a day when there was no response and I was in a real rush. During that one day span with no reply I tried giving the question a push by 'requesting attention' which had no effect.
0
