System shuts down in normal mode every time with error message above.

When I boot up in normal mode and log in, the computer runs for about a minute and then I get a dialogue box with the error message: "this system is shutting down..the process c:\windows\system32\isass.exe terminated  code is 1073741819".

After the message goes thru a 60 second count down, the system seems to hang and the only way to restart the computer is with a hard boot.

I am using a Dell Workstation 690.

Jeff Waymack
206 634-0849
two_people_hk Commented:
There are anti virus News Groups specifically for this type of discussion.

One of the above and microsoft.public.windowsxp.general is all that this should have been
posted to! Therefore I have set Follow-ups to those two News Groups.

The following are certainly symptoms of a LSASS buffer overflow exploit via TCP port 445.

'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819


'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

However, one can NOT assume Sasser. There are several Internet worms now actively taking
advantage of this vulnerability. Most notable are the SDBot/RBot worms.

W32/Sasser.worm.a
W32/Reatle.f@MM
W32/Gaobot.worm.gen
Qhosts.apd
W32/Plexus.b@MM
W32/Sdbot.worm!ftp
W32/Mytob.gen@MM
W32/Radebot.worm
{ W32/Radebot.worm, W32/Mytob.gen@MM & W32/Sdbot.worm!ftp will all exploit both LSASS and
the RPC/RPCSS DCOM vulnerabilities }

To mitigate the LSASS module buffer overflow vulnerability one needs to install the
following Microsoft LSASS for WinXP KB835732 --

One can execute the 'shutdown -a' command line to stop the 60 second countdown and effect
the installation of the patch. Additionally disconnecting the PC from the Internet will
keep such an attack from happening and allow the installation of the patch.

When you get the (attached) NT Shutdown message with the 60 sec. countdown...
Go to; Start --> Run
enter; shutdown -a

It should also be noted that just because one gets the (attached) LSASS shutdown message, it
does NOT mean that one is infected. It means that TCP port 445 is under attack by
attempting to exploit the buffer overflow vulnerability. A non-vulnerable system will not
exhibit the (attached) NT Shutdown message.

One *must* use a FireWall and patch their systems to prevent such an exploitation.

If one is on Broadband a Cable/DSL Router such as the Linksys BEFSR41 can greatly mitigate
such a threat even if LAN nodes are not fully patched. Specifically blocking both TCP and
UDP ports 135 ~ 139 and 445 will completely mitigate any of the worms or hackers trying to
take advantage of MS Networking ports using TCP/IP.

The following tool can be used to find and remove any of the known Internet worms that will
exploit the vulnerability and should be used ASAP.

Download MULTI_AV.EXE from the URL --

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

Virus with same name:
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee
W32.HLLW.Lovgate.C@mm - Symantec Corporation

Try to fix it by the following tools:


Also take a look here:
And be sure to get windows up-to-date from
Another method:
When starting your PC and when you get the error and your PC starts to shutdown..Type this command in Run--> shutdown -a. This will extend the shutdown time and don't panic, you will sometimes not be able to shutdown the PC through shutdown option too. Not connect to internet and download the file from Norton.
Run the file to scan your PC and this will remove the worm from your PC.
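
A triage sketch for the shutdown message discussed in this thread, added here as an example and not code from any poster: it converts the signed status code to its NTSTATUS form (-1073741819 is 0xC0000005, STATUS_ACCESS_VIOLATION) and flags image names that only resemble lsass.exe or that sit outside System32. The sample messages, the `triage` and `resembles_lsass` functions, the expected install paths and the 0.8 similarity threshold are assumptions made for the example.

```python
import difflib
import ntpath
import re

STATUS_ACCESS_VIOLATION = 0xC0000005
# Assumption: Windows is installed on C: under \windows or \winnt, as in the thread.
EXPECTED_PATHS = {r"c:\windows\system32\lsass.exe", r"c:\winnt\system32\lsass.exe"}
EVENT_RE = re.compile(
    r"'(?P<path>[^']+)' terminated unexpectedly with status code (?P<code>-?\d+)"
)

# Constructed sample messages in the format quoted in the thread.
SAMPLE_EVENTS = [
    r"'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819",
    r"'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819",
    r"'c:\windows\system32\isass.exe' terminated unexpectedly with status code -1073741819",
    r"'c:\windows\lsass.exe' terminated unexpectedly with status code 0",
]


def resembles_lsass(name):
    """True for names that are close to, but not exactly, lsass.exe."""
    ratio = difflib.SequenceMatcher(None, name, "lsass.exe").ratio()
    return name != "lsass.exe" and ratio >= 0.8  # threshold is an assumption


def triage(message):
    """Return image path, NTSTATUS in hex and findings, or None if no match."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    path = m.group("path").lower()
    status = int(m.group("code")) & 0xFFFFFFFF  # signed 32-bit -> unsigned
    name = ntpath.basename(path)
    findings = []
    if status == STATUS_ACCESS_VIOLATION:
        findings.append("access-violation")
    if resembles_lsass(name):
        findings.append("lookalike-name")
    elif name == "lsass.exe" and path not in EXPECTED_PATHS:
        findings.append("unexpected-path")
    return {"image": path, "ntstatus": f"0x{status:08X}", "findings": findings}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```

An "access-violation" finding on the genuine System32 path matches the crash symptom described above; a "lookalike-name" or "unexpected-path" finding points instead at a file that merely borrows the lsass name.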

Starbuck67 (Author) Commented:
Hi Two People Hk,

I have attached more information (screen captures and HiJacks Log) for your reference.

I had already downloaded and run the Symantec utility in safe mode. Nothing was found.

You may try this:
Scan "Local Disks". You may be infected and an online scanner is best for ensuring the scanner has not been manipulated.
Please make a update for your windows as well.
Starbuck67 (Author) Commented:

What do you mean "Please make a update for your windows as well."?

Starbuck67 (Author) Commented:

I ran both the Stinger and Fxsasser detection utilities and nothing was found. I have attached the logs from both.
Starbuck67 (Author) Commented:

Your instructions "When starting your PC and when you get the error and your PC starts to shutdown..Type this command in Run--> shutdown -a" did not stop the system from shutting down.

Sorry, It should be Please RUN your windows update as well.
Starbuck67 (Author) Commented:
My bad for having two similar questions running. I had given up on this post as there was about a day when there was no response and I was in a real rush. During that one day span with no reply I tried giving the question a push by 'requesting attention' which had no effect.
Question has a verified solution.
