SoftwareTipsandTricks Forum (Operating Systems > Windows XP)

lsas.exe
#1  05-04-2004, 05:31 PM  lisa9599 (Junior Member)

I am running Windows XP and recently I have been getting one of those things that pops up and says that the system will shut down in 1 minute. The shutdown popup says:

C:\Windows\System32\Lsass.exe
Has terminated unexpectedly with code
1073741819

I searched through the web for this and I have found things on Microsoft.com and other websites, but they all talk about this problem happening in Windows 2000 and none mention what to do if it affects XP. Does anybody know what to do to fix this?

#2  05-04-2004, 05:40 PM  Azn_tweaker (w1nD0w5 xP Tw3aK3r GuRu)
I think you have been infected with a virus. Try running a virus scanner.
__________________
joined my friends forum.
www.osdevil.com
Pentium 4 1.5GHz, 128RDRAM, 40GB HD, WinXP Pro w/SP1, NOD32, XP ICF, SpywareBlaster 3.1, SBS&D 1.3, Ad-Aware 6.0 Professional, CWshredder 1.57

#3  05-04-2004, 05:41 PM  Azn_tweaker (w1nD0w5 xP Tw3aK3r GuRu)
If you don't have a virus scanner, use this free online scanner: http://housecall.antivirus.com/ and tell us your results.

#4  05-04-2004, 05:54 PM  ESALADUANE (Senior Member)
It's caused by a worm called Sasser. See here from Microsoft:
http://www.microsoft.com/security/incident/sasser.asp


Here's the scanning and removal tool.
http://www.microsoft.com/downloads/d...displaylang=en

#5  05-04-2004, 06:08 PM  lisa9599 (Junior Member)
I have already scanned for that virus and also ran the removal tool for that virus. Apparently it is not that one, because after the removal tool was done it said I don't have that virus on this computer... and also it is still happening.

#6  05-04-2004, 06:16 PM  ESALADUANE (Senior Member)
Have you done a full system scan as Azn_tweaker suggested? There are others (besides Sasser) using the same vulnerability, such as Blaster, Welchia and Gaobot. Here are the removal tools.

W32.Blaster.Worm Removal Tool
http://securityresponse.symantec.com...oval.tool.html

W32.Gaobot Removal Tool
http://securityresponse.symantec.com...oval.tool.html

W32.Welchia.Worm Removal Tool
http://securityresponse.symantec.com...oval.tool.html

#7  05-04-2004, 10:09 PM  Azn_tweaker (w1nD0w5 xP Tw3aK3r GuRu)
This worm spreads over the internet by exploiting the MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011.

I-Worm/Sasser.A
Installation:
When the worm is launched it copies itself as avserve.exe to the Windows directory and registers itself as avserve.exe in the Run key in the Windows Registry.

Spreading: internet
The worm searches IP addresses and when it finds a vulnerable computer it uses the exploit to download a copy of itself and launch it.

I-Worm/Sasser.B
Installation:
When the worm is launched it copies itself as avserve2.exe to the Windows directory and registers itself as avserve2.exe in the Run key in the Windows Registry.

Spreading: internet
The worm searches IP addresses and when it finds a vulnerable computer it uses the exploit to download a copy of itself and launch it.

I-Worm/Sasser.C
Installation:
When the worm is launched it copies itself as avserve2.exe to the Windows directory and registers itself as avserve2.exe in the Run key in the Windows Registry.

Spreading: internet
The worm searches IP addresses and when it finds a vulnerable computer it uses the exploit to download a copy of itself and launch it.

I-Worm/Sasser.D
Installation:
When the worm is launched it copies itself as skynetave.exe to the Windows directory and registers itself as skynetave.exe in the Run key in the Windows Registry.

Spreading: internet
The worm searches IP addresses and when it finds a vulnerable computer it uses the exploit to download a copy of itself and launch it.

Removing:
Download and install the latest Windows patch resolving the LSASS vulnerability from these pages or from the Windows Update pages. You have to choose your operating system and the language of your Windows.

The detected files containing I-Worm/Sasser have to be deleted, or use this

Remover


If it isn't possible to delete these files in Normal mode, run Windows in Safe mode (restart your computer, press and hold the F8 key during the initial Windows startup and choose the SAFE mode option) and do the following:
- move your cursor to the Start bar
- press the Start button -> Run -> type "regedit" without quotes
- press the OK button
- open the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- in the right column look for:
avserve.exe = %WinDir%\avserve.exe
or
avserve2.exe = %WinDir%\avserve2.exe
%WinDir% is the name of your system folder (e.g. WinNT, Windows)
- right-click on the particular values and choose Delete
- close the registry editor
- it is required to delete the following files:
%WinDir%\avserve.exe
%WinDir%\avserve2.exe
depending on the path which was written in the registry
- Now you can restart your computer in normal mode again.

Note:
As soon as you connect to the Internet, if your system isn't updated with the latest patch from Microsoft, the virus will be activated again!

all info from: http://www.grisoft.com/virbase/virba... fdab66b76a000
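
The Run-key entries and dropped files listed in the Grisoft write-up above can be checked from a script instead of by hand. This is an added example, not code from the forum post or from Grisoft; it only reports what it finds and leaves removal to the steps in the post or a vendor tool. It assumes administrator rights on the suspect host and a host where PowerShell can run (the 2004-era XP machines in this thread would not have had it); the file names are the ones the write-up names.

```powershell
# Added example (not from the forum post or Grisoft): report the Sasser
# persistence indicators listed in the write-up above. Reporting only.
# Assumptions: run as Administrator; PowerShell available on the host.

# File names named in the Grisoft write-up quoted above (variants A-D).
$SasserNames = @('avserve.exe', 'avserve2.exe', 'skynetave.exe')
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$WinDir      = $env:WINDIR

function Get-SasserIndicators {
    $hits = @()

    # 1. Run-key values whose name or data refers to one of the worm file names.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            $data = [string]$prop.Value
            foreach ($n in $SasserNames) {
                if ($prop.Name -ieq $n -or $data -imatch [regex]::Escape($n)) {
                    $hits += [pscustomobject]@{ Type = 'RunKey'; Name = $prop.Name; Detail = $data }
                }
            }
        }
    }

    # 2. The dropped copies in %WinDir% (the write-up says the worm copies itself there).
    foreach ($n in $SasserNames) {
        $p = Join-Path $WinDir $n
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p
            $hits += [pscustomobject]@{ Type = 'File'; Name = $p; Detail = "$($f.Length) bytes, modified $($f.LastWriteTime)" }
        }
    }
    return $hits
}

$found = @(Get-SasserIndicators)
if ($found.Count -eq 0) {
    'No Sasser Run-key entries or dropped files found (other LSASS/RPC worms are not checked).'
} else {
    $found | Format-Table -AutoSize
}
```

A clean result here does not clear the machine: as later posts in this thread point out, Blaster, Welchia and Gaobot produce the same shutdown symptom and use different file names.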

#8  05-10-2004, 02:18 PM  mulangi (Junior Member)
I have a win 2000 machine that shuts down with the same error message.

Is there some way I can prevent it from shutting down long enough to remove the virus?

I really hope so.

-M-

#9  05-10-2004, 02:22 PM  ESALADUANE (Senior Member)
To stop your machine from shutting down when this message is displayed, go to the start menu and select run. Then type "shutdown -a" (without the quotes) in the text box and click the OK button. This will stop the machine from shutting down. However, this is just a symptom. The cause is an exploit of your RPC service.

Another way (this is from Microsoft) to keep your computer from shutting down:

In many cases, on both Windows 2000 and XP, changing the settings for the Remote Procedure Call (RPC) service may allow you to connect to the Internet without the computer shutting down. To restore Internet connectivity to your PC, follow these steps:

1. Click Start > Run. The Run dialog box appears.
2. Type: SERVICES.MSC /S in the open line, and then click OK. The Services window opens.
3. In the right pane, locate the Remote Procedure Call (RPC) service.

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.

4. Right-click the Remote Procedure Call (RPC) service, and then click Properties.
5. Click the Recovery tab.
6. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
7. Click Apply, and then OK.

CAUTION: Make sure that you change these settings back once you have removed the worm.
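
The same two measures from the post above (aborting the countdown and changing the RPC service's recovery actions), done from the command line with sc.exe instead of the Services console, together with the check and the revert that the post's two CAUTIONs call for. This is an added example, not the post's or Microsoft's procedure; it assumes Administrator rights and an elevated PowerShell prompt, and the recovery settings it saves are whatever the host currently has (not assumed to be any particular default).

```powershell
# Added example (not from the post or Microsoft): RPC recovery change via sc.exe.
# Assumptions: Administrator rights; 'sc.exe' is spelled out because 'sc' is a
# PowerShell alias for Set-Content.

# Service short name for "Remote Procedure Call (RPC)".
# NOT 'RpcLocator', which is the "Remote Procedure Call (RPC) Locator" service the post warns about.
$Service = 'RpcSs'

# 0. Abort a shutdown that is already counting down (the "shutdown -a" from the post).
#    Prints an error if no shutdown is pending; that is harmless.
shutdown.exe -a

# 1. Record the current recovery settings so they can be restored after the worm is removed.
$saved = "$env:TEMP\RpcSs-recovery-before.txt"
$before = sc.exe qfailure $Service
$before | Out-File -FilePath $saved
"Saved current recovery settings to $saved"
$before

# 2. First, second and subsequent failures -> "Restart the Service" (delay in ms, here 60 s).
#    reset= 0 leaves the failure counter unreset, as the Recovery tab shows by default.
sc.exe failure $Service reset= 0 actions= restart/60000/restart/60000/restart/60000

# 3. Confirm the change took: FAILURE_ACTIONS should now list RESTART three times.
sc.exe qfailure $Service

# 4. After removal (the post's second CAUTION): restore from the saved output by hand,
#    e.g. if it showed "Restart the Computer" (REBOOT) for all three failures:
#    sc.exe failure RpcSs reset= 0 actions= reboot/60000/reboot/60000/reboot/60000
```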

#10  05-10-2004, 03:18 PM  mulangi (Junior Member)
Hi Esaladuane,

Thank you for such a swift response.

Three points:
1. I read on the Symantec site to open a cmd and enter
shutdown -i (rather than -a) BUT it also said that it would NOT work in Windows 2K (great;-)

2. Reading between the lines of your post...
Do you imply that the "shutdown in 20 seconds" ONLY happens if the machine is connected to the Internet? So, if I disconnect then I can follow your instructions to edit the registry, remove the files etc.? (and it may not be necessary to start in safe mode)
(I don't have access to the machine in question right now)

3. Will starting in Safe Mode also prevent the premature shut down?
Thanks,
bye,
-M-

#11  05-10-2004, 03:32 PM  ESALADUANE (Senior Member)
1. Yes, you're right. The first method only works with XP (sorry, I should have read your post more closely).

2. Yes, disconnect and then follow Microsoft's steps. You won't be editing the Registry, you'll be changing the RPC response in Services. You can also get there by right-clicking My Computer > Manage > Services and Applications > Services.

3. I don't know, but I doubt it. Try it.

#12  05-12-2004, 02:30 PM  mulangi (Junior Member)
Hi Esaladuane,
Thank you for your help, the beast has been squashed.

In passing:
I wrote a reply earlier but when I clicked Submit the message did not go and I found myself logged out. Is there a time limit on the board?

While in the forum I got a couple of popups, both suspicious and related to tracking/spyware. One was a window that had "Advertisement Internet Explorer" in the title bar and the other looked like a command window but with PART of the window scrolling by itself?!

I thought I had all the popup blockers ON (Panicware and ZoneAlarm Plus) but these little blighters got through... very irritating... but more to the point, is it likely that they were "guests" from this board?

-M-
Maybe this should have been a separate post?

#13  05-12-2004, 02:38 PM  ESALADUANE (Senior Member)
I suspect that you're right about the "guests". The board is paid for by advertisers that are always trying to outsmart the pop-up stoppers and ad blockers that most people now have. It only happens the first time I bring up the site. I guess I can live with it.

#14  05-12-2004, 03:01 PM  skel1977 (Junior Member)
I am also having trouble with this virus. I updated my Windows and ran the Symantec Sasser removal tool, but it says my computer is not infected; however, I still get the Windows shutdown message.

#15  05-12-2004, 03:18 PM  ESALADUANE (Senior Member)
There are other exploits with similar symptoms to Sasser. Try scanning for Blaster and Gaobot. Or, the more general scanning and removal tool from McAfee called Avert Stinger 2.2.6 which has added several viruses and worms that exploit DCOM/RPC.

Scanning and Removal Tool for Blaster
http://securityresponse.symantec.co...moval.tool.html

Scanning and Removal Tool For Gaobot
http://securityresponse.symantec.co...moval.tool.html

Avert Stinger version 2.2.6
http://vil.nai.com/vil/averttools.asp