From: "MattW85" <
[email protected]>
| Hi, I am having problems with Lsass.exe and here’s the description of the
| problem.
|
| The system is shutting down... the shutdown was initiated by NT AUTHORITY
| SYSTEM"
|
| The system process c:\windows\system32\lsass.exe terminated unexpectedly
| With status code -01073741819. The system will now shut down & restart."
|
| I checked on the internet and everything points to it being some sort of the
| sasser virus but here’s the thing I don’t have any of the known programs
| running in the task manger such as avserve.exe. I tried every single sasser
| virus scanner and they fail to find anything. Also I check for agobot,
| argobot, blaster, Welch, gaobot. And the anti-virus scanners can’t find
| anything. I am running Windows Xp service pack 2 also I am behind the windows
| firewall and I use AVG as my main antivirus scanner. I was wondering does
| anybody else have any ideas before I smash this computer
If you think you have a virus, there are anti virus News Groups for posting in.
Such as:
microsoft.public.security.virus
If you are getting the following NT AUTHORITY\SYSTEM shutdown message...
NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819
Is indicative of an Internet worm trying to exploit the LSASS module of the OS via TCP port
445.
The Sasser worm is long since gone. It has been replaced by numerous other Internet worms
that have incorporated that exploit in their arsenal of infection vectors. While you
mentions several BOTs, the Lovsan/Blaster is NOT one of them. The Lovsan/Blaster exploits
the RCP/RPCSS DCOM module of the OS via TCP port 135. It should be noted that many
subsequent BOT variants (SDBot, , AgoBOT, RBot, etc.) will try to exploit BOTH the RPC/RPCSS
DCOM and LSASS modules as vectors of infection.
You can stop the 60 sec. shutdown process.
In WinXP;
Go to; Start --> Run
enter; shutdown -a
Microsoft's LSASS vulnerability patch.
WinXP KB835732
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
However, you indicate that you are using WinXP SP2. WinXP SP2 has the above patch
incorporated in it already. Thus using WinXP SP2 mitigates this vulnerability.
Additionally, the enhanced WinXP SP2 FireWall should also help mitigate this type of TCP
port exploitation. So does the use of a Cable/DSL Router such as the Linksys BEFSR41.
Using a NAT Router even on an un-patched system will mitigate such an exploitation.
I have seen platforms get this error even if there is NO sign of infection.
Just in case, you can use the following tool. It is a broad-spectrum anti virus tool that
will catch the widest varieties of BOTs that may use this exploitation.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
http://www.ik-cs.com/multi-av.htm
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *