lsass.exe

[Guest]

I'm getting the dreaded system shutdown in x minutes message -
WINNT\system32\lsass.exe has been terminated unexpectedly with status code...

From what I'm reading, it looks like I have the Sasser virus. I can't get my
system to stay signed on long enough to try to remove it...I think I shut
down after 60 seconds.

Any suggestions? I don't really know how I got it. I've got an updated
version of McAfee Firewall and Virus Protection...

 

[David H. Lipman]

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

When you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/

Install the following patch for the LSASS vulnerability addressed by; KB835732
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

Please read: http://www.microsoft.com/security/incident/sasser.mspx

You also need a FireWall. If you don't patch the PC and not use a FireWall then you will
just be re-infected. I also suggest the installation of *ALL* MS Critical Updates ASAP.

--
Dave
http://www.claymania.com/removal-trojan-adware.html




| I'm getting the dreaded system shutdown in x minutes message -
| WINNT\system32\lsass.exe has been terminated unexpectedly with status code...
|
| From what I'm reading, it looks like I have the Sasser virus. I can't get my
| system to stay signed on long enough to try to remove it...I think I shut
| down after 60 seconds.
|
| Any suggestions? I don't really know how I got it. I've got an updated
| version of McAfee Firewall and Virus Protection...

 

[Guest]

Thanks for the info...I'll check out the other newsgroups. By the way, I
tried halting the shutdown by doing what you told me to do and it didn't stop
the shutdown. I went to start, run, and typed in shutdown -a. It said there
was not file or componets located for 'shutdown'. Did I do something wrong?
Are there any spaces in 'shutdown -a' or not? If so, where exactly are they
so I can check to see if I'm typing it exactly as it should be.

Thanks.

 

[Guest]

David...I am so bummed! That didn't work either...is there something else I
could try? You know, I'm not sure how this could have happened. I've got
McAfee Virus Scan and Firewall, SpySweeper, AdAware, Super PopUp Blocker and
I thought all my patches were up to date. I'm using my husband's laptop to
post the messages tonight...my computer at this point is useless to me.

 

[RWN]

Not an expert, but;
Can you start in safe mode?

 

[Guest]

It sounds like you need to add the location of
shutdown.exe into your path. it's definitley on your
system because that is how you get that message in the
first place.

how are your dos skills? I don't think I should bother
posting if you don't even know dos, it will get too
complicated. Do you have any nerdy friends

 

[Guest]

I'm no expert either...lol How do I start in safe mode? When my computer
starts up, there is a brief moment where I have two options to F2 Setup & F12
Reboot. Would I use one of these to start in safe mode...I have actually
looked at what each option lists, but didn't see a safe mode option.

 

[Guest]

I have very limited DOS skills...I'm wondering if I should simply do a
restore...I can boot from a CD...urgh, how dreadful.

 

[David H. Lipman]

How did it not work ?

Please elaborate. That SHUTDOWN.EXE works, I know I tested it under Win2K but shutting down
a PC then entering; "shutdown /a" and the process was stopped.

What version McAfee VirusScan (retail or Corp.) ?
What is the McAfee ENGINE version ?
What is the DAT revision ?

--
Dave




| David...I am so bummed! That didn't work either...is there something else I
| could try? You know, I'm not sure how this could have happened. I've got
| McAfee Virus Scan and Firewall, SpySweeper, AdAware, Super PopUp Blocker and
| I thought all my patches were up to date. I'm using my husband's laptop to
| post the messages tonight...my computer at this point is useless to me.
|
| "David H. Lipman" wrote:
|
| > No, I forgot that SHUTDOWN.EXE is native to WinXP not Win2K and is a Resource Kit
Utility
| > for Win2K and the switch parameter is "/A" not "-A". My Bad -- Sorry !
| >
| > I looked for a URL for the utility but I could NOT find it so I am reluctantly attaching
the
| > SHUTDOWN.EXE file in a ZIP file.
| >
| > The syntax is; shutdown /A
| >
| > --
| > Dave
| >
| >
| >
| >
| > | > | Thanks for the info...I'll check out the other newsgroups. By the way, I
| > | tried halting the shutdown by doing what you told me to do and it didn't stop
| > | the shutdown. I went to start, run, and typed in shutdown -a. It said there
| > | was not file or componets located for 'shutdown'. Did I do something wrong?
| > | Are there any spaces in 'shutdown -a' or not? If so, where exactly are they
| > | so I can check to see if I'm typing it exactly as it should be.
| > |
| > | Thanks.
| > |
| > | "David H. Lipman" wrote:
| > |
| > | > There are anti virus News Groups specifically for this type of discussion.
| > | >
| > | > microsoft.public.scripting.virus.discussion
| > | > microsoft.public.security.virus
| > | > alt.comp.virus
| > | > alt.comp.anti-virus
| > | >
| > | > When you get the shutdown message...
| > | >
| > | > Go to; Start --> Run
| > | > enter; shutdown -a
| > | >
| > | > This will halt the shutdown and give you a chance to Download the McAfee worm
removal
| > tool,
| > | > Stinger: http://vil.nai.com/vil/stinger/
| > | >
| > | > Install the following patch for the LSASS vulnerability addressed by; KB835732
| > | >
| >
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
| > | >
| > | > Please read: http://www.microsoft.com/security/incident/sasser.mspx
| > | >
| > | > You also need a FireWall. If you don't patch the PC and not use a FireWall then you
| > will
| > | > just be re-infected. I also suggest the installation of *ALL* MS Critical Updates
ASAP.
| > | >
| > | > --
| > | > Dave
| > | > http://www.claymania.com/removal-trojan-adware.html
| > | >
| > | >
| > | >
| > | >
| > | > | > | > | I'm getting the dreaded system shutdown in x minutes message -
| > | > | WINNT\system32\lsass.exe has been terminated unexpectedly with status code...
| > | > |
| > | > | From what I'm reading, it looks like I have the Sasser virus. I can't get my
| > | > | system to stay signed on long enough to try to remove it...I think I shut
| > | > | down after 60 seconds.
| > | > |
| > | > | Any suggestions? I don't really know how I got it. I've got an updated
| > | > | version of McAfee Firewall and Virus Protection...
| > | >
| > | >
| > | >
| >
| >
| >
| >
| >

 

[Guest]

I don't know why or how it didn't work. My computer starts up, begins loading
programs such as McAfee, SpySweeper, etc. While this going on, I pull up the
start menu, run and then type in "shutdown /a" and then select ok. A message
pops up telling me that the file "shutdown" and it's componts cannot be
found.

My computer was literally working one minute and then shutdown the next and
won't stop restarting now. URGH! <shaking my head>

 

[Guest]

:
Sorry, I forgot to give you the following info...I purchased and downloaded
McAfee firewall and Virus Scan nearly two years ago from it's website and it
updates regularly. I don't know what the ENGINE version or the DAT revision
is?

 

[David H. Lipman]

Judi:

You ONLY need to execute 'SHUTDOWN /A' when/if you get a Pop-Up indicating your PC is being
shutdown and provides a timer-count down. You want to SAVE SHUTDOWN.EXE in c:\winnt

There are three components to *all* McAfee AV pacjakes and their are in two classes.
Retail - Home use and Corporate/Enterprise - for the business and large organizations. The
two classes are different from each other.

Each product is broken into three major components --
Kernel -- This is the version of the software. For example Retail v8.0 or Enterprise v4.5.1
or v7.1
ENGINE -- This component is the part of the software that algryhmically finds and delets
infectors as defined in a signature file
DAT files -- These are the McAfee signature files.

The latest ENGINE is v4400 and the latest DAT file is v4423 (which will be updated to v4424
by 4pm Eastern Time Today).

You can find out thie above information by Right Clicking on the McAfee icon in the System
Tray and finding "About" or "virusscan --> About".


--
Dave




| I don't know why or how it didn't work. My computer starts up, begins loading
| programs such as McAfee, SpySweeper, etc. While this going on, I pull up the
| start menu, run and then type in "shutdown /a" and then select ok. A message
| pops up telling me that the file "shutdown" and it's componts cannot be
| found.
|
| My computer was literally working one minute and then shutdown the next and
| won't stop restarting now. URGH! <shaking my head>
|
| "David H. Lipman" wrote:
|
| > How did it not work ?
| >
| > Please elaborate. That SHUTDOWN.EXE works, I know I tested it under Win2K but shutting
down
| > a PC then entering; "shutdown /a" and the process was stopped.
| >
| > What version McAfee VirusScan (retail or Corp.) ?
| > What is the McAfee ENGINE version ?
| > What is the DAT revision ?
| >
| > --
| > Dave
| >
| >
| >
| >
| > | > | David...I am so bummed! That didn't work either...is there something else I
| > | could try? You know, I'm not sure how this could have happened. I've got
| > | McAfee Virus Scan and Firewall, SpySweeper, AdAware, Super PopUp Blocker and
| > | I thought all my patches were up to date. I'm using my husband's laptop to
| > | post the messages tonight...my computer at this point is useless to me.
| > |
| > | "David H. Lipman" wrote:
| > |
| > | > No, I forgot that SHUTDOWN.EXE is native to WinXP not Win2K and is a Resource Kit
| > Utility
| > | > for Win2K and the switch parameter is "/A" not "-A". My Bad -- Sorry !
| > | >
| > | > I looked for a URL for the utility but I could NOT find it so I am reluctantly
attaching
| > the
| > | > SHUTDOWN.EXE file in a ZIP file.
| > | >
| > | > The syntax is; shutdown /A
| > | >
| > | > --
| > | > Dave
| > | >
| > | >
| > | >
| > | >
| > | > | > | > | Thanks for the info...I'll check out the other newsgroups. By the way, I
| > | > | tried halting the shutdown by doing what you told me to do and it didn't stop
| > | > | the shutdown. I went to start, run, and typed in shutdown -a. It said there
| > | > | was not file or componets located for 'shutdown'. Did I do something wrong?
| > | > | Are there any spaces in 'shutdown -a' or not? If so, where exactly are they
| > | > | so I can check to see if I'm typing it exactly as it should be.
| > | > |
| > | > | Thanks.
| > | > |
| > | > | "David H. Lipman" wrote:
| > | > |
| > | > | > There are anti virus News Groups specifically for this type of discussion.
| > | > | >
| > | > | > microsoft.public.scripting.virus.discussion
| > | > | > microsoft.public.security.virus
| > | > | > alt.comp.virus
| > | > | > alt.comp.anti-virus
| > | > | >
| > | > | > When you get the shutdown message...
| > | > | >
| > | > | > Go to; Start --> Run
| > | > | > enter; shutdown -a
| > | > | >
| > | > | > This will halt the shutdown and give you a chance to Download the McAfee worm
| > removal
| > | > tool,
| > | > | > Stinger: http://vil.nai.com/vil/stinger/
| > | > | >
| > | > | > Install the following patch for the LSASS vulnerability addressed by; KB835732
| > | > | >
| > | >
| >
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
| > | > | >
| > | > | > Please read: http://www.microsoft.com/security/incident/sasser.mspx
| > | > | >
| > | > | > You also need a FireWall. If you don't patch the PC and not use a FireWall then
you
| > | > will
| > | > | > just be re-infected. I also suggest the installation of *ALL* MS Critical
Updates
| > ASAP.
| > | > | >
| > | > | > --
| > | > | > Dave
| > | > | > http://www.claymania.com/removal-trojan-adware.html
| > | > | >
| > | > | >
| > | > | >
| > | > | >
| > | > | > | > | > | > | I'm getting the dreaded system shutdown in x minutes message -
| > | > | > | WINNT\system32\lsass.exe has been terminated unexpectedly with status code...
| > | > | > |
| > | > | > | From what I'm reading, it looks like I have the Sasser virus. I can't get my
| > | > | > | system to stay signed on long enough to try to remove it...I think I shut
| > | > | > | down after 60 seconds.
| > | > | > |
| > | > | > | Any suggestions? I don't really know how I got it. I've got an updated
| > | > | > | version of McAfee Firewall and Virus Protection...
| > | > | >
| > | > | >
| > | > | >
| > | >
| > | >
| > | >
| > | >
| > | >
| >
| >
| >

 

[Guest]

If I do a system restore will that rid my system of the virus? I know this is
a drastic measure, but I have SO much I need to get done, so I don't have a
lot of time to keep trying things...any suggestion?

 

[John John]

Press F8 when windows starts to load.

John

I'm no expert either...lol How do I start in safe mode? When my computer
starts up, there is a brief moment where I have two options to F2 Setup & F12
Reboot. Would I use one of these to start in safe mode...I have actually
looked at what each option lists, but didn't see a safe mode option.

:

 

[David H. Lipman]

#1 -- There is NO System Restore Cache in Win2K
#2 -- It would not help anyway (if it was an option) because this activity is caused by a
Internet worm and you will just get re-infected again if you don't implement a FireWall and
don't patch the system for the LSASS vulnerability.

--
Dave




| If I do a system restore will that rid my system of the virus? I know this is
| a drastic measure, but I have SO much I need to get done, so I don't have a
| lot of time to keep trying things...any suggestion?
|
| "David H. Lipman" wrote:
|
| > How did it not work ?
| >
| > Please elaborate. That SHUTDOWN.EXE works, I know I tested it under Win2K but shutting
down
| > a PC then entering; "shutdown /a" and the process was stopped.
| >
| > What version McAfee VirusScan (retail or Corp.) ?
| > What is the McAfee ENGINE version ?
| > What is the DAT revision ?
| >
| > --
| > Dave
| >
| >
| >
| >
| > | > | David...I am so bummed! That didn't work either...is there something else I
| > | could try? You know, I'm not sure how this could have happened. I've got
| > | McAfee Virus Scan and Firewall, SpySweeper, AdAware, Super PopUp Blocker and
| > | I thought all my patches were up to date. I'm using my husband's laptop to
| > | post the messages tonight...my computer at this point is useless to me.
| > |
| > | "David H. Lipman" wrote:
| > |
| > | > No, I forgot that SHUTDOWN.EXE is native to WinXP not Win2K and is a Resource Kit
| > Utility
| > | > for Win2K and the switch parameter is "/A" not "-A". My Bad -- Sorry !
| > | >
| > | > I looked for a URL for the utility but I could NOT find it so I am reluctantly
attaching
| > the
| > | > SHUTDOWN.EXE file in a ZIP file.
| > | >
| > | > The syntax is; shutdown /A
| > | >
| > | > --
| > | > Dave
| > | >
| > | >
| > | >
| > | >
| > | > | > | > | Thanks for the info...I'll check out the other newsgroups. By the way, I
| > | > | tried halting the shutdown by doing what you told me to do and it didn't stop
| > | > | the shutdown. I went to start, run, and typed in shutdown -a. It said there
| > | > | was not file or componets located for 'shutdown'. Did I do something wrong?
| > | > | Are there any spaces in 'shutdown -a' or not? If so, where exactly are they
| > | > | so I can check to see if I'm typing it exactly as it should be.
| > | > |
| > | > | Thanks.
| > | > |
| > | > | "David H. Lipman" wrote:
| > | > |
| > | > | > There are anti virus News Groups specifically for this type of discussion.
| > | > | >
| > | > | > microsoft.public.scripting.virus.discussion
| > | > | > microsoft.public.security.virus
| > | > | > alt.comp.virus
| > | > | > alt.comp.anti-virus
| > | > | >
| > | > | > When you get the shutdown message...
| > | > | >
| > | > | > Go to; Start --> Run
| > | > | > enter; shutdown -a
| > | > | >
| > | > | > This will halt the shutdown and give you a chance to Download the McAfee worm
| > removal
| > | > tool,
| > | > | > Stinger: http://vil.nai.com/vil/stinger/
| > | > | >
| > | > | > Install the following patch for the LSASS vulnerability addressed by; KB835732
| > | > | >
| > | >
| >
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
| > | > | >
| > | > | > Please read: http://www.microsoft.com/security/incident/sasser.mspx
| > | > | >
| > | > | > You also need a FireWall. If you don't patch the PC and not use a FireWall then
you
| > | > will
| > | > | > just be re-infected. I also suggest the installation of *ALL* MS Critical
Updates
| > ASAP.
| > | > | >
| > | > | > --
| > | > | > Dave
| > | > | > http://www.claymania.com/removal-trojan-adware.html
| > | > | >
| > | > | >
| > | > | >
| > | > | >
| > | > | > | > | > | > | I'm getting the dreaded system shutdown in x minutes message -
| > | > | > | WINNT\system32\lsass.exe has been terminated unexpectedly with status code...
| > | > | > |
| > | > | > | From what I'm reading, it looks like I have the Sasser virus. I can't get my
| > | > | > | system to stay signed on long enough to try to remove it...I think I shut
| > | > | > | down after 60 seconds.
| > | > | > |
| > | > | > | Any suggestions? I don't really know how I got it. I've got an updated
| > | > | > | version of McAfee Firewall and Virus Protection...
| > | > | >
| > | > | >
| > | > | >
| > | >
| > | >
| > | >
| > | >
| > | >
| >
| >
| >

 

[Guest]

The Pop-Up indicating my PC is shuting down with a timer does come up...did
you send me the shutdown.exe file? If so, where did you send it to? E-mail?
<looking stupid and hating it>

 

[Guest]

Is a restore the same thing as reloading my Windows 2000 Pro operating
system? I could start all over with it, and then take the steps <obviously
not taken before> to protect myself against this internet virus with the
Stinger program I've read about. At this point it doesn't look like I have
much choice.

 

[David H. Lipman]

I attached to my post. Since you are using the MS CDO Web Front-End to the MS News Groups I
guess you can't access it. Either you need to switch to using a News Client and accessing
the News Groups or you'll have to email me and I'll send it to you.

Just remove ~nospam~ to email me.

--
Dave




| The Pop-Up indicating my PC is shuting down with a timer does come up...did
| you send me the shutdown.exe file? If so, where did you send it to? E-mail?
| <looking stupid and hating it>

 

[David H. Lipman]

A "restore" is definitely not the same a reinstalling the OS !

You have LOTS of choices. Reinstalling Win2K is a draconian Knee Jerk reaction that is ONLY
reserved for when all other options have been exhausted.

--
Dave




| Is a restore the same thing as reloading my Windows 2000 Pro operating
| system? I could start all over with it, and then take the steps <obviously
| not taken before> to protect myself against this internet virus with the
| Stinger program I've read about. At this point it doesn't look like I have
| much choice.

 

[Guest]

LOTS of choices? What are they? Is it going to require sending my computer
off for repair?