error lsass.exe terminated unexpectedly

[Michael]

A problem has just cropped up. I get a message box only
when on line with a dial up connection. "NT
Authority\System" displays a box that says "lsass.exe has
terminated unexpectdly. the system counts down and
restarts with a staus code of 128". I can only find a
reference to this type of error with Services.exe in the
support area. It is a stand alone desxtop. Service pack 4
installed, Mcafee antivirus is installed and up to date.
I can get on line but this message comes up everytime
anywhere from right away to up to 10 to 15 minutes after I
get logged on.

 

[Abhijeet Nigam [MSFT]]

Hi ,
This could be an issue with Sasser worm which is on net
I am sending you some information regarding that worm
let me know If you need some more help


The MS04-011 security bulletin is available at
www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

Firewalls protect: Protect from the vector this worm attacks, which is TCP
Port 139. Most third party firewalls also block this attack vector by
default.

How to tell if you're infected: Systems who are infected with the
W32.Sasser.worm may experience difficulty accessing the Internet. Infected
customers may also receive an LSASS.exe error pop-up which may cause a
reboot.

How to fix: For Infected Systems, we should follow the manual clean-up
steps detailed at http://www.microsoft.com/security/incident/sasser.asp


for more Information
Network Associates: http://vil.nai.com/
Symantec: http://securityresponse.symantec.com
Trend Micro: http://www.trendmicro.com/

If you still experience infection symptoms after following the guidance or
who need assistance with the manual clean up steps should contact the
Microsoft PC Safety Hotline at 1-866-PCSAFTEY. International customers can
receive support from their local subsidiaries through
http://support.microsoft.com/international.



I hope this could help you


Abhijeet Nigam, MCSE,A+,CCNA
This posting is provided "AS IS" with no warranties, and confers no rights

 

[Bruce Chambers]

Greetings --

You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH