LSA Shell & System32\lsass.exe problems

Becky B

I am running Windows XP and when I turn the computer on,
I get a pop-up window that says "LSA Shell (export
Version)" not found - send report or don't send report.
When I choose not to send the report (because I am not
connected to the internet) it closes and I try to
connect. After connecting to the internet this message
comes up after logging on..."C:Windows\system32\lsass.exe"
has been terminated. Shut down initiated by
NT AUTHORITY\SYSTEM. The computer then gives me 1 minute
to log off or it automatically shuts down and starts the
whole process over again. I can not stay connected in
order to get any help at all. I have done a system
restore (F8) key and still I am having problems. Does
anyone know how to fix this problem?

Thanks
 
MGGP

You can stop the impending shutdown by going to Start, Run,
typing shutdown -a and hitting OK.

See http://www.microsoft.com/security/incident/sasser.asp

Also:
http://vil.nai.com/vil/stinger/
Stinger is a stand-alone utility used to detect and remove
specific viruses. It is not a substitute for full anti-
virus protection, but rather a tool to assist
administrators and users when dealing with an infected
system. Stinger utilizes next generation scan engine
technology, including process scanning, digitally signed
DAT files, and scan performance optimizations.

Also:
THE PARASITE FIGHT QUICK FIX PROTOCOL
http://aumha.org/a/quickfix.htm

THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
http://aumha.org/a/parasite.htm

Bugs, Glitches & Stuffups
http://www.mvps.org/inetexplorer/Darnit.htm

Dealing with Unwanted Spyware and Parasites
http://mvps.org/winhelp2002/unwanted.htm

Unexplained computer behavior may be caused by deceptive
software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315#appliesto

Spyware and Deceptive Software
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx?gssnb=1

What you should know about spyware
http://www.microsoft.com/security/articles/spyware.asp

Good Luck !
 
Nathan

Becky B said:
I am running Windows XP and when I turn the computer on,
I get a pop-up window that says "LSA Shell (export
Version)" not found - send report or don't send report.
When I choose not to send the report (because I am not
connected to the internet) it closes and I try to
connect. After connecting to the internet this message
comes up after logging on..."C:Windows\system32\lsass.exe"
has been terminated. Shut down initiated by
NT AUTHORITY\SYSTEM. The computer then gives me 1 minute
to log off or it automatically shuts down and starts the
whole process over again. I can not stay connected in
order to get any help at all. I have done a system
restore (F8) key and still I am having problems. Does
anyone know how to fix this problem?

Thanks

You may be looking at the Sasser worm. Go here
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
and download the removal tool, then see if the problem persists. There
are several other exploits that have the same signature as the Sasser
worm, but more than likely this will fix your problem.
 
Bruce Chambers

Greetings --

You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
 
