lsass.exe - some sort of virus?

Guest

Hello - I'm relatively new to this. I have recently been getting a pop-up
message on start up that says my system is shutting down because lsass.exe
terminated unexpectedly with status code 1073741819 and a countdown clock.
After about 20 seconds, the clock stops and another message appears saying
lsass.exe has encountered a serious problem (possible spyware infection) etc
etc

I have tried running the Microsoft patch for this but my system tells me my
pack already has a newer version. Any sasser worm search I run tells me I
don't have it and various virus scans I run say I am not infected, yet the
messages I described at the start return every time I start up again.

This seems to have a serious impact on my memory usage

Can anyone help?

Thanks


David
 
Woody

It could be either depending whether the first letter is a capital I (i) or a
small l (L). Do a Google search on the file and you will get lots of
information on it....
 
Guest

Thanks for coming back so quickly David

Those are exactly the messages I am getting

In response to your questions

1. Yes WINXP SP2 - as I say, I tried downloading Microsoft's patch for
this but my system tells me I already have it

2. I'm sorry, I am fairly IT backward! How can I find out what LOGs I have?


Thanks again
 
David H. Lipman

From: "dpmiler" <[email protected]>

| Thanks for coming back so quickly David
|
| Those are exactly the messages I am getting
|
| In response to your questions
|
| 1. Yes WINXP SP2 - as I say, I tried downloading Microsoft's patch for
| this but my system tells me I already have it
|
| 2. I'm sorry, I am fairly IT backward! How can I find out what LOGs I have?
|

Go to; start --> run
and enter...

notepad %windir%\KB835732.log

Does it bring up a LOG file of text?
 
David H. Lipman

From: "dpmiler" <[email protected]>

| Thanks Dave
|
| Yes, that does bring up a LOG file of text
|
| Now what!?
|
| Cheers
|
| David
|


OK. Then that means that the LSASS module vulnerability exploited via Internet worms using
TCP port 445 is NOT the case.

Basically, something else is causing these errors and it is NOT an Internet worm.

What exactly it is, I don't know. However, you can test this by disconnecting the PC from
the Internet.

If the affected PC is NOT connected to a LAN or the Internet and you STILL get the 60 sec.
shutdown message previously described then it proves it is not a virus (Internet worm)
related cause.
 
Guest

I've rebooted my PC while disconnected from the Internet and the message did
not appear, nor did it when I subsequently rebooted while connected

Seems like it's disappeared!

I appreciate your help and prompt responses. Fingers crossed it will stay away

Cheers again


David
 