LSASS.EXE Terminated Unexpectedly Code 1073741819


Robert J. Rando

David,

I'm running in SAFE MODE. I'm trying to execute Start, Run, Shutdown -a
precisely at the time I get the error message but I'm getting locked out of
the start/run command line once the error message comes up. I can't get the
system to stay running for me for more than 10 minutes. This is getting very
frustrating as I can't get any of the MULTI_AV exe files to run for more
than 10 minutes. You have been extremely helpful and I am computer savvy but
I just can't seem to get past 1st base with this one.

Also, how do I specifically block the UDP and TCP ports you reference? I do
have an Etherfast Cable/DSL Router.

Bob
----- Original Message -----
From: David H. Lipman
To: (e-mail address removed)
Sent: Sunday, December 25, 2005 8:12 PM
Subject: Fw: LSASS.EXE Terminated Unexpectedly Code 1073741819

From: David H. Lipman
Newsgroups:
microsoft.public.windowsxp.device_driver.dev,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.perform_maintain,microsoft.public.security.virus
Sent: Sunday, December 25, 2005 10:05 PM
Subject: Re: LSASS.EXE Terminated Unexpectedly Code 1073741819


From: "Robert J. Rando" <[email protected]>

| HELP!! System Shutting down after 10 min with "LSASS.EXE Terminated
| Unexpectedly with status Code 1073741819". I've run the Microsoft Malicious
| Software tool and it doesn't detect the W32.Sasser.E.Worm. I've tried the
| Symantec tool as well but the system shuts down before it is complete. I've
| compared this to my other system and the Registry entries for LSASS.EXE are
| exactly the same. My other system is fine. I have tried virtually every
| suggestion I have found on the Web and still no resolution.
|
| Any suggestions? Bob
|

Way too many News Groups !

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

One of the above and microsoft.public.windowsxp.general is all that this should have been posted to! Therefore I have set Follow-ups to those two News Groups.

The following are certainly symptoms of a LSASS buffer overflow exploit via
TCP port 445.

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status
code -1073741819

or

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status
code -1073741819

However, one can NOT assume Sasser. There are several Internet worms now actively taking advantage of this vulnerability. Most notable are the SDBot/RBot worms:

W32/Sasser.worm.a -- http://vil.nai.com/vil/content/v_125007.htm
W32/Reatle.f@MM -- http://vil.nai.com/vil/content/v_135722.htm
W32/Gaobot.worm.gen -- http://vil.nai.com/vil/content/v_100785.htm
Qhosts.apd -- http://vil.nai.com/vil/content/v_124880.htm
W32/Plexus.b@MM -- http://vil.nai.com/vil/content/v_126167.htm
W32/Sdbot.worm!ftp -- http://vil.nai.com/vil/content/v_128082.htm
W32/Mytob.gen@MM -- http://vil.nai.com/vil/content/v_132158.htm
W32/Radebot.worm -- http://vil.nai.com/vil/content/v_132018.htm
{ W32/Radebot.worm, W32/Mytob.gen@MM & W32/Sdbot.worm!ftp will all exploit both LSASS and the RPC/RPCSS DCOM vulnerabilities }

To mitigate the LSASS module buffer overflow vulnerability one needs to install the following Microsoft LSASS patch for WinXP, KB835732 --
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

One can execute the 'shutdown -a' command line to stop the 60 second countdown and effect the installation of the patch. Additionally, disconnecting the PC from the Internet will keep such an attack from happening and allow the installation of the patch.

When you get the (attached) NT Shutdown message with the 60 sec.
countdown...
Go to; Start --> Run
enter; shutdown -a

It should also be noted that just because one gets the (attached) LSASS shutdown message, it does NOT mean that one is infected. It means that TCP port 445 is under attack by attempting to exploit the buffer overflow vulnerability. A non-vulnerable system will not exhibit the (attached) NT Shutdown message.

One *must* use a FireWall and patch their systems to prevent such an
exploitation.

If one is on Broadband, a Cable/DSL Router such as the Linksys BEFSR41 can greatly mitigate such a threat even if LAN nodes are not fully patched. Specifically blocking both TCP and UDP ports 135 ~ 139 and 445 will completely mitigate any of the worms or hackers trying to take advantage of MS Networking ports using TCP/IP.

The following tool can be used to find and remove any of the known Internet worms that will exploit the vulnerability and should be used ASAP.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 

pcbutts1

Run it before you get the message then when the message pops up it is just 3
mouse clicks to execute it. Start>run>ok.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



 

David H. Lipman

From: "Robert J. Rando" <[email protected]>

| David,
|
| I'm running in SAFE MODE. I'm trying to execute Start, Run, Shutdown -a
| precisely at the time I get the error message but I'm getting locked out of
| the start/run command line once the error message comes up. I can't get the
| system to stay running for me for more than 10 minutes. This is getting very
| frustrating as I can't get any of the MULTI_AV exe files to run for more
| than 10 minutes. You have been extremely helpful and I am computer savvy but
| I just can't seem to get past 1st base with this one.
|
| Also, how do I specifically block the UDP and TCP ports you reference? I do
| have an Etherfast Cable/DSL Router.
|
| Bob

Bob:

How you set the TCP and UDP blocks will vary from vendor to vendor and between different
models by a vendor. You can view the graphic I had attached in a previous reply for how
they are set on some Linksys models.

Here is the *big* question...

If you disconnect the PC from the network, that is, you remove the Ethernet cable from the back of the affected computer, do you still get the following message?

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819
 

Robert J. Rando

OK. I did that. Timer stopped counting down but I still couldn't do
anything. The mouse didn't work and I couldn't do anything else.

HELP!!!

pcbutts1 said:
Run it before you get the message then when the message pops up it is just
3 mouse clicks to execute it. Start>run>ok.

 

Robert J. Rando

I'm still getting the message even with the network cable disconnected. I
can't seem to get the system to run after 10 minutes even doing
Start,Run,Shutdown -a. WHY??? So even though I am running the MULTI_AV.EXE
and associated programs, I can't get any of them to finish. I have been
solving Windows based problems for years but this is the FIRST ONE I can't
make any progress on.

I have a 2nd system that is "Virtually" identical to the one that is
shutting down. I have run everything on it and it is clean. Is there any
"export" or something similar I can do of the system settings or key windows
files/registry files that I could then import to the failing system.

I'm desperate right now and so, so FRUSTRATED!
 

David H. Lipman

From: "Robert J. Rando" <[email protected]>

| I'm still getting the message even with the network cable disconnected. I
| can't seem to get the system to run after 10 minutes even doing
| Start,Run,Shutdown -a. WHY??? So even though I am running the MULTI_AV.EXE
| and associated programs, I can't get any of them to finish. I have been
| solving Windows based problems for years but this is the FIRST ONE I can't
| make any progress on.
|
| I have a 2nd system that is "Virtually" identical to the one that is
| shutting down. I have run everything on it and it is clean. Is there any
| "export" or something similar I can do of the system settings or key windows
| files/registry files that I could then import to the failing system.
|
| I'm desperate right now and so, so FRUSTRATED!

If you still get the message when the network cable is removed then this is NOT related to
a vulnerability exploitation and it is something "else".

The only time I ever saw this message was with a PC infected with adware/spyware and when I
ran Ad-aware (this is over a year ago to 18 months ago) after about 1 minute into the scan,
I got the RPC shutdown message.

What your problem is I don't know but you *may* have to rebuild the PC from scratch.
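Decoding the status code from the dialog and applying the cable-unplugged test from the two replies above, as an added Python example that is not from this thread. The sample messages are constructed from the dialog and STOP text quoted in the thread; the NTSTATUS names are the documented Windows names, and the `kb835732_installed` flag is an assumed input.

```python
import re

# NTSTATUS values relevant to this thread. The decimal the NT shutdown dialog
# prints is the same 32-bit value shown as a signed integer; the names are the
# documented Windows NTSTATUS names.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",           # typical result of memory corruption
    0xC000021A: "STATUS_SYSTEM_PROCESS_TERMINATED",  # winlogon/csrss died -> bug check
}

# Constructed samples modelled on the messages quoted in the thread.
SAMPLE_SHUTDOWN_MSG = (
    "NT AUTHORITY\\SYSTEM\n"
    "'c:\\windows\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819"
)
SAMPLE_STOP_MSG = "STOP:C000021a Windows Logon Process System process Terminated Unexpectedly"

LSASS_RE = re.compile(
    r"'(?P<path>[^']*lsass\.exe)' terminated unexpectedly with status code (?P<code>-?\d+)",
    re.IGNORECASE,
)
STOP_RE = re.compile(r"STOP:\s*(?P<code>[0-9A-Fa-f]{8})")


def ntstatus_from_decimal(value: int) -> int:
    """Convert the signed decimal printed by the dialog to its unsigned 32-bit NTSTATUS."""
    return value & 0xFFFFFFFF


def describe_status(code: int) -> str:
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown')})"


def parse_message(text: str):
    """Recognise the LSASS shutdown dialog text or a STOP bug-check line."""
    m = LSASS_RE.search(text)
    if m:
        return {"kind": "lsass", "path": m.group("path"),
                "status": ntstatus_from_decimal(int(m.group("code")))}
    m = STOP_RE.search(text)
    if m:
        return {"kind": "bugcheck", "status": int(m.group("code"), 16)}
    return None


# Triage outcomes, following the reasoning in the thread.
NOT_LSASS = "not_lsass_message"
LOCAL_CAUSE = "local_cause"                 # recurs with cable unplugged: not port-445 exploitation
EXPLOIT_ATTEMPT = "remote_exploit_attempt"  # unpatched LSASS hit over TCP 445; not proof of infection
PATCHED_VERIFY = "patched_verify"           # a non-vulnerable host should not show it

ADVICE = {
    NOT_LSASS: "Message is not the LSASS crash dialog; diagnose separately.",
    LOCAL_CAUSE: "Crash recurs offline: suspect resident malware or a damaged install, "
                 "not a network exploit. Scan offline; consider a rebuild.",
    EXPLOIT_ATTEMPT: "Unpatched LSASS reachable on TCP 445. Run 'shutdown -a', unplug, "
                     "install KB835732, block TCP/UDP 135-139 and 445 at the router, then scan.",
    PATCHED_VERIFY: "Patched hosts should not show this; confirm KB835732 is installed.",
}


def triage(message: str, network_disconnected: bool, kb835732_installed: bool) -> str:
    """Classify one observed message using the cable-unplugged test and patch state."""
    parsed = parse_message(message)
    if parsed is None or parsed["kind"] != "lsass":
        return NOT_LSASS
    if network_disconnected:
        return LOCAL_CAUSE
    if kb835732_installed:
        return PATCHED_VERIFY
    return EXPLOIT_ATTEMPT


if __name__ == "__main__":
    p = parse_message(SAMPLE_SHUTDOWN_MSG)
    print(p["path"], describe_status(p["status"]))
    for offline in (False, True):
        tag = triage(SAMPLE_SHUTDOWN_MSG, offline, False)
        print(f"offline={offline}: {tag}: {ADVICE[tag]}")
    print(describe_status(parse_message(SAMPLE_STOP_MSG)["status"]))
```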
 

Robert J. Rando

Any idea why when I do the Start, Run, Shutdown -a I can't get the system to
still function once I get the error message? Can I copy anything from system
2 over to the System that is failing?
 

Robert J. Rando

Rick...This is your previous response to my question and I have a new
question just below your previous answer.

_______________________________________________________________________________________________________________
RICK....THIS IS MY LATEST QUESTION. I STILL CAN'T FIX THIS

I can't seem to get this fixed. I click start/run then type shutdown -a when I get the message and the clock stops counting down but I can't do anything in the system. It freezes for a few seconds and then I get the error message STOP:C000021a Windows Logon Process System process Terminated Unexpectedly and I go through the entire restart process again for about the 100th time. I have all the free Antivirus scanning software and I have been trying to run them all but at the 10 minute mark the system freezes and I am back to square 1.

ANY IDEAS? I don't want to do a Windows XP install update in place if I can
help it, and I'm not sure that will solve the problem. I also have a 2nd
system that is almost identical to the infected system. It is CLEAN. Is
there an export function of settings, registry files, etc. etc. that I can
then import to the infected system to solve the problem?

Thanks, Bob
 

pcbutts1

OK try this. Restart the computer. As soon as Windows opens and you see the
Windows desktop, click Start > Run. Type shutdown -i and press Enter. In the
Remote Shutdown Dialog that opens, change 20 seconds to 9999 and click OK.
This gives you about three hours to get the patch installed, update the
definitions, and so on. Reconnect the network/Internet connection. Connect to
the Internet, and get the patch. When you have patched for and removed the
threat, you can then download a removal tool to remove Sasser from your
system.

 

Matt Thompson

Your problem is coming from a virus that is on your computer and trying to run or spread
OR
A bad system install where a file or critical registry value is damaged.

There are a few things you can do to troubleshoot this issue, however if you
can not even get the computer to start up and work in Safe Mode + Command
Prompt, chances are things are fairly damaged.

First, don't abort the system shutdown, but try to quickly schedule a CHKDSK
on your system drive.
CHKDSK /F %SYSTEMDRIVE%
Choose "Y" to schedule a CHKDSK at reboot.

Next, Can you find another machine that can burn ISO CD-R images? Can the
computer with a problem boot using a CD? If you answered yes to both of
these questions, let me know and I will see if I can provide you with a
bootable CD for scanning and cleaning your computer.

Otherwise.... Format/Reinstall.

Robert J. Rando

Well I tried that. I made the change but I can't save it because it is
looking for a COMPUTER TO ADD. Naturally there aren't any in the list.

pcbutts1 said:
OK try this. Restart the computer. As soon as Windows opens and you see
the Windows desktop, click Start > Run. Type shutdown -i and press Enter.
In the Remote Shutdown Dialog that opens, change 20 seconds to 9999 and
click OK.
This gives you about three hours to get the patch installed, update the
definitions, and so on. Reconnect the network/Internet connection. Connect
to the Internet, and get the patch. When you have patched for and removed
the threat, you can then download a removal tool to remove Sasser from
your system.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



Robert J. Rando said:
OK. I did that. Timer stopped counting down but I still couldn't do
anything. The mouse didn't work and I couldn't do anything else.

HELP!!!

pcbutts1 said:
Run it before you get the message then when the message pops up it is
just 3 mouse clicks to execute it. Start>run>ok.


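David Lipman's reply earlier in this thread quotes the exact shutdown text ("lsass.exe terminated unexpectedly with status code -1073741819"), points out that it signals an attack against TCP port 445 rather than a confirmed infection, and recommends blocking TCP and UDP ports 135 through 139 and 445 at the Cable/DSL router. The script below is an added example, not code from the thread or from any of the tools it mentions: it picks the LSASS message out of constructed log lines, renders the status code as the NTSTATUS value 0xC0000005 (an access violation), and audits a simple first-match port-filter list for the ports David names. The rule tuple layout and the sample lines are assumptions made for the example.

```python
"""Added example: recognise the LSASS crash message from the thread and audit
perimeter rules for the MS-networking ports it recommends blocking."""
import re
from typing import Iterable, List, Optional, Tuple

# Status code from the NT shutdown dialog quoted in the thread, as the signed
# 32-bit integer Windows displays it.
LSASS_CRASH_CODE = -1073741819

# Ports the thread recommends blocking (TCP and UDP) at the Cable/DSL router.
MS_NETWORKING_PORTS = frozenset(range(135, 140)) | frozenset({445})

# Constructed sample lines shaped like the shutdown text quoted in the thread;
# they are not captured from a real host.
SAMPLE_EVENTS = [
    "NT AUTHORITY\\SYSTEM 'c:\\windows\\system32\\lsass.exe' terminated "
    "unexpectedly with status code -1073741819",
    "NT AUTHORITY\\SYSTEM 'c:\\winnt\\system32\\lsass.exe' terminated "
    "unexpectedly with status code -1073741819",
    # Same code, different process: not the LSASS symptom.
    "NT AUTHORITY\\SYSTEM 'c:\\windows\\system32\\svchost.exe' terminated "
    "unexpectedly with status code -1073741819",
    "The Event log service was started.",
]

_TERMINATED = re.compile(
    r"'(?P<path>[^']*\\(?P<image>[^'\\]+))' terminated unexpectedly "
    r"with status code (?P<code>-?\d+)",
    re.IGNORECASE,
)

# Rule model assumed for the example: (protocol, first_port, last_port, action),
# evaluated top-down with first match winning; anything unmatched is allowed.
Rule = Tuple[str, int, int, str]

# Weak: only TCP 445 blocked, which leaves UDP 445 and 135-139 reachable.
WEAK_RULES: List[Rule] = [("tcp", 445, 445, "block")]

# Hardened: the full set from the thread, on both transports.
HARDENED_RULES: List[Rule] = [
    ("tcp", 135, 139, "block"), ("udp", 135, 139, "block"),
    ("tcp", 445, 445, "block"), ("udp", 445, 445, "block"),
]


def ntstatus_hex(code: int) -> str:
    """Render a signed status code the way NTSTATUS values are documented."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def parse_lsass_event(line: str) -> Optional[dict]:
    """Return details if the line reports an unexpected LSASS termination."""
    m = _TERMINATED.search(line)
    if not m or m.group("image").lower() != "lsass.exe":
        return None
    code = int(m.group("code"))
    return {
        "path": m.group("path"),
        "code": code,
        "ntstatus": ntstatus_hex(code),
        # 0xC0000005 is STATUS_ACCESS_VIOLATION, the crash signature the thread
        # associates with the port 445 buffer-overflow attempts.
        "access_violation": code == LSASS_CRASH_CODE,
    }


def find_lsass_crashes(lines: Iterable[str]) -> List[dict]:
    """Filter a log to the LSASS termination events only."""
    events = (parse_lsass_event(line) for line in lines)
    return [ev for ev in events if ev is not None]


def exposed_ms_networking_ports(rules: Iterable[Rule]) -> List[Tuple[str, int]]:
    """List (protocol, port) pairs from MS_NETWORKING_PORTS the rules still allow."""
    rules = list(rules)
    exposed = []
    for proto in ("tcp", "udp"):
        for port in sorted(MS_NETWORKING_PORTS):
            action = "allow"
            for r_proto, low, high, r_action in rules:
                if r_proto == proto and low <= port <= high:
                    action = r_action
                    break
            if action == "allow":
                exposed.append((proto, port))
    return exposed


if __name__ == "__main__":
    for ev in find_lsass_crashes(SAMPLE_EVENTS):
        print(f"LSASS crash: {ev['path']} status {ev['ntstatus']} "
              f"access_violation={ev['access_violation']}")
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: exposed {exposed_ms_networking_ports(rules)}")
```

The rule model is deliberately minimal so the check runs offline; it stands in for a router's port-filter table. To audit a real device, export its inbound rules into the same (protocol, first_port, last_port, action) shape and pass them to `exposed_ms_networking_ports`; an empty result means every port David lists is blocked on both TCP and UDP.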

Robert J. Rando

Matt,

I have another machine that can burn an ISO CD-R image. I can also boot to
CD on the problem computer.
If you can provide me with a bootable CD for cleaning that would be
terrific!!!
I appreciate any help you can provide.

Thanks, Bob

Matt Thompson

If you email me, I will contact you and provide a link to a CD ISO to
download to scan and clean your computer.

Note: This offer only applies to the original poster, Robert J Rando.

kurt wismer

Robert said:
Any idea why when I do the Start, Run, Shutdown -a I can't get the system to
still function once I get the error message?

that's easy... LSASS is the local security authority subsystem... don't
expect any permission checking to succeed if LSASS has terminated and
therefore don't expect much of anything on a multi-user OS like windows
nt/2000/xp/2003 to work because just about everything will need to
first perform a permission check...

Can I copy anything from system
2 over to the System that is failing?

you can copy all kinds of things over, but it won't necessarily help as
it assumes that a legitimate file is broken instead of an illegitimate
program causing trouble...

if you have access to a second pc with a cd burner, i'd suggest trying a
bartpe disk (http://www.nu2.nu/pebuilder/) with one or more of the
malware recovery related plugins... otherwise, with all the trouble
you're having getting anything to function as it should, it may be more
expedient to rebuild the system from scratch as others have suggested..

cquirke (MVP Windows shell/user)

On Mon, 26 Dec 2005 16:38:08 -0700, "Robert J. Rando"
I'm still getting the message even with the network cable disconnected.

Wireless? InfraRed?

Is "Automatically restart on errors" disabled, or left as DUHfault?
Are RPC failures left in DUHfault "Restart Windows" mode?


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony

cquirke (MVP Windows shell/user)

From: "Robert J. Rando" <[email protected]>
What your problem is I don't know but you *may* have to rebuild the PC from scratch.

I'd formally scan it from Bart CDR boot, rather than just throw it
away every time malware makes it impossible to enter the PC through
the infected HD-installed OS. Use a combination of Bart, the
RunScanner plugin to re-direct access to HD registry, and many of the
usual tools that are compatible (AntiVir 6, Trend SysClean, AdAware,
Spybot, HiJackThis, the NirSoft integration management tools, etc.)

You can also drop the HD into another clean PC and scan it from there,
using online scanners as well as Windows-based av. The problem with
that approach is there's no easy way to clean up the HD installation's
registry (I haven't tried RunScanner within HD-based XP), and as the
host OS is not read-only, there's a risk of infecting it.

You can also try stuff like parallel OS installs, but the same hassles
apply - i.e. that a malicious registry setting that kills any attempt
to run the OS can't easily be found by automated means if the
knackered OS isn't running.

You can manually bind the hives to another OS installation's HKLM in
Regedit, but whether this will cause scanners to process them is
another matter. RunScanner plugin takes that a step further by
redirecting the shelled app to access these bound hives as if they
were the live ones, but that is a Bart plugin; I dunno whether it will
work when run from normal HD-based XP.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
 
