lsass.exe terminates unexpectedly

OldVaxGuy

Frequently (up to 4 or 5 occurrences in 8 hrs, seems random) my computer
restarts. I get a 'System Shutdown' window with a countdown timer stating
that the 'shutdown was initiated by NT AUTHORITY\SYSTEM' and 'lsass.exe
terminated unexpectedly with status code -1073741819'. The restart can be
aborted with the command 'shutdown -a' but this invalidates my domain login.
I'm running XP Pro SP3. Appreciate any help I can get to correct this.
 
Leonard Grey

Malicious software ("malware") is installed on your computer.

Make sure that your anti-malware software is running, then download the
latest signatures and run a full scan.

If you don't have comprehensive anti-malware software, that's like
driving a car without seat belts or air bags. Either way, you're
eventually going to get hammered. Install comprehensive anti-malware
software and learn how to use its features. A 'comprehensive' solution
scans for all types of malicious software in the background, on demand
and on schedule.

For now try scanning your system with /several/ of the better online
scanners, such as:
Kaspersky Antivirus (http://www.kaspersky.com/virusscanner)
Panda ActiveScan (http://www.pandasoftware.com/activescan)

Download HijackThis from www.trendsecure.com. Run it, save a log, and
post the log at one of the many sites that support HJT, such as
spywarewarrior.com, bleepingcomputer.com, and temerc.com -- but not
here. Within a day, sometimes within an hour, you'll have one-on-one
step-by-step advice from a security expert on cleaning up any
infestations—or you'll have a clean bill of health from the volunteer
expert.

Even the best detection and removal software can't fix every malware
infection. If none of the above remove the infection, you may want to
show the computer to a professional.
 
David H. Lipman

From: "OldVaxGuy" <[email protected]>

| frequently (up to 4 or 5 occurrences in 8 hrs, seems random) my computer
| restarts. I get a 'System Shutdown' window with a countdown timer stating
| that the 'shutdown was initiated by NT AUTHORITY\SYSTEM' and 'lsass.exe
| terminated unexpectedly with status code -1073741819'. the restart can be
| aborted with the command 'shutdown -a' but this invalidates my domain login.
| i'm running xp pro sp3. appreciate any help i can get to correct this.

Disconnect the PC from the network.

Does this stop?

Have you implemented the patch for MS08-067?
 
David H. Lipman

From: "Leonard Grey" <[email protected]>

| Malicious software ("malware") is installed on your computer.

Not necessarily. This may be a worm or trojan external to the PC trying to exploit
MS08-067.
 
nass

David H. Lipman said:
From: "Leonard Grey" <[email protected]>

| Malicious software ("malware") is installed on your computer.

Not necessarily. This may be a worm or trojan external to the PC trying to exploit
MS08-067.

How is that?

You can't get lsass.exe going nuts from outside the PC!
You can get the protection software defences going Mad in usage but not
lsass.exe.
HTH,
nass
 
David H. Lipman

From: "nass" <[email protected]>


| How is that?

| You can't get lsass.exe going nuts from outside the PC!
| You can get the protection software defences going Mad in usage but not
| lsass.exe.
| HTH,
| nass
| ---
| http://www.nasstec.co.uk

Sure you can. The same way the Lovsan/Blaster did to RPC/RPCSS via TCP port.

The Sasser worm did it to LSASS via TCP port 445.

Now you have trojans and worms doing it based upon the vulnerability described in MS08-067
 
Twayne

David H. Lipman said:
How is that?

You can't get lsass.exe going nuts from outside the PC!
You can get the protection software defences going Mad in usage but
not lsass.exe.
HTH,
nass

Actually some malware will actually replace lsass and when you clean it,
you no longer have the program any longer. It has to be replaced.
Somehow, even the original file can be modified by malware. I don't
recall if the details of how were ever given, but the AV companies all
seem to have info on it.
 
David H. Lipman

From: "Twayne" <[email protected]>


| Actually some malware will actually replace lsass and when you clean it,
| you no longer have the program any longer. It has to be replaced.
| Somehow, even the original file can be modified by malware. I don't
| recall if the details of how were ever given, but the AV companies all
| seem to have info on it.


LSASS.EXE is rarely if ever replaced. It can become infected with a virus or become
trojanized. That is, code can be inserted, prepended or appended to the EXE file.

The file name LSASS.EXE is also one of the most common used to obfuscate a given malware's
malicious intent.

Here it isn't the name that is important but the fully qualified path to where it is being
executed from.
Example:
The W32/Hupigon.worm will create: %windir%\LSASS.EXE

Variations on the name are often common to confuse the infected person, such as ISASS.EXE
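
The name-versus-path check described in the post above, as an added example that is not part of the original thread: it classifies process image paths as the genuine lsass.exe, the right name in the wrong directory, or a look-alike name. The function names, the process list and the assumption that Windows is installed in C:\Windows are all constructed for illustration.

```python
import ntpath

LEGIT_NAME = "lsass.exe"
# Assumption: Windows is installed in C:\Windows, so the genuine image lives here.
LEGIT_PATH = r"c:\windows\system32\lsass.exe"
# Characters commonly swapped in to build a look-alike name (I/1 for l, 0 for o, 5 for s).
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(image_path):
    """Return 'ok', 'wrong-path', 'lookalike' or 'unrelated' for one image path."""
    # Normalise case, slashes and ".." so only the real location is compared.
    path = ntpath.normcase(ntpath.normpath(image_path))
    name = ntpath.basename(path)
    if name == LEGIT_NAME:
        return "ok" if path == LEGIT_PATH else "wrong-path"
    # Look-alike: identical after folding confusable characters, or one edit away.
    if name.translate(CONFUSABLES) == LEGIT_NAME or edit_distance(name, LEGIT_NAME) == 1:
        return "lookalike"
    return "unrelated"

# Constructed sample (PID, image path) pairs, not taken from a real system.
SAMPLE = [
    (684, r"C:\WINDOWS\system32\lsass.exe"),
    (1312, r"C:\WINDOWS\LSASS.EXE"),           # right name, wrong directory
    (1460, r"C:\WINDOWS\system32\ISASS.EXE"),  # capital I in place of l
    (1988, r"C:\WINDOWS\system32\svchost.exe"),
]

def suspicious(processes):
    """Return (pid, path, verdict) for every entry that imitates lsass.exe."""
    results = [(pid, path, classify(path)) for pid, path in processes]
    return [r for r in results if r[2] in ("wrong-path", "lookalike")]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE):
        print(hit)
```

A hit from this check says only that the name or location is unusual; a trojanized file at the genuine path still needs a hash or signature check.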
 
