From: "Duck" <[email protected]>
| The computer will only boot partway. I get a system shutdown in 60 seconds
| even before I get to the desktop. It says lsass.exe terminated unexpectedly.
| Also 1073741819 shows as a status code.
|
| I've tried Safe Mode and last known good configuration and neither works.
|
| I've tried taking the hard drive out of the computer and installing it as a
| second drive to scan for viruses. I've used AVG and NAV, both updated, to
| scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
| drive. None of these found anything at all.
|
| I've also tried replacing the lsass.exe file with a known good one.
|
| I cannot get the computer to boot so I cannot do anything with the drive
| while it is in the computer.
|
| How can I fix this?
Download the patch (below). Put the patch and Stinger on media (CDROM, ZIP Disk, USB Flash
drive, etc), disconnect the affected PC from the Internet and install the patch. Then reboot
the PC and perform the following scan of the PC using Stinger and the below Multi AV Command
Line Scanner front end utility!
If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
following when you get the shutdown message.
Go to; Start --> Run
enter; shutdown /a
If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
alt.binaries.comp.virus
In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
issues"
This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger:
http://vil.nai.com/vil/stinger/
Please read the following URL:
http://www.microsoft.com/security/incident/sasser_printxp.mspx
Install the following patch for the LSASS vulnerability addressed by; KB835732
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
Please read:
http://www.microsoft.com/security/incident/sasser.mspx
You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
just be re-infected.
I also suggest the installation of ALL MS Critical Updates ASAP.
You can also scan the system using the below multi AV Command Line Scanner front end utility.
Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files
Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.
* * * Please report back your results * * *