Problem with LSA Shell (Export version)

Jonas

I get an error message that says that it is something
wrong with LSA Shell (Export version). Then a system
message comes up that says:

Windows will be shut down. Initiated by NT Instans\system

windows\system32\Isass.exe was shut down unexpected. Then
some numbers are shown 1073741819. Then a clock starts to
count down from 1 minute. The computer will restart.

What is this and how can I fix it? Please help me it is
really annoying!

Thanks

Jonas
 
Malke

Jonas said:
I get an error message that says that it is something
wrong with LSA Shell (Export version). Then a system
message comes up that says:

Windows will be shut down. Initiated by NT Instans\system

windows\system32\Isass.exe was shut down unexpected. Then
some numbers are shown 1073741819. Then a clock starts to
count down from 1 minute. The computer will restart.

What is this and how can I fix it? Please help me it is
really annoying!
Sounds like you've gotten caught by the Sasser worm. Don't have an
updated antivirus installed, hmmm? Here's the link to information:

http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

Get the worm off your system and then immediately patch XP:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Malke
 
Guest

I just had the same problem. It's a trojan.
Please let us know how to fix it.
Thanks
 
Malke

Debie said:
I just had the same problem. It's a trojan?
Please let us know how to fix it.
Thanks

Sounds like you've gotten caught by the Sasser worm. To stop the
rebooting, go to Start>Run and type "shutdown -a" without the quotes.
For information about the worm, go here:

http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

Get the worm off your system and then immediately patch XP:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx -
TechNet bulletin with download links

http://windowsupdate.microsoft.com

Install an antivirus program and keep it updated. Install a firewall. XP
has a built-in firewall, or there are free alternatives like Zone Alarm
or Sygate.

Malke
 
Todd

Sounds like you've gotten caught by the Sasser worm. Don't have an
updated antivirus installed, hmmm? Here's the link to information:

http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

Get the worm off your system and then immediately patch XP:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Malke

I've got the same problem on several machines here, but after trying
several antivirus programs, none of them detect that Sasser is on the
systems. I've run Norton's Sasser removal tool, fsecure's online
scan, etc. I also looked in the registry for the Sasser symptoms, and
in the Windows dir for the files that are dropped, there are no
symptoms there. Is anyone else having this problem?

Todd
 
Malke

Todd said:
I've got the same problem on several machines here, but after trying
several antivirus programs, none of them detect that Sasser is on the
systems. I've run Norton's Sasser removal tool, fsecure's online
scan, etc. I also looked in the registry for the Sasser symptoms, and
in the Windows dir for the files that are dropped, there are no
symptoms there. Is anyone else having this problem?

Todd

Todd - Be sure you have today's version of the Symantec Sasser removal
tool - it has been updated to cover 3 variants. The problem is that so
many of these worms mutate rapidly; just look at the number of variants
of Netsky, etc. Alternatively, you may not have the Sasser worm, or you
had it and it was cleaned off but files are damaged. Maybe try running
System File Checker if you are sure your computer is clean.

Malke
 
Todd Ellison

Todd - Be sure you have today's version of the Symantec Sasser removal
tool - it has been updated to cover 3 variants. The problem is that so
many of these worms mutate rapidly; just look at the number of variants
of Netsky, etc. Alternatively, you may not have the Sasser worm, or you
had it and it was cleaned off but files are damaged. Maybe try running
System File Checker if you are sure your computer is clean.

Malke

Thanks, Malke. I didn't know there was a C version out this morning.
The version of fxSasser that I was using, though, was downloaded this
morning and appears to be the same one I just downloaded from the
Symantec site, but I am running the new download anyway.

The C variant still says that it installs avserve2.exe, though, which
doesn't exist on my system. I am starting to worry that there is an
undetected worm out there that may be getting overshadowed by the rush
to beat Sasser.

Todd
 
Malke

Todd said:
Thanks, Malke. I didn't know there was a C version out this morning.
The version of fxSasser that I was using, though, was downloaded this
morning and appears to be the same one I just downloaded from the
Symantec site, but I am running the new download anyway.

The C variant still says that it installs avserve2.exe, though, which
doesn't exist on my system. I am starting to worry that there is an
undetected worm out there that may be getting overshadowed by the rush
to beat Sasser.
There is always that possibility, but I wouldn't rule out some other
problem unrelated to viruses, either. You sound like you are computer
savvy, but don't forget there is no shame in taking the machine to
someone else to have a look. I've done it a few times myself! ;-)

Good luck,

Malke
 
t

We are not seeing any symptoms of SASSER and have run the latest
utilities as well, however to no avail. Many of our PCs are no longer
able to see the network and all tactics have been attempted to resolve
the issue with the exception of a reformat of the hard drive. It
doesn't appear to be SASSER, Todd would you describe your symptoms?
I'm curious if there is another issue we are facing as well? Thank
you in advance. - Tim
 
t

Todd and Malke,

I am concerned we are chasing a phantom virus issue as well. We have
many of our PCs no longer able to see the network. After the list of
standard network and anti-virus/Windows update tactics, we are not
left with many options, other than placing a new image on the problem
PCs. Todd, I have the same concern that you do in that we are facing
something other than SASSER ... if anyone can relate or provide
additional insight, it would be much appreciated. Does anyone else
have symptoms where network connectivity is not available and there is
no trace of the SASSER worm to be found?

Thank you in advance.

Tim
 
PA Bear

Instructions for patching and cleaning vulnerable Windows 2000 and Windows
XP systems:

Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE
process crash every time a malicious worm packet targets the vulnerable
machine which can occur very shortly after the machine starts up and
initializes the network stack.

When cleaning a machine that is vulnerable to the Sasser worm it is
necessary to first prevent the LSASS.EXE process from crashing, which in
turn causes the machine to reboot after a 60 second delay. This reboot
cannot be aborted on Windows 2000 platforms using the Shutdown.exe or
psshutdown.exe utilities and can interfere with the downloading and
installation of the patch as well as removal of the worm.

1. To prevent LSASS.EXE from shutting down the machine during the cleaning
process:

a. Unplug the network cable from the machine

b. If you are running Windows XP you can enable the built-in Internet
Connection Firewall using the instructions found here: Windows XP
http://support.microsoft.com/?id=283673 and then plug the machine back into
the network and go to step 2.

c. If you are running Windows 2000, you won't have a built-in firewall and
must use the following work-around to prevent LSASS.EXE from crashing. This
workaround involves creating a read-only file named 'dcpromo.log' in the
"%systemroot%\debug" directory. Creating this read-only file will prevent
the vulnerability used by this worm from crashing the LSASS.EXE process.

NOTE: %systemroot% is the variable that contains the name of the Windows
installation directory. For example if Windows was installed to the
"c:\winnt" directory the following command will create a file called
dcpromo.log in the c:\winnt\debug directory. The following commands must be
typed in a command prompt (i.e. cmd.exe) exactly as they are written below.

1. To start a command shell, click Start and then click run and type
'cmd.exe' and press enter.

2. Type the following command: echo dcpromo >%systemroot%\debug\dcpromo.log

For this workaround to work properly you MUST make the file read-only by
typing the following command:

3. attrib +R %systemroot%\debug\dcpromo.log


2. After enabling the Internet Connection Firewall or creating the read-only
dcpromo.log you can plug the network cable back in and you must download and
install the MS04-011 patch from the MS04-011 download link for the affected
machines operating system before cleaning the system. If the system is
cleaned before the patch is installed it is possible that the system could
get re-infected prior to installing the patch.

a. Here is the URL for the bulletin which contains the links to the download
location for each patch:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

b. If your machine is acting sluggish or your Internet connection is slow
you should use Task Manager to kill the following processes and then try
downloading the patch again (press the Ctrl + Alt + Del keys simultaneously
and select Task Manager):

i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)

ii. Kill any process starting with 'avserv' (i.e. avserve.exe,
avserve2.exe)

iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)

iv. Kill hkey.exe

v. Kill msiwin84.exe

vi. Kill wmiprvsw.exe

1. Note there is a legitimate system process called 'wmiprvse.exe'
that does NOT need to be killed.

c. Allow the system to reboot after the patch is installed.


3. Run the Sasser cleaner tool from the following URL:

a. For the on-line ActiveX control based version of the cleaner you can run
it directly from the following URL:
http://www.microsoft.com/security/incident/sasser.asp

b. For the stand-alone download version of the cleaner you can download it
from the following URL:

http://www.microsoft.com/downloads/...7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en

4. Determine if the machine has been infected with a variant of the Agobot
worm which can also get on the machine using the same method as the Sasser
worm.

a. To do this run a full antivirus scan of your machine after ensuring your
antivirus signatures are up to date.

b. If you do NOT have an antivirus product installed you can visit HouseCall
from TrendMicro to perform a free scan using the following URL:
http://housecall.trendmicro.com/

If you have any questions regarding the security updates or its
implementation after reading the above listed bulletin you should contact
Product Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.mvps.org/

Protect Your PC
http://www.microsoft.com/security/protect
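The process-name checks in step 2b above, turned into a small triage script that a helpdesk could run over saved `tasklist` output. This is an added example, not part of PA Bear's post or any Microsoft tool; the process listing it parses is constructed sample data, and the rules flag exactly the names the post lists while leaving the legitimate wmiprvse.exe alone.

```python
import re

# Image-name rules taken from the cleanup instructions in the post above.
# Each entry: (reason shown to the operator, predicate on the lowercased name).
SUSPECT_RULES = [
    ("ends with _up.exe (Sasser FTP download helper)", lambda n: n.endswith("_up.exe")),
    ("starts with avserv (avserve.exe / avserve2.exe)", lambda n: n.startswith("avserv")),
    ("starts with skynetave",                           lambda n: n.startswith("skynetave")),
    ("hkey.exe",                                        lambda n: n == "hkey.exe"),
    ("msiwin84.exe",                                    lambda n: n == "msiwin84.exe"),
    ("wmiprvsw.exe (note: NOT the legitimate wmiprvse.exe)", lambda n: n == "wmiprvsw.exe"),
]

# Legitimate Windows processes that look similar to the suspects; never flagged.
KNOWN_GOOD = {"wmiprvse.exe", "lsass.exe", "svchost.exe"}

def classify(image_name):
    """Return the matching rule's reason for a suspicious image name, else None."""
    name = image_name.strip().lower()
    if name in KNOWN_GOOD:
        return None
    for reason, rule in SUSPECT_RULES:
        if rule(name):
            return reason
    return None

def triage(tasklist_text):
    """Parse tasklist-style lines ('image.exe  PID ...') and return [(pid, name, reason)]."""
    hits = []
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)", line, re.IGNORECASE)
        if not m:
            continue  # header, separator, or a name without .exe such as 'System'
        name, pid = m.group(1).lower(), int(m.group(2))
        reason = classify(name)
        if reason:
            hits.append((pid, name, reason))
    return hits

# Constructed sample in the layout of Windows XP 'tasklist' output (not a real capture).
SAMPLE_TASKLIST = """Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         28 K
lsass.exe                      664 Console                 0      1,424 K
svchost.exe                    900 Console                 0      4,012 K
wmiprvse.exe                  1200 Console                 0      3,100 K
wmiprvsw.exe                  1324 Console                 0      2,980 K
avserve2.exe                  1500 Console                 0      1,808 K
12345_up.exe                  1612 Console                 0        920 K
skynetave.exe                 1700 Console                 0      1,644 K
hkey.exe                      1800 Console                 0      1,212 K
"""

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_TASKLIST):
        print(f"PID {pid:>5}  {name:<14} {reason}")
```

On a live machine, pipe the real listing in with `tasklist > procs.txt` and pass the file contents to `triage()`; a hit is a prompt to run the up-to-date scanner and the MS04-011 patch steps above, not proof of infection by itself.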