Unexpected shut-down, NT Authority System??

Guest

I was using the internet when I got a message saying that my computer was shutting down in one minute. It said that it had to do with NT Authority system, and that the error had occurred in lsass.exe, from my system32 folder. The error code (I think that is what it was) was 1073741819. I restarted my computer and hoped that it had been fixed, but when I went back on the internet, the same thing happened. Can someone help?
 
Carey Frisch [MVP]

Apparently, your PC is infected with the "Blaster Worm". Use the following
tools to remove it, then promptly update your PC with the Critical Updates
available from the Windows Update website.

If your computer is constantly attempting to shut down
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

------------------------------------------------------------------

Then immediately turn on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/

Special note if you use AOL:

America Online installs its own connection settings that override
the ones that come with Windows XP. America Online's
connection settings don't include a way to turn on Windows XP's
built-in firewall.

Visit the following web site for instructions on downloading
a FREE firewall program for your computer.

Ref: http://www.updatexp.com/free.html

A tool is available to remove Blaster worm and Nachi worm infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

3 Steps to Help Ensure your PC is Protected
http://www.microsoft.com/security/protect/

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

--------------------------------------------------------------------------------------------------------------


| I was using the internet when I got a message saying that my computer was shutting down in one minute. It
| said that it had to do with NT Authority system, and that the error had occurred in lsass.exe, from my system32
| folder. The error code (I think that is what it was) was 1073741819. I restarted my computer and hoped that it
| had been fixed, but when I went back on the internet, the same thing happened. Can someone help?
 
Guest

I did what you wrote to do and the system is still shutting down. I ran CMD and typed in shutdown -a and then I downloaded 833330. After I downloaded and installed it, it said I wouldn't have to do anything else. Within a minute, after restarting, the system shutdown message came up again. I typed in the shutdown -a and it aborted the shutdown. What do I do to prevent it from happening again after I have restarted my system?
 
Guest

Now I have a new problem! When I tried to have Windows Update scan my computer, it wouldn't go past 0, and gave me the error code 0x800C0008. I went to the online help section and did what I was told in the troubleshooting section-- make sure that I had a language set, make sure my computer's time and date were correct, and delete all cookies/internet files-- and I still get this error. So I can't get updates, and can't get rid of the worm! What should I do?
 
roger

Hi michelleking89,

| I did what you wrote to do and the system is still shutting down. I ran CMD and typed in shutdown -a and then I downloaded 833330. After I downloaded and installed it, it said I wouldn't have to do anything else. Within a minute, after restarting, the system shutdown message came up again. I typed in the shutdown -a and it aborted the shutdown. What do I do to prevent it from happening again after I have restarted my system?

The stinger tool may also be helpful in detecting and
cleaning the Sasser worm.
http://vil.nai.com/vil/stinger/

Download this update
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Enable your firewall.

MORE ON SECURITY:

Three steps you can take to improve your computer's security:
http://www.microsoft.com/security/protect/

321050 Description of a Personal Firewall
http://support.microsoft.com/?id=321050

More info:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.bullguard.com/antivirus/vit_randon_i.aspx
http://www.vsantivirus.com/sasser-a.htm

Hope this helps
 
roger

Hi,

| Now I have a new problem! When I tried to have Windows Update scan my computer, it wouldn't go past 0, and gave me the error code 0x800C0008. I went to the online help section and did what I was told in the troubleshooting section-- make sure that I had a language set, make sure my computer's time and date were correct, and delete all cookies/internet files-- and I still get this error. So I can't get updates, and can't get rid of the worm! What should I do?

The stinger tool may also be helpful in detecting and
cleaning the Sasser worm.
http://vil.nai.com/vil/stinger/

Download this update
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Enable your firewall.

MORE ON SECURITY:

Three steps you can take to improve your computer's security:
http://www.microsoft.com/security/protect/

321050 Description of a Personal Firewall
http://support.microsoft.com/?id=321050

More info:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.bullguard.com/antivirus/vit_randon_i.aspx
http://www.vsantivirus.com/sasser-a.htm

Hope this helps
 
Guest

I've been having the same exact problem. Mine were also accompanied by BSOD.

I've noticed a process running on my machine using up nearly 100% of the processor. It's called avserve2.exe.

Is this an actual part of WinXP?
 
roger

Narlock,

| I've been having the same exact problem. Mine were also accompanied by BSOD!
|
| I've noticed a process running on my machine using up nearly 100% of the processor. It's called avserve2.exe.
|
| Is this an actual part of WinXP?

You have the Sasser worm.

Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm, please do the following:

Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
Disconnect the computer from the Internet.
Restart the computer. If you have problems rebooting, reboot in safe mode.
Press CTRL+ALT+DEL.
Click the Task Manager.
Click the Processes tab.
Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
Click the End Task button.
Click Start.
Click Search and then search for and delete the following files:
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\*_up.exe
Click Start again, click Run, and then type: regedit32
Click OK.
In Registry Editor, locate and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
Connect the computer to the Internet.
Go to the Windows Update site, and click the Scan for Updates button.
Download and install the critical updates recommended after the scan.

The stinger tool may also be helpful in detecting and
cleaning the Sasser worm.
http://vil.nai.com/vil/stinger/

Download this update
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Enable your firewall.

MORE ON SECURITY:

Three steps you can take to improve your computer's security:
http://www.microsoft.com/security/protect/

321050 Description of a Personal Firewall
http://support.microsoft.com/?id=321050

More info:

http://www.microsoft.com/security/incident/sasser.asp

Good luck
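
A read-only check for the indicators named in the mitigation steps above, added here as an example; it is not part of any post in this thread or of any vendor removal tool. It assumes PowerShell is available on the machine, widens the file and process pattern to `avserve*` so that it also covers the avserve2.exe process reported earlier in the thread, and treats a missing KB835732 entry as something to confirm, since a fix delivered through a later service pack is not listed individually.

```powershell
# Added example: read-only triage for the Sasser indicators named in this thread.
# Nothing is deleted or changed; the script only reports what it finds.
$winDir = $env:SystemRoot   # C:\WINDOWS in the steps above

# Files listed in the mitigation steps: avserve.exe and system32\*_up.exe.
# 'avserve*.exe' is an assumption that also covers the reported avserve2.exe.
$fileHits = @(
    Get-ChildItem -Path $winDir -Filter 'avserve*.exe' -Force -ErrorAction SilentlyContinue
    Get-ChildItem -Path (Join-Path $winDir 'system32') -Filter '*_up.exe' -Force -ErrorAction SilentlyContinue
)

# Running processes with the same names (ProcessName has no .exe suffix).
$procHits = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -like 'avserve*' -or $_.ProcessName -like '*_up' })

# Autostart value under the Run key named in the steps.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = @()
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $runHits = @($run.PSObject.Properties | Where-Object { $_.Name -like 'avserve*' })
}

# MS04-011 (835732), the update the replies point to.
$patch = Get-HotFix -Id 'KB835732' -ErrorAction SilentlyContinue

$fileHits | ForEach-Object { "FILE     $($_.FullName)" }
$procHits | ForEach-Object { "PROCESS  $($_.ProcessName) (PID $($_.Id))" }
$runHits  | ForEach-Object { "RUN KEY  $($_.Name) = $($_.Value)" }

$indicators = $fileHits.Count + $procHits.Count + $runHits.Count
if ($indicators -gt 0) {
    "RESULT   $indicators indicator(s) found: disconnect, clean, then patch."
} else {
    "RESULT   no listed indicators found."
}
if ($patch) {
    "PATCH    KB835732 installed on $($patch.InstalledOn)"
} else {
    "PATCH    KB835732 not listed: confirm MS04-011 is applied before reconnecting."
}
```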
 
Guest

Would the Sasser worm also cause BSOD crashes?

I'm getting IRQL_NOT_LESS_OR_EQUAL errors with 0x0000000a (0x00000016, ox00000001c,0x0000000,0x804f5734)

Any ideas?
 
Bruce Chambers

Greetings --

You've contracted the latest worm, W32.Sasser.Worm, specifically
designed to attack people who do not update their computers promptly
and who do not practice "safe hex." In other words, like Blaster,
this worm was developed and distributed _after_ a patch for the
vulnerability was announced and made publicly available. Further, and
also like Blaster, this worm could not affect any computer whose user
had taken the basic precaution of using a properly configured
firewall.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Bruce Chambers

Greetings --

Carey, there's a new one:

W32.Sasser.Worm, specifically designed to attack people who do not
update their computers promptly and who do not practice "safe hex."
In other words, like Blaster,
this worm was developed and distributed _after_ a patch for the
vulnerability was announced and made publicly available. Further, and
also like Blaster, this worm could not affect any computer whose user
had taken the basic precaution of using a properly configured
firewall.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
