A number of us have been complaining about this virus/trojan that shuts down our computers every reboot with the message:
System Shutdown:
This system is shutting down. Please save all... This shutdown was initiated by NT AUTHORITY\SYSTEM.
Message: The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart.
I've tried everything. Norton, Trend Micro, Ad-Aware, CWShredder, Pest Patrol Corp Edition, Spybot. All critical MS updates are installed. Nothing sees any virus/trojan.
Here's the clue: in msconfig under the 'Services' tab I took a check mark off "Windows Security Update (Manufacturer: unknown)". When this item is disabled, I get no shutdown problem. When this item is enabled, the system shuts down every reboot.
Any idea? How do I figure out what this mysterious "Windows Security Update" item is?
ismay

ismay
Since you have tried everything to find it with no results...
Download Hijackthis from here:
http://spywarewarrior.com/files/HijackThis.exe
Make a separate folder for Hijack, e.g. c:\HJT\Hijackthis.exe
Hijack makes backups of what is removed; restoring backups if needed is unreliable if it is run from a temp folder or the desktop.
Recheck the item(s) you have disabled in msconfig and reboot (yes, you will start the virus again, but Hijack can't see it if it's disabled).
Start Hijack > click Scan; the Scan button changes to a Save Log button. Save the log, it will pop up in Notepad; copy/paste the entire results in a reply in this thread.
Don't fix anything yet... most of what you see in the scan is safe or even essential.
We will see what next.
_________________________________
I never give up!

Hi blender!
I have exactly the same problem with lsass.exe as Ismay. The computer crashes from time to time, showing the screen with the error message "lsass.exe blablabla". I have all security and recommended updates installed on my machine (Win XP Pro) and no antivirus software reports a virus. I've made a log from hijackthis.exe as you recommended to ismay; this is the result:
Logfile of HijackThis v1.97.7
Scan saved at 12:30:43, on 26.4.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Utils\USroll\UScroll.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\Total Commander 5.5\TOTALCMD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Common Files\Microsoft Shared\Help\dexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Temp\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.10.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uniba.sk:3128
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UScroll] C:\Utils\USroll\UScroll.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.3383217593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kvant.sk
O17 - HKLM\Software\..\Telephony: DomainName = kvant.sk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kvant.sk
I couldn't see anything unusual in the report; I am not an expert. Please note that UScroll is my utility, not a virus.
Thank you in advance.

Hi Blender, as you requested, here's the log (thanks for your help):
Logfile of HijackThis v1.97.7
Scan saved at 10:32:19 AM, on 4/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.exe
C:\WINDOWS\SOUNDMAN.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Sony Handheld\HOTSYNC.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Sony Handheld\Configtool.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

I'm getting this problem too, and it's very annoying trying to fix it, when you're in the middle of searching for help or doing online virus scans, it pops up and shuts your computer down!
'Here's the clue: in msconfig under the 'Services' tab I took a check mark off "Windows Security Update (Manufacturer: unknown)". When this item is disabled, I get no shutdown problem. When this item is enabled, the system shuts down every reboot.'
How exactly do you get to that checkmark?

I just started having this problem today.
I went to that msconfig place like you said [to get there, go to Start > Run > "msconfig" + Enter], but I didn't see that thing to check off.
To stop your system from rebooting itself, you can go to Start > Run > and type in "shutdown -a".
What's that HijackThis thing gonna do anyway?

... Or what if "Windows Security Update (Manufacturer: unknown)" is NOT SHOWN in order to uncheck it?

"the system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. the system will now shut down and restart"

"the system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. the system will now shut down and restart"
PLZ HELP

Hi guys,
A couple of days ago, the same problem suddenly started to show up on my Windows 2000 PC. When it appeared for the first time, it was several hours after the boot. But then, once this forced shutdown-reboot was made, it appeared frequently; the timing is not constant, but many times it was several minutes after reboot. I checked the registry for a sign of a virus setup, but there was nothing like the usual setup, such as a new entry under RUN.
Then I checked around on the Internet for any clue and reached one which hinted that Microsoft Security Bulletin MS04-011 (KB835732) would be related. So I downloaded this fix and applied it. After that, I haven't had this problem even once. So I guess this fix solved the problem.
When I applied this fix, my concern was whether the fix could be applied before this problem appeared, but the time required to apply this fix is so short that I could successfully apply it.
Hope this information will help you fix this problem.
(Note): When I checked this Security Bulletin on the Microsoft web site, I found a similar kind of security vulnerability described in MS04-012. So I installed the fix for this, too, at the same time. But I believe the fix which solved this problem was MS04-011. Anyway, it'd be better to apply both fixes against different kinds of attacks in future.

Just had this same issue with lsass.exe on my windows XP PC. The latest update of AVG seems to find it. AVG found downloader.keenval.b and .c in c:\program files\common files\updmgr\rvupdmgr.exe and simgr.exe. After auto-healing and MS patch downloading the system seems fine.

I had the same problem with restarting (lsass.exe). I've updated my virus definitions and it just found that this virus was trying to infect my system. You need to have the 30.04.2004 virus definitions for NortonAV to recognize it!!!
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html#recommendations

Hey this happened to me two times. The first time was some months ago and the second one was yesterday.
But this time I knew what to do, and I fixed it faster than the other time. I have Windows XP; the only thing you have to do is download a patch for Windows from: http://support.microsoft.com/?kbid=824146
There you can find a patch for different versions of Win.
If you want info about this virus go to: What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp
I hope you can fix it, guys, because this bug is really annoying... good LUCK!

This isn't the Blaster worm! It's a newer worm that has the same effect. I had Blaster before, and I ran the fix for it after this new one started showing up yesterday. It didn't detect anything.
I think this might have to do with the new Windows XP Update, which I had just downloaded and installed a few hours before all this started showing up....

It's not the Blaster!! The Blaster used to shut down a different process... can't remember right now... but not the lsass...
I can't even download anymore from the Microsoft security update and my Norton antivirus doesn't work anymore... can't update virus definitions anymore!!! AAARGGRR
PLEASE HELP!!
Peace & Love
CiRoPanZa

Actually the Blaster was a remote procedure call process that was interrupted and was forcing the PC to shut down...
The shutdown -a WORKS!!! GREAT, hermione...
even if it doesn't solve the problem... can't connect even to the Symantec website anymore!!!
Why don't hackers have sex instead of making viruses!!!!!!! HATE THEM
Peace & Love
CiRoPanZa

I also just ran my Windows Update and seconds later got this virus. And yes, it is not Blaster. Norton just identified this virus YESTERDAY! I'm still in the process of trying to fix it; I'll post as soon as I know if it actually worked or not. Here's their advice:
W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. End the malicious process.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
5. Reverse the change made to the registry.
For details on each of these steps, read the following instructions.
1. To end the malicious process
To end the malicious process:
a. Press Ctrl+Alt+Delete once.
b. Click Task Manager.
c. Click the Processes tab.
d. Double-click the Image Name column header to alphabetically sort the processes.
e. Scroll through the list and look for the following processes:
avserve.exe
any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
f. If you find any such process, click it, and then click End Process.
g. Exit the Task Manager.
2. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
________________________________________
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
________________________________________
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
3. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater). The Intelligent Updater virus definitions are available: read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
4. To scan for and delete the infected files
a. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
b. Run a full system scan.
c. If any files are detected as infected with W32.Sasser.Worm, click Delete.
5. To reverse the change made to the registry
________________________________________
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
________________________________________
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, then click OK. (The Registry Editor opens.)
c. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete the value: "avserve.exe"="%Windir%\avserve.exe"
e. Exit the Registry Editor.
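As an added example (not code from this thread, nor from Symantec or HijackThis), here is a small Python triage script that ties together blender's HijackThis-log procedure, the shutdown message quoted at the top of the thread, and the Sasser indicators in the Symantec steps just above. It reinterprets the signed status code from the shutdown dialog as an NTSTATUS value (the two names come from the Windows SDK's ntstatus.h) and scans a HijackThis-style log for the file names Symantec lists (avserve.exe, and four or five digits followed by _up.exe) plus the avserve2.exe variant mentioned later in the thread. The log and the messages inside the block are constructed for the example, and the indicator list and regular expressions are this example's own assumptions, not a complete Sasser signature.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs for this example: the two shutdown messages quoted in
# the thread, and a HijackThis 1.97-style log in the same layout as the logs
# posted above, with Sasser indicators added so the scanner has something to
# find (the logs actually posted in the thread show none).
SHUTDOWN_MESSAGES = [
    r"The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly "
    r"with the status code -1073741676. The system will now shut down and restart.",
    r"the system process 'c:\windows\system32\lsass.exe' terminated unexpectedly "
    r"with status code -1073741819. the system will now shut down and restart",
]

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:32:19 AM, on 4/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\avserve.exe
C:\WINDOWS\System32\74354_up.exe
C:\WINDOWS\Explorer.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [avserve.exe] C:\WINDOWS\avserve.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# NTSTATUS names from the Windows SDK's ntstatus.h, limited to the two codes
# that appear in this thread; extend as needed.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}

STATUS_RE = re.compile(r"status code (-?\d+)", re.IGNORECASE)

# File names the Symantec write-up (quoted above) and later posts associate
# with Sasser: avserve.exe / avserve2.exe, and 4-5 digits followed by _up.exe.
# This list is an assumption of the example, not a complete signature.
SASSER_FILE_RE = re.compile(r"\b(avserve\d*\.exe|\d{4,5}_up\.exe)\b", re.IGNORECASE)
HJT_ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


def decode_ntstatus(code: int) -> Tuple[str, str]:
    """Reinterpret the signed 32-bit number shown by the shutdown dialog as an
    unsigned NTSTATUS value and name it if known."""
    unsigned = code & 0xFFFFFFFF
    return "0x{:08X}".format(unsigned), NTSTATUS_NAMES.get(unsigned, "unknown")


def status_from_message(message: str) -> Optional[Tuple[str, str]]:
    """Pull the status code out of an lsass.exe shutdown message, if present."""
    m = STATUS_RE.search(message)
    return decode_ntstatus(int(m.group(1))) if m else None


def find_sasser_indicators(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and report lines that reference Sasser file names,
    classified as a running process, an O4 autorun entry, or other."""
    hits: List[Dict[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True  # the path list that follows the header
            continue
        if HJT_ENTRY_RE.match(line):
            in_processes = False  # the first Rn/On entry ends the process list
        m = SASSER_FILE_RE.search(line)
        if not m:
            continue
        if in_processes:
            kind = "running process"
        elif line.startswith("O4 - "):
            kind = "autorun (O4)"
        else:
            kind = "other"
        hits.append({"kind": kind, "file": m.group(1).lower(), "line": line})
    return hits


if __name__ == "__main__":
    for msg in SHUTDOWN_MESSAGES:
        print("shutdown status:", status_from_message(msg))
    for hit in find_sasser_indicators(SAMPLE_LOG):
        print("{kind:16} {file:14} {line}".format(**hit))
```

Run it as-is to see both codes decoded and three hits from the constructed log, or pass your own saved log to find_sasser_indicators(open(path).read()). Two caveats: the status code only says how lsass.exe died (an access violation or a divide by zero), not what caused it, and a clean log does not rule the worm out, since, as blender notes above, HijackThis cannot see an entry that is currently disabled.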

Help! I had the "lsass.exe" shutdown problem, and downloaded the Microsoft patch listed above. Now, my pc doesn't shut down anymore, but I have tons of other problems. I can't copy/paste, my "add/remove programs" doesn't have ANY programs in it (just a blank window opens), etc.
Please help!
(I have Windows 2000 Professional, have run Ad-Aware, Spybot, Stinger, etc. I do NOT have any antivirus software. I cannot do Windows Update either because it won't load anything. Even typing the web address in my address bar for IE comes up blank.)
Thank you!

Also, to follow up my previous post, in my Regedit, I noticed something that is strange to me. Under HKEY_LOCAL_MACHINE; SOFTWARE; Microsoft; Windows; Current Version; and Run, there is only 1 item in the "run" folder. It's name is "(default)" and type is "reg_sz". I believe there used to be several programs in there.
An additional note - an "Expert" told me this morning to disable my RPC under Control Panel, Administrative Tools, Services. I did, but now I can't enable it again. When I double click on it, nothing happens - no new window opens to allow me to enable it.
Thanks!

I am having the same problem and I have Windows XP Professional; it only happens when I am accessing the internet. Also, it only happens when I am on the internet using a dial-up connection (it doesn't happen when I am accessing the net via DSL). I am also an AVG antivirus user; I updated my virus software and I ran it several times but it wasn't able to detect any viruses except the "lovesan" virus, which it removed through healing. I have also noticed that a Windows error message appears which says something is wrong with the "LSA Shell"; apparently that is connected with the "lsass.exe" file. I have tried running the "Microsoft Security Bulletin MS04-011 (KB835732)" as recommended by one of the users here, but every time I run the downloaded file it doesn't install successfully. That's where things are so far. Could anyone please help??

Hi to all
I spent my WHOLE evening trying to get rid of this f*** shutdown problem.
Before those very messages, I could not find ANYTHING over the Internet to help me.
THANK YOU very much!!!
But I would just add something a friend told me, which could help the ones who have low-speed Internet connections: when the shutdown message shows up, just set your Windows clock 1 (or more) day back. Instead of having just one minute to do what you need to do, you will have 1 (or more) day and one minute.
(sorry for my bad english as it is not my native language)

Kudos to Kazu_from_Japan
I too was frustrated watching my computer re-boot every few minutes.
I tried what Kazu suggested and...IT WORKED!
I downloaded the Microsoft Security Bulletin MS04-011 (KB835732). I'm running XP Pro w/DSL.
Thanks ever so much. Once again, this old computer is working just fine.

This reboot problem seems solved for me too after applying the patch KB835732 from Microsoft.
thx

Yeah, the Microsoft Security Bulletin MS04-011 (KB835732) works!!
You can download it here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Use Start > Run > "shutdown -a" if the warning pops up while you're downloading/installing the program so you can continue.

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
The procedure to clean Sasser is at the link.

HELLO GUYS!!!
I have been following this thread for days now. And yes, the problem with the lsass.exe shutdown can only be solved by updating Windows XP. I tried every recently updated antivirus I got, but that did not solve the problem.
However, since my Win XP computer receives automatic updates from Windows, I noticed there is an entry in the system tray that says "Windows update ready to install".
After running it, that solved the problem!! Simple!!
utot mo!!

To Harv_from_Calif, ZeBen and Hermione,
Glad to hear that you could solve your problems according to my information.
Seeing other posts, it seems there are other types of causes which might be eventually leading to the same symptom, but I think that, to those who are suffering this problem (lsass.exe being unexpectedly terminated and the automatic shutdown as a result) with their registry NOT changed (therefore no virus inside your computers), MS04-011 (KB835732) is worth trying.
My guess is that this problem is being caused by the direct attack from outside which takes advantage of lsass.exe vulnerability.

Began having SYSTEM SHUTDOWN messages referencing "lsass.exe" tonight. After multiple reboots, I finally found that a hacker's executable file, "avserve2.exe", had been inserted in my Windows main directory about 15 minutes after my first logon of the evening. It had also been installed in my Windows startup group. After deleting all occurrences of "avserve*.*" from the hard drive, the shutdown problem has ceased.
Thanks for your previous posts that led me to look for the "avserve*.*" culprit. Of course, don't forget to get the latest MS Security Updates and maintain current versions of your virus definition files!

Hello!
I spent the whole day, yesterday, trying to fix this problem.
When you told about KB835732, I just remembered that, on Friday, I ran Windows Update, but the installation of the updates went wrong; then the problem started.
Today I was looking, and there is a temporary folder, created by Win. Up., with what inside? Guess! ToT
-> KB835732 Patch! <- ToT
Well, I installed the patch; the problem seems to be gone.
Thanks All,
Hayato.

Just had this same issue with lsass.exe on my windows XP PC. The latest update of AVG seems to find it. AVG found downloader.keenval.b and .c in c:\program files\common files\updmgr\rvupdmgr.exe and simgr.exe. After auto-healing and MS patch downloading the system seems fine.
This helped me, thanks! Now my PC runs perfectly!

http://www.trendmicro.com/en/home/us/enterprise.htm
Go here for a free automatic scan and repair from Trend Micro; it works!!!!

I can't believe there's help like this available out there, but I'm glad because I wouldn't know where to turn otherwise.
I ran HijackThis and would be ever grateful if someone was willing to take a look at my log. Let me know.
Thanks and blessings,
-ab

Howdy. Well, well, well, FINALLY I may be in some hope for decent help now. I received this problem yesterday and I've been going bald trying to fix it all this time.
I'm running XP. I get those LSA shell errors when I come on the net, and then the shutdown box appears. I've done searches for all those viruses you have listed, and nothing comes up! I'm downloading the Windows patch now and I pray that it solves this dreadful problem. (The shutdown thing just happened, and I did the date change + the shutdown -a thing and it's gone. Phew.) I just want to get rid of this problem altogether. *crosses fingers*. I hope the KB835732 thing works.
Thanks, all of you! I thought I was the only one :'( . I'll keep you posted.
regards,
Sincere

Your guys ROCK!
I thought I'd be looking for days to figure this out. The MS update seems to have worked. Should I still remove the "avserv*.*" files? My task manager shows it still trying to execute.
Thanks again!

Does anyone now have problems seeing the computers on his/her local network? I cannot see them and they cannot see me ANYMORE.
I found why, but not the solution.
In my network properties, the boxes "Client for Microsoft networks" and "share files and printers for Microsoft networks" are unchecked.
But if I click in the boxes, a window opens asking me if I want to deactivate these components (as if they were already activated).
I tried to uninstall and reinstall the components, but the problem is still there.
Any idea?

I have rebuilt this computer 5 times from scratch. The problem does not appear till I do the MS update. The problem BEGINS with the MS update. The patch above may fix it, but it comes from within this lousy program to begin with. This has been a fresh install which fails after the updates every time!
Thanks a 1000 times for the input by those who have figured it out. Where would we be without you guys!

Ok, so I read every entry in this forum and did the necessary updates and file deletions. I still get the shell error and then I get the lsass.exe shutdown. I tried to go back to the MS update site and see if there is anything more that I might have missed. The lsass.exe shutdown comes up again, so I did what ZeBen said and knocked back the time 1 day to give myself more time to update. Now I get an issue with the MS update site saying there is a problem with my system time and that I need to check it. I set it back to normal and let the computer restart. I get back on and try again.... The same error applies. I did the virus scan for McAfee from the safe mode command prompt and also from http://www.trendmicro.com/en/home/us/enterprise.htm, but nothing was found. I think this thing has got me by the ba..s. Any more ideas?

Hi,
Thank God for KB835732; it finally solved the problem, but it also led to another problem.
After solving the LSASS.exe issue, I have no problem logging on to the net, but I noticed a high data transfer beginning to occur; data is flowing out of my PC at avg 10Kb/s!! The last time I encountered this issue was with the W32.welchia.worm, but this time the virus scanner cannot detect any virus present! And the last fix by Symantec does not fix it this time.
anyone having the same problem and have a solution(s) for it ??

Yes! I had the exact same issue like GenesisX and everyone else here! On top of the Lsass issue I also got infected with the older W32 Welchia! I got rid of it with a removal tool from Norton... Seems to have worked out so far.

Hi Campalot64,
You solved it using the Symantec removal tool FixWelch.exe, right? This doesn't solve my problem as it did not detect the W32.welchia virus this time round. Even though the symptom (of high data rate flow) is similar. Do not know whether it has anything to do with the KB835732 fix.
But the question is, is this data flow harmful to my PC? (even though it is still affecting my bandwidth)

GenesisX,
I know what you mean: Unsolicited high-volume data flow means trouble to me though!
Something is running in the background... Take a full look at this thread; responses #25 and #26 show a couple of useful links that can help with the Sasser issue.
Just for info, the Welchia issue WAS detected by NAV this morning when I ran it with the latest virus definition!
To me this whole situation combines multiple attacks (Sasser and Welchia) unless the first one weakens your system and lets other bad things come through the "door" by the same token! ... Don't know...
Any additional thoughts from any wise man around?! LOL

Ok so how do I fix my Win2000 computer that WILL NOT BOOT all the way without rebooting? During a reboot it hangs at Applying Security Policy, sits there with the HD light flashing for several minutes THEN I get the message about LSASS and shutting down in one minute. The system is not up to the point of being able to do ANY of the steps mentioned. It will not boot in safe mode, same issue. Help!

Should have added: I keep this system up to date with MSUpdate and have done all the AV scans which found Blaster (Yes Blaster) and removed it but it still hangs at Applying Security Policy.... then just reboots.

It's not W32.Blaster.Worm. It's W32.Sasser.Worm. The simplest way to solve the problem:
Go to the url:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Then you can download the W32.Sasser.Worm Fixtool and follow their instructions. Good luck.

1) "shutdown -a" doesn't work at all!!!
2) is there any patch for Service Pack 2?
thanks a lot...
looking for Shodan in Q4 2005

In reply to #45
I'm running Windows 2000 and I'm using Norton Antivirus 2004. I've updated for new virus definitions that are supposed to solve this problem according to Symantec. I also ran the W32.Sasser.Worm Fixtool without any success. When I use the tool it scans all files but in the log it says that my hard drives weren't scanned.
I've tried numerous online scans as well without any progress. I haven't tried deleting the avserv*.* files, or deleting the registry changes (as suggested in post #17) yet but I'll post later on if it works out.
In reply to #46
What OS are you running? I haven't tried that command line yet but is it possible that it only applies to Windows XP?

In response to #47, I have also downloaded the W32.Sasser.Worm Fixtool from
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html and run it on my Win XP Pro without any success. The exe scanned my PC but found no virus. The log said the system files were not scanned. I don't quite understand. I also searched for avserve*.* on my PC and found nothing. Now when I use IE, my PC still reboots itself because of the crashing of lsass.exe due to the virus. Is there a patch from Microsoft on this bug in lsass.exe? Please help!

In response to #47 again
I just downloaded a MS patch from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
for Win XP Professional to fix this problem. So far the patch seems to work. There is a patch for Win 2000 also. Please go there and download a copy. Hope this will help you.

In response to #42,
I have tried everything, scanning with the latest AV, and it still did not detect anything! Data flow (out of my PC) is still going on every time I log on to the net and there is nothing I can do about it. It seems to be a new kind of virus/trojan etc. similar to W32.Welchia.
Anyone encountering this problem and have a solution to it???

I am running Windows 2000 on my laptop which has been infected with the Sasser virus. I have applied Microsoft Patch MS835732 and now the situation is even worse. The machine re-boots automatically. It gets to the end of the 'starting windows 2000' and then restarts. Does anyone know how I can break out of this routine so that I can at least save some of my key files before I rebuild?
Cheers

In response to #50
GenesisX,
Try downloading this small freeware from McAfee called Stinger. It is a virus scan utility that has worked great for me to detect and remove both Sasser and Welchia. It actually can identify more than 40 viruses, worms, etc.
http://www.webattack.com/get/stinger.html
Don't forget to also do the following:
1 - End malicious processes in the Task Manager. End the following:
avserve.exe
any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
2 - Download the latest Microsoft Windows Critical Updates and install. (Especially this one: KB835732)
3 - Download the stinger freeware (See link above!)
4 - Disconnect from the net (unplug DSL...)
5 - Disable your System Restore
6 - Run Stinger (It should detect and get rid of the "bad" files)
7 - Enable the Firewall in the security tab of the property window for EACH of your network connections in your control panel
8 - Restart computer
9 - Enable System Restore
10 - Also check Response Number 17, item 5 to reverse the change made to the registry:
________________________________________
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
________________________________________
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit
Then click OK. (The Registry Editor opens.)
c. Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete the value:
"avserve.exe"="%Windir%\avserve.exe"
e. Exit the Registry Editor.
...and you should be good to go! At least that's what I did and it all went well since then!
You can also DL and run the removal tools from Symantec. They have updated removal tools for all the most recent threats and good articles that show how to identify an infection, etc.
Go here for the Sasser removal:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
Go here for all other threats removal tools:
http://securityresponse.symantec.com/avcenter/tools.list.html
Hope that helps. Good luck!
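The post above names two things to look for by hand: a running process called avserve.exe (or a name of 4 or 5 digits followed by _up.exe) and an avserve.exe value under the HKLM Run key. The following is an added example, not code from the thread or from any of the tools it links to, that turns those two indicators into a check you can run against a process list and a set of Run-key values. The sample process names and Run-key values are constructed; the only real lookup is the optional live read of the Run key, which works only on Windows and is skipped elsewhere.

```python
import re

# Constructed sample data (not taken from the thread): process names and
# HKLM\...\CurrentVersion\Run values as they might appear on an infected PC.
SAMPLE_PROCESSES = [
    "explorer.exe", "lsass.exe", "avserve.exe", "74354_up.exe",
    "svchost.exe", "123_up.exe", "avserve2.exe", "notepad.exe",
]
SAMPLE_RUN_VALUES = {
    "avserve.exe": r"%Windir%\avserve.exe",
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
    "avserve2.exe": r"C:\WINDOWS\avserve2.exe",
}

# Indicators named in the thread: the avserve dropper (avserve2.exe is
# mentioned by a later poster) and "4 or 5 digits followed by _up.exe".
DROPPER_RE = re.compile(r"^avserve\d*\.exe$", re.IGNORECASE)
UP_EXE_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)


def suspicious_processes(names):
    """Return the process names matching either indicator, in input order."""
    return [n for n in names if DROPPER_RE.match(n) or UP_EXE_RE.match(n)]


def suspicious_run_values(run_values):
    """Return Run-key value names whose name or target file is the dropper."""
    hits = []
    for name, data in run_values.items():
        # Keep only the file name of the command, whatever path prefix it has.
        target = data.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
        if DROPPER_RE.match(name) or DROPPER_RE.match(target):
            hits.append(name)
    return hits


def read_run_key():
    """Read the live HKLM Run key on Windows; return {} where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    print("processes:", suspicious_processes(SAMPLE_PROCESSES))
    print("run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
    live = read_run_key()
    if live:
        print("live Run key hits:", suspicious_run_values(live))
```

Note that 123_up.exe in the sample is deliberately not flagged: the pattern from the post requires 4 or 5 digits, and keeping the check that tight is what stops it from matching unrelated update helpers. Flagged Run-key values are reported, not deleted; removal is the manual regedit step in the post above, after the registry backup it recommends.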

I got the same lsass.exe shutdown message crap with a 1 minute timer. The first time it happened was Sunday (5/1) and I have not been able to stay on-line since without the machine (XP) rebooting on me. My virus software detects nothing. I'm okay if I don't connect to the internet. Once on-line, though, I get shutdown within 5 minutes of surfing. I tried to stop the shutdown process via task manager and the message I get is that I am not authorized to stop it. Nice, huh? I hope the suggestions above work. Thanks for the advice!

i have the same problem as ellinitha!
whenever i use the internet, within 3-5 minutes, my computer gives me a 1 minute warning and it shuts down. i've taken my laptop to my friends who know how to "use" it, but it didn't work, but ismay's suggestions worked! (crossing fingers). this thing happened on saturday 4/30/04.
and who is spreading this virus anyway?
i will kick his/her !@#$#@$%@..
just kidding.but don't do it.!!!hk

I have the same problems as everyone else (shutdown timer, lsass.exe, unexplainable uploading) but I was wondering if anyone else is having the problem that when you do shutdown -a it no longer allows you to shut down.
If I go Start > Shutdown it brings me to the log off or switch users menu. After a while shutdown disappears completely and I'm only left with log off.
Does anyone know if this is related to lsass or is it another problem all to itself?
When I go into Task Manager (Ctrl-Alt-Delete) and then Processes it says that the programs are running on "Unknown". So apparently the computer thinks I'm logged on as no one.
I think that's everything except that I also have avserve2.exe and it seems to be using over 50% CPU power at some times. I deleted it and there doesn't seem to be any problems without it.
-Thanks

In response to #52,
Thanks Campalot64,
You are right about the "Stinger.exe" program, I downloaded it from the McAfee website, I think. Anyway it detected the virus "Sdbot.worm.gen.g" which I believe somehow has eluded NAV. After deleting the virus infected files, the Unsolicited Data Transfer is gone.
Another virus that I came across is the "W32.Randex.gen" virus which NAV detected but was unable to delete or repair the file. It seems to have the same effect as the W32.welchia and Sdbot.worm. In the end I found out that I had to use "Regedit" to delete the file.
Hope this info can help some people out there.
Rgds.

I just got (what i believe to be a variation of the sasser worm today)
I'm getting all the standard signs of it such as the LSA export version and lsass.exe error -1073741819 specifically.... I've run Norton, Spybot, Ad-Aware, Stinger, and HijackThis...
The weird thing is I've downloaded and installed the MS04-011 KB835732 patch, Microsoft's own search and removal program for the Sasser, B, C, and D variants and I can't get rid of the problem... hell I don't even see any *avserve* processes or files on my comp... I'm running XP Home Edition and have no f---in clue what is going on... I'm almost positive this is a version of the Sasser worm... but I can't remove it like most people can... any ideas on what to do or what this could be if it is not Sasser?
Thanks for the help

I cannot try any of the downloadable solutions you suggested because my variant of the worm does not allow me to enter Windows XP, even in safe mode. A message comes up saying "lsass.exe - system error, object not found." and then the computer reboots automatically (shortly after the Windows XP logo has appeared).
I ran start-up from a DOS boot disk and C:/ prompted an "invalid directory" error - which really frightens me. What is going wrong with my computer, and how can I fix it without reformatting the hard drive? PS. I have a CSI computer, so Dell and HP specific solutions don't seem to be helping. And I can't run a patch anyway because I'm stuck in DOS forever, can't even make it to safe mode.
This problem has been keeping me up all night and I appreciate anyone's insight.
I hope there's a solution that doesn't require a Windows-XP reinstallation because I have no idea where that CD even is!

Well I've tried everything here on my Win2k PC (Service Pack 2) and nothing will work. I have updated NAV, taken it to get fixed (government laptop so it was free to get fixed at work), tried both of those patches and every one of those tools mentioned and I even put up a ZoneAlarm firewall but nothing will work and I really don't wanna format coz I have a lot of work and stuff on the computer.

To all:
This problem does not require your computer to be infected with a virus/worm (Blaster or Sasser)
It affects Windows 2000 up to and including Service Pack 4. And Windows XP (don't know the service packs, assume the worst). The worms can infect Windows 98 but they only make this OS an infection agent. Windows 98 computers will not shut down.
Better use URL http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx and follow the download and installation instructions for your OS. I had to do this using a Windows 98 machine connected through a LAN to my affected Windows 2K laptop.
I downloaded the patch from the Internet with Windows 98 and copied it through the LAN to Windows 2K (There's no LSASS.exe in Win98 capable of being affected by a buffer overflow attack). The patch is more than 6MB in size. A hell of a patch.
THEN, and with your computer DISCONNECTED from the INTERNET, install the patch AND run any installed virus removal tools you may want to run.
The computer shuts down in response to a buffer overflow command that comes from the Net. SASSER creates AGENTS that send these commands. Currently, any Internet connection must be receiving thousands of them depending on your ISP. By the way, I wasn't able to run the Windows Update page before my computer shut down. So every connection to the Microsoft site looks like it receives buffer overflow attacks also.

prior to downloading the KB835732
and installing it (which worked fine by the way), I copied the lsass.ex_ from the XP disk into windows/system32/, renamed the old one (12Kb) and copied lsass.ex_ as lsass.exe (9kb). Don't know if it made any difference but it may help people still having problems...
NOTE! If you rename this file and try to reboot without it YOU WILL HANG! and need to boot from cd and run system recovery to replace it!
GREAT FORUM!

The fix that worked for me. I checked for viruses with the latest virus updates and they found nothing. I then checked the registry where they said to look for the virus, I didn't find any virus there either. What I did find however was a reg key called on boot or something like that and it was running "dumprep o -u", this seemed to be causing the lsass.exe to crash. I removed this registry entry and then applied the Microsoft patch that was described in response 61. I then rebooted. dumprep no longer crashes my lsass. Hopefully everything is good and I don't have to do any more work, I hate fixing PCs.
Good Luck

I couldn't find the virus either, with both the tools and manual searching. One way I found to stop the crashing was to simply turn on my Windows XP firewall, but even doing that I still got lots of error messages and sluggish performance. Just now, looking in the Run registry area, where the virus is supposed to be, I saw a key called something like %systemroom%/UserFaultCheck, and it ran the same dumprep program. I deleted it, and things seem to be fine now.

Hi guys,
Follow the procedure from the Microsoft web page, IN THAT ORDER: http://www.microsoft.com/security/incident/sasser.asp
That is:
1. Firewall
2. Patch Windows
3. Update then scan with antivirus
Great work campalot64, all good stuff... Though I would recommend that the Firewall be enabled (step 7) at the very start. This will prevent further attacks from happening while you try and download. Yup, Kazu picked it for this thread.
Firewall!
Does everyone realise that this infection would never happen if people had enabled a firewall? Just to make sure everyone can do this, here are the steps for the Windows firewall, but I would recommend FREE ZoneAlarm in the long (ok, short too then!) term, for better protection (zonelabs.com).
In the Control Panel (which may also be under settings in the Start menu), select "Network Connections". Right click on your Internet connection and select properties. Click on the "Advanced" tab at the top right, then tick the "Protect my computer..." box under Internet Connection Firewall.
It may not be the most robust firewall (for example it lets through all outbound connects such as from a trojan), but it is easiest to set up for now, and would at least stop attacks like this worm. I hear WinXP Service Pack 2 will have a much improved firewall, but I have been using ZoneAlarm from zonelabs.com for a number of years now and it easily outperforms many other commercial versions from other vendors. There are also Plus/Pro versions with added features, such as if you are using ICS (Internet Connection Sharing). There are some great pages at grc.com, including the 'Shields Up' service and 'LeakTest' to test if your firewall is secure.
Proactive, not reactive!
Having a firewall will protect you from similar attacks next time round, and from the script kiddies doing IP scans.... Although they still need to be done, Antivirus updates and MS security patches happen after the deed has happened...
Stop the 60 second Shutdown before it occurs - eg for hiegear & HangJebat
To stop the shutdown from happening such as for ellinitha (note this is a temporary fix - put it back after a few days): type "services.msc" <Enter> after selecting the Run command from the Start menu. Scroll down to the "Remote Procedure Call (RPC)" service (the first one out of the two that are present, ie without "Locator" at the end which you probably can't see right now cos the column is too thin) and double click on it. Select the "Recovery" tab at the top and you will see 3 drop-down boxes all with "Restart the Computer". Change *ALL* of these to "Restart the Service". Click OK to confirm and close the Services window. Now you shouldn't get the shutdown message at all. Just remember to reset these back to default sometime later.
Don't disable RPC, just change the recovery response!
DO NOT disable RPC or Cryptographic Services!!! These are needed for operation of your computer, especially to install any patches. If you have disabled it, go back to the Services window, *right click on the first RPC (or Crypto) and click Start*. These should have a Startup type of Automatic. Changing RPC to restart the service instead of the computer (under Properties - ie double-click) is fine and has worked on all computers I have fixed so far. Don't think this "Expert" explained himself properly DMac :)
Remember as mentioned above, if the shutdown process starts before you even get to do this type "shutdown -a" after selecting the Run command from the Start menu.
For people who can't even boot their computer (Coolerman), I would try and use a boot disk and run the Stinger tool copied from a floppy or CD from another computer. Never seen it this bad on anyones computer I have repaired to date though - that's real bad! Can you run it from another partition or put the hard drive in another computer? (good luck finding someone to put your infected drive in their system... ;)
YOU MAY HAVE BEEN HACKED TOO!
If you have been infected with Sasser, there is potential that the creator or his minions have accessed your computer through the back door. God knows what they could have installed. Inspect your computer carefully and check that no user accounts have been magically created.
*THREE THINGS EVERY COMPUTER USER NEEDS TO DO*:
1. Firewall
2. Anti-virus (and kept up to date EVERY DAY)
3. Microsoft Patches
Go to http://www.microsoft.com/security/protect/ for more info. If you haven't updated Microsoft patches for a few months (ouch!) and are still on dialup, then follow the link from this page and MS can send you a FREE CD with updates until February this year, but if you're in this forum topic, you need action now me thinks ;)
You can get free Anti-virus for a year from Computer Associates at www.my-etrust.com/microsoft/ (link is from the same ms site above). This also includes a repacked version of ZoneAlarm, but you can just install the antivirus if you are already using a separate install of ZoneAlarm or other firewall. (Untick EZArmor during install, then click EZ Antivirus).
I do not currently recommend Grisoft AVG, as it is not as effective as other products, though better than nothing I guess. See www.virusbtn.com for some independent testing... Go to VB100 then I like to browse by platform. Pick yer platform (OS!) and have a squiz. You can then also select a vendor and have a look at their history. AVG is http://www.virusbtn.com/vb100/archives/products.xml?avg.xml
And then theres the Spyware of course.... maybe another day :) Download "Ad-Aware" from lavasoftusa.com, AND "Spybot Search and Destroy" for now!
Peoples:
lfb, the "Windows Security Update (Manufacturer: unknown)" looks very suss and should be stopped/removed. This is not a Microsoft install... do a Google and see what you come up with. This is a separate issue - most users will not have this. Double check you also don't have the Sasser worm too if you're getting a similar error message.
DMac, you want to right click on the first RPC (or Crypto) and click start on the popup menu instead of double clicking.
ZeBen, interesting and clever workaround with the clock :) But you'd have to do this each time it tries to shut down me thinks - may as well do "shutdown -a", or even better prevent it happening at all with what I said above.
kamanana (& DMac): turn the firewall on and this will stop the attacks when connected to the internet. I'm not sure if you're infected or not cos if you're up to date with MS04-011 (and antivirus says you're ok too) then you should be ok, but you are still getting the error messages. Maybe it can still crash you without a firewall, but not infect you as such.
DMac, you may have had other trojans installed... any more weird stuff you can tell us? Download Stinger again as there may be a newer version picking up variants. For the purpose of identifying whether you have sasser, stinger will do the job, but you should install e-trust (Free for a year) or at least AVG as you may have other stuff. Do the spyware checks. If still stuffed, print a HijackThis report.
leonard - yep, you should install the updates before the antivirus. The antivirus MUST still be done though :) Firewall highly recommended
GenesisX - sounds like 'they' are using your connection - with the Sasser worm comes a free ftp server listening on port 9996. Open up a DOS prompt (Start>Run>cmd) and type in "netstat -n -a". Is there an entry under Local Address that looks like x.x.x.x:9996 (x.x.x.x being your IP address, or could be 0.0.0.0:9996 or 127.0.0.1:9996)? It's that 9996 you wanna look for.
Actually, I just thought you should try typing "netstat -n", but make sure you don't have ANY other Internet connections open - IE, WinUpdate, AntiVirus etc - and this will tell you the foreign host that is connecting to you. Do a tracert on him or go to network-tools.com and see what/where he is... Then again it could be something completely different :o ....
"To me this whole situation combines multiples attacks (Sasser and Welchia) unless the first one weakens your system and lets other bad things coming through the "door" by the same token! ... Don't know... " - that's exactly right campalot64.... you are 0wN3d... :( hmmm... they could even change that port number above if they were smart. If they were smart, then lsass.exe wouldn't crash! - I think it's a bug []:|
NOT a bug in lsass as Josiah suggests ;)
ificanhelp (#64) - sounds like a good alternative if still not working for people. Dunno if System Restore would help either? All fixes I've done have worked by following Microsoft's page.
Cheers,
Boughto
aussiepcfix.com (But don't visit til next week :)
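Boughto's netstat advice above is easy to get wrong by eye on a busy machine, so here is an added example, not code from the thread, that does the two checks he describes over the text of "netstat -n -a": is anything LISTENING on the port the post names (9996, passed in as a parameter), and which foreign hosts have an ESTABLISHED connection to it. The netstat output below is constructed for the example; the live capture at the bottom just runs the same command the post tells you to type and feeds its output through the same parser.

```python
import re
import subprocess

# Constructed sample of "netstat -n -a" output (not a capture from the thread).
# 192.168.1.20 stands in for the local address, 203.0.113.77 for a foreign host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:9996      203.0.113.77:4123      ESTABLISHED
  TCP    192.168.1.20:1040      192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state
# (UDP rows have no state column).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn raw netstat output into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto, "local": local,
                     "foreign": foreign, "state": state or ""})
    return rows


def split_addr(endpoint):
    """Split 'host:port' into (host, port); rpartition also copes with IPv6 '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def rows_on_port(rows, port):
    """Rows whose *local* port is the one we are looking for."""
    return [r for r in rows if split_addr(r["local"])[1] == str(port)]


def listeners(rows, port):
    """LISTENING sockets on the port: the 'x.x.x.x:9996' entry the post describes."""
    return [r for r in rows_on_port(rows, port) if r["state"] == "LISTENING"]


def remote_peers(rows, port):
    """Foreign hosts with an ESTABLISHED connection to the port, deduplicated."""
    return sorted({split_addr(r["foreign"])[0]
                   for r in rows_on_port(rows, port) if r["state"] == "ESTABLISHED"})


def live_netstat():
    """Run the command from the post and return its output (Windows netstat syntax)."""
    return subprocess.run(["netstat", "-n", "-a"], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening on 9996:", listeners(rows, 9996))
    print("foreign hosts connected to 9996:", remote_peers(rows, 9996))
```

The port is a parameter rather than a constant on purpose: the post itself notes that a variant could pick a different number, so the same functions can be rerun for any port that looks out of place. A listener on 9996 alone is a strong indicator; a foreign address in remote_peers is the "who is connecting to you" answer the second paragraph of the post is after.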

Help. When I boot up it says object missing lsass.exe and has an OK button. When you click the OK button it reboots, ie no way to get to Windows. I created a boot disk and can get to the C drive, but I'm not sure how to remove the problem. I can get to the internet, but not with Iexplorer, I am using the offbyone browser. I tried to download the MS patch, but it doesn't do it. Anyone have any ideas?
Thanks,
Scott

In response to #65
Hi Boughto,
You are a well of knowledge! Thanks for taking the time in making available that many great resources and info. ;)
Cheers,
Campalot

The fix also worked for me: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html.
I'd just like to know why the hell it took Symantec and Microsoft almost 2 weeks to notice this. Hundreds of us were discussing this in the usenets and on webpages like this since April 14th! Not until May 1 did the big guys wake up. Very disappointing.
ismay

hi guys,
Thanks for the patch info.
For those who don't have time to go to search for KB835732, just go to the link mentioned below:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
HaXoR
