Computing.Net > Forums > Security and Virus > Clue to lsass.exe shutdown problem

Clue to lsass.exe shutdown problem


Original Message
Name: ismay
Date: April 21, 2004 at 18:41:19 Pacific
Subject: Clue to lsass.exe shutdown problem
OS: XP Pro
CPU/Ram: P4 512RAM
Comment:

A number of us have been complaining about this virus/trojan that shuts down our computers every reboot with the message:

System Shutdown:
“This system is shutting down. Please save all... This shutdown was initiated by NT AUTHORITY\SYSTEM.

Message: The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart.”

I've tried everything. Norton, Trend Micro, Ad-Aware, CWShredder, Pest Patrol Corp Edition, Spybot. All critical MS updates are installed. Nothing sees any virus/trojan.

Here's the clue: in msconfig under the 'Services' tab I took a check mark off "Windows Security Update (Manufacturer: unknown)". When this item is disabled, I get no shutdown problem. When this item is enabled, the system shuts down every reboot.

Any idea? How do I figure out what this mysterious "Windows Security Update" item is?

ismay




Response Number 1
Name: blender
Date: April 21, 2004 at 21:15:28 Pacific

ismay

Since you have tried everything to find it with no results...

Download Hijackthis from here:

http://spywarewarrior.com/files/HijackThis.exe

Make a separate folder for Hijack, e.g. c:\HJT\Hijackthis.exe
Hijack makes backups of what is removed; restoring backups if needed is unreliable if run from a temp folder or the desktop.

Recheck the item(s) you have disabled in msconfig and reboot. (yes you will start the virus again but hijack can't see it if it's disabled)

Start Hijack > click Scan; the Scan button changes to a Save Log button. Save the log, it will pop up in Notepad; copy/paste the entire results in a reply in this thread.

Don't fix anything yet...most of what you see in scan is safe or even essential

We will see what next.
_________________________________

I never give up!

Windows Update



Response Number 2
Name: muflon
Date: April 26, 2004 at 03:40:24 Pacific

Hi blender!
I have exactly the same problem with lsass.exe as Ismay. Computer crashes from time to time, showing the screen with the error message "lsass.exe blablabla". I have all security and recommended updates installed on my machine (win xp pro) and no antivirus software reports a virus. I've made a log from hijackthis.exe as you've recommended to ismay; this is the result:

Logfile of HijackThis v1.97.7
Scan saved at 12:30:43, on 26.4.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Utils\USroll\UScroll.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\Total Commander 5.5\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Common Files\Microsoft Shared\Help\dexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.10.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uniba.sk:3128
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UScroll] C:\Utils\USroll\UScroll.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38043.3383217593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kvant.sk
O17 - HKLM\Software\..\Telephony: DomainName = kvant.sk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kvant.sk

I couldn't see anything unusual in the report, I am not an expert. Please note that the UScroll is my utility - not a virus.

Thank you in advance.



Response Number 3
Name: ismay
Date: April 26, 2004 at 08:25:40 Pacific

Hi Blender, as you requested, here's the log (thanks for your help):

Logfile of HijackThis v1.97.7
Scan saved at 10:32:19 AM, on 4/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Sony Handheld\Configtool.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


Response Number 4
Name: lfb
Date: April 30, 2004 at 18:49:26 Pacific

I'm getting this problem too, and it's very annoying trying to fix it, when you're in the middle of searching for help or doing online virus scans, it pops up and shuts your computer down!

'Here's the clue: in msconfig under the 'Services' tab I took a check mark off "Windows Security Update (Manufacturer: unknown)". When this item is disabled, I get no shutdown problem. When this item is enabled, the system shuts down every reboot.'

How exactly do you get to that checkmark?



Response Number 5
Name: hermione
Date: April 30, 2004 at 19:38:20 Pacific

I just started having this problem today.

I went to that msconfig place like you said [to get there, go to start> run> "msconfig" +enter] But I didn't see that thing to check off.

To stop your system from rebooting itself, you can go to start> run> and type in "shutdown -a"

What's that Hijackthis thing gonna do anyway?




Response Number 6
Name: MLD
Date: April 30, 2004 at 19:43:14 Pacific

... Or what if "Windows Security Update (Manufacturer: unknown)" is NOT SHOWN in order to uncheck it?



Response Number 7
Name: MLD
Date: April 30, 2004 at 20:18:02 Pacific

There are also some ideas happening here on thread #11377 ...



Response Number 8
Name: wanting
Date: April 30, 2004 at 23:09:31 Pacific

"the system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. the system will now shut down and restart"



Response Number 9
Name: gsebo
Date: May 1, 2004 at 00:27:54 Pacific

"the system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. the system will now shut down and restart"

PLZ HELP



Response Number 10
Name: Kazu_from_Japan
Date: May 1, 2004 at 01:12:16 Pacific

Hi guys,

A couple of days ago, the same problem suddenly started to show up on my Windows2000 PC. When it appeared for the first time, it was several hours after the boot. But then, once this forced shutdown-reboot was made, it got to appear frequently; the timing is not constant, but many times it was several minutes after re-boot. I checked the registry for a sign of virus setup, but there was no sign of the usual kind of setup, like a new entry under RUN.

Then I checked around on the Internet for any clue and reached one which hinted that Microsoft Security Bulletin MS04-011 (KB835732) would be related. So I downloaded this fix and applied it. Then after that, I haven't got this problem even once. So I guess this fix solved the problem.

When I applied this fix, my concern was whether the fix could be applied before this problem appears, but the time required to apply this fix is so short that I could successfully apply it.

Hope this information will help you fix this problem.

(Note): When I checked this Security Bulletin on Microsoft web site, I found similar kind of security vulnerability described in MS04-012. So I installed the fix for this, too, at the same time. But I believe the fix which solved this problem was MS04-011. Anyway it'd be better to apply both fixes for different kind of attacks in future.



Response Number 11
Name: djthorley
Date: May 1, 2004 at 01:59:18 Pacific

Just had this same issue with lsass.exe on my windows XP PC. The latest update of AVG seems to find it. AVG found downloader.keenval.b and .c in c:\program files\common files\updmgr\rvupdmgr.exe and simgr.exe. After auto-healing and MS patch downloading the system seems fine.



Response Number 12
Name: StrangerGOL
Date: May 1, 2004 at 04:25:46 Pacific

I had the same problem with restarting (lsass.exe). I've updated my virus definitions and it just found that this virus was trying to infect my system. You need to have the 30.04.2004 virus definitions in order for Norton AV to recognize it!!!
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html#recommendations




Response Number 13
Name: MaStRoPiErO
Date: May 1, 2004 at 08:11:16 Pacific

Hey this happened to me two times. The first time was some months ago and the second one was yesterday.
But this time I knew what to do, and I fixed it faster than the other time. I have windows XP, the only thing you have to do is download a patch for windows from:

http://support.microsoft.com/?kbid=824146

there you can find a patch for different versions of win.
If you want info about this virus go to:

What You Should Know About the Blaster Worm

http://www.microsoft.com/security/incident/blast.asp


I hope you can fix it, men, 'cause this bug is really annoying... good LUCK!




Response Number 14
Name: hermione
Date: May 1, 2004 at 09:18:28 Pacific

This isn't the Blaster worm! It's a newer worm that has the same effect. I had Blaster before, and I ran the fix for it after this new one started showing up yesterday. Didn't detect anything.

I think this might have to do with the new Windows XP Update, which I had just downloaded and installed a few hours before all this started showing up....



Response Number 15
Name: CiRoPanZa
Date: May 1, 2004 at 12:36:55 Pacific

It's not the blaster!! The blaster used to shut down a different process... can't remember right now... but not the lsass...
I can't even download anymore from the Microsoft security update and my Norton antivirus doesn't work anymore.. can't update virus definitions anymore!!! AAARGGRR
PLEASE HELP!!

Peace & Love
CiRoPanZa



Response Number 16
Name: CiRoPanZa
Date: May 1, 2004 at 12:57:39 Pacific

Actually the blaster was a remote procedure call process that was interrupted and was forcing the pc to shut down...
the shutdown -a WORKS!!! GREAT hermione ...
even if it doesn't solve the problem... can't connect even to the symantec website anymore!!!
Why don't hackers have sex instead of making viruses!!!!!!! HATE THEM

Peace & Love
CiRoPanZa



Response Number 17
Name: indycancan
Date: May 1, 2004 at 13:02:38 Pacific

I also just ran my Windows update and seconds later got this virus. And yes, it is not Blaster. Norton just identified this virus YESTERDAY! I'm still in the process of trying to fix it; I'll post as soon as I know if it actually worked or not. Here's their advice:

W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. End the malicious process.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
5. Reverse the change made to the registry.
For details on each of these steps, read the following instructions.

1. To end the malicious process
To end the malicious process:
a. Press Ctrl+Alt+Delete once.
b. Click Task Manager.
c. Click the Processes tab.
d. Double-click the Image Name column header to alphabetically sort the processes.
e. Scroll through the list and look for the following processes:
• avserve.exe
• any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
f. If you find any such process, click it, and then click End Process.
g. Exit the Task Manager.
2. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
• "How to disable or enable Windows Me System Restore"
• "How to turn off or turn on Windows XP System Restore"
________________________________________
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
________________________________________
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
3. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
• Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
• Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

4. To scan for and delete the infected files
a. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
• For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
• For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
b. Run a full system scan.
c. If any files are detected as infected with W32.Sasser.Worm, click Delete.

5. To reverse the change made to the registry
________________________________________
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
________________________________________
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit

Then click OK. (The Registry Editor opens.)
c. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete the value:

"avserve.exe"="%Windir%\avserve.exe"
e. Exit the Registry Editor.


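The Symantec steps quoted above give three concrete indicators: the status code in the shutdown dialog, the process names avserve.exe / NNNNN_up.exe, and the Run value "avserve.exe"="%Windir%\avserve.exe". The script below is an added example (not code from this thread, from Symantec, or from Microsoft) that turns those indicators into checks a responder can run over exported data: it decodes the signed status code to its NTSTATUS value, matches process names against the naming patterns, and parses HijackThis-style O4 lines like the ones posted in this thread to look for a Run value that launches an avserve binary. The sample process list and O4 lines are constructed for the example; the function and constant names are my own.

```python
"""Sasser-style lsass.exe shutdown triage (added example, not the thread's or Symantec's code).

Checks implemented:
  * signed status code from the shutdown dialog -> NTSTATUS hex + name,
  * running-process names -> avserve*.exe / NNNNN_up.exe matches,
  * HijackThis O4 Run lines -> Run values that launch an avserve binary.
All sample data below is constructed for this example.
"""
import re

# NTSTATUS values the two status codes quoted in this thread decode to.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}

# avserve.exe, avserve2.exe, or 4-5 digits followed by _up.exe, as in the write-up.
SASSER_IMAGE_RE = re.compile(r"^(?:avserve\d*\.exe|\d{4,5}_up\.exe)$", re.IGNORECASE)

# "O4 - HKLM\..\Run: [ValueName] command line" as HijackThis 1.97 prints it.
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# First token that looks like an .exe file name, ignoring path and quoting.
EXE_BASENAME_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)


def decode_status(signed_code: int) -> tuple:
    """Map the signed 32-bit code shown by the shutdown dialog to (hex, name)."""
    unsigned = signed_code & 0xFFFFFFFF
    return f"0x{unsigned:08X}", NTSTATUS_NAMES.get(unsigned, "UNKNOWN")


def suspicious_processes(image_names):
    """Return the image names that match the Sasser naming patterns."""
    return [name for name in image_names if SASSER_IMAGE_RE.match(name.strip())]


def parse_hjt_o4(lines):
    """Parse HijackThis O4 Run lines into {value_name: command}; other lines are skipped."""
    run_values = {}
    for line in lines:
        m = HJT_O4_RE.match(line.strip())
        if m:
            run_values[m.group(2)] = m.group(3)
    return run_values


def suspicious_run_values(run_values):
    """Flag Run values whose name or launched executable matches the Sasser patterns."""
    hits = {}
    for name, command in run_values.items():
        exe = EXE_BASENAME_RE.search(command)
        basename = exe.group(1) if exe else ""
        if SASSER_IMAGE_RE.match(name) or SASSER_IMAGE_RE.match(basename):
            hits[name] = command
    return hits


# Constructed sample data: two benign entries in the style of the logs posted above,
# plus the Run value the Symantec write-up says the worm adds (%Windir% expanded).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKLM\..\Run: [avserve.exe] C:\WINDOWS\avserve.exe',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe',
]
SAMPLE_PROCESSES = ["smss.exe", "lsass.exe", "avserve2.exe", "74354_up.exe", "123_up.exe"]


def triage(status_code, processes, o4_lines):
    """Run all three checks and return one report dict."""
    return {
        "status": decode_status(status_code),
        "processes": suspicious_processes(processes),
        "run_values": suspicious_run_values(parse_hjt_o4(o4_lines)),
    }


if __name__ == "__main__":
    report = triage(-1073741819, SAMPLE_PROCESSES, SAMPLE_O4_LINES)
    print("shutdown status :", report["status"])
    print("processes       :", report["processes"])
    print("Run values      :", report["run_values"])
```

The two status codes posted in this thread decode to 0xC0000005 (access violation) and 0xC0000094 (integer divide by zero), which is why the dialog shows them as negative numbers. The process check deliberately excludes "123_up.exe": the write-up specifies 4 or 5 digits, and a looser pattern would flag unrelated software.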

Response Number 18
Name: DMac
Date: May 1, 2004 at 13:33:14 Pacific

Help! I had the "lsass.exe" shutdown problem, and downloaded the Microsoft patch listed above. Now, my pc doesn't shut down anymore, but I have tons of other problems. I can't copy/paste, my "add/remove programs" doesn't have ANY programs in it (just a blank window opens), etc.

Please help!

(I have Windows 2000 Professional, have run Adaware, Spybot, Stinger, etc. I do NOT have any anti-virus software. I cannot do Windows Update either because it won't load anything. Even typing the web address in my address bar for IE comes up blank.)

Thank you!



Response Number 19
Name: DMac
Date: May 1, 2004 at 13:37:27 Pacific

Also, to follow up my previous post, in my Regedit, I noticed something that is strange to me. Under HKEY_LOCAL_MACHINE; SOFTWARE; Microsoft; Windows; Current Version; and Run, there is only 1 item in the "run" folder. It's name is "(default)" and type is "reg_sz". I believe there used to be several programs in there.

An additional note - an "Expert" told me this morning to disable my RPC under Control Panel, Administrative Tools, Services. I did, but now I can't enable it again. When I double click on it, nothing happens - no new window opens to allow me to enable it.

Thanks!



Response Number 20
Name: kamanana
Date: May 1, 2004 at 17:13:55 Pacific

I am having the same problem and I have Windows XP professional; it only happens when I am accessing the internet. Also it only happens when I am on the internet using a dial-up connection (doesn't happen when I access the net via DSL). I am also an AVG anti virus user; I updated my virus software and I ran it several times but it wasn't able to detect any viruses except the "lovesan" virus, which it removed through healing. I have also noticed that a Windows error message appears which says something is wrong with the "LSA Shell"; apparently that is connected with the "lsass.exe" file. I have tried running the "Microsoft Security Bulletin MS04-011 (KB835732)" as recommended by one of the users here, but every time I run the downloaded file it doesn't install successfully. That's where things are so far. Could anyone please help??



Response Number 21
Name: ZeBen
Date: May 1, 2004 at 17:53:42 Pacific

Hi to all

I spent my WHOLE evening trying to get rid of this f*** shutdown problem.
Before those very messages, I could not find ANYTHING over the Internet to help me.
THANK YOU very much!!!

But I would just add something a friend told me, which could help the ones who have low speed Internet connections: when the shutdown message shows up, just set your Windows clock 1 (or more) day before. Instead of having just one minute to do what you need to do, you will have 1 (or more) day and one minute.


(sorry for my bad english as it is not my native language)



Response Number 22
Name: Harv_from_Calif
Date: May 1, 2004 at 18:15:49 Pacific

Kudos to Kazu_from_Japan
I too was frustrated watching my computer re-boot every few minutes.
I tried what Kazu suggested and...IT WORKED!
I downloaded the Microsoft Security Bulletin MS04-011 (KB835732). I'm running XP Pro w/DSL.
Thanks ever so much. Once again, this old computer is working just fine.



Response Number 23
Name: ZeBen
Date: May 1, 2004 at 18:53:42 Pacific

This reboot problem seems solved for me too after applying the patch KB835732 from Microsoft.
thx



Response Number 24
Name: hermione
Date: May 1, 2004 at 20:18:32 Pacific

Yeah, the Microsoft Security Bulletin MS04-011 (KB835732) works!!
You can download it here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Use Start> Run> "shutdown -a" if the warning pops up while you're downloading/installing the program so you can continue.



Response Number 25
Name: jo
Date: May 1, 2004 at 22:52:36 Pacific

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx


procedure to clean sasser is on the link



Response Number 26
Name: jo
Date: May 1, 2004 at 23:06:38 Pacific

http://www.microsoft.com/security/incident/sasser.asp

sasser specific help from microsoft



Response Number 27
Name: leonard
Date: May 1, 2004 at 23:48:30 Pacific

HELLO GUYS!!!
I HAVE BEEN FOLLOWING THIS THREAD FOR DAYS NOW. AND YES THE PROBLEM WITH LSASS.EXE SHUTDOWN PROBLEM CAN ONLY BE SOLVED BY UPDATING WINDOWS XP.

I TRIED EVERY RECENTLY UPDATED ANTIVIRUS I GOT BUT THAT DID NOT SOLVE THE PROBLEM.

HOWEVER, SINCE MY WIN XP COMPUTER RECEIVES AUTOMATIC UPDATES FROM WINDOWS, I NOTICED THERE IS AN ENTRY IN THE SYSTEM TRAY THAT SAYS "Windows update ready to install".

AFTER RUNNING IT, THAT SOLVED THE PROBLEM !! SIMPLE!!


utot mo!!



Response Number 28
Name: Kazu_from_Japan
Date: May 2, 2004 at 00:07:36 Pacific

To Harv_from_Calif, ZeBen and Hermione,

Glad to hear that you could solve your problems according to my information.

Seeing other posts, it seems there are other types of causes which might be eventually leading to the same symptom, but I think that, to those who are suffering this problem (lsass.exe being unexpectedly terminated and the automatic shutdown as a result) with their registry NOT changed (therefore no virus inside your computers), MS04-011 (KB835732) is worth trying.

My guess is that this problem is being caused by the direct attack from outside which takes advantage of lsass.exe vulnerability.



Response Number 29
Name: linguini
Date: May 2, 2004 at 00:26:47 Pacific

Began having SYSTEM SHUTDOWN messages referencing "lsass.exe" tonight. After multiple reboots, I finally found that a hacker's executable file, "avserve2.exe", had been inserted in my Windows main directory about 15 minutes after my first logon of the evening. It had also been installed in my Windows startup group. After deleting all occurrences of "avserve*.*" from the hard drive, the shutdown problem has ceased.

Thanks for your previous posts that led me to look for the "avserve*.*" culprit. Of course, don't forget to get the latest MS Security Updates and maintain current versions of your virus definition files!




Response Number 30
Name: rsfjr
Date: May 2, 2004 at 04:12:59 Pacific
Reply: (edit)

Hello!
I spent the whole day, yesterday, trying to fix this problem.
When you told about KB835732, I just remembered that, on Friday, I ran Windows Update, but the installation of the updates went wrong, and then the problem started.
Today I was looking, and there is a temporary folder, created by Windows Update, with what inside? Guess! ToT
-> KB835732 Patch! <- ToT
Well, I installed the patch, and the problem seems to be gone.

Thanks All,
Hayato.



Response Number 31
Name: Bootboy69
Date: May 2, 2004 at 08:35:11 Pacific
Reply:

Just had this same issue with lsass.exe on my windows XP PC. The latest update of AVG seems to find it. AVG found downloader.keenval.b and .c in c:\program files\common files\updmgr\rvupdmgr.exe and simgr.exe. After auto-healing and MS patch downloading the system seems fine.

This helped me, thanks! Now my PC runs perfectly!


Response Number 32
Name: athaiguy
Date: May 2, 2004 at 13:56:07 Pacific
Reply:

http://www.trendmicro.com/en/home/us/enterprise.htm

Go here for a free automatic scan and repair from Trend Micro; it works!!!!


Response Number 33
Name: Amy Bartlett
Date: May 2, 2004 at 14:34:28 Pacific
Reply:

I can't believe there's help like this available out there, but I'm glad because I wouldn't know where to turn otherwise.

I ran HijackThis and would be ever grateful if someone was willing to take a look at my log. Let me know.
Thanks and blessings,
-ab


Response Number 34
Name: Sincere
Date: May 2, 2004 at 17:51:45 Pacific
Reply:


Howdy.

Well well well, FINALLY I may have some hope for decent help now. I received this problem yesterday and I've been going bald trying to fix it all this time.

I'm running XP. I get those LSA shell errors when I come on the net, and then the shutdown box appears. I've done searches for all those viruses you have listed, and nothing comes up! I'm downloading the Windows patch now and I pray that it solves this dreadful problem. (The shutdown thing just happened, and I did the date change + the shutdown -a thing and it's gone. Phew.) I just want to get rid of this problem altogether. *crosses fingers*. I hope the KB835732 thing works.

Thanks, all of you! I thought I was the only one :'( . I'll keep you posted.

regards,
Sincere


Response Number 35
Name: rcallero
Date: May 2, 2004 at 22:46:37 Pacific
Reply:

You guys ROCK!

I thought I'd be looking for days to figure this out. The MS update seems to have worked. Should I still remove the "avserv*.*" files? My task manager shows it still trying to execute.

Thanks again!


Response Number 36
Name: ZeBen
Date: May 3, 2004 at 03:20:01 Pacific
Reply:

Does anyone now have problems seeing the computers on his/her local network? I cannot see them and they cannot see me ANYMORE.

I found why, but not the solution.
In my network properties, the boxes "Client for Microsoft Networks" and "share files and printers for Microsoft networks" are unchecked.
But if I click in the boxes, a window opens asking me if I want to deactivate these components (as if they were already activated).
I tried to uninstall and reinstall the components, but the problem is still there.

Any idea?


Response Number 37
Name: gow589
Date: May 3, 2004 at 08:35:26 Pacific
Reply:

I have rebuilt this computer 5 times from scratch. The problem does not appear till I do the MS update. The problem BEGINS with the MS update. The patch above may fix it, but it comes from within this lousy program to begin with. This has been a fresh install which fails after the updates every time!

Thanks a 1000 times for the input by those who have figured it out. Where would we be without you guys!


Response Number 38
Name: hiegear
Date: May 3, 2004 at 08:56:37 Pacific
Reply:

Ok, so I read every entry in this forum and did the necessary updates and file deletions. I still get the shell error and then I get the shutdown lsass.exe. I tried to go back to the MS update site and see if there is anything more that I might have missed. The lsass.exe shutdown comes up again, so I did what ZeBen said and knocked back the time 1 day to give myself more time to update. Now I get an issue with the MS update site saying there is a problem with my system time and that I need to check it. I set it back to normal and let the computer restart. I get back on and try again.... Same error applies. I did the virus scan for McAfee from the safe mode command prompt and also from http://www.trendmicro.com/en/home/us/enterprise.htm, but nothing was found. I think this thing has got me by the ba…..s. Any more ideas?


Response Number 39
Name: GenesisX
Date: May 3, 2004 at 09:50:24 Pacific
Reply:

Hi,

Thank god for KB835732, it finally solved the problem, but it also led to another problem.

After solving the LSASS.EXE issue, I have no problem logging on to the net but notice a high data transfer begin to occur; data is flowing out of my PC at avg 10 KB/s!! The last time I encountered this issue was with the W32.Welchia.Worm, but this time the virus scanner cannot detect any virus present! And the last fix by Symantec does not fix it this time.

Is anyone having the same problem and have a solution for it??


Response Number 40
Name: campalot64
Date: May 3, 2004 at 10:17:14 Pacific
Reply:

Yes! I had the exact same issue as GenesisX and everyone else here! On top of the Lsass issue I also got infected with the older W32 Welchia! I got rid of it with a removal tool from Norton... Seems to have worked out so far.


Response Number 41
Name: GenesisX
Date: May 3, 2004 at 10:30:55 Pacific
Reply:

Hi Campalot64,

You solved it using Symantec's removal tool FixWelch.exe, right? This doesn't solve my problem as it did not detect the W32.welchia virus this time round, even though the symptom (of high data rate flow) is similar. Don't know whether it has anything to do with the KB835732 fix.

But the question is, is this data flow harmful to my PC? (Even though it is still affecting my bandwidth.)


Response Number 42
Name: campalot64
Date: May 3, 2004 at 12:10:48 Pacific
Reply:

GenesisX,
I know what you mean: unsolicited high-volume data flow means trouble to me though!
Something is running in the background...

Take a full look at this thread; response #25 and 26 shows a couple of useful links that can help with the Sasser issue.
Just for info, the Welchia issue WAS detected by NAV this morning when I ran it with the latest virus definition!

To me this whole situation combines multiples attacks (Sasser and Welchia) unless the first one weakens your system and lets other bad things coming through the "door" by the same token! ... Don't know...

…Any additional thoughts from any wise man around?! LOL


Response Number 43
Name: Coolerman
Date: May 3, 2004 at 16:26:26 Pacific
Reply:

Ok, so how do I fix my Windows 2000 computer that WILL NOT BOOT all the way without rebooting? During a reboot it hangs at Applying Security Policy, sits there with the HD light flashing for several minutes, THEN I get the message about LSASS and shutting down in one minute. The system is not up to the point of being able to do ANY of the steps mentioned. It will not boot in safe mode; same issue. Help!


Response Number 44
Name: Coolerman
Date: May 3, 2004 at 16:32:07 Pacific
Reply:

Should have added: I keep this system up to date with MSUpdate and have done all the AV scans which found Blaster (Yes Blaster) and removed it but it still hangs at Applying Security Policy.... then just reboots.


Response Number 45
Name: nsklinh017
Date: May 3, 2004 at 20:34:20 Pacific
Reply:

It's not W32.Blaster.Worm. It's W32.Sasser.Worm. The simplest way to solve the problem:
Go to the URL:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Then you can download the W32.Sasser.Worm Fixtool and follow their instructions. Good luck.



Response Number 46
Name: HangJebat
Date: May 3, 2004 at 23:44:11 Pacific
Reply:

1) "shutdown -a" doesn't work at all!!!

2) is there any patch for Service Pack 2?

thanks a lot...

looking for Shodan in Q4 2005


Response Number 47
Name: Klab0
Date: May 4, 2004 at 02:35:36 Pacific
Reply:

In reply to #45

I'm running Windows 2000 and I'm using Norton Antivirus 2004. I've updated to new virus definitions that are supposed to solve this problem according to Symantec. I also ran the W32.Sasser.Worm Fixtool without any success. When I use the tool it scans all files, but in the log it says that my hard drives weren't scanned.

I've tried numerous online scans as well without any progress. I haven't tried deleting the avserv*.* files, or deleting the registry changes (as suggested in post #17) yet, but I'll post later on if it works out.

In reply to #46
What OS are you running? I haven't tried that command line yet, but is it possible that it only applies to Windows XP?


Response Number 48
Name: Josiah W
Date: May 4, 2004 at 06:29:07 Pacific
Reply:

In response to #47, I have also downloaded the W32.Sasser.Worm Fixtool from
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html and run it on my Win XP Pro without any success. The exe scanned my PC but found no virus. The log said the system files were not scanned. I don't quite understand. I also searched for avserve*.* on my PC and found nothing. Now when I use IE, my PC still reboots itself because of the crashing of lsass.exe due to the virus. Is there a patch from Microsoft for this bug in lsass.exe? Please help!


Response Number 49
Name: Josiah W
Date: May 4, 2004 at 08:38:02 Pacific
Reply:

In response to #47 again

I just downloaded a MS patch from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
for Win Xp Professional to fix this problem. So far the patch seems to work. There is patch for Win 2000 also. Please go there and download a copy. Hope this will help you.


Response Number 50
Name: GenesisX
Date: May 4, 2004 at 09:16:36 Pacific
Reply:

In response to #42,

I have tried everything, scanning with the latest AV, and it still did not detect anything! Data flow (out of my PC) is still going on every time I log on to the net and there is nothing I can do about it. It seems to be a new kind of virus/trojan etc. similar to W32.Welchia.

Anyone encountering this problem and have solution to it ???


Response Number 51
Name: SteveG
Date: May 4, 2004 at 10:12:23 Pacific
Reply:

I am running Windows 2000 on my laptop, which has been infected with the Sasser virus. I have applied Microsoft patch MS835732 and now the situation is even worse. The machine reboots automatically. It gets to the end of 'starting Windows 2000' and then restarts. Does anyone know how I can break out of this routine so that I can at least save some of my key files before I rebuild?
Cheers



Response Number 52
Name: campalot64
Date: May 4, 2004 at 10:35:53 Pacific
Reply:

In response to #50

GenesisX,

Try downloading this small freeware from McAfee called Stinger. It is a virus scan utility that has worked great for me to detect and remove both Sasser and Welchia. It actually can identify more than 40 viruses, worms, etc.

http://www.webattack.com/get/stinger.html

Don't forget to also do the following:
1 - End malicious processes in the Task Manager. End the following:
• avserve.exe
• any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).

2 - Download the latest Microsoft Windows Critical Updates and install. (Especially this one: KB835732)

3 - Download the stinger freeware (See link above!)

4 - Disconnect from the net (unplug DSL...)

5 - Disable your System Restore

6 - Run Stinger (It should detect and get rid of the "bad" files)

7 - Enable the Firewall in the security tab of the property window for EACH of your network connections in your control panel

8 - Restart computer

9 - Enable System Restore

10 – Also check Response Number 17, item 5 to reverse the change made to the registry:
________________________________________
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
________________________________________

a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit
Then click OK. (The Registry Editor opens.)
c. Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete the value:
"avserve.exe"="%Windir%\avserve.exe"
e. Exit the Registry Editor.

...and you should be good to go! At least that's what I did and it all went well since then!

You can also DL and run the removal tools from Symantec. They have updated removal tools for all the most recent threats and good articles that show how to identify an infection, etc.

Go here for the Sasser removal:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

Go here for all other threats removal tools:
http://securityresponse.symantec.com/avcenter/tools.list.html

Hope that helps. Good luck!
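
As an added example (not campalot64's own code, and not from any of the tools linked above), here is a small offline check that applies the indicators from steps 1 and 10 of that procedure to two things you can capture from an affected machine before cleaning it: the output of `tasklist` and a regedit export (.reg) of the Run key. It assumes the file-name patterns exactly as the post states them (avserve.exe, avserve2.exe, a 4-5 digit name ending in _up.exe) and a Run value whose data points at one of those files; both sample inputs below are constructed, not captured from a real infection.

```python
"""Offline triage for the Sasser indicators listed in this thread.

Added example, not the poster's own code. It runs over two text
artifacts you can pull off an affected box before touching anything:
the output of `tasklist` and a regedit export (.reg) of the Run key.
Indicators are exactly the ones named in the post: avserve.exe /
avserve2.exe, a 4-5 digit name ending in _up.exe, and a Run value
pointing at avserve.exe. Sample inputs are constructed.
"""
import re

# File-name indicators from the post (case-insensitive, as on Windows).
INDICATORS = [
    re.compile(r"^avserve\d*\.exe$", re.IGNORECASE),
    re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE),
]

# Only this key is checked, as in step 10 of the post.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def is_indicator(file_name):
    """True when a bare file name matches one of the indicators."""
    return any(p.match(file_name) for p in INDICATORS)


def suspicious_processes(tasklist_text):
    """Image names in `tasklist` output that match an indicator.

    The header and separator rows never match, so they need no
    special-casing; image names containing spaces are not handled.
    """
    hits = []
    for line in tasklist_text.splitlines():
        fields = line.split()
        if fields and is_indicator(fields[0]):
            hits.append(fields[0])
    return hits


def run_key_values(reg_text):
    """Parse a .reg export and return {value name: data} for RUN_KEY only.

    regedit writes REG_SZ data with backslashes doubled, so they are
    collapsed back to single backslashes here.
    """
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key or "=" not in line:
            continue
        name, data = line.split("=", 1)
        values[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return values


def suspicious_run_values(reg_text):
    """Run-key value names whose data points at an indicator file."""
    flagged = []
    for name, data in run_key_values(reg_text).items():
        file_name = data.replace("/", "\\").rsplit("\\", 1)[-1]
        if is_indicator(file_name):
            flagged.append(name)
    return flagged


# Constructed sample: a tasklist dump with two indicator processes.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
lsass.exe                    596 Console                 0      1,204 K
avserve2.exe                1432 Console                 0      3,908 K
74354_up.exe                1500 Console                 0        900 K
explorer.exe                1612 Console                 0     12,344 K
"""

# Constructed sample: regedit export holding the persistence value from step 10.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"avserve.exe"="C:\\WINDOWS\\avserve.exe"
"""

if __name__ == "__main__":
    print("processes to end:", suspicious_processes(SAMPLE_TASKLIST))
    print("Run values to delete:", suspicious_run_values(SAMPLE_REG))
```

Run as a script it prints what steps 1 and 10 tell you to end and delete. The registry parser deliberately scopes itself to the one key named in the post; widen RUN_KEY to a set if you also want RunOnce or the per-user HKEY_CURRENT_USER Run key covered.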


Response Number 53
Name: ellinitha
Date: May 4, 2004 at 11:50:40 Pacific
Reply:

I got the same lsass.exe shutdown message crap with a 1 minute timer. The first time it happened was Sunday (5/1) and I have not been able to stay on-line since without the machine (XP) rebooting on me. My virus software detects nothing. I'm okay if I don't connect to the internet. Once on-line, though, I get shutdown within 5 minutes of surfing. I tried to stop the shutdown process via task manager and the message I get is that I am not authorized to stop it. Nice, huh? I hope the suggestions above work. Thanks for the advice!



Response Number 54
Name: colorchalk
Date: May 4, 2004 at 12:16:30 Pacific
Reply:

I have the same problem as ellinitha!
Whenever I use the internet, within 3-5 minutes, my computer gives me a 1 minute warning and it shuts down. I've taken my laptop to my friend who knows how to "use" it, but that didn't work, but what ismay suggested works! (crossing fingers). This thing happened on Saturday 4/30/04.
And who is spreading this virus anyway?
I will kick his/her !@#$#@$%@..
Just kidding. But don't do it!!!

hk


Response Number 55
Name: Jammurch
Date: May 4, 2004 at 16:15:57 Pacific
Reply:

I have the same problems as everyone else (shutdown timer, lsass.exe, unexplainable uploading), but I was wondering if anyone else is having the problem that when you do shutdown -a it no longer allows you to shut down.
If I go Start > Shutdown it brings me to the log off or switch users menu. After a while shutdown disappears completely and I'm only left with log off.
Does anyone know if this is related to lsass or is it another problem all to itself?
When I go into Task Manager (Ctrl-Alt-Delete) and then Processes it says that the programs are running on "Unknown". So apparently the computer thinks I'm logged on as no one.
I think that's everything, except that I also have avserve2.exe and it seems to be using over 50% CPU power at some times. I deleted it and there doesn't seem to be any problem without it.
-Thanks


Response Number 56
Name: GenesisX
Date: May 4, 2004 at 22:11:05 Pacific
Reply:

In response to #52,

Thanks Campalot64,

You are right about the "Stinger.exe" program; I downloaded it from the McAfee website, I think. Anyway, it detected the virus "Sdbot.worm.gen.g", which I believe somehow has eluded NAV. After deleting the virus-infected files, the unsolicited data transfer is gone.

Another virus that I came across is the "W32.Randex.gen" virus, which NAV detected but is unable to delete or repair the file. It seems to have the same effect as W32.welchia and Sdbot.worm. In the end I found out that I had to use "Regedit" to delete the file.

Hope this info can help some people out there.

Rgds.


Response Number 57
Name: ajkandel
Date: May 4, 2004 at 22:21:51 Pacific
Reply:

I just got (what I believe to be a variation of the Sasser worm) today.

I'm getting all the standard signs of it, such as the LSA export version and lsass.exe error -1073741819 specifically.... I've run Norton, Spybot, Ad-Aware, Stinger, and HijackThis...

The weird thing is I've downloaded and installed the MS04-011 KB835732 patch and Microsoft's own search and removal program for the Sasser A, B, C, and D variants and I can't get rid of the problem... hell, I don't even see any *avserve* processes or files on my comp... I'm running XP Home Edition and have no f---in clue what is going on... I'm almost positive this is a version of the Sasser worm... but I can't remove it like most people can... any ideas on what to do or what this could be if it is not Sasser?

Thanks for the help
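
The status code in these shutdown messages is worth decoding before searching on it. Windows prints the crashed process's NTSTATUS as a signed 32-bit decimal, so the -1073741676 in the original post and the -1073741819 quoted just above are really 0xC0000094 and 0xC0000005. The following is an added example, not anything a poster wrote: it parses the message text as worded in this thread and converts the number back into the hex value and fields you would look up in ntstatus.h. Only the two codes that actually appear in this thread are named; the sample message is constructed from the quoted wording.

```python
"""Decode the status code from the lsass.exe shutdown message.

Added example, not from any poster. Windows prints the NTSTATUS of the
crashed process as a signed 32-bit decimal; converting it back to hex
gives the value you actually look up. The sample message is constructed
from the wording quoted in this thread, and only the two codes that
appear in the thread are named (values from ntstatus.h).
"""
import re

# Matches the shutdown dialog text as quoted in this thread.
MESSAGE_RE = re.compile(
    r"The system process '(?P<path>[^']+)' terminated unexpectedly "
    r"with the status code (?P<code>-?\d+)"
)

# The two codes seen in this thread, named per ntstatus.h.
KNOWN_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def to_ntstatus(signed_code):
    """Signed 32-bit decimal as printed by Windows -> unsigned NTSTATUS."""
    return signed_code & 0xFFFFFFFF


def describe(ntstatus):
    """Split an NTSTATUS into its documented bit fields and name it if known."""
    return {
        "hex": f"0x{ntstatus:08X}",
        "name": KNOWN_CODES.get(ntstatus, "unknown"),
        "severity": SEVERITY[ntstatus >> 30],       # bits 31-30
        "customer": bool(ntstatus & 0x20000000),    # bit 29
        "facility": (ntstatus >> 16) & 0x0FFF,      # bits 27-16
        "code": ntstatus & 0xFFFF,                  # bits 15-0
    }


def parse_shutdown_message(text):
    """Extract the process path and decoded status from the dialog text.

    Returns None when the text is not the shutdown message.
    """
    m = MESSAGE_RE.search(text)
    if m is None:
        return None
    info = describe(to_ntstatus(int(m.group("code"))))
    info["process"] = m.group("path")
    return info


# Constructed from the wording quoted in this thread.
SAMPLE_MESSAGE = (
    "The system process 'c:\\windows\\system32\\lsass.exe' terminated "
    "unexpectedly with the status code -1073741819. The system will now "
    "shut down and restart."
)

if __name__ == "__main__":
    for signed in (-1073741676, -1073741819):
        print(signed, describe(to_ntstatus(signed)))
    print(parse_shutdown_message(SAMPLE_MESSAGE))
```

The two codes decode to different exceptions (an access violation here, an integer divide by zero in the original post), which fits Kazu's remark in #28 that more than one cause was producing the same shutdown symptom in this thread.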


Response Number 58
Name: kevin11
Date: May 4, 2004 at 22:26:39 Pacific
Reply:

I cannot try any of the downloadable solutions you suggested because my variant of the worm does not allow me to enter Windows XP, even in safe mode. A message comes up saying "lsass.exe - system error, object not found." and then the computer reboots automatically (shortly after the Windows XP logo has appeared).

I ran start-up from a DOS boot disk and C:/ prompted an "invalid directory" error, which really frightens me. What is going wrong with my computer, and how can I fix it without reformatting the hard drive? PS. I have a CSI computer, so Dell and HP specific solutions don't seem to be helping. And I can't run a patch anyway because I'm stuck in DOS forever, can't even make it to safe mode.

This problem has been keeping me up all night and I appreciate anyone's insight.

I hope there's a solution that doesn't require a Windows-XP reinstallation because I have no idea where that CD even is!


Response Number 59
Name: Gabba
Date: May 5, 2004 at 03:58:44 Pacific
Reply:

Well, I've tried everything here on my Win2k PC (service pack 2) and nothing will work. I have updated NAV, taken it to get fixed (government laptop so it was free to get fixed at work), tried both of those patches and every one of those tools mentioned and I even put up a ZoneAlarm firewall, but nothing will work and I really don't want to format because I have a lot of work and stuff on the computer.


Response Number 60
Name: omarg1
Date: May 5, 2004 at 07:47:03 Pacific
Reply:

Just like #43 and #51, my Win2k reboots before i get the login form. Can anyone help me???


Response Number 61
Name: rubentomas
Date: May 5, 2004 at 20:11:36 Pacific
Reply:

To all:

This problem does not require your computer to be infected with a virus/worm (Blaster or Sasser).

It affects Windows 2000 up to and including Service Pack 4, and Windows XP (don't know the service packs, assume the worst). The worms can infect Windows 98, but they only make this OS an infection agent. Windows 98 computers will not shut down.

Better use URL http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx and follow the download and installation instructions for your OS. I had to do this using a Windows 98 machine connected through a LAN to my affected Windows 2K laptop.

I downloaded the patch from the Internet with Windows 98 and copied it through the LAN to Windows 2K (there's no LSASS.EXE in Win98 capable of being affected by a buffer overflow attack). The patch is more than 6MB in size. A hell of a patch.

THEN, and with your computer DISCONNECTED from the INTERNET, install the patch AND run any installed virus removal tools you may want to run.

The computer shuts down in response to a buffer overflow command that comes from the Net. SASSER creates AGENTS that send these commands. Currently, any Internet connection must be receiving thousands of them depending on your ISP. By the way, I wasn't able to run the Windows Update page before my computer shut down. So every connection to the Microsoft site looks like it receives buffer overflow attacks also.


Response Number 62
Name: ificanhelp
Date: May 6, 2004 at 07:49:46 Pacific
Reply:

prior to downloading the KB835732
and installing it (which worked fine, by the way), I copied the lsass.ex_ from the XP disk into windows/system32/, renamed the old one (12 KB) and copied lsass.ex_ as lsass.exe (9 KB). Don't know if it made any difference, but it may help people still having problems...
NOTE! If you rename this file and try to reboot without it YOU WILL HANG! and need to boot from cd and run system recovery to replace it!
GREAT FORUM!


Response Number 63
Name: codesub206
Date: May 6, 2004 at 17:33:54 Pacific
Reply:

The fix that worked for me. I checked for viruses with the latest virus updates and they found nothing. I then checked the registry where they said to look for the virus; I didn't find any virus there either. What I did find, however, was a reg key called on boot or something like that, and it was running "dumprep o -u"; this seemed to be causing lsass.exe to crash. I removed this registry entry and then applied the Microsoft patch that was described in response 61. I then rebooted. dumprep no longer crashes my lsass. Hopefully everything is good and I don't have to do any more work; I hate fixing PCs.

Good Luck



Response Number 64
Name: pat43
Date: May 7, 2004 at 14:05:52 Pacific
Reply:

I couldn't find the virus either, with both the tools and manual searching. One way I found to stop the crashing was to simply turn on my Windows XP firewall, but even doing that I still got lots of error messages and sluggish performance. Just now, looking in the Run registry area, where the virus is supposed to be, I saw a key called something like %systemroom%/UserFaultCheck, and it ran the same dumprep program. I deleted it, and things seem to be fine now.


Response Number 65
Name: boughto
Date: May 7, 2004 at 15:32:20 Pacific
Reply:

Hi guys,

Follow the procedure from the Microsoft web page, IN THAT ORDER: http://www.microsoft.com/security/incident/sasser.asp

That is:
1. Firewall
2. Patch Windows
3. Update then scan with antivirus

Great work campalot64, all good stuff... Though I would recommend that the Firewall be enabled (step 7) at the very start. This will prevent further attacks from happening while you try and download. Yup, Kazu picked it for this thread.

Firewall!

Does everyone realise that this infection would never happen if people had enabled a firewall? Ju