Sign in with
Sign up | Sign in
Your question

Lslss.exe

Last response: in Windows XP
Share
Anonymous
June 22, 2005 1:51:03 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

The computer will only boot partway. I get a system shutdown in 60 seconds
even before I get to the desktop. It says lsass.exe terminated unexpectedly.
Also 1073741819 shows as a status code.

I've tried Safe Mode and last known good configuration and neither works.

I've tried taking the hard drive out of the computer and installing it as a
second drive to scan for viruses. I've used AVG and NAV, both updated, to
scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
drive. None of these found anything at all.

I've also tried replacing the lsass.exe file with a known good one.

I cannot get the computer to boot so I cannot do anything with the drive
while it is in the computer.

How can I fix this?

More about : lslss exe

Anonymous
June 22, 2005 1:58:18 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Duck wrote:
> The computer will only boot partway. I get a system shutdown in 60 seconds
> even before I get to the desktop. It says lsass.exe terminated unexpectedly.
> Also 1073741819 shows as a status code.
>
> I've tried Safe Mode and last known good configuration and neither works.
>
> I've tried taking the hard drive out of the computer and installing it as a
> second drive to scan for viruses. I've used AVG and NAV, both updated, to
> scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
> drive. None of these found anything at all.
>
> I've also tried replacing the lsass.exe file with a known good one.
>
> I cannot get the computer to boot so I cannot do anything with the drive
> while it is in the computer.
>
> How can I fix this?

Slave the drive again in the other machine and copy off all your data files.

With the drive back in the orig machine you may try a repair install:

http://www.michaelstevenstech.com/XPrepairinstall.htm

but in my experience this sort of issue has required a clean install of
the OS, including deleting the existing partition:

http://www.michaelstevenstech.com/cleanxpinstall.html

Steve
Anonymous
June 22, 2005 2:06:02 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

You've got one of the Sasser worms.

Check the link below:

http://www.microsoft.com/downloads/details.aspx?familyi...

"Duck" wrote:

> The computer will only boot partway. I get a system shutdown in 60 seconds
> even before I get to the desktop. It says lsass.exe terminated unexpectedly.
> Also 1073741819 shows as a status code.
>
> I've tried Safe Mode and last known good configuration and neither works.
>
> I've tried taking the hard drive out of the computer and installing it as a
> second drive to scan for viruses. I've used AVG and NAV, both updated, to
> scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
> drive. None of these found anything at all.
>
> I've also tried replacing the lsass.exe file with a known good one.
>
> I cannot get the computer to boot so I cannot do anything with the drive
> while it is in the computer.
>
> How can I fix this?
Anonymous
June 22, 2005 5:10:12 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "Duck" <Duck@discussions.microsoft.com>

| The computer will only boot partway. I get a system shutdown in 60 seconds
| even before I get to the desktop. It says lsass.exe terminated unexpectedly.
| Also 1073741819 shows as a status code.
|
| I've tried Safe Mode and last known good configuration and neither works.
|
| I've tried taking the hard drive out of the computer and installing it as a
| second drive to scan for viruses. I've used AVG and NAV, both updated, to
| scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
| drive. None of these found anything at all.
|
| I've also tried replacing the lsass.exe file with a known good one.
|
| I cannot get the computer to boot so I cannot do anything with the drive
| while it is in the computer.
|
| How can I fix this?

Download the patch (below). Put the patch, Stinger on media (CDROM, ZIP Disk, USB Flash
drive, etc) disconnect the affected PC from the Internet and install the patch. Then reboot
the PC and perform the following scan of the PC using Stinger and the below Multi AV Commnad
Line Scanner front end utility !

If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
following when you get the shutdown message.

Go to; Start --> Run
enter; shutdown /a

If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
alt.binaries.comp.virus
In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
issues"

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/

Please read the following URL:
http://www.microsoft.com/security/incident/sasser_print...

Install the following patch for the LSASS vulnerability addressed by; KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyI...

Please read: http://www.microsoft.com/security/incident/sasser.mspx


You also need a FireWall. If you don't patch the PC and not use a FireWall then you will
just be re-infected.
I also suggest the installation of ALL MS Critical Updates ASAP.


You can also scan the system using the below multi AV Command Line Scanner front end utility

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 22, 2005 5:10:13 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

None of this will work as I cannot get into Windows with the affected
computer. Not in Safe Mode either.

The computer shuts down before I can do anything in Windows.

"David H. Lipman" wrote:

> From: "Duck" <Duck@discussions.microsoft.com>
>
> | The computer will only boot partway. I get a system shutdown in 60 seconds
> | even before I get to the desktop. It says lsass.exe terminated unexpectedly.
> | Also 1073741819 shows as a status code.
> |
> | I've tried Safe Mode and last known good configuration and neither works.
> |
> | I've tried taking the hard drive out of the computer and installing it as a
> | second drive to scan for viruses. I've used AVG and NAV, both updated, to
> | scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
> | drive. None of these found anything at all.
> |
> | I've also tried replacing the lsass.exe file with a known good one.
> |
> | I cannot get the computer to boot so I cannot do anything with the drive
> | while it is in the computer.
> |
> | How can I fix this?
>
> Download the patch (below). Put the patch, Stinger on media (CDROM, ZIP Disk, USB Flash
> drive, etc) disconnect the affected PC from the Internet and install the patch. Then reboot
> the PC and perform the following scan of the PC using Stinger and the below Multi AV Commnad
> Line Scanner front end utility !
>
> If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
> following when you get the shutdown message.
>
> Go to; Start --> Run
> enter; shutdown /a
>
> If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
> alt.binaries.comp.virus
> In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
> issues"
>
> This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
> Stinger: http://vil.nai.com/vil/stinger/
>
> Please read the following URL:
> http://www.microsoft.com/security/incident/sasser_print...
>
> Install the following patch for the LSASS vulnerability addressed by; KB835732
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> Please read: http://www.microsoft.com/security/incident/sasser.mspx
>
>
> You also need a FireWall. If you don't patch the PC and not use a FireWall then you will
> just be re-infected.
> I also suggest the installation of ALL MS Critical Updates ASAP.
>
>
> You can also scan the system using the below multi AV Command Line Scanner front end utility
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
> http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
> (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
> simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
> viruses and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode. This
> way all the components can be downloaded from each AV vendor’s web site.
> On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
> On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
> menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
> through your FireWall to allow them to download the needed AV vendor related files.
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
June 22, 2005 5:20:09 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "tfw48079" <tfw48079@discussions.microsoft.com>

| You've got one of the Sasser worms.
|
| Check the link below:
|
|
http://www.microsoft.com/downloads/details.aspx?familyi...
|

That's a faux conclusion as many infectors now will exploit the buffer overflow
vulnerability in LSASS. This isncludes variants of MyDoom and the SDBot worms.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 22, 2005 5:23:21 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

Oooops !

Why did I think I picked this up in a Win2K News Group ? Do'h !!
-----

Download the patch (below). Put the patch, Stinger on media (CDROM, ZIP Disk, USB Flash
drive, etc) disconnect the affected PC from the Internet and install the patch. Then reboot
the PC and perform the following scan of the PC using Stinger and the below Multi AV Commnad
Line Scanner front end utility !

Whjen you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/

Please read the following URL:
http://www.microsoft.com/security/incident/sasser_print...

Please read: http://www.microsoft.com/security/incident/sasser.mspx

Please install the patch that fixes the Lsass vulnerability that the Sasser and other
infectors exploit -- KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyI...

You also need a FireWall.
If you don't patch the PC and not use a FireWall then you will just be re-infected.

I also suggest the installation of ALL MS Critical Updates ASAP.

You also need a FireWall. If you don't patch the PC and not use a FireWall then you will
just be re-infected.
I also suggest the installation of ALL MS Critical Updates ASAP.

You can also scan the system using the below multi AV Command Line Scanner front end utility

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 22, 2005 5:44:13 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "Duck" <Duck@discussions.microsoft.com>

| None of this will work as I cannot get into Windows with the affected
| computer. Not in Safe Mode either.
|
| The computer shuts down before I can do anything in Windows.


See my coprrective updated post. As indicated...

"disconnect the affected PC from the Internet " -- If it is a worm or other Internet based
LSASS Exploit then not having a connection to the Internet will block the ability of the
Exploit to force the shutdown.

If you do NOT have the PC connected to the Internet and you still get the NT
AUTHORITY/SYSTEM shutdown message then there is a problem in the Kernel of the WinXP PC.

When you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download Stinger and the patch.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 23, 2005 11:49:04 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

I guess I'll have to do a wipe and reload.

Thanks for your help.

"David H. Lipman" wrote:

> From: "Duck" <Duck@discussions.microsoft.com>
>
> | None of this will work as I cannot get into Windows with the affected
> | computer. Not in Safe Mode either.
> |
> | The computer shuts down before I can do anything in Windows.
>
>
> See my coprrective updated post. As indicated...
>
> "disconnect the affected PC from the Internet " -- If it is a worm or other Internet based
> LSASS Exploit then not having a connection to the Internet will block the ability of the
> Exploit to force the shutdown.
>
> If you do NOT have the PC connected to the Internet and you still get the NT
> AUTHORITY/SYSTEM shutdown message then there is a problem in the Kernel of the WinXP PC.
>
> When you get the shutdown message...
>
> Go to; Start --> Run
> enter; shutdown -a
>
> This will halt the shutdown and give you a chance to Download Stinger and the patch.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
!