Lsass.exe

Archived from groups: microsoft.public.windowsxp.general

The computer will only boot partway. I get a system shutdown in 60 seconds
even before I get to the desktop. It says lsass.exe terminated unexpectedly.
Also 1073741819 shows as a status code.

I've tried Safe Mode and last known good configuration and neither works.

I've tried taking the hard drive out of the computer and installing it as a
second drive to scan for viruses. I've used AVG and NAV, both updated, to
scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
drive. None of these found anything at all.

I've also tried replacing the lsass.exe file with a known good one.

I cannot get the computer to boot so I cannot do anything with the drive
while it is in the computer.

How can I fix this?
  1. Archived from groups: microsoft.public.windowsxp.general

    Duck wrote:
    > The computer will only boot partway. I get a system shutdown in 60 seconds
    > even before I get to the desktop. It says lsass.exe terminated unexpectedly.
    > Also 1073741819 shows as a status code.
    >
    > I've tried Safe Mode and last known good configuration and neither works.
    >
    > I've tried taking the hard drive out of the computer and installing it as a
    > second drive to scan for viruses. I've used AVG and NAV, both updated, to
    > scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
    > drive. None of these found anything at all.
    >
    > I've also tried replacing the lsass.exe file with a known good one.
    >
    > I cannot get the computer to boot so I cannot do anything with the drive
    > while it is in the computer.
    >
    > How can I fix this?

    Slave the drive again in the other machine and copy off all your data files.

    With the drive back in the orig machine you may try a repair install:

    http://www.michaelstevenstech.com/XPrepairinstall.htm

    but in my experience this sort of issue has required a clean install of
    the OS, including deleting the existing partition:

    http://www.michaelstevenstech.com/cleanxpinstall.html

    Steve
  2. Archived from groups: microsoft.public.windowsxp.general

    You've got one of the Sasser worms.

    Check the link below:

    http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

    "Duck" wrote:

    > The computer will only boot partway. I get a system shutdown in 60 seconds
    > even before I get to the desktop. It says lsass.exe terminated unexpectedly.
    > Also 1073741819 shows as a status code.
    >
    > I've tried Safe Mode and last known good configuration and neither works.
    >
    > I've tried taking the hard drive out of the computer and installing it as a
    > second drive to scan for viruses. I've used AVG and NAV, both updated, to
    > scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
    > drive. None of these found anything at all.
    >
    > I've also tried replacing the lsass.exe file with a known good one.
    >
    > I cannot get the computer to boot so I cannot do anything with the drive
    > while it is in the computer.
    >
    > How can I fix this?
  3. Archived from groups: microsoft.public.windowsxp.general

    From: "Duck" <Duck@discussions.microsoft.com>

    | The computer will only boot partway. I get a system shutdown in 60 seconds
    | even before I get to the desktop. It says lsass.exe terminated unexpectedly.
    | Also 1073741819 shows as a status code.
    |
    | I've tried Safe Mode and last known good configuration and neither works.
    |
    | I've tried taking the hard drive out of the computer and installing it as a
    | second drive to scan for viruses. I've used AVG and NAV, both updated, to
    | scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
    | drive. None of these found anything at all.
    |
    | I've also tried replacing the lsass.exe file with a known good one.
    |
    | I cannot get the computer to boot so I cannot do anything with the drive
    | while it is in the computer.
    |
    | How can I fix this?

    Download the patch (below). Put the patch, Stinger on media (CDROM, ZIP Disk, USB Flash
    drive, etc) disconnect the affected PC from the Internet and install the patch. Then reboot
    the PC and perform the following scan of the PC using Stinger and the below Multi AV Command
    Line Scanner front end utility !

    If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
    following when you get the shutdown message.

    Go to; Start --> Run
    enter; shutdown /a

    If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
    alt.binaries.comp.virus
    In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
    issues"

    This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
    Stinger: http://vil.nai.com/vil/stinger/

    Please read the following URL:
    http://www.microsoft.com/security/incident/sasser_printxp.mspx

    Install the following patch for the LSASS vulnerability addressed by; KB835732
    http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

    Please read: http://www.microsoft.com/security/incident/sasser.mspx


    You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
    just be re-infected.
    I also suggest the installation of ALL MS Critical Updates ASAP.


    You can also scan the system using the below multi AV Command Line Scanner front end utility

    Dump the contents of the IE Temporary Internet Folder cache (TIF)
    Start --> Settings --> Control Panel --> Internet Options --> Delete Files

    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    Tools --> Options --> Privacy --> Cache --> Clear

    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
    (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
    viruses and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode. This
    way all the components can be downloaded from each AV vendor’s web site.
    On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
    On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
    menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
    through your FireWall to allow them to download the needed AV vendor related files.

    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  4. Archived from groups: microsoft.public.windowsxp.general

    None of this will work as I cannot get into Windows with the affected
    computer. Not in Safe Mode either.

    The computer shuts down before I can do anything in Windows.

    "David H. Lipman" wrote:

    > From: "Duck" <Duck@discussions.microsoft.com>
    >
    > | The computer will only boot partway. I get a system shutdown in 60 seconds
    > | even before I get to the desktop. It says lsass.exe terminated unexpectedly.
    > | Also 1073741819 shows as a status code.
    > |
    > | I've tried Safe Mode and last known good configuration and neither works.
    > |
    > | I've tried taking the hard drive out of the computer and installing it as a
    > | second drive to scan for viruses. I've used AVG and NAV, both updated, to
    > | scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
    > | drive. None of these found anything at all.
    > |
    > | I've also tried replacing the lsass.exe file with a known good one.
    > |
    > | I cannot get the computer to boot so I cannot do anything with the drive
    > | while it is in the computer.
    > |
    > | How can I fix this?
    >
    > Download the patch (below). Put the patch, Stinger on media (CDROM, ZIP Disk, USB Flash
    > drive, etc) disconnect the affected PC from the Internet and install the patch. Then reboot
    > the PC and perform the following scan of the PC using Stinger and the below Multi AV Command
    > Line Scanner front end utility !
    >
    > If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
    > following when you get the shutdown message.
    >
    > Go to; Start --> Run
    > enter; shutdown /a
    >
    > If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
    > alt.binaries.comp.virus
    > In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
    > issues"
    >
    > This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
    > Stinger: http://vil.nai.com/vil/stinger/
    >
    > Please read the following URL:
    > http://www.microsoft.com/security/incident/sasser_printxp.mspx
    >
    > Install the following patch for the LSASS vulnerability addressed by; KB835732
    > http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
    >
    > Please read: http://www.microsoft.com/security/incident/sasser.mspx
    >
    >
    > You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
    > just be re-infected.
    > I also suggest the installation of ALL MS Critical Updates ASAP.
    >
    >
    > You can also scan the system using the below multi AV Command Line Scanner front end utility
    >
    > Dump the contents of the IE Temporary Internet Folder cache (TIF)
    > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
    >
    > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    > Tools --> Options --> Privacy --> Cache --> Clear
    >
    > Download MULTI_AV.EXE from the URL --
    > http://www.ik-cs.com/programs/virtools/Multi_AV.exe
    >
    > It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    > http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
    > (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    > simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
    > viruses and various other malware.
    >
    > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    > This will bring up the initial menu of choices and should be executed in Normal Mode. This
    > way all the components can be downloaded from each AV vendor’s web site.
    > On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
    > On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
    > menu and Reboot the PC.
    >
    > You can choose to go to each menu item and just download the needed files or you can
    > download the files and perform a scan in Normal Mode. Once you have downloaded the files
    > needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    > during boot] and re-run the menu again and choose which scanner you want to run in Safe
    > Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
    >
    > When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    > file.
    >
    > To use this utility, perform the following...
    > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    > Choose; Unzip
    > Choose; Close
    >
    > Execute; C:\AV-CLS\StartMenu.BAT
    > { or Double-click on 'Start Menu' in C:\AV-CLS }
    >
    > NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
    > through your FireWall to allow them to download the needed AV vendor related files.
    >
    > * * * Please report back your results * * *
    >
    >
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >
    >
  5. Archived from groups: microsoft.public.windowsxp.general

    From: "tfw48079" <tfw48079@discussions.microsoft.com>

    | You've got one of the Sasser worms.
    |
    | Check the link below:
    |
    | http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
    |

    That's a faux conclusion as many infectors now will exploit the buffer overflow
    vulnerability in LSASS. This includes variants of MyDoom and the SDBot worms.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
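
The status code quoted in the original question, decoded as an added example (not part of any post in this thread). It assumes the leading minus sign was lost when the number was copied from the shutdown dialog: read as a signed 32-bit NTSTATUS, -1073741819 is 0xC0000005, STATUS_ACCESS_VIOLATION, the exit status of a process that crashed on a bad memory access. The function names and the short `KNOWN` table are choices made for this example.

```python
"""Decode the status code from a Windows shutdown dialog as an NTSTATUS."""

SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# A few well-known NTSTATUS values that a crashed process can exit with.
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS (signed or unsigned) into its fields."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError(f"{value} does not fit in 32 bits")
    raw = value & 0xFFFFFFFF  # two's-complement view of a signed value
    return {
        "hex": f"0x{raw:08X}",
        "severity": SEVERITY[raw >> 30],    # bits 31-30
        "customer": bool(raw & (1 << 29)),  # bit 29: non-Microsoft code
        "facility": (raw >> 16) & 0x0FFF,   # bits 27-16
        "code": raw & 0xFFFF,               # bits 15-0
        "name": KNOWN.get(raw),
    }


def interpret_dialog_code(text):
    """Decode a code as typed from the dialog (decimal or 0x-prefixed hex).

    A positive decimal that is not an error status is retried with the
    minus sign restored, but only accepted when the negated value is a
    recognised crash status. Small exit codes such as 5 are left alone.
    """
    value = int(text.strip(), 0)
    result = decode_ntstatus(value)
    result["sign_restored"] = False
    if result["severity"] != "ERROR" and 0 < value < (1 << 31):
        negated = decode_ntstatus(-value)
        if negated["name"] is not None:
            negated["sign_restored"] = True
            return negated
    return result


if __name__ == "__main__":
    # Constructed inputs: the value as posted, its signed form, and hex.
    for sample in ("1073741819", "-1073741819", "0xC0000005"):
        print(sample, "->", interpret_dialog_code(sample))
```

An access violation in lsass.exe says the process crashed, not which infector (if any) caused it, so the decoded value narrows the symptom rather than identifying the malware.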
  6. Archived from groups: microsoft.public.windowsxp.general

    From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

    Oooops !

    Why did I think I picked this up in a Win2K News Group ? Do'h !!
    -----

    Download the patch (below). Put the patch, Stinger on media (CDROM, ZIP Disk, USB Flash
    drive, etc) disconnect the affected PC from the Internet and install the patch. Then reboot
    the PC and perform the following scan of the PC using Stinger and the below Multi AV Command
    Line Scanner front end utility !

    When you get the shutdown message...

    Go to; Start --> Run
    enter; shutdown -a

    This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
    Stinger: http://vil.nai.com/vil/stinger/

    Please read the following URL:
    http://www.microsoft.com/security/incident/sasser_printxp.mspx

    Please read: http://www.microsoft.com/security/incident/sasser.mspx

    Please install the patch that fixes the Lsass vulnerability that the Sasser and other
    infectors exploit -- KB835732
    http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

    You also need a FireWall.
    If you don't patch the PC and don't use a FireWall then you will just be re-infected.

    I also suggest the installation of ALL MS Critical Updates ASAP.

    You can also scan the system using the below multi AV Command Line Scanner front end utility

    Dump the contents of the IE Temporary Internet Folder cache (TIF)
    Start --> Settings --> Control Panel --> Internet Options --> Delete Files

    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    Tools --> Options --> Privacy --> Cache --> Clear

    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
    (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
    viruses and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode. This
    way all the components can be downloaded from each AV vendor’s web site.
    On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
    On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
    menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
    through your FireWall to allow them to download the needed AV vendor related files.

    * * * Please report back your results * * *

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  7. Archived from groups: microsoft.public.windowsxp.general

    From: "Duck" <Duck@discussions.microsoft.com>

    | None of this will work as I cannot get into Windows with the affected
    | computer. Not in Safe Mode either.
    |
    | The computer shuts down before I can do anything in Windows.


    See my corrective updated post. As indicated...

    "disconnect the affected PC from the Internet " -- If it is a worm or other Internet based
    LSASS Exploit then not having a connection to the Internet will block the ability of the
    Exploit to force the shutdown.

    If you do NOT have the PC connected to the Internet and you still get the NT
    AUTHORITY/SYSTEM shutdown message then there is a problem in the Kernel of the WinXP PC.

    When you get the shutdown message...

    Go to; Start --> Run
    enter; shutdown -a

    This will halt the shutdown and give you a chance to Download Stinger and the patch.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  8. Archived from groups: microsoft.public.windowsxp.general

    I guess I'll have to do a wipe and reload.

    Thanks for your help.

    "David H. Lipman" wrote:

    > From: "Duck" <Duck@discussions.microsoft.com>
    >
    > | None of this will work as I cannot get into Windows with the affected
    > | computer. Not in Safe Mode either.
    > |
    > | The computer shuts down before I can do anything in Windows.
    >
    >
    > See my corrective updated post. As indicated...
    >
    > "disconnect the affected PC from the Internet " -- If it is a worm or other Internet based
    > LSASS Exploit then not having a connection to the Internet will block the ability of the
    > Exploit to force the shutdown.
    >
    > If you do NOT have the PC connected to the Internet and you still get the NT
    > AUTHORITY/SYSTEM shutdown message then there is a problem in the Kernel of the WinXP PC.
    >
    > When you get the shutdown message...
    >
    > Go to; Start --> Run
    > enter; shutdown -a
    >
    > This will halt the shutdown and give you a chance to Download Stinger and the patch.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >
    >