lsass.exe

Discussion in 'Computer Security' started by Bob, May 28, 2005.

  1. Bob

    Bob Guest

    Hi,

    Several systems simultaneously shut down on our network the other day with a
    message from NT AUTHORITY SERVICE stating that c:\winnt\system32\lsasse.exe
    had failed and the system would reboot in about 60 seconds.

    Is this related to the Sasser worm as our av people have stated that we are
    patched for the above scenario unless it's a new variant?

    Some systems remained up which leads me to believe that the issue is
    related to service packs/security patches rather than our av solution being
    able to identify a problem with lasass.exe.

    Any feedback here would be greatly appreciated.

    Bob
     
    Bob, May 28, 2005
    #1

  2. Bob

    Randy Guest

    http://www.google.com/search?hl=en&q=lsasse.exe&btnG=Google Search

    Bob wrote:
    > Hi,
    >
    > Several systems simultaneously shut down on our network the other day with a
    > message from NT AUTHORITY SERVICE stating that c:\winnt\system32\lsasse.exe
    > had failed and the system would reboot in about 60 seconds.
    >
    > Is this related to the Sasser worm as our av people have stated that we are
    > patched for the above scenario unless it's a new variant?
    >
    > Some systems remained up which leads me to believe that the issue is
    > related to service packs/security patches rather than our av solution being
    > able to identify a problem with lasass.exe.
    >
    > Any feedback here would be greatly appreciated.
    >
    > Bob
    >
    >
    >
     
    Randy, May 28, 2005
    #2

  3. From: "Bob" <>

    | Hi,
    |
    | Several systems simultaneously shut down on our network the other day with a
    | message from NT AUTHORITY SERVICE stating that c:\winnt\system32\lsasse.exe
    | had failed and the system would reboot in about 60 seconds.
    |
    | Is this related to the Sasser worm as our av people have stated that we are
    | patched for the above scenario unless it's a new variant?
    |
    | Some systems remained up which leads me to believe that the issue is
    | related to service packs/security patches rather than our av solution being
    | able to identify a problem with lasass.exe.
    |
    | Any feedback here would be greatly appreciated.
    |
    | Bob
    |

    Reference posts with the same subject in: alt.binaries.comp.virus

    If the NT System/shutdown message looks like the one posted in the above News Group it could
    be the Sasser or another form of LSASS Exploit.

    If it is WinXP or Win2003 Server you can use the native SHUTDOWN.EXE utility.

    On Win2K you have to use the Resource Kit utility posted in; alt.binaries.comp.virus.

    WinXP or Win2003 Server
    Go to; Start --> Run
    enter; shutdown -a

    For Win2K Resource Kit utility
    enter; shutdown /a

    Download the patch (below). Put the patch, Stinger and Sysclean (below) on media (CDROM, ZIP
    Disk, USB Flash drive, etc.), disconnect the affected PC from the Internet and install the
    patch, then reboot the PC. Reconnect the PC to the Internet and perform the scans of the PC
    with Stinger and Trend Sysclean!

    Please read the following URL:
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    Please install the patch that fixes the LSASS vulnerability that Sasser and others
    exploit --

    WinXP KB835732
    http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

    Win2K KB835732
    http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

    You also need a FireWall.
    If you don't patch the PC and don't use a FireWall then you will just be re-infected.

    I also suggest the installation of ALL MS Critical Updates ASAP.

    Dump the contents of the IE Temporary Internet Folder cache (TIF)
    Start --> Settings --> Control Panel --> Internet Options --> Delete Files

    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    Tools --> Options --> Privacy --> Cache --> Clear

    1) Download the TrendMicro Sysclean Front End

    Download the utility SYSCLEAN_FE at the following URL --
    http://www.ik-cs.com/got-a-virus.htm
    SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
    Direct URL --
    http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


    2) Download McAfee/AVERT Stinger
    http://vil.nai.com/vil/stinger/


    3) Execute; SYSCLEAN_FE.EXE
    Choose; Unzip
    Choose; Close


    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    When you get to the menu choose [1] so you can boot into Safe Mode.

    4) Reboot your PC into Safe Mode and shut down as many applications as possible.

    5) Scan using Stinger.

    6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
    when done, execute Ad-aware SE and perform a full scan of your PC and delete

    7) Restart your PC and perform a "final" Full Scan of your platform
    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
    when done, execute Ad-aware SE and perform a final scan of your PC and delete
    all objects found.



    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, May 28, 2005
    #3