NT Authority Error (LSASS.EXE) and System Shutdown

Discussion in 'Computer Support' started by bgordon, May 30, 2004.

  1. bgordon

    bgordon Guest

    I just loaded a clean copy of Win XP Pro, and I use dial-up and MSN 9.0. The
    error ONLY happens while I am connected to the internet, but I get an
    LSASS.exe Shell error, and it asks if I want to send the Error report, I say
    Don't Send, and about 5 minutes after that, I get an NT Authority Event
    C:\Windows\System32\LSASS.EXE is the problem, and the system will be shut
    down in 1 minute. There is no getting around it. Being that I am on dial-up,
    I have not been able to download SP1 yet, or any other updates. Do you think
    that would fix it, or am I infected with a virus? Because I have seen an
    error similar to this before, but it was the Remote Procedure Call (RPC)
    Service that created the error, and it turned out to be The W32.Blaster
    virus. Any suggestions?

    Thanks

    BGordon
    bgordon, May 30, 2004
    #1

  2. bgordon

    why? Guest

    On Sun, 30 May 2004 14:10:55 -0500, bgordon wrote:

    >I just loaded a clean copy of Win XP Pro, and I use dial-up and MSN 9.0. The
    >error ONLY happens while I am connected to the internet, but I get an
    >LSASS.exe Shell error, and it asks if I want to send the Error report, I say
    >Don't Send, and about 5 minutes after that, I get an NT Authority Event
    >C:\Windows\System32\LSASS.EXE is the problem, and the system will be shut


    <snip>

    http://www.microsoft.com/security/incident/sasser.asp
    Sasser Worm, Microsoft teams have confirmed that the Sasser worm
    (W32.Sasser.A and its variants) is currently circulating on the
    Internet. Microsoft has verified that the worm exploits the Local
    Security Authority Subsystem Service (LSASS) issue that was addressed by
    the security update released on April 13 in conjunction with Microsoft
    Security Bulletin MS04-011.

    Article,
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
    it's a 2MB download
    http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

    If you can't get your connection up for very long, try the removal tool
    it's 114K, download information page is
    http://www.microsoft.com/downloads/...7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
    the path to the exe download is
    http://download.microsoft.com/downl...9df4-a0cd2873e3c5/Windows-KB841720-ENU-V4.exe

    >error similar to this before, but it was the Remote Procedure Call (RPC)
    >Service that created the error, and it turned out to be The W32.Blaster
    >virus. Any suggestions?


    Don't use your Internet connection without patching, firewall, spyware
    detection.

    Me
    why?, May 30, 2004
    #2

  3. bgordon

    Unk Guest

    On Sun, 30 May 2004 14:10:55 -0500, "bgordon" <> wrote:

    >I just loaded a clean copy of Win XP Pro, and I use dial-up and MSN 9.0. The
    >error ONLY happens while I am connected to the internet, but I get an
    >LSASS.exe Shell error, and it asks if I want to send the Error report, I say
    >Don't Send, and about 5 minutes after that, I get an NT Authority Event
    >C:\Windows\System32\LSASS.EXE is the problem, and the system will be shut
    >down in 1 minute. There is no getting around it. Being that I am on dial-up,
    >I have not been able to download SP1 yet, or any other updates. Do you think
    >that would fix it, or am I infected with a virus? Because I have seen an
    >error similar to this before, but it was the Remote Procedure Call (RPC)
    >Service that created the error, and it turned out to be The W32.Blaster
    >virus. Any suggestions?
    >
    >Thanks
    >
    >BGordon
    >

    "This shutdown initiated by NT AUTHORITY\SYSTEM"
    If the error is about RPC, refer to the MSBlast section
    If the error is about lsass.exe, refer to the W32.Sasser section

    Restart the computer in the Safe Mode.
    After the Power On Self Test (POST), press and hold the F8 key.

    From the Safe Mode, click Start, Run. In the Run box, type
    "regedit" (without the quotes) and press enter.

    Navigate your way to:
    HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Run

    In the right-hand pane, look for any entry that might include:
    msblast.exe
    penis32.exe
    teekids.exe
    mspatch.exe
    mslaugh.exe
    enbiei.exe
    eschlp.exe
    svchosthlp.exe
    mschost.exe
    tftp.exe
    avserve.exe <---- See "W32.Sasser.Worm" section
    avserve2.exe <---- See "W32.Sasser.B.Worm" section

    Delete any/all of the above entries and exit regedit.

    You just disabled the worm from running at startup. Now, disable System
    Restore:
    Click Start, Programs, Accessories, System Tools, System Restore, System
    Restore Settings, "System Restore" tab, and check the box. "Turn Off System
    Restore on all drives", click "Apply" and "OK".

    Now delete previous Restores:
    Click Start, Accessories, System tools, Disk Cleanup, "More Options" tab,
    "System Restore" section, "Clean up" button, click "Yes"

    ---------------------------------------------------------------------------------------------------------------------------------------
    W32.Blaster.Worm:
    Download the W32.Blaster.Worm Removal Tool, "FixBlast.exe" from Symantec.
    Info:
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
    File: http://securityresponse.symantec.com/avcenter/FixBlast.exe

    Save the file, "FixBlast.exe" to a folder, then double-click it to clean
    your system.

    Restart the computer in the normal mode, and Turn On System Restore on all
    drives.
    Download, and install the Microsoft MS03-026 patch:
    http://support.microsoft.com/?kbid=823980
    http://www.microsoft.com/downloads/...5B6-44AC-9532-3DE40F69C074&displaylang=en

    ---------------------------------------------------------------------------------------------------------------------------------------
    W32.Sasser.Worm; or W32.Sasser.B.Worm
    Download the W32.Sasser.Worm Removal Tool, "FxSasser.exe" from Symantec.
    Info:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
    File: http://securityresponse.symantec.com/avcenter/FxSasser.exe

    Save the file, "FxSasser.exe" to a folder, then double-click it to clean
    your system.

    Restart the computer in the normal mode, and Turn On System Restore on all
    drives.
    Download, and install the Microsoft MS04-011 patch:
    http://support.microsoft.com/?kbid=835732
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
    http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

    The worm also removes a registry entry for the shutdown button in the start
    menu.
    To get it back, Click Start, Run. In the Run box, type "regedit" (without
    the quotes) and
    press Enter. Navigate your way to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look in the right-hand window for the entry:
    "NoClose"=dword:00000001

    If the entry exists, change the "dword:00000001" to "dword:00000000"
    If it doesn't exist, create a new one.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Invest in a decent firewall and antivirus program, and install ALL of
    Microsoft's security patches.
    http://v4.windowsupdate.microsoft.com/en/default.asp

    ---------------------------------------------------------------------------------------------------------------------------------------

    This is a link to a small FREE program by McAfee Anti-virus named Stinger.
    It will scan your system for 41 known viruses and trojans (including the new
    W32/Sasser.worm.e) and repair them. You don't need McAfee anti-virus
    installed on your computer... this is a stand alone program.
    http://vil.nai.com/vil/stinger/

    Microsoft Download Center: Has several virus removal tools.
    http://www.microsoft.com/downloads/search.aspx?displaylang=en
    Unk, May 30, 2004
    #3
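
The Run-key and NoClose checks from the post above, run against a text export of the registry instead of by eye in regedit. This is an added example, not part of the original post; the function names and the sample export are constructed for illustration, and the executable list is the one given in the post.

```python
import re

# Executable names listed in the post above.
WORM_EXES = {
    "msblast.exe", "penis32.exe", "teekids.exe", "mspatch.exe", "mslaugh.exe",
    "enbiei.exe", "eschlp.exe", "svchosthlp.exe", "mschost.exe", "tftp.exe",
    "avserve.exe", "avserve2.exe",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample of a regedit text export (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
"HostSvc"="\"C:\\WINDOWS\\system32\\svchost.exe\" -k netsvcs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001
'''

def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_data}} from export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def flag_run_entries(keys):
    """List (value_name, exe) for Run entries that launch a listed executable."""
    hits = []
    for name, raw in keys.get(RUN_KEY.lower(), {}).items():
        if not raw.startswith('"'):
            continue  # only string (REG_SZ) values hold a command line
        cmd = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
        # Compare whole file names, so svchost.exe never matches svchosthlp.exe.
        for exe in re.findall(r'[^\\/\s"]+\.exe(?![\w.])', cmd, re.I):
            if exe.lower() in WORM_EXES:
                hits.append((name, exe.lower()))
    return hits

def shutdown_hidden(keys):
    """True when the NoClose policy value is a non-zero dword."""
    raw = keys.get(POLICY_KEY.lower(), {}).get("NoClose", "")
    return raw.lower().startswith("dword:") and int(raw[6:], 16) != 0
```

A real "Version 5.00" export from regedit is UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `parse_reg`.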
  4. bgordon

    Reid Decker Guest

    You have the NT Authority thing I just got rid of. I am told it is
    due to a buffer overrun in the OS. I had one hell of a time with it. I had
    to buy a Sasser and Blaster disk from my computer store for $5.00 and he
    threw in a floppy with the NT Authority patch on it. You must use these
    before going on line, otherwise it will shut your machine down before you
    can do anything. I got the problem back when I reinstalled XP. I had cured
    it once before, but lost the floppy with the patch and searched till I was
    blue in the face. Keep the patch once you get rid of the "virus". Also,
    I'm waiting for a free disk from Microsoft, which some expert may tell you
    how to obtain.
    "bgordon" <> wrote in message
    news:...
    > I just loaded a clean copy of Win XP Pro, and I use dial-up and MSN 9.0. The
    > error ONLY happens while I am connected to the internet, but I get an
    > LSASS.exe Shell error, and it asks if I want to send the Error report, I say
    > Don't Send, and about 5 minutes after that, I get an NT Authority Event
    > C:\Windows\System32\LSASS.EXE is the problem, and the system will be shut
    > down in 1 minute. There is no getting around it. Being that I am on dial-up,
    > I have not been able to download SP1 yet, or any other updates. Do you think
    > that would fix it, or am I infected with a virus? Because I have seen an
    > error similar to this before, but it was the Remote Procedure Call (RPC)
    > Service that created the error, and it turned out to be The W32.Blaster
    > virus. Any suggestions?
    >
    > Thanks
    >
    > BGordon
    Reid Decker, May 31, 2004
    #4