NT Authority Error (LSASS.EXE) and System Shutdown

I just loaded a clean copy of Win XP Pro, and I use dial-up and MSN 9.0. The
error ONLY happens while I am connected to the internet, but I get an
LSASS.exe Shell error, and it asks if I want to send the Error report, I say
Dont Send, and about 5 minutes after that, I get a NT Authority Event
C:\Windows\System32\LSASS.EXE is the problem, and the system will be shut
down in 1 minute. There is no getting around it. Being that I am on dial-up,
I have not been able to download SP1 yet, or any other updates. Do you think
that would fix it, or am I infected with a virus? Because I have seen an
error similar to this before, but it was the Remote Procedure Call (RPC)
Service that created the error, and it turned out to be The W32.Blaster
virus. Any suggestions?

Thanks

BGordon

 

<snip>

http://www.microsoft.com/security/incident/sasser.asp
Sasser Worm, Microsoft teams have confirmed that the Sasser worm
(W32.Sasser.A and its variants) is currently circulating on the
Internet. Microsoft has verified that the worm exploits the Local
Security Authority Subsystem Service (LSASS) issue that was addressed by
the security update released on April 13 in conjunction with Microsoft
Security Bulletin MS04-011.

Article,
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
it's a 2MB download
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

If you can't get your connection up for very long, try the removal tool
it's 114K, download information page is
http://www.microsoft.com/downloads/...7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
the path to the exe download is
http://download.microsoft.com/downl...9df4-a0cd2873e3c5/Windows-KB841720-ENU-V4.exe

Don't use your Internet connection without patching, firewall, spyware
detection.

Me

 

"This shutdown initiated by NT AUTHORITY\SYSTEM"
If the error is about RPC, refer to the MSBlast section
If the error is about lsass.exe, refer to the W32.Sasser section

Restart the computer in the Safe Mode.
After the Power On Self Test (POST), press and hold the F8 key.

From the Safe Mode, click Start, Run. In the Run box, type
"regedit" (without the quotes) and press enter.

Navigate your way to:
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Run

In the right-hand pane, look for any entry that might include:
msblast.exe
penis32.exe
teekids.exe
mspatch.exe
mslaugh.exe
enbiei.exe
eschlp.exe
svchosthlp.exe
mschost.exe
tftp.exe
avserve.exe <---- See "W32.Sasser.Worm" section
avserve2.exe <---- See "W32.Sasser.B.Worm" section

Delete any/all of the above entries and exit regedit.

You just disabled the worm from running at startup. Now, disable System
Restore:
Click Start, Programs, Accessories, System Tools, System Restore, System
Restore Settings, "System Restore" tab, and check the box. "Turn Off System
Restore on all drives", click "Apply" and "OK".

Now delete previous Restores:
Click Start, Accessories, System tools, Disk Cleanup, "More Options" tab,
"System Restore" section, "Clean up" button, click "Yes"

---------------------------------------------------------------------------------------------------------------------------------------
W32.Blaster.Worm:
Download the W32.Blaster.Worm Removal Tool, "FixBlast.exe" from Symantec.
Info:
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
File: http://securityresponse.symantec.com/avcenter/FixBlast.exe

Save the file, "FixBlast.exe" to a folder, then double-click it to clean
your system.

Restart the computer in the normal mode, and Turn On System Restore on all
drives.
Download, and install the Microsoft MS03-026 patch:
http://support.microsoft.com/?kbid=823980
http://www.microsoft.com/downloads/...5B6-44AC-9532-3DE40F69C074&amp;displaylang=en

---------------------------------------------------------------------------------------------------------------------------------------
W32.Sasser.Worm; or W32.Sasser.B.Worm
Download the W32.Sasser.Worm Removal Tool, "FxSasser.exe" from Symantec.
Info:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
File: http://securityresponse.symantec.com/avcenter/FxSasser.exe

Save the file, "FxSasser.exe" to a folder, then double-click it to clean
your system.

Restart the computer in the normal mode, and Turn On System Restore on all
drives.
Download, and install the Microsoft MS04-011 patch:
http://support.microsoft.com/?kbid=835732
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

The worm also removes a registory entry for the shutdown button in the start
menu.
To get it back, Click Start, Run. In the Run box, type "regedit" (without
the quotes) and
press Enter. Navigate your way to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Look in the right-hand window for the entry:
"NoClose"=dword:00000001

If the entry exists, change the "dword:00000001" to "dword:00000000"
If it doesn't exist, create a new one.

---------------------------------------------------------------------------------------------------------------------------------------

Invest in a decent firewall and antivirus program, and install ALL of
Microsoft's security patches.
http://v4.windowsupdate.microsoft.com/en/default.asp

---------------------------------------------------------------------------------------------------------------------------------------

This is a link to a small FREE program by McAfee Anti-virus named Stinger.
It will scan your system for 41 known viruses and trojans (including the new
W32/Sasser.worm.e) and repair them. You don't need McAfee anti-virus
installed on your computer... this is a stand alone program.
http://vil.nai.com/vil/stinger/

Microsoft Download Center: Has several virus removal tools.
http://www.microsoft.com/downloads/search.aspx?displaylang=en

 

You have the NT Authority thing I just got rid of. I am told it is
due to a buffer overrun in the OS. I had one hell of a time with it. I had
to buy a Sasser and Blaster disk from my computer store for $5.00 and he
threw in a floppy with the NT Authority patch on it. You must use these
before going on line, otherwise it will shut your machine down before you
can do anything. I got the problem back when I reinstalled XP. I had cured
it once before, but lost the floppy with the patch and searched till I was
blue in the face. Keep the patch once you get rid of the "virus". Also,
I'm waiting for a free disk from Microsoft, which some expert may tell you
how to obtain.