NT Authority Error (LSASS.EXE) and System Shutdown

Discussion in 'Computer Support' started by bgordon, May 30, 2004.

  1. bgordon

    bgordon Guest

    I just loaded a clean copy of Win XP Pro, and I use dial-up and MSN 9.0. The
    error ONLY happens while I am connected to the internet, but I get an
    LSASS.exe Shell error, and it asks if I want to send the Error report, I say
    Don't Send, and about 5 minutes after that, I get an NT Authority Event
    C:\Windows\System32\LSASS.EXE is the problem, and the system will be shut
    down in 1 minute. There is no getting around it. Being that I am on dial-up,
    I have not been able to download SP1 yet, or any other updates. Do you think
    that would fix it, or am I infected with a virus? Because I have seen an
    error similar to this before, but it was the Remote Procedure Call (RPC)
    Service that created the error, and it turned out to be the W32.Blaster
    virus. Any suggestions?


    bgordon, May 30, 2004

  2. bgordon

    why? Guest


    Sasser Worm. Microsoft teams have confirmed that the Sasser worm
    (W32.Sasser.A and its variants) is currently circulating on the
    Internet. Microsoft has verified that the worm exploits the Local
    Security Authority Subsystem Service (LSASS) issue that was addressed by
    the security update released on April 13 in conjunction with Microsoft
    Security Bulletin MS04-011.

    it's a 2MB download

    If you can't get your connection up for very long, try the removal tool
    it's 114K, download information page is
    the path to the exe download is
    Don't use your Internet connection without patching, firewall, spyware

    why?, May 30, 2004

  3. bgordon

    Unk Guest

    "This shutdown initiated by NT AUTHORITY\SYSTEM"
    If the error is about RPC, refer to the MSBlast section
    If the error is about lsass.exe, refer to the W32.Sasser section

    Restart the computer in the Safe Mode.
    After the Power On Self Test (POST), press and hold the F8 key.

    From the Safe Mode, click Start, Run. In the Run box, type
    "regedit" (without the quotes) and press enter.

    Navigate your way to:
    HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Run

    In the right-hand pane, look for any entry that might include:
    avserve.exe <---- See "W32.Sasser.Worm" section
    avserve2.exe <---- See "W32.Sasser.B.Worm" section

    Delete any/all of the above entries and exit regedit.

    You just disabled the worm from running at startup. Now, disable System
    Click Start, Programs, Accessories, System Tools, System Restore, System
    Restore Settings, "System Restore" tab, and check the box. "Turn Off System
    Restore on all drives", click "Apply" and "OK".

    Now delete previous Restores:
    Click Start, Accessories, System tools, Disk Cleanup, "More Options" tab,
    "System Restore" section, "Clean up" button, click "Yes"

    Download the W32.Blaster.Worm Removal Tool, "FixBlast.exe" from Symantec.
    File: http://securityresponse.symantec.com/avcenter/FixBlast.exe

    Save the file, "FixBlast.exe" to a folder, then double-click it to clean
    your system.

    Restart the computer in the normal mode, and Turn On System Restore on all
    Download, and install the Microsoft MS03-026 patch:

    W32.Sasser.Worm; or W32.Sasser.B.Worm
    Download the W32.Sasser.Worm Removal Tool, "FxSasser.exe" from Symantec.
    File: http://securityresponse.symantec.com/avcenter/FxSasser.exe

    Save the file, "FxSasser.exe" to a folder, then double-click it to clean
    your system.

    Restart the computer in the normal mode, and Turn On System Restore on all
    Download, and install the Microsoft MS04-011 patch:

    The worm also removes a registry entry for the shutdown button in the start
    To get it back, Click Start, Run. In the Run box, type "regedit" (without
    the quotes) and press Enter. Navigate your way to:


    Look in the right-hand window for the entry:

    If the entry exists, change the "dword:00000001" to "dword:00000000"
    If it doesn't exist, create a new one.


    Invest in a decent firewall and antivirus program, and install ALL of
    Microsoft's security patches.


    This is a link to a small FREE program by McAfee Anti-virus named Stinger.
    It will scan your system for 41 known viruses and trojans (including the new
    W32/Sasser.worm.e) and repair them. You don't need McAfee anti-virus
    installed on your computer... this is a stand alone program.

    Microsoft Download Center: Has several virus removal tools.
    Unk, May 30, 2004
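The Run-key check described in the post above can be done against an exported copy of the key instead of by eye in regedit. The following is an added example, not part of the original post: it parses the text of a `.reg` export and reports values under the Run key that launch `avserve.exe` or `avserve2.exe`. The function names and the sample export are assumptions constructed for illustration.

```python
import ntpath
import re

# Autostart key and file names exactly as given in the post above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILES = {"avserve.exe", "avserve2.exe"}
# One "name"="string data" line of a .reg export; \\ and \" are escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export (value names and paths are made up for the demo).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /startup"
"avserve2.exe"="avserve2.exe"
"ExampleUpdater"="C:\\WINDOWS\\AVSERVE.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
"Decoy"="avserve.exe"
'''

def command_basename(command):
    """Lower-cased file name of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
        program = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(program).lower()

def find_worm_run_entries(reg_text):
    """Return [(value_name, command)] for Run values launching a listed file."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if m:  # undo .reg backslash escaping before inspecting the data
            name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            if command_basename(command) in WORM_FILES:
                hits.append((name, command))
    return hits

if __name__ == "__main__":
    for name, command in find_worm_run_entries(SAMPLE_EXPORT):
        print(f"suspicious Run entry: {name} -> {command}")
```

Exports written in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file accordingly before passing its text to `find_worm_run_entries`.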
  4. bgordon

    Reid Decker Guest

    You have the NT Authority thing I just got rid of. I am told it is
    due to a buffer overrun in the OS. I had one hell of a time with it. I had
    to buy a Sasser and Blaster disk from my computer store for $5.00 and he
    threw in a floppy with the NT Authority patch on it. You must use these
    before going on line, otherwise it will shut your machine down before you
    can do anything. I got the problem back when I reinstalled XP. I had cured
    it once before, but lost the floppy with the patch and searched till I was
    blue in the face. Keep the patch once you get rid of the "virus". Also,
    I'm waiting for a free disk from Microsoft, which some expert may tell you
    how to obtain.
    Reid Decker, May 31, 2004