Re: LSASS.EXE



From: "Duck" <Duck@xxxxxxxxxxxxxxxxxxxxxxxxx>

| The computer will only boot partway. I get a system shutdown in 60 seconds
| even before I get to the desktop. It says lsass.exe terminated unexpectedly.
| Also 1073741819 shows as a status code.
|
| I've tried Safe Mode and last known good configuration and neither works.
|
| I've tried taking the hard drive out of the computer and installing it as a
| second drive to scan for viruses. I've used AVG and NAV, both updated, to
| scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
| drive. None of these found anything at all.
|
| I've also tried replacing the lsass.exe file with a known good one.
|
| I cannot get the computer to boot so I cannot do anything with the drive
| while it is in the computer.
|
| How can I fix this?

Download the patch (below). Put the patch and Stinger on media (CDROM, ZIP Disk, USB Flash
drive, etc), disconnect the affected PC from the Internet and install the patch. Then reboot
the PC and perform the following scan of the PC using Stinger and the below Multi AV Command
Line Scanner front-end utility!

If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
following when you get the shutdown message.

Go to; Start --> Run
enter; shutdown /a

If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
alt.binaries.comp.virus
In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
issues"

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/

Please read the following URL:
http://www.microsoft.com/security/incident/sasser_printxp.mspx

Install the following patch for the LSASS vulnerability addressed by; KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

Please read: http://www.microsoft.com/security/incident/sasser.mspx


You also need a FireWall. If you don't patch the PC and don't use a FireWall, then you will
just be re-infected.
I also suggest the installation of ALL MS Critical Updates ASAP.


You can also scan the system using the below multi AV Command Line Scanner front end utility

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

