RE: LSA Shell Shutdown
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx (Crina Li (MSFT))
- Date: Tue, 19 Jul 2005 03:58:35 GMT

Hi Windmi,

Thank you for posting in the SBS newsgroup.

Based on the problem description, I understand you have encountered an
"LSASS.EXE crash" problem. According to the symptom, the system may be
infected with the virus Win32.Sasser.Worm. Microsoft has been made aware of
this and has verified that the worm exploits the Local Security Authority
Subsystem Service (LSASS). You can protect your computer against this worm
by installing Microsoft Security Bulletin MS04-011 immediately.

You may do the following:

Step 1:
Please remove the Sasser worm with the Microsoft virus removal tool:
Microsoft Windows Malicious Software Removal Tool (KB890830)
http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&DisplayLang=en

On the other hand, the following steps about manually cleaning up virus
infections are for your reference:
1. Restart the computer and boot in Safe Mode:
   1) When the computer boots, press F8.
   2) On the Windows Advanced Options Menu, select Safe Mode and press
      Enter.
   3) When the Boot Menu appears again, select the appropriate OS entry,
      and press Enter.
   4) Log in to Windows by using a user account of the Computer
      Administrator type.
2. Stop the virus-related processes:
   1) Press Ctrl+Shift+Esc to load Task Manager.
   2) Stop the following processes if they are running in the background:
      c:\WINDOWS\system32\*_up.exe
      avserve.exe
3. Configure folder options:
   1) Double-click Folder Options in Control Panel.
   2) Click the Tools menu, and click Folder Options.
   3) On the View tab, select the "Show hidden files and folders" option,
      deselect the "Hide extensions for known file types" option, and click OK.
4. Search for virus files and delete them:
   C:\WINDOWS\avserve.exe
   c:\WINDOWS\system32\*_up.exe
5. Remove the corresponding registry key:
   1) Click Start, click Run, type REGEDIT in the Open box, and click OK.
   2) Navigate to the following registry branch:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   3) In the left pane, click [Run] to highlight it; in the right pane,
      delete the following value name:
      Value name: avserve.exe
      Value data: C:\WINDOWS\avserve.exe
6. Restart the computer in Normal Mode.

Step 2:
Please install the latest update 835732; you may download it from the Windows
Update site or from the following link:
Microsoft Security Bulletin MS04-011 Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
For more information about this virus, you may refer to the following web
site:
http://www.microsoft.com/security/incident/sasser.asp

Step 3:
Please update your computer.
Security updates help shield your computer from vulnerabilities, viruses,
worms, and other threats as they are discovered. You can install security
updates for Windows and Windows components (such as Internet Explorer,
Outlook Express, and Windows Media Player). To do this, visit the following
Microsoft Web site:
Windows Update
http://windowsupdate.microsoft.com
For additional information, click the following article number to view the
article in the Microsoft Knowledge Base:
311047 How to keep your Windows computer up-to-date
http://support.microsoft.com/?id=311047
There are three steps you can take to improve your computer's security. You
can follow the three steps online, or print them for easy reference.
http://www.microsoft.com/security/protect/default.asp
If you have any questions or concerns, please feel free to let me know. I
am looking forward to your reply.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: LSA Shell Shutdown
| From: windmi <windmi@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: LSA Shell Shutdown
| Date: Fri, 15 Jul 2005 11:20:02 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| The following error message was received after unexpected automatic
| shutdowns. Can anybody explain this and offer assistance?
|
| LSA Shell encountered a problem and needed to close.
|
| ERROR signature:
|
| AppName: lsass.exe AppVer: 5.2.3790.0 ModName: rpcrt4.dll ModVer:
| 5.2.3790.76 Offset: 0000ce4d
|
| ERROR REPORT CONTENTS
|
| The following files will be included in this report:
|
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER121.tmp.dir00\lsass.exe.mdmp
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER121.tmp.dir00\appcompat.txt
|
.
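
The indicators named in the manual cleanup steps of the reply above (the avserve.exe and *_up.exe processes and files, the Run value, and update 835732) can be checked read-only before anything is stopped or deleted. This is an added example, not part of the original posting or of any Microsoft tool; it assumes PowerShell is available on the machine, and the function name Test-SasserIndicators is hypothetical.

```powershell
# Added example: read-only audit for the Sasser indicators listed in the posting.
# Test-SasserIndicators is a hypothetical name; nothing is stopped or deleted.
function Test-SasserIndicators {
    param(
        [string]$WinDir = $env:windir   # C:\WINDOWS in the posting
    )

    $findings = @()

    # Manual step 2: avserve.exe or *_up.exe running in the background.
    $findings += @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -eq 'avserve' -or $_.ProcessName -like '*_up' } |
        ForEach-Object { "Process: $($_.ProcessName) (PID $($_.Id))" })

    # Manual step 4: the files on disk (-Force also lists hidden files).
    $paths = @(
        (Join-Path $WinDir 'avserve.exe'),
        (Join-Path $WinDir 'system32\*_up.exe')
    )
    $findings += @(Get-ChildItem -Path $paths -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "File: $($_.FullName)" })

    # Manual step 5: the autostart value under HKLM\...\CurrentVersion\Run.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['avserve.exe']) {
        $findings += "Run value: avserve.exe = $($run.'avserve.exe')"
    }

    # Step 2 of the reply: is update 835732 (MS04-011) listed as installed?
    $patched = [bool](Get-HotFix -Id 'KB835732' -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Indicators = $findings
        KB835732   = $patched
        Suspect    = ($findings.Count -gt 0)
    }
}

Test-SasserIndicators | Format-List
```

Get-HotFix reports only updates the system lists individually, so treat KB835732 = False as a prompt to check the patch level rather than as proof that the fix is missing.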