lsass.exe, XP problem solved, done.

Status
Not open for further replies.

gramesh

Journeyman
Hi

I use a computer with Win ME (on C) and Win XP (on D).

Recently, after I surfed the net and visited some sites, the problem started; at that time I was surfing after booting into XP.

Each time I switch on (XP) the following message comes up:

" LSA Shell (Export Version)

LSA Shell (Export Version) encountered a problem and needed to close. This error occurred on 1\30\2005 at 4:46:07 PM (each time, only this time is shown). Please tell Microsoft about this problem ....
.....



To see what data this error report contains, click here. When clicked, the following appeared:

Error signature

szAppName:lsass.exe, szAppver:5.1.260011006, szmodnmae:unknown .......


When I click on Don't Send Report the computer behaves OK if I am using it for normal applications, but when I connect to the net, after some time the following appears on the screen and the system shuts down in one minute:

This system is shutting down. Please save the work .....
..... This shutdown was ..... NT AUTHORITY\SYSTEM

Message:

The system process D:\win\system32\lsass.exe terminated unexpectedly with status word -1073741819. The system will now shut down and restart. It shuts down within a minute.

I think this is the Sasser virus/worm.

Some time back I experienced the same on one of the computers; I visited the Microsoft site, applied a fix and it was made OK.

Now I used the following:

1. FxSasser.exe
2. STINGER.EXE
3. Windows-KB841720-ENU-V4.exe
4. Windows-KB890830-ENU.exe
5. WindowsXP-KB835732-x86-ENU.EXE

but all say "no Sasser virus on your system". Please help!

Regards.
 

ferrarif50

Journeyman
The background service lsass.exe seems to have been corrupted. When the system is shutting down, you can abort it quickly by the following steps:

Go to Start > Run
Type CMD or cmd
In the command prompt, type shutdown -a

This will abort the system shutdown.

As for the service, you can go to the command prompt again and type the following:
sfc /SCANNOW

This will scan system files, and if any are corrupted, you can replace them from the Win XP CD. If this fails, reinstall Windows XP.
 

yehmeriidhain

In the zone
When that 60-second shutdown message comes, type shutdown -a at the command prompt.

After that you can have this permanent solution: go to Start > Run, type services.msc; in the new window that opens, look for Remote Procedure Call (RPC) and double-click on it; then in the new window go to the Recovery tab and select "Take No Action" in all three error-occurring states (it is "Restart The Computer" by default, I suppose :roll:).

This won't remove the virus from your comp but is certainly very very effective, because that 60-second error will be stopped!! And afterwards get the Blaster worm patch from any website; if I remember correctly that patch is available free on the Norton website also. So do this, hope this might solve your problems!!

Good luck :roll:
 

nipun_the_gr8

Guest
You can download the Blaster Worm Removal Tool from here:

securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Or the Sasser Worm Removal Tool from here:

securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
 

vysakh

Padawan
Yes, installing SP2 will fix the problem just like the removal tools do. Moreover, you get the latest updates.
 

swatkat

Technomancer
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies.
See, lsass.exe is not a Sasser worm/virus file, so that's why you didn't get it!
This may be due to a corrupted file or something like that...
Post the log file of HijackThis here; after analysing it, further actions can be taken.
 

gramesh

Journeyman
Hi ferrarif50

As you said, I did sfc /SCANNOW, then a new problem started. I think it changed some files; it started asking me to activate Windows. With great difficulty I got it activated, as I borrowed XP from a friend.

Hi Sourabh

It's borrowed, but I have the original key number. Will it be safe to install SP2? I came to know that after installing SP2 some programs are not running.


Hi yehmeriidhain

I did the RPC changes as you mentioned.

Hi swatkat

I ran HijackThis and below is the log file. BUT a new problem I am facing now, when I connect to the internet through XP, is that after some time the whole screen flashes and the taskbar changes from blue to light yellow and then blue; after that the internet connection freezes. Please help!

Logfile of HijackThis v1.99.0
Scan saved at 10:41:32 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\sm56hlpr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Polyphony Software\Keyboard Manager\KeybdMgr.exe
D:\Documents and Settings\Ramesh\Application Data\cacp.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Ramesh\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
D:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [KeyboardManager] "D:\Program Files\Polyphony Software\Keyboard Manager\KeybdMgr.exe" /s
O4 - HKCU\..\Run: [Lerm] D:\Documents and Settings\Ramesh\Application Data\cacp.exe
O4 - HKCU\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - Startup: ShortKeys Lite.lnk = D:\Program Files\shortkey\SHORTKEY.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F443BA-28E4-42DF-AD51-2BD309C1FCED}: NameServer = 61.1.160.65 61.1.128.5
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - D:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

Regards.
 

swatkat

Technomancer
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\sm56hlpr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Polyphony Software\Keyboard Manager\KeybdMgr.exe
D:\Documents and Settings\Ramesh\Application Data\cacp.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Ramesh\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
D:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [KeyboardManager] "D:\Program Files\Polyphony Software\Keyboard Manager\KeybdMgr.exe" /s
O4 - HKCU\..\Run: [Lerm] D:\Documents and Settings\Ramesh\Application Data\cacp.exe
O4 - HKCU\..\Run: [MONPluginSrIvcs] n3monap23.exe

O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - Startup: ShortKeys Lite.lnk = D:\Program Files\shortkey\SHORTKEY.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F443BA-28E4-42DF-AD51-2BD309C1FCED}: NameServer = 61.1.160.65 61.1.128.5
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - D:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
The bold entries look suspicious. Do these steps:
1] Close all browser windows and programs.
2] Select/check the items which are made bold here in HijackThis and click Fix Selected Items.
3] Then restart your system in Safe Mode.
4] Delete only these files:
a} cacp.exe
b} n3monap23.exe

Also scan your system using TrojanHunter, AdAware...
 

theraven

Technomancer
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe

These are added by the Win32.Rbot.H worm!
They must be fixed too,

as well as this:
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - D:\WINDOWS\System32\vbsys2 (file missing)

For removing the Sasser worm please download the removal tool
or get the McAfee Stinger.

For patching it up, get an original copy of WinXP and install SP2.
"Borrowing" is piracy, and illegal.
 

swatkat

Technomancer
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - D:\WINDOWS\System32\vbsys2 (file missing)
Oh god, how did I miss these entries!!!!!
Remove those in a similar way as mentioned in my earlier post...
Delete this file in Safe Mode:
msconfg.exe
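As an added example (not code from any poster in this thread), the checks swatkat and theraven applied by eye to the HijackThis log, written as a small Python triage pass: O4 autorun entries that name a bare executable with no path or run from a user-writable profile directory, an O21 shell extension whose file is missing, and O16 controls installed from a local file:// source. The sample lines are constructed, modelled on the posted log, and the heuristics are assumptions of this example, not HijackThis's own logic.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries discussed
# in this thread; it is not the full log the original poster pasted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MONPluginSrIvcs] n3monap23.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Lerm] D:\Documents and Settings\Ramesh\Application Data\cacp.exe
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - D:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
"""
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (.*)$")
EXE_EXT = (".exe", ".com", ".bat", ".scr", ".pif")
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")


def executable_of(command):
    """Return the program part of an autorun command line, arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces: grow the prefix word by word until it
    # ends in an executable extension, much as Windows resolves such commands.
    words = command.split(" ")
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return words[0]


def triage(log):
    """Flag entries a responder should verify; a hit means 'check', not 'malicious'."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group(1))
            if "\\" not in exe:
                findings.append((exe, "bare filename: resolved via PATH search, location unverifiable"))
            elif any(p in exe.lower() for p in USER_WRITABLE):
                findings.append((exe, "autorun from a user-writable profile directory"))
        elif line.startswith("O21 - ") and "(file missing)" in line:
            findings.append((line, "shell extension registered but its file is gone"))
        elif line.startswith("O16 - ") and "file://" in line:
            findings.append((line, "ActiveX control installed from a local file:// source"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get (what, reason) pairs; the properly quoted RealPlayer entry and the EPSON service pass, the other five lines are flagged for a closer look.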
 

gramesh

Journeyman
Hi theraven

In the beginning itself I mentioned the five items I used to remove Sasser, out of which Stinger is one; then which Stinger are you referring to?
 

swatkat

Technomancer
gramesh said:
Hi theraven

In the beginning itself I mentioned the five items I used to remove Sasser, out of which Stinger is one; then which Stinger are you referring to?
It's McAfee Stinger. Get it here if you have not used it:
vil.nai.com/vil/stinger/

Also, you can use this CA eTrust Sasser removal tool, clnsasser:
www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39012

Did you try fixing using HijackThis?
 

it_waaznt_me

Coming back to life ..
Well, Raven and SwatKat have already done much of the work. Ramesh, you need this file too:

Sasser Patch. Download and run it. It's bigger than 2 MB so you can't save it on a floppy.
 

theraven

Technomancer
I apologise for not reading your post completely,
but yes, if you haven't tried McAfee Stinger, try it.
Besides this, please install the Win XP SP2 if you haven't already,
and get a good antivirus like KAV Personal Pro/Personal or NAV 2k5.
 

alib_i

Cyborg Agent
batty,
can you make this thread sticky,
edit the topic name a bit;
there are new threads over the very same topic every other day...

____
alibi
 

gramesh

Journeyman
Hi it_waaznt_me
In the beginning of my post I mentioned the Sasser patch you are referring to, "WindowsXP-KB835732-x86-ENU.EXE". Do you mean the same thing?

Regards.
 

gramesh

Journeyman
Hi swatkat

As you said, I fixed the bold items using HijackThis and also deleted
1. cacp.exe
2. n3monap23.exe
3. msconfg.exe

and also these file names with some extension were available in the windows/prefetch folder; also removed.


Hi theraven

I also fixed the items mentioned by u.
I will come back and report if any malfunctioning is there.

Regards.
 

it_waaznt_me

Coming back to life ..
Great, Ramesh. You should install that patch so that you can't get infected again. It will patch the hole that the Sasser virus exploits.
 