
computer virus? LSASS.exe error

dad Donating Member (1000+ posts) Sun May-02-04 09:51 AM
Original message
computer virus? LSASS.exe error
Edited on Sun May-02-04 09:53 AM by canigeta
Any techies out there? Please take a look and let me know.  I
have Windows 2000 Professional.  Currently I have no antivirus
program on it, obviously that is gonna change and soon!

Something or other is wrong with my computer and I think it
must be a virus.  When it boots up, I've only got a few
minutes [it varies btwn approximately 1 and 10 minutes] before
a message pops up and the damn thing reboots itself.  I
actually had to go in to work to even be able to write this
message!


Here is the message:
This system is shutting down.  Please save all work in
progress and log off.  Any unsaved changes will be lost.
Time before shutdown [a countdown clock starting at 60 seconds
appears here. When it goes down to zero the computer reboots.]
The system process 'C:\WINNT\system32\lsass.exe' terminated
unexpectedly with status code 128.  The system will shut down
and restart.

Here's the kicker!  If I try to shut down, a message comes up
saying:
You do not have permission to shut down this computer
teach1st Donating Member (1000+ posts) Sun May-02-04 09:53 AM
Response to Original message
1. Right here...
http://www.jsiinc.com/SUBM/tip6100/rh6116.htm

6116 » Lsass.exe error occurs after you install the Windows 2000 High Encryption Pack?



When you restart after installing the Windows 2000 High Encryption Pack, you receive:

Lsass.exe - Entry Point Not Found

The procedure entry point EqualDomainSid could not be located in the dynamic link library ADVAPI32.dll.

When you press OK, you receive:

System Shutdown This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by \

Time before shutdown: 00:00:59

Message

The system process 'C:\WINNT\System32\Lsass.exe' terminated unexpectedly with status code 128. The system will now shut down and restart.

The above error will occur if the following events transpired:

1. You installed the 271976 Hotfix Rollup Package and DID NOT RESTART.

2. You installed the 274172 FIX: Adding Multiple Users to Active Directory Can Cause Memory Leak When Setting Passwords and restarted your computer.

3. You installed the Windows 2000 High Encryption Pack and restarted your computer.

In the above scenario, a mismatched version of Advapi32.dll remains on your disk.

To resolve this issue:

1. Boot the Windows 2000 Recovery Console.

2. Switch to the System32 folder, cd system32.

3. Type ren advapi32.dll advapi32.old and press Enter.

4. Type copy c:\winnt\$ntuninstallq274172$\advapi32.dll and press Enter, where C:\Winnt should be replaced with the drive and folder in which Windows 2000 is installed.

5. Type exit and press Enter.

NOTE: See QChain.exe is a safe way of installing multiple hotfixes with a single reboot.

NOTE: The W32.Sasser.Worm, at %SystemRoot%\avserver.exe or %SystemRoot%\System32\avserver.exe, and configured to run via a Value Name at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, can cause the LSASS.EXE termination with status code 128. If you are infected:

- Delete the Value Name and close the Registry Editor.
- Shut down and restart your computer.
- Update your antivirus and have it remove the avserver.exe file.
- Apply the Microsoft Security Bulletin MS04-011 patch.
 
dad Donating Member (1000+ posts) Sun May-02-04 10:01 AM
Response to Reply #1
2. .
Thank you, but I don't think that is it.  I never see a
message saying "Lsass.exe - Entry Point Not Found"
at bootup, and plus I never installed a high encryption pack
to my knowledge, unless that's one of those things that can
happen automatically.  This is a home computer we're talking
about.  The thing at the end where I cannot shut down my
computer makes it seem like I've lost admin rights to my own
machine too.  This is irritating to say the least.  Thanks
again, and let me know if you find anything else.  I'm going
out today to buy some kind of antivirus program and hope for
the best.
 
pretzel4gore Donating Member (1000+ posts) Sun May-02-04 10:12 AM
Response to Reply #1
4. microsoft rejects whatever...
msoft rejects effort at point of installing the downloaded 'package'....maybe this is msoft's way of forcing windows xp etc users to pay money or something(?)....
 
orthogonal Donating Member (424 posts) Sun May-02-04 10:09 AM
Response to Original message
3. Yes, you most likely have the Sasser worm
Edited on Sun May-02-04 10:12 AM by orthogonal
Sasser Worm

ISC is aware of the LSASS Sasser worm. This worm is spreading through the MS04-011 (LSASS) vulnerability. According to AV companies, this worm will generate traffic on ports 445, 5554 and 9996. Also, it will copy itself in the windows folder, under the name of avserve.exe, create a file at c:\ called win.log and add the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
Another sign of infection is frequent crashes of 'LSASS.EXE'.


from http://isc.sans.org/diary.php?date=2004-04-30 (emphasis orthogonal's)

You can probably find a free app that removes this at an anti-virus site (McAfee or Symantec); afterwards, do a Windows Update (IE Menu -> Tools -> Windows Update) to get the patch to make sure you don't get re-infected.
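
A triage check for the indicators named in the closing note of reply #1 and in reply #3 (an added example, not part of any poster's message or of the quoted advisories): it looks through Run-key, socket and file listings for the Sasser indicators and separates them from the Advapi32.dll mismatch, since both end in the status code 128 shutdown. The function names and sample input are constructed for illustration, and the input is assumed to be text in the layout of `reg query` and `netstat -an` output.

```python
import re
from ntpath import basename

# Indicators as named in the thread: avserve.exe, c:\win.log and ports 5554/9996
# (ISC quote) plus the avserver.exe spelling (JSI note). Port 445 is ordinary SMB
# traffic, so it is not flagged on its own.
WORM_EXES = {"avserve.exe", "avserver.exe"}
WORM_PORTS = {5554, 9996}

def run_key_hits(reg_text):
    """Run-key value names whose data points at a worm executable."""
    rx = re.compile(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+)$")
    hits = []
    for line in reg_text.splitlines():
        m = rx.match(line)
        if m and basename(m.group(2).strip().strip('"')).lower() in WORM_EXES:
            hits.append(m.group(1))
    return hits

def worm_port_sockets(netstat_text):
    """TCP sockets (split into fields) with a worm port on either end."""
    rx = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+(\S+)")
    hits = []
    for line in netstat_text.splitlines():
        m = rx.match(line)
        if m and {int(m.group(1)), int(m.group(2))} & WORM_PORTS:
            hits.append(line.split())
    return hits

def dropped_files(paths):
    """Paths matching the files the thread says the worm leaves behind."""
    return [p for p in paths
            if basename(p).lower() in WORM_EXES or p.lower() == r"c:\win.log"]

def triage(reg_text, netstat_text, paths, messages):
    """Separate the two causes of the status code 128 LSASS crash in the thread."""
    worm = bool(run_key_hits(reg_text) or worm_port_sockets(netstat_text)
                or dropped_files(paths))
    crash = any("status code 128" in m for m in messages)
    if worm:
        return "sasser-indicators"
    if crash and any("Entry Point Not Found" in m for m in messages):
        return "advapi32-mismatch"
    return "lsass-crash-unexplained" if crash else "no-indicators"

# Constructed sample input, not captured from a real machine.
SAMPLE_REG = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
              "    avserve    REG_SZ    avserve.exe\n")
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:445     0.0.0.0:0    LISTENING\n"
                  "  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING\n")
SAMPLE_PATHS = [r"C:\win.log", r"C:\WINNT\avserve.exe", r"C:\WINNT\notepad.exe"]
SAMPLE_MSGS = ["The system process 'C:\\WINNT\\system32\\lsass.exe' terminated "
               "unexpectedly with status code 128."]
```

A crash message with no worm indicator and no "Entry Point Not Found" dialog comes back as `lsass-crash-unexplained`, which is the state the original poster describes before anything on the machine has been inspected.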
 
RC Donating Member (1000+ posts) Sun May-02-04 10:36 AM
Response to Original message
5. Bring up the CMD screen
Start > Run
Enter cmd
Click start.
In the CMD window, Enter: shutdown -a

Leave the window open. Do not press enter.
When the reboot notice appears, bring the CMD window to the top and press enter.
You will see a message about stopping the reboot.

This will prevent the computer from rebooting and give you time to do whatever.