lsass.exe - Shutdown in 1 min...
UserFriendly7
Moderator



Posts: 1471
Location: England
PostPosted: Sun, 1st May 2005 01:35    Post subject: lsass.exe - Shutdown in 1 min...
Hello, one of my computers is having a bit of a problem getting to know its ADSL modem.

All the drivers are installed correctly on the basic Windows XP Professional os.

When it connects to the internet it lasts for about 30-60 seconds, then gives an error (via the MS error report) and then displays a window explaining it's a non-recoverable error.

The only solution I have at the moment is to execute the command "Shutdown -a" in the run box.

It's not the Sasser worm virus, as I have downloaded all the little tools to cure that and nothing was found, and AVG Free can't detect any other viruses, so I can't see it being a virus...

One option I have is to replace the lsass.exe file with the file on this computer, but that didn't seem to work.

Are there any tools/fixes to disable any error reporting crap from this file and to permanently stop the shutdown period?

Thanks!!
cousinvinnie7




Posts: 75

PostPosted: Sun, 1st May 2005 02:08    Post subject:
Hello, I'm not sure of your Windows experience. There are many types of trojan and virus that cause your system to restart just when you try to go on the web or add and remove programs, and in most cases they disable antivirus and firewall programs. What you need to do is start in safe mode (JFYI: F8 at startup, then Safe Mode), and that's how you can find what's ailing your PC. Once your system starts, type msconfig.exe in the Run box; the last tab will be Startup and you'll see a list of startup programs and such. Also, if you're not familiar with the insides of Windows, don't try this. Good luck.


[AMD XP 2500 BARTON] [ASUS A7N8X-E NForce 2] [1GiG XMS CORSAIR DC PC-3200] [BFG 6600GT 500@1000] [SB AUDIGY 2 ZS PLATINUM]600wps SEAGATE 36GIG 15,000 RPM SCSI ADAPTEC ULTRA 160 SCSI controller [LITEON DVD/RW-pioneer dvd/cd-rom
Mutantius
VIP Member



Posts: 18594
Location: In Elektro looking for beans
PostPosted: Sun, 1st May 2005 02:25    Post subject:
Hmm, this is actually a sign of Sasser, since its Lsass also creates that kind of behaviour... Tried good old Windows Update?


"Why don't you zip it, Zipfero?" - fraich3
Accelleron




Posts: 1926

PostPosted: Sun, 1st May 2005 04:17    Post subject:
If you have another working PC, I'd make the entire HD available on your home network and scan it from the other PC.


Under




Posts: 667
Location: Scotland
PostPosted: Sun, 1st May 2005 10:59    Post subject:
1st:
Download: MicrosoftAntiSpywareInstall.exe

2nd:
Install it on the infected computer and try to update the spyware definitions. If that fails, skip it and start checking.

3rd:
If you still have problems with the computer (after the MS scan), do this:

It's highly recommended by me to do all of these actions in .. ehh ... what do you call it in English? .. It's called Tryb Awaryjny in Polish, but in English .. lemme think .. oh .. Safe Mode? Because some of the files might be in use.


  • Go to c:\Documents and Settings\YOUR_USER_NAME\Local Settings\
    Delete Temporary files and temp ...
  • Go to C:\Temp\ (if you have it) - if you see any salm.exe or something like it here, delete it
  • Windows -> Run -> Cleanmgr - and clean everything
  • Go to C:\Windows\ - check the main dir - sort files by date and if you see some new DLLs or EXEs (let's say from 1-2 weeks) delete them
    Do the same in the System32 folder
  • Stop the Netbios Service - Uninstall Microsoft Messenger - Always be sure that you have the latest updates - Change IE to Firefox ...
  • Check the Add/Uninstall Software list ... for utils like Search Assistant ... 180 search ... ShopBargain and so on



BTW : About LSASS.EXE :

Virus with same name:
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee
W32.HLLW.Lovgate.C@mm - Symantec Corporation

You can use this : http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

or (and I would recommend it)

Malware.REMOVE.Tool.From.MICROSOFT




Best PICKUP LINE :
"Hey, does this rag smell like chloroform to you?"


Last edited by Under on Sat, 4th Jun 2005 13:17; edited 1 time in total
UserFriendly7
Moderator



Posts: 1471
Location: England
PostPosted: Sun, 1st May 2005 11:40    Post subject:
Hmmm, I'll try the antivirus stuff again but I'm 99.9% sure it's not the Sasser worm or any type of virus...

I thought about the Windows Update, but don't really want to install the service packs.....

Any other suggestions?

Thanks!


Steve-O 2004




Posts: 2851

PostPosted: Sun, 1st May 2005 12:23    Post subject:
Sounds like you connected to the Net With no Firewall... Make sure you have a good firewall and scan for the Sasser worm as I fixed a computer with that same problem the other day.


George W Bush -

'...more and more of our imports are coming from overseas.'
chrisbadboy1




Posts: 1

PostPosted: Sun, 5th Jun 2005 16:41    Post subject:
Yeah, it's the firewall. If you install a firewall you will see that you don't get the 60 seconds anymore. It's a worm that spreads on your network; I fixed a PC with that thing a while ago too.
UserFriendly7
Moderator



Posts: 1471
Location: England
PostPosted: Mon, 6th Jun 2005 02:58    Post subject:
Sorted out the problem...

I can guarantee there is no worm on the computer, and it still insisted on shutting down, the only way to avoid that being to type "shutdown -a" in the Run command box.

In the end I just turned off the Windows Error Reporting service and Bob's your uncle! It was fixed.

I'm putting it down to Windows not liking the USB ADSL modem (Windows has to dial 0,24 to get a connection and the software makes the computer think it's an ISDN card) ~~ very odd indeed...!

Cheers for the help guys 'n' gals tho!


[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Mon, 6th Jun 2005 09:34    Post subject:
lol dude, that's not fixing a problem, that's just making it not bother you so much. Don't forget something is still fucking up and chances are it will bite you in the ass sooner or later.

My guess would have been Sasser, no matter what your anti-virals say.
whoKnows
VIP Member



Posts: 2972

PostPosted: Tue, 7th Jun 2005 09:41    Post subject:
I don't think it's Sasser either, it is the Blaster worm. As soon as you get an active TCP connection the computer shuts down; that's typical for Blaster too. Do the following:

Download Viewtcp and check for listening or active connections (tcp/udp)
http://mwti.net/antivirus/viewtcp.asp

And then get stinger from nai, its free and checks for all major worms:
http://vil.mcafeesecurity.com/vil/averttools.asp

And syn is right, you have to actually fix the problem.
UserFriendly7
Moderator



Posts: 1471
Location: England
PostPosted: Tue, 7th Jun 2005 11:13    Post subject:
Tell me, how can it be a worm when the computer has just been formatted and WinXP freshly installed, with nothing but the ADSL modem drivers installed? Can there be a worm?

I have tried NOD32, AVG, Kaspersky and not to mention the individual worm removal tools, and they detect nothing.

At the end of the day the computer that seems to be having problems is not that often on the internet, so in the unlikely chance of it being a worm, virus, trojan etc... it wouldn't affect the computer much.


Avenger_




Posts: 658
Location: Norway
PostPosted: Tue, 7th Jun 2005 16:01    Post subject:
When WinXP is freshly installed, it's full of security holes.

So connecting a freshly installed WinXP to the net without some sort of firewall is like opening a link someone PMed to you on IRC.

I've seen occurrences where a PC got infected < 5 mins after connecting to the net, without browsing etc.
[sYn]
[Moderator] Elitist



Posts: 8374

PostPosted: Tue, 7th Jun 2005 16:30    Post subject:
Avenger_ wrote:
When WinXP is freshly installed, it's full of security holes.

So connecting a freshly installed WinXP to the net without some sort of firewall is like opening a link someone PMed to you on IRC.

I've seen occurrences where a PC got infected < 5 mins after connecting to the net, without browsing etc.


Agreed

I meant Blaster, not Sasser, I always get the "big worms" mixed up!!

It's the easiest infection in the world, UserFriendly, you only have to connect to the web and it will find you and infect you! It's also a pain in the ass!
gutyreader




Posts: 365

PostPosted: Mon, 13th Jun 2005 22:01    Post subject:
Yep, Blaster's pretty quick.

Run a Windows Update, just update until SP2 if you don't want it (SP1 is all right, though. You definitely should get to SP1 and up... just stop before SP2)
Page 1 of 1 All times are GMT + 1 Hour
NFOHump.com Forum Index - Operating Systems