#1

HELP!! System Shutting down after 10 min with "LSASS.EXE Terminated Unexpectedly with status Code 1073741819". I've run the Microsoft Malicious Software tool and it doesn't detect the W32.Sasser.E.Worm. I've tried the Symantec tool as well but the system shuts down before it is complete. I've compared this to my other system and the Registry entries for LSASS.EXE are exactly the same. My other system is fine. I have tried virtually every suggestion I have found on the Web and still no resolution.

Any suggestions? Bob

#2

RUNNING WINDOWS XP. ALL updates applied.

"Robert J. Rando" <rjrando1@cox.net> wrote in message news:4IIrf.469$sA3.313@fed1read02...
> HELP!! System Shutting down after 10 min with "LSASS.EXE Terminated
> Unexpectedly with status Code 1073741819". I've run the Microsoft
> Malicious Software tool and it doesn't detect the W32.Sasser.E.Worm. I've
> tried the Symantec tool as well but the system shuts down before it is
> complete. I've compared this to my other system and the Registry entries
> for LSASS.EXE are exactly the same. My other system is fine. I have tried
> virtually every suggestion I have found on the Web and still no
> resolution.
>
> Any suggestions? Bob

#3

Hi,

It's a worm. When the message appears, click start/run and type "shutdown -a" (without the quotes) to halt it and then download some up to date Antivirus scanning software.

Free virus removal tools:

http://vil.nai.com/vil/stinger/
http://www.emsisoft.com/en/
http://free.grisoft.com/doc/8/lng/us.../nid/3001#3001
http://www.f-secure.com/download-purchase/tools.shtml

Also, you may use this free on-line scanner:
http://housecall.trendmicro.com/

Symantec also distributes many free removal tools that are virus-specific:
http://securityresponse.symantec.com...ools.list.html

Many are best run in Safe mode to minimize interference. Most will resist removal in normal mode where they are active.

How to start in Safe mode:
http://www.rickrogers.org/fixes.htm#Safe%20mode

Emergency system tools:
http://www.dougknox.com/xp/utils/xp_emerutils.htm

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Robert J. Rando" <rjrando1@cox.net> wrote in message news:4IIrf.469$sA3.313@fed1read02...
> HELP!! System Shutting down after 10 min with "LSASS.EXE Terminated
> Unexpectedly with status Code 1073741819". I've run the Microsoft
> Malicious Software tool and it doesn't detect the W32.Sasser.E.Worm. I've
> tried the Symantec tool as well but the system shuts down before it is
> complete. I've compared this to my other system and the Registry entries
> for LSASS.EXE are exactly the same. My other system is fine. I have tried
> virtually every suggestion I have found on the Web and still no
> resolution.
>
> Any suggestions? Bob

#4

From: "Robert J. Rando" <rjrando1@cox.net>

| HELP!! System Shutting down after 10 min with "LSASS.EXE Terminated
| Unexpectedly with status Code 1073741819". I've run the Microsoft Malicious
| Software tool and it doesn't detect the W32.Sasser.E.Worm. I've tried the
| Symantec tool as well but the system shuts down before it is complete. I've
| compared this to my other system and the Registry entries for LSASS.EXE are
| exactly the same. My other system is fine. I have tried virtually every
| suggestion I have found on the Web and still no resolution.
|
| Any suggestions? Bob
|

Way too many News Groups ! There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

One of the above and microsoft.public.windowsxp.general is all that this should have been posted to ! Therefore I have set Follow-ups to those two News Groups.

The following are certainly symptoms of a LSASS buffer overflow exploit via TCP port 445.

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

or

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

However, one can NOT assume Sasser. There are several Internet worms now actively taking advantage of this vulnerability. Most notable are the SDBot/RBot worms

W32/Sasser.worm.a -- http://vil.nai.com/vil/content/v_125007.htm
W32/Reatle.f@MM -- http://vil.nai.com/vil/content/v_135722.htm
W32/Gaobot.worm.gen -- http://vil.nai.com/vil/content/v_100785.htm
Qhosts.apd -- http://vil.nai.com/vil/content/v_124880.htm
W32/Plexus.b@MM -- http://vil.nai.com/vil/content/v_126167.htm
W32/Sdbot.worm!ftp -- http://vil.nai.com/vil/content/v_128082.htm
W32/Mytob.gen@MM -- http://vil.nai.com/vil/content/v_132158.htm
W32/Radebot.worm -- http://vil.nai.com/vil/content/v_132018.htm

{ W32/Radebot.worm, W32/Mytob.gen@MM & W32/Sdbot.worm!ftp will all exploit both LSASS and the RPC/RPCSS DCOM vulnerabilities }

To mitigate the LSASS module buffer overflow vulnerability one needs to install the following Microsoft LSASS for WinXP KB835732 -- http://www.microsoft.com/downloads/d...displaylang=en

One can execute the 'shutdown -a' command line to stop the 60 second countdown and effect the installation of the patch. Additionally disconnecting the PC from the Internet will keep such an attack from happening and allow the installation of the patch.

When you get the (attached) NT Shutdown message with the 60 sec. countdown...
Go to; Start --> Run
enter; shutdown -a

It should also be noted that just because one gets the (attached) LSASS shutdown message, it does NOT mean that one is infected. It means that TCP port 445 is under attack by attempting to exploit the buffer overflow vulnerability. A non-vulnerable system will not exhibit the (attached) NT Shutdown message.

One *must* use a FireWall and patch their systems to prevent such an exploitation. If one is on Broadband a Cable/DSL Router such as the Linksys BEFSR41 can greatly mitigate such a threat even if LAN nodes are not fully patched. Specifically blocking both TCP and UDP ports 135 ~ 139 and 445 will completely mitigate any of the worms or hackers trying to take advantage of MS Networking ports using TCP/IP.

The following tool can be used to find and remove any of the known Internet worms that will exploit the vulnerability and should be used ASAP.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#5

Rick....Most times it freezes up first with STOP:C000021a Windows Logon Process System Process Terminated unexpectedly with a status of 0xC0000005. I turned off Automatically Restart in Startup and Recovery. One time I was working in a program and at the 10 minute mark the error message LSASS.EXE Terminated Unexpectedly Code 1073741819 showed up in a small box for 60 seconds and then came the stop message. How do I get the system to show me the LSASS.EXE terminated message so I can click start/run within 60 seconds before the system locks up? I've logged on in Safe Mode and the system still shuts down after 10 minutes. If I do the shutdown -a in safe mode will the system stay up?

Thanks, Bob

"Rick "Nutcase" Rogers" <rick@mvps.org> wrote in message news:%2346r4ccCGHA.4004@tk2msftngp13.phx.gbl...
> Hi,
>
> It's a worm. When the message appears, click start/run and type
> "shutdown -a" (without the quotes) to halt it and then download some up to
> date Antivirus scanning software.
>
> Free virus removal tools:
>
> http://vil.nai.com/vil/stinger/
> http://www.emsisoft.com/en/
> http://free.grisoft.com/doc/8/lng/us.../nid/3001#3001
> http://www.f-secure.com/download-purchase/tools.shtml
>
> Also, you may use this free on-line scanner:
> http://housecall.trendmicro.com/
>
> Symantec also distributes many free removal tools that are virus-specific:
> http://securityresponse.symantec.com...ools.list.html
>
> Many are best run in Safe mode to minimize interference. Most will resist
> removal in normal mode where they are active.
>
> How to start in Safe mode:
> http://www.rickrogers.org/fixes.htm#Safe%20mode
>
> Emergency system tools:
> http://www.dougknox.com/xp/utils/xp_emerutils.htm
>
> --
> Best of Luck,
>
> Rick Rogers, aka "Nutcase" - Microsoft MVP
> http://mvp.support.microsoft.com/
> Associate Expert - WindowsXP Expert Zone
> www.microsoft.com/windowsxp/expertzone
> Windows help - www.rickrogers.org
>
> "Robert J. Rando" <rjrando1@cox.net> wrote in message
> news:4IIrf.469$sA3.313@fed1read02...
>> HELP!! System Shutting down after 10 min with "LSASS.EXE Terminated
>> Unexpectedly with status Code 1073741819". I've run the Microsoft
>> Malicious Software tool and it doesn't detect the W32.Sasser.E.Worm. I've
>> tried the Symantec tool as well but the system shuts down before it is
>> complete. I've compared this to my other system and the Registry entries
>> for LSASS.EXE are exactly the same. My other system is fine. I have tried
>> virtually every suggestion I have found on the Web and still no
>> resolution.
>>
>> Any suggestions? Bob
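
Added example, not part of any post in this thread and not code from any tool mentioned in it: a small Python triage helper showing that the dialog's status code -1073741819 and the 0xC0000005 in the STOP message are the same 32-bit NTSTATUS value, STATUS_ACCESS_VIOLATION. The function names and the sign-restoring heuristic for a code retyped as 1073741819 are assumptions of this example.

```python
import re

# NTSTATUS names from Microsoft's ntstatus.h; only the two values quoted in the thread.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000021A: "STATUS_SYSTEM_PROCESS_TERMINATED",
}

# Matches the shutdown-dialog wording quoted in the thread, with or without a full path.
CRASH_RE = re.compile(
    r"(?P<image>[a-z]:\\[^']*?\\lsass\.exe|lsass\.exe)'?\s+terminated\s+unexpectedly"
    r"\s+(?:with\s+status\s+)?code\s+(?P<code>0x[0-9a-f]+|-?\d+)",
    re.IGNORECASE,
)


def to_ntstatus(text):
    """Return (status, sign_restored) for a status printed as decimal or hex."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t, 16) & 0xFFFFFFFF, False
    value = int(t, 10)
    status = value & 0xFFFFFFFF  # two's complement: -1073741819 -> 0xC0000005
    flipped = -value & 0xFFFFFFFF
    if status not in NTSTATUS_NAMES and flipped in NTSTATUS_NAMES:
        # Heuristic (assumption): the minus sign was dropped when the dialog was retyped.
        return flipped, True
    return status, False


def triage(line):
    """Parse one message line; return None if it is not an LSASS termination."""
    m = CRASH_RE.search(line)
    if m is None:
        return None
    status, sign_restored = to_ntstatus(m.group("code"))
    return {
        "image": m.group("image").lower(),
        "status": f"0x{status:08X}",
        "name": NTSTATUS_NAMES.get(status, "unknown"),
        "sign_restored": sign_restored,
    }


# Sample lines: the first two use wording quoted in the thread, the third is constructed.
SAMPLES = [
    r"NT AUTHORITY\SYSTEM 'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819",
    "LSASS.EXE Terminated Unexpectedly Code 1073741819",
    "The Print Spooler service terminated unexpectedly.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```
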

#6

From: "Rick "Nutcase" Rogers" <rick@mvps.org>

| Hi,
|
| It's a worm. When the message appears, click start/run and type
| "shutdown -a" (without the quotes) to halt it and then download some up to
| date Antivirus scanning software.
|
| Free virus removal tools:
|
| http://vil.nai.com/vil/stinger/
| http://www.emsisoft.com/en/
| http://free.grisoft.com/doc/8/lng/us.../nid/3001#3001
| http://www.f-secure.com/download-purchase/tools.shtml
|
| Also, you may use this free on-line scanner:
| http://housecall.trendmicro.com/
|
| Symantec also distributes many free removal tools that are virus-specific:
| http://securityresponse.symantec.com...ools.list.html
|
| Many are best run in Safe mode to minimize interference. Most will resist
| removal in normal mode where they are active.
|
| How to start in Safe mode:
| http://www.rickrogers.org/fixes.htm#Safe%20mode
|
| Emergency system tools:
| http://www.dougknox.com/xp/utils/xp_emerutils.htm
|

Rick:

You have listed various AV software which may find such worms as; W32/Radebot.worm , W32/Plexus , W32/Gaobot.worm and W32/Reatle that Exploit the LSASS Buffer Overflow Vulnerability via TCP port 445, but you left out the most important part. Exploitation mitigation.

The patch associated with KB835732 is not mentioned. Nor is using either a software FireWall or a NAT Router. If these are NOT used the user will just get re-infected or just keep on getting the message...

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#7

From: "Robert J. Rando" <rjrando1@cox.net>

| Rick....Most times it freezes up first with STOP:C000021a Windows Logon
| Process System Process Terminated unexpectedly with a status of 0xC0000005.
| I turned off Automatically Restart in Startup and Recovery. One time I was
| working in a program and at the 10 minute mark the error message LSASS.EXE
| Terminated Unexpectedly Code 1073741819 showed up in a small box for 60
| seconds and then came the stop message. How do I get the system to show me
| the LSASS.EXE terminated message so I can click start/run within 60 seconds
| before the system locks up?
| I've logged on in Safe Mode and the system still shuts down after 10
| minutes. If I do the shutdown -a in safe mode will the system stay up?
|

Disconnect the PC from the Internet. Download the patch and place it on media such as CDROM, USB Flash, etc. With the PC disconnected from the Internet install the patch.

I would also assume that you are NOT using WinXP SP2. You must patch the system, scan the system with the tool I provided you and when the PC is known to be clean, install WinXP SP2 and all post SP2 patches.

I also suggest a Cable/DSL Router. If you had used one to begin with you wouldn't be experiencing these problems.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#8

David,

What is a NAT router and where do I get one? I believe I got this virus installing a corrupted system download exe of SpyDoctor of all things.

________________________________________________________________________________

You have listed various AV software which may find such worms as; W32/Radebot.worm ,
> W32/Plexus , W32/Gaobot.worm and W32/Reatle that Exploit the LSASS Buffer
> Overflow
> Vulnerability via TCP port 445, but you left out the most important part.
> Exploitation
> mitigation.
>
> The patch associated with KB835732 is not mentioned. Nor is using either
> a software
> FireWall or a NAT Router. If these are NOT used the user will just get
> re-infected or just
> keep on getting the message...
>
> NT AUTHORITY\SYSTEM
> 'c:\windows\system32\lsass.exe' terminated unexpectedly with status
> code -1073741819
>

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:OJ%23dktcCGHA.2124@TK2MSFTNGP10.phx.gbl...
> From: "Rick "Nutcase" Rogers" <rick@mvps.org>
>
> | Hi,
> |
> | It's a worm. When the message appears, click start/run and type
> | "shutdown -a" (without the quotes) to halt it and then download some up
> to
> | date Antivirus scanning software.
> |
> | Free virus removal tools:
> |
> | http://vil.nai.com/vil/stinger/
> | http://www.emsisoft.com/en/
> | http://free.grisoft.com/doc/8/lng/us.../nid/3001#3001
> | http://www.f-secure.com/download-purchase/tools.shtml
> |
> | Also, you may use this free on-line scanner:
> | http://housecall.trendmicro.com/
> |
> | Symantec also distributes many free removal tools that are
> virus-specific:
> | http://securityresponse.symantec.com...ools.list.html
> |
> | Many are best run in Safe mode to minimize interference. Most will
> resist
> | removal in normal mode where they are active.
> |
> | How to start in Safe mode:
> | http://www.rickrogers.org/fixes.htm#Safe%20mode
> |
> | Emergency system tools:
> | http://www.dougknox.com/xp/utils/xp_emerutils.htm
> |
>
> Rick:
>
> You have listed various AV software which may find such worms as;
> W32/Radebot.worm ,
> W32/Plexus , W32/Gaobot.worm and W32/Reatle that Exploit the LSASS Buffer
> Overflow
> Vulnerability via TCP port 445, but you left out the most important part.
> Exploitation
> mitigation.
>
> The patch associated with KB835732 is not mentioned. Nor is using either
> a software
> FireWall or a NAT Router. If these are NOT used the user will just get
> re-infected or just
> keep on getting the message...
>
> NT AUTHORITY\SYSTEM
> 'c:\windows\system32\lsass.exe' terminated unexpectedly with status
> code -1073741819
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#9

"Robert J. Rando" <rjrando1@cox.net> wrote in message news:XLIrf.470$sA3.373@fed1read02...
>> Any suggestions? Bob

You could try a System Restore to a time previous to when the problem occurred.

#10

From: "yakuza" <yaku@za.com>

|
| "Robert J. Rando" <rjrando1@cox.net> wrote in message
| news:XLIrf.470$sA3.373@fed1read02...
| >>> Any suggestions? Bob
|
| You could try a System Restore to a time previous to when the problem
| occurred.
|

It would NOT work. W/o patching the system and/or implementing a FireWall and mitigating the exploitation code then he would still be getting the shutdown in 60 secs.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm