lsass.exe terminated


y2k
February 4th, 2005, 12:52 PM
Dear all,
I have this problem when I log on to the net. I'm not sure how long I'm online until this message pops up:
The system will shutdown now and that it was caused by
c:\WINDOWS\system32\lsass.exe
terminating suddenly with error code 1073741819


Oh, and before I forget, I'm running Windows XP (not sure what service pack). This was an upgrade from Windows 2000. I don't know whether this problem existed while I was using Windows 2000 because I was never online at that time. So here is what I have done:

I searched AO and found this: http://www.antionline.com/showthread.php?s=&threadid=261342&highlight=lsass.exe+terminated.
I didn't download the removal tool from Norton, but I downloaded the one from http://vil.nai.com/vil/content/v_125007.htm. I downloaded the Stinger tool and it still cannot detect the virus (run in normal mode and in safe mode with networking).
I did try to remove the virus manually but could not find the files. Checked the registry and still found nothing.

I'm not sure whether my PC is infected by the Sasser worm or not. So I went to search Microsoft and found this:

This is from M$: http://support.microsoft.com/kb/300038. But where should I find Ldp.exe or Adsiedit.exe? I tried to search my C drive but found nothing. What concerns me is that M$ seems to be focusing on people using Windows 2000, but I'm using Win XP. OK, would it work if I download Win2K SP4 and install it inside WinXP?

Thank you in advance.

NtrlZr
February 4th, 2005, 02:45 PM
If you open cmd and type "shutdown -s", does the same thing show up then?
I have no idea how to stop it permanently, but maybe temporarily.

Ghost_25inf
February 4th, 2005, 02:46 PM
You can manually remove the virus. LSAS.exe is a process which is registered as the W32.Agobot.AA virus. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. It can also mask itself as system32.exe, or you might get a message like "C:/Windows/system/system32.exe is missing". This means that a partial removal of lsas.exe was done but other components still exist.

Win32.Agobot attempts to terminate the following processes:


Also, Win32.Agobot.Z attempts to terminate the following processes that can belong to other computer worms:

tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
regloadr.exe
explore.exe
scvhosl.exe

Just use Google to search for keywords on this subject and you will find more than you know.

morganlefay
February 4th, 2005, 03:34 PM
You don't mention that you have tried to scan in Safe Mode.

Hit F8 several times on start-up... before it gets to the loading XP GUI.

Try it with networking enabled and scan the computer with one of the many online anti-virus scanners:

http://www.google.ca/search?hl=en&q=online+anti+virus&meta=

MLF

MrLinus
February 4th, 2005, 03:43 PM
You don't mention that you have tried to scan in Safe Mode.

Hit F8 several times on start-up... before it gets to the loading XP GUI.

I didn't download the removal tool from Norton, but I downloaded the one from http://vil.nai.com/vil/content/v_125007.htm. I downloaded the Stinger tool and it still cannot detect the virus (run in normal mode and in safe mode with networking).

He apparently did.

I hate to say it, but it does sound like the Sasser worm. The tools you've used may not be properly detecting it. Try visiting http://housecall.trendmicro.com and have an online scan done. Alternatively, these links might help:

Malicious Software Removal Tool from MS (http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en) (MyDoom, Blaster and Sasser)

Sasser Removal Tool from MS (http://www.microsoft.com/downloads/details.aspx?familyid=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en)

Microsoft's Blurb on Sasser (http://www.microsoft.com/security/incident/sasser.mspx)

Reality is, these worms tend to be rather hard to remove sometimes. It's probably going to take a bit of poking and prodding before you can be sure you're clean.

morganlefay
February 4th, 2005, 04:44 PM
oops...

1st coffee :rolleyes:

Online scanners sometimes pick up things missed by local ones.

IMHO... of course.

MLF

y2k
February 4th, 2005, 05:42 PM
NtrlZr => After shutdown -a, the message won't pop up again. As a temporary fix I guess that is a good option too, but I'm afraid because it is a virus.

Ghost_25inf => Thanks for the info.

MsMittens => I'll try it tomorrow, hope I can get rid of those things.

Thank you guys for the advice.

Und3ertak3r
February 4th, 2005, 10:44 PM
YOU'RE ALL FORGETTING ONE THING..

The error reported is NOT THE WORM IN THE BLOODY MACHINE.. IT IS THE WORM TRYING TO GET IN..
Disconnect the BOX from The network..

This mistake is being made on a lot of sites.. I wish people would use Google and read up on what is happening with these worms..

The Computer IS NOT PATCHED.. PATCH THE DARN THING

Before you do.. be aware it is not just the Sasser worm that knocks on the LSASS service's door, Gaobot being one.
Info on the Sasser worm (B) here: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

Info on the hole here: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Also on this site:
The first is the discussion on the Sasser worm WHEN IT STARTED TO SPREAD:
http://www.antionline.com/showthread.php?s=&threadid=257294&perpage=10&highlight=lsass&pagenumber=1
http://www.antionline.com/showthread.php?s=&threadid=247294&perpage=10&highlight=dcom&pagenumber=1
http://www.antionline.com/showthread.php?s=&threadid=261273&perpage=10&highlight=rpcdcom%20lsass&pagenumber=1
http://www.antionline.com/showthread.php?s=&forumid=64&threadid=261342

But as I said.. It ISN'T JUST SASSER that attacks LSASS, and just because the restart error is coming up doesn't mean that you have the worm.. you're just not patched..

OH, and DISCONNECT THE BOX FROM THE NET until you're PATCHED..

BTW: Ghost, the error was with lsass.exe, not lsas.exe.. but you did recognise that there are other worms that attack the LSASS service.
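The status code quoted in the first post, read together with Und3ertak3r's point that the crash is the exploit attempt hitting an unpatched LSASS, can be decoded into its NTSTATUS fields. The script below is an added example, not code from the thread; it assumes the dialog shows the code as a signed 32-bit decimal and that the leading minus sign was dropped when the message was retyped (an assumption), and its table of status names is a constructed subset.

```python
# Added example (not from the thread): decode the status code shown in the
# "lsass.exe terminated unexpectedly" shutdown dialog into NTSTATUS fields.
# Assumption: Windows prints the code as a signed 32-bit decimal; a positive
# value like 1073741819 is treated as the same code with the sign dropped.

# Constructed subset of NTSTATUS values that a crashed service commonly reports.
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",      # process touched memory it must not
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",  # /GS cookie check failed (XP SP2+)
}

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_status(code: int) -> dict:
    """Split a shutdown-dialog exit code into NTSTATUS severity/facility/code."""
    sign_assumed = False
    status = code & 0xFFFFFFFF                  # two's complement view of the decimal
    if code > 0 and ((-code) & 0xFFFFFFFF) in KNOWN_STATUS:
        # The retyped value only makes sense as a known error when negated,
        # so assume the minus sign was lost (e.g. 1073741819 -> -1073741819).
        status = (-code) & 0xFFFFFFFF
        sign_assumed = True
    return {
        "hex": f"0x{status:08X}",
        "severity": SEVERITY[status >> 30],        # bits 31-30
        "customer": bool(status & 0x20000000),      # bit 29: vendor-defined code
        "facility": (status >> 16) & 0x0FFF,        # bits 27-16
        "code": status & 0xFFFF,                    # bits 15-0
        "name": KNOWN_STATUS.get(status, "unknown"),
        "sign_assumed": sign_assumed,
    }


def explain(code: int) -> str:
    """One-line defender reading of the code: what kind of fault killed lsass."""
    d = decode_status(code)
    note = " (minus sign assumed dropped)" if d["sign_assumed"] else ""
    return f"{d['hex']} {d['name']}: {d['severity']} severity, code {d['code']}{note}"


if __name__ == "__main__":
    # Value as quoted in the first post; an access violation in lsass.exe is a
    # memory fault, consistent with an exploit attempt against an unpatched host.
    print(explain(1073741819))
```

An access violation in lsass.exe is the process dying from a memory fault, which is what an unpatched host reporting on a hostile network looks like; it does not by itself say whether the worm succeeded, so the patch-and-disconnect advice above still stands.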

oofki
February 5th, 2005, 05:06 AM
Well, from a Run or DOS box you can type shutdown -a to abort the shutdown.