Thread: lsass.exe terminated

  1. #1
    Senior Member
    Join Date
    Mar 2002
    Posts
    153

    lsass.exe terminated

    Dear all,
    I have this problem when I log in to the net. I'm not sure how long I am online before this message pops up:
    The system will shutdown now and that it was caused by
    c:\WINDOWS\system32\lsass.exe
    terminating suddenly with error code 1073741819
    Oh yeah, before I forget, I'm running Windows XP (not sure what service pack). I upgraded this from Windows 2k. I don't know whether this problem occurred or not while I was using Windows 2k, because I never went online at that time. So here is what I have done:

    I searched at AO and found this http://www.antionline.com/showthread...xe+terminated.
    I didn't download the removal tool from Norton but downloaded it from http://vil.nai.com/vil/content/v_125007.htm . I downloaded the Stinger tool and it still cannot detect the virus (run in normal and safe mode with networking).
    I did try to remove the virus manually but could not find the files. I checked the registry and still found nothing.

    I'm in doubt whether my PC is infected by the Sasser worm or not. So I went to search Microsoft and found this:

    This is from M$ http://support.microsoft.com/kb/300038. But where should I find Ldp.exe or Adsiedit.exe? I tried to search my C drive but found nothing. But what concerns me is that M$ seems to be focusing on people using Windows 2k, but I'm using Win XP. OK, would it work if I download Win2k SP4 and install it on Win XP?

    Thank you in advance.

  2. #2
    Junior Member
    Join Date
    Dec 2004
    Posts
    18
    If you open Cmd and type "shutdown -s", does the same thing show up then?
    I have no idea how to stop it permanently, but maybe temporarily.

  3. #3
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    You can manually remove the virus. LSAS.exe is a process which is registered as the W32.Agobot.AA Virus. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. It can also mask itself as system32.exe, or you might get a message like C:/Windows/system/system32.exe is missing. This means that a partial removal of lsas.exe was done but other components still exist.

    Win32.Agobot. attempts to terminate the following processes:

    Also, Win32.Agobot.Z attempts to terminate the following processes that can belong to other computer worms:

    tftpd.exe
    dllhost.exe
    winppr32.exe
    mspatch.exe
    penis32.exe
    msblast.exe
    regloadr.exe
    explore.exe
    scvhosl.exe

    Just use Google to search for keywords on this subject; you will find more than you know.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    You don't mention you have tried to scan in Safe Mode

    Hit F8 several times on startup...before it gets to the loading XP GUI

    Try it with networking enabled and scan the computer with one of the many online antivirus scanners

    http://www.google.ca/search?hl=en&q=...ti+virus&meta=

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    You don't mention you have tried to scan in Safe Mode

    Hit F8 several times on startup...before it gets to the loading XP GUI
    I didn't download the removal tool from Norton but downloaded it from http://vil.nai.com/vil/content/v_125007.htm . I downloaded the Stinger tool and it still cannot detect the virus (run in normal and safe mode with networking).
    He apparently did.

    I hate to say it but it does sound like the Sasser worm. The tools you've used may not be properly detecting it. Try visiting http://housecall.trendmicro.com and have an online scan done. Alternatively these links might help:

    Malicious Software Removal Tool from MS (MyDoom, Blaster and Sasser)

    Sasser Removal Tool from MS

    Microsoft's Blurb on Sasser

    Reality is these worms tend to be rather hard to remove sometimes. It's probably going to take a bit of poking and prodding before you can be sure you're clean.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    oops...

    1st coffee

    Online scanners sometimes pick up things missed by local ones.

    IMHO ..of course

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    Senior Member
    Join Date
    Mar 2002
    Posts
    153
    NtrlZr => After shutdown -a, the message won't pop up again. For a temporary fix I guess that is a good option too. But I'm afraid because it is a virus.

    Ghost_25inf => Thanks for the info.

    MsMittens => I'll try it tomorrow. Hope I can get rid of those things.

    Thank you guys for the advice.

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    YOU'RE ALL FORGETTING ONE THING..

    The error reported is NOT THE WORM IN THE BLOODY MACHINE.. IT IS THE WORM TRYING TO GET IN..
    Disconnect the BOX from The network..

    This mistake is being made on a lot of sites.. I wish people would use Google and read up on what is happening with these worms..

    The Computer IS NOT PATCHED.. PATCH THE DARN THING

    Before you do.. be aware it is not just the Sasser worm that knocks on the LSASS service's door, Gaobot being one.
    Info on the Sasser worm (B) here: http://securityresponse.symantec.com...er.b.worm.html

    Info on the hole here: http://www.microsoft.com/technet/sec.../MS04-011.mspx

    Also on this site:
    the first is the discussion on the Sasser worm WHEN IT STARTED TO SPREAD
    http://www.antionline.com/showthread...s&pagenumber=1
    http://www.antionline.com/showthread...m&pagenumber=1
    http://www.antionline.com/showthread...s&pagenumber=1
    http://www.antionline.com/showthread...hreadid=261342

    But as I said.. It ISN'T JUST SASSER that attacks LSASS, and just because the restart error is coming up doesn't mean that you have the worm.. you're just not patched..

    OH and DISCONNECT THE BOX FROM THE NET until you're PATCHED..

    BTW: Ghost, the error was with lsass.exe not lsas.exe.. but you did recognise that there are other worms that attack the lsass service
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
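
Added example, not part of any post in this thread: post #1 quotes the number 1073741819 and post #8 points at the LSASS service itself, so this Python sketch turns the dialog text into an NTSTATUS value and checks that the crashing process really is `lsass.exe` rather than a look-alike name. The `KNOWN` table is a small subset, the `C:\WINDOWS` path and the sample message are taken from the first post's wording, and restoring a dropped minus sign is a heuristic of this example.

```python
import re

# A few NTSTATUS values from ntstatus.h (subset chosen for this example).
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")
# Assumption: Windows is installed in C:\WINDOWS, as in the first post.
REAL_LSASS = r"c:\windows\system32\lsass.exe"
MSG = re.compile(r"(?P<path>[a-z]:\\\S+?\.exe).*?code\s+(?P<code>[+-]?\d+)",
                 re.I | re.S)

def to_ntstatus(text):
    """Return (status, sign_restored). The dialog prints a signed 32-bit
    number, so error statuses appear negative; mask back to unsigned."""
    value = int(text) & 0xFFFFFFFF
    flipped = -int(text) & 0xFFFFFFFF
    # Heuristic: a value that is unknown as typed but known once negated
    # was most likely copied without its minus sign.
    if value not in KNOWN and flipped in KNOWN:
        return flipped, True
    return value, False

def triage(message):
    m = MSG.search(message)
    if m is None:
        return None
    status, restored = to_ntstatus(m["code"])
    path = m["path"].lower()
    return {
        "process": path.rsplit("\\", 1)[-1],
        "is_real_lsass": path == REAL_LSASS,   # lsass.exe, not lsas.exe
        "ntstatus": f"0x{status:08X}",
        "name": KNOWN.get(status, "unknown"),
        "severity": SEVERITY[status >> 30],    # top two bits
        "facility": (status >> 16) & 0xFFF,    # 12-bit facility field
        "sign_restored": restored,
    }

# Constructed sample, using the wording and number quoted in the first post.
SAMPLE = ("The system will shutdown now and that it was caused by\n"
          r"c:\WINDOWS\system32\lsass.exe" "\n"
          "terminating suddenly with error code 1073741819")

if __name__ == "__main__":
    print(triage(SAMPLE))
```
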

  9. #9
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Well, from a Run or DOS box you can type shutdown -a to abort shutdown.
