A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

lsass.exe terminates unexpectedly



 
 
Thread Tools Display Modes
  #1  
Old November 5th 08, 06:06 PM posted to microsoft.public.windowsxp.security_admin
OldVaxGuy
external usenet poster
 
Posts: 1
Default lsass.exe terminates unexpectedly

frequently (up to 4 or 5 occurances in 8 hrs, seems random) my computer
restarts. I get a 'System Shutdown' window with a countdown timer stating
that the 'shutdown was initiated by NT AUTHORITY\SYSTEM' and 'lsass.exe
terminated unexpectedly with status code -1073741819'. the restart can be
aborted with the command 'shutdown -a' but this invalidates my domain login.
i'm running xp pro sp3. appreciate any help i can get to correct this.
Ads
  #2  
Old November 5th 08, 06:12 PM posted to microsoft.public.windowsxp.security_admin
Leonard Grey[_3_]
external usenet poster
 
Posts: 3,048
Default lsass.exe terminates unexpectedly

Malicious software ("malware") is installed on your computer.

Make sure that your anti-malware software is running, then download the
latest signatures and run a full scan.

If you don't have comprehensive anti-malware software, that's like
driving a car without seats belts or air bags. Either way, you're
eventually going to get hammered. Install comprehensive anti-malware
software and learn how to use its features. A 'comprehensive' solution
scans for all types of malicious software in the background, on demand
and on schedule.

For now try scanning your system with /several/ of the better online
scanners, such as:
Kaspersky Antivirus (http://www.kaspersky.com/virusscanner)
Panda ActiveScan (http://www.pandasoftware.com/activescan)

Download HijackThis from www.trendsecure.com. Run it, save a log, and
post the log at one of the many sites that support HJT, such as
spywarewarrior.com, bleepingcomputer.com, and temerc.com -- but not
here. Within a day, sometimes within an hour, you'll have one-on-one
step-by-step advice from a security expert on cleaning up any
infestations—or you'll have a clean bill of health from the volunteer
expert.

Even the best detection and removal software can't fix every malware
infection. If none of the above remove the infection, you may want to
show the computer to a professional.

---
Leonard Grey
Errare Humanum Est

OldVaxGuy wrote:
frequently (up to 4 or 5 occurances in 8 hrs, seems random) my computer
restarts. I get a 'System Shutdown' window with a countdown timer stating
that the 'shutdown was initiated by NT AUTHORITY\SYSTEM' and 'lsass.exe
terminated unexpectedly with status code -1073741819'. the restart can be
aborted with the command 'shutdown -a' but this invalidates my domain login.
i'm running xp pro sp3. appreciate any help i can get to correct this.

  #3  
Old November 5th 08, 10:47 PM posted to microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default lsass.exe terminates unexpectedly

From: "OldVaxGuy"

| frequently (up to 4 or 5 occurances in 8 hrs, seems random) my computer
| restarts. I get a 'System Shutdown' window with a countdown timer stating
| that the 'shutdown was initiated by NT AUTHORITY\SYSTEM' and 'lsass.exe
| terminated unexpectedly with status code -1073741819'. the restart can be
| aborted with the command 'shutdown -a' but this invalidates my domain login.
| i'm running xp pro sp3. appreciate any help i can get to correct this.

Disconnet the PC from the network.

Does this stop ?

Have you implemented the patch for MS08-067 ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #4  
Old November 5th 08, 10:48 PM posted to microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default lsass.exe terminates unexpectedly

From: "Leonard Grey"

| Malicious software ("malware") is installed on your computer.

Not neccessarily. This may be a worm or trojan external to the PC trying to exploit
MS08-067


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #5  
Old November 6th 08, 12:35 AM posted to microsoft.public.windowsxp.security_admin
nass
external usenet poster
 
Posts: 7,474
Default lsass.exe terminates unexpectedly



"David H. Lipman" wrote:

From: "Leonard Grey"

| Malicious software ("malware") is installed on your computer.

Not neccessarily. This may be a worm or trojan external to the PC trying to exploit
MS08-067


How is that?

You can't get lsass.exe going nuts from outside the PC!
You can get the protection software defences going Mad in usage but not
lsass.exe.
HTH,
nass
---
http://www.nasstec.co.uk

  #6  
Old November 6th 08, 12:48 AM posted to microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default lsass.exe terminates unexpectedly

From: "nass"


| How is that?

| You can't get lsass.exe going nuts from outside the PC!
| You can get the protection software defences going Mad in usage but not
| lsass.exe.
| HTH,
| nass
| ---
| http://www.nasstec.co.uk

Sure you can. The same way the Lovsan/Blaster did to RPC/RPCSS via TCP port.

The Sasser worm did it to LSASS via TCP port 445.

Now you have trojans and worms doing it based upon the vulnerability described in MS08-067

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #7  
Old November 6th 08, 01:45 AM posted to microsoft.public.windowsxp.security_admin
Twayne[_2_]
external usenet poster
 
Posts: 4,276
Default lsass.exe terminates unexpectedly

"David H. Lipman" wrote:

From: "Leonard Grey"

Malicious software ("malware") is installed on your computer.


Not neccessarily. This may be a worm or trojan external to the PC
trying to exploit MS08-067


How is that?

You can't get lsass.exe going nuts from outside the PC!
You can get the protection software defences going Mad in usage but
not lsass.exe.
HTH,
nass
---
http://www.nasstec.co.uk


Actually some malware will actually replace lsass and when you clean it,
you no longer have the program any longer. It has to be replaced.
Somehow, even the original file can be modified by malware. I don't
recall if the details of how were ever given, but the AV companies all
seem to have info on it.


  #8  
Old November 6th 08, 01:58 AM posted to microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default lsass.exe terminates unexpectedly

From: "Twayne"


| Actually some malware will actually replace lsass and when you clean it,
| you no longer have the program any longer. It has to be replaced.
| Somehow, even the original file can be modified by malware. I don't
| recall if the details of how were ever given, but the AV companies all
| seem to have info on it.


LSASS.EXE is rarely if ever replaced. It can become infected with a virus or become
trojanized. That is code can be inserted, prepended or appended to the EXE file.

The file name LSASS.EXE is also one of the most common used to obfucate a given malware's
malicious intent.

Here it isn't the name that is important but the fully qualified path to where it is being
executed from.
Example:
The W32/Hupigon.worm will create; %windir%\LSASS.EXE

Variations on the name is often common to confuse the infected person such as ISASS.EXE

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 03:11 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.