On Tue, 9 Aug 2005 22:27:01 -0700, "kdiddle" <> wrote:
>I am writing this for a friend because after he ran updates today his
>computer keeps shutting down. He is running Windows XP and gets the message
>that the system is shutting down by NT AUTHORITY\SYSTEM due to the
>information regarding the condition of LSA shell{Export Version}. This is
>regarding the OS version/computer hardware, and Internet Protocol address of
>computer.
>Terminated unexpectedly with status code -1073741819
>
>Then the error signature window has this:
>szAppName: lsass.exe szAppVer: 5.1.2600.1106 szName: unknown szModVer:
>0.0.0.0 offset: 00000000
>
>Could anyone tell me what all this means?
Your friend has the W32.Sasser worm.
If Windows 2000, and you're sure it's NOT a virus, see:
Computer Shuts Down at Startup After You Install Windows 2000 Security Rollup Package 1
http://support.microsoft.com/?kbid=318650
Restart the computer in the Safe Mode.
After the Power On Self Test (POST), press and hold the F8 key.
From the Safe Mode, click Start, Run. In the Run box, type
"regedit" (without the quotes) and press enter.
Navigate your way to:
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Run (and RunServices)
In the right-hand pane, look for any entry that might include:
msblast.exe
penis32.exe
teekids.exe
mspatch.exe
mslaugh.exe
enbiei.exe
eschlp.exe
svchosthlp.exe
mschost.exe
tftp.exe
avserve.exe
avserve2.exe
skynetave.exe
Any filename ending with '-service' <---- See "W32.HLLW.Gaobot.gen" section
Delete any/all of the above entries and exit regedit.
Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
and find any reference to the above files and delete them too.
(instead of whatever.exe, it will be whatever.pf)
Actually, the contents of the entire folder can be deleted. Do it!
You just disabled the worm from running at startup. Now, disable System Restore:
Click Start, Programs, Accessories, System Tools, System Restore, System Restore Settings,
"System Restore" tab, and check the box "Turn Off System Restore on all drives", click "Apply"
and "OK".
Now delete previous Restores:
Click Start, Accessories, System tools, Disk Cleanup, "More Options" tab, "System Restore"
section, "Clean up" button, click "Yes"
---------------------------------------------------------------------------------------------------------------------------------------
W32.Sasser.Worm; or W32.Sasser.B.Worm
Download the W32.Sasser.Worm Removal Tool, "FxSasser.exe" from Symantec.
Info:
http://securityresponse.symantec.com...oval.tool.html
File:
http://securityresponse.symantec.com...r/FxSasser.exe
Save the file, "FxSasser.exe" to a folder, then double-click it to clean your system.
Restart the computer in the normal mode, and Turn On System Restore on all drives.
Download, and install the Microsoft MS04-011 patch:
http://support.microsoft.com/?kbid=835732
http://www.microsoft.com/technet/sec.../ms04-011.mspx
http://www.microsoft.com/downloads/d...displaylang=en
The worm also removes a registry entry for the shutdown button in the start menu.
To get it back, Click Start, Run. In the Run box, type "regedit" (without the quotes) and
press Enter. Navigate your way to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Look in the right-hand window for the entry:
"NoClose"=dword:00000001
If the entry exists, change the "dword:00000001" to "dword:00000000"
If it doesn't exist, create a new one.
---------------------------------------------------------------------------------------------------------------------------------------
W32.HLLW.Gaobot.gen - Handle like the above Sasser
http://www.symantec.com/avcenter/ven...aobot.gen.html
http://securityresponse.symantec.com...oval.tool.html
Download the FxGaobot.exe file from:
http://securityresponse.symantec.com...r/FxGaobot.exe
---------------------------------------------------------------------------------------------------------------------------------------
Invest in a decent firewall and antivirus program, and install ALL of Microsoft's security
patches.
http://v4.windowsupdate.microsoft.com/en/default.asp
Microsoft provides free anti-virus software that can be used for 1 year.
http://www.my-etrust.com/microsoft/
---------------------------------------------------------------------------------------------------------------------------------------
This is a link to a small FREE program by McAfee Anti-virus named Stinger.
It will scan your system for 53 known viruses and trojans and repair them.
You don't need McAfee anti-virus installed on your computer... this is a
stand alone program.
http://vil.nai.com/vil/stinger/ or
http://us.mcafee.com/virusInfo/default.asp?id=stinger
Direct Download:
http://download.nai.com/products/mca...-i-n-g-e-r.exe
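
Added example, not part of the original post: a PowerShell script that automates the manual checks described in the reply above (Run/RunServices entries for the listed filenames and the "-service" suffix rule, the matching Prefetch files, and the NoClose policy value that hides the Shut Down button). Assumptions, all mine: a Windows host with PowerShell 5.1 or newer run from an elevated prompt; the function names, the -Remediate switch and the way a Run value is reduced to a bare file name are not from the post. It is report-only unless -Remediate is given, and it replaces neither Symantec's FxSasser tool nor the MS04-011 patch, which remain the actual removal and fix steps.

```powershell
# Added example (not from the original post). Report-only by default;
# -Remediate deletes matching Run values and Prefetch files and resets NoClose.
# Run from an elevated PowerShell. Assumes PowerShell 5.1 or newer.
[CmdletBinding()]
param([switch]$Remediate)

# Filenames listed in the post (assumption: compared case-insensitively
# against the executable name in each Run value, path and arguments ignored).
$KnownNames = @(
    'msblast.exe','penis32.exe','teekids.exe','mspatch.exe','mslaugh.exe',
    'enbiei.exe','eschlp.exe','svchosthlp.exe','mschost.exe','tftp.exe',
    'avserve.exe','avserve2.exe','skynetave.exe'
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Prefetch  = Join-Path $env:SystemRoot 'Prefetch'

function Get-ExeName([string]$Command) {
    # Reduce a Run value such as C:\WINDOWS\avserve.exe or "C:\a b\x.exe" /q
    # to the bare file name (my parsing rule, not from the post).
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { $c = $c.Substring(1).Split('"')[0] }
    else                    { $c = $c.Split(' ')[0] }
    return [System.IO.Path]::GetFileName($c)
}

function Test-SuspiciousName([string]$Exe) {
    $e = $Exe.ToLowerInvariant()
    if ($KnownNames -contains $e) { return $true }
    # The post's Gaobot rule: any file name ending in "-service"
    return [bool]($e -match '-service(\.exe)?$')
}

# 1. Autorun entries in Run and RunServices
$hits = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
    foreach ($p in $props) {
        $exe = Get-ExeName ([string]$p.Value)
        if (Test-SuspiciousName $exe) {
            $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Exe = $exe }
        }
    }
}
if ($hits.Count -eq 0) { Write-Host 'No listed worm names in Run/RunServices.' }
foreach ($h in $hits) {
    Write-Host ("AUTORUN  {0}\{1} = {2}" -f $h.Key, $h.Name, $h.Value)
    if ($Remediate) { Remove-ItemProperty -Path $h.Key -Name $h.Name -Verbose }
}

# 2. Prefetch files for the same executables (Windows names them EXE.EXE-<hash>.pf)
foreach ($exe in ($hits.Exe | Sort-Object -Unique)) {
    Get-ChildItem -Path $Prefetch -Filter "$exe-*.pf" -ErrorAction SilentlyContinue |
      ForEach-Object {
        Write-Host ("PREFETCH {0}" -f $_.FullName)
        if ($Remediate) { Remove-Item -Path $_.FullName -Verbose }
      }
}

# 3. NoClose policy: the post's step for getting the Shut Down button back
$noClose = (Get-ItemProperty -Path $PolicyKey -Name NoClose -ErrorAction SilentlyContinue).NoClose
if ($noClose -eq 1) {
    Write-Host 'NoClose=1: the Shut Down button is hidden by policy.'
    if ($Remediate) {
        Set-ItemProperty -Path $PolicyKey -Name NoClose -Value 0 -Type DWord -Verbose
    }
} else {
    Write-Host 'NoClose is absent or 0; the Shut Down button is not suppressed by this policy.'
}
```

Run it once without -Remediate and read the AUTORUN and PREFETCH lines before deleting anything: tftp.exe in particular is a legitimate Windows binary, and the post's rule flags it only when it appears as an autorun entry, which is why the script matches the Run value's file name rather than scanning the whole disk. The post's advice to clear the entire Prefetch folder is deliberately not automated; the script only removes the .pf files that belong to a flagged executable.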