Page 1 of 2
Results 1 to 15 of 16

Thread: lsass.exe error status code 128 causes windows 2000 to shut down and restart

  1. #1
    Super Moderator Big Booger
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941

    lsass.exe error status code 128 causes windows 2000 to shut down and restart

    I just got back from repairing my father-in-law's XP installation as he got the Sasser virus...

    It took me nearly 2 and a half hours, as I was not sure what the virus was at first, so I had to run a scan. I ran the SasserFix from Symantec, and none of that crap was helping. The Symantec tool never picked it up, even though it is designed to find it and remove it, and it can catch the base virus and 3 variants.

    W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
    1. End the malicious process.
    2. Disable System Restore (Windows Me/XP).
    3. Update the virus definitions.
    4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
    5. Reverse the change made to the registry.
    For details on each of these steps, read the following instructions.

    1. To end the malicious process:
    a. Press Ctrl+Alt+Delete once.
    b. Click Task Manager.
    c. Click the Processes tab.
    d. Double-click the Image Name column header to alphabetically sort the processes.
    e. Scroll through the list and look for the following processes:
    avserve.exe
    any process with a name consisting of 4 or 5 digits followed by _up.exe (e.g., 74354_up.exe).
    f. If you find any such process, click it, and then click End Process.
    g. Exit the Task Manager.
    2. To disable System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
    "How to disable or enable Windows Me System Restore"
    "How to turn off or turn on Windows XP System Restore"
    ________________________________________
    Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
    ________________________________________
    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
    3. To update the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
    Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

    4. To scan for and delete the infected files
    a. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
    For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
    b. Run a full system scan.
    c. If any files are detected as infected with W32.Sasser.Worm, click Delete.

    5. To reverse the change made to the registry
    ________________________________________
    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
    ________________________________________
    a. Click Start, and then click Run. (The Run dialog box appears.)
    b. Type regedit, and then click OK. (The Registry Editor opens.)
    c. Navigate to the key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    d. In the right pane, delete the value:
    "avserve.exe"="%Windir%\avserve.exe"
    e. Exit the Registry Editor.

    Well, I knew it had to be the Sasser worm...

    Because his XP would give this error:

    The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart.

    And then it would promptly give you 50 seconds and shut down. I then went to Run, typed 'shutdown -a' and went to town on the scans I mentioned above. Note: at first I couldn't run the Symantec removal tool as it was generating an administrator privileges error (I had to cold shutdown, as shutdown wasn't an option in the Start menu; after restarting it worked, and after restarting I also had to run the shutdown -a command again).

    By the way, this Sasser worm connects to the Internet on its own... it doesn't need you to connect... unless you have your connection set up to ask for a password before connecting.


    Even the MS tool wouldn't pick it up. So I went directly to the Windows Update site. I attempted to run the updates, but they were greyed out. I then noticed that in the Start menu, "Turn off Computer" was missing.

    I thought that was peculiar... So I ran AVG; that didn't work... it took 40 minutes to scan a 6 GB HDD with a Celeron 400 MHz CPU on a Fujitsu Biblio notebook.

    Well, then I broke into the Control Panel (I was lucky I could access it). I found that KB835732 was NOT installed. So I ran to the TECHZONEZ front page, did a quick search for Sasser and found this article:
    http://techzonez.com/comments.php?id...light=KB835732

    I then downloaded the KB835732 patch from the link below:

    http://www.microsoft.com/security/se...04_windows.asp

    But I didn't realize that SP1 was not installed on this PC... so I had to redownload the KB835732 patch for the non-SP1 version of Windows XP (there are many patches on that site, make sure you get the correct one).

    Finally, after installing KB835732, I was able to fix the problem... no more lsass.exe errors:

    'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart.

    Save yourself some time and energy and just check to see if KB835732 is installed, and if not, install it... then run all the antivirus and worm removal tools.
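    The removal steps pasted above (end avserve.exe or the NNNNN_up.exe process, delete the Run value, confirm KB835732 is installed) and the status code in the shutdown dialog, as an added Python example that is not part of the post and not Symantec's tool. It encodes the indicators as checks over constructed sample data (the process list, Run-key dump and hotfix list below are made up for the demo; on a real machine they would come from Task Manager, regedit and Add/Remove Programs). It also converts the signed decimal the dialog prints, -1073741676, to its NTSTATUS form 0xC0000094, which ntstatus.h names STATUS_INTEGER_DIVIDE_BY_ZERO; the second table entry, STATUS_ACCESS_VIOLATION, is there only so the lookup is not a single constant.

```python
"""Sasser triage helpers: an added example, not code from the thread or from Symantec.

Indicators are the ones the Symantec write-up quoted in the post lists:
  - a running avserve.exe, or a process named <4-5 digits>_up.exe
  - the Run-key value "avserve.exe" pointing at avserve.exe under %Windir%
  - the MS04-011 hotfix KB835732 not installed (separate packages for XP RTM and XP SP1)
All sample data at the bottom is constructed for the demo.
"""
import re

# Process-name pattern from the write-up: avserve.exe or e.g. 74354_up.exe
SASSER_PROCESS = re.compile(r"^(avserve\.exe|\d{4,5}_up\.exe)$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MS04_011_HOTFIX = "KB835732"

# Two NTSTATUS values worth recognising in the LSASS dialog (names from ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}


def ntstatus_hex(signed_code: int) -> str:
    """The dialog prints the NTSTATUS as a signed 32-bit decimal; show it as hex."""
    return f"0x{signed_code & 0xFFFFFFFF:08X}"


def ntstatus_name(signed_code: int) -> str:
    """Symbolic name for the code, or 'unknown' if it is not in the small table."""
    return NTSTATUS_NAMES.get(signed_code & 0xFFFFFFFF, "unknown")


def suspicious_processes(image_names):
    """Names from the Task Manager Processes tab that match the Sasser pattern."""
    return [name for name in image_names if SASSER_PROCESS.match(name)]


def suspicious_run_values(run_values):
    """Run-key values (name -> data) that would load avserve.exe at logon."""
    return {name: data for name, data in run_values.items()
            if name.lower() == "avserve.exe" or data.lower().endswith("\\avserve.exe")}


def patch_missing(installed_hotfixes):
    """True when KB835732 is absent; case-insensitive because tools print it both ways."""
    return MS04_011_HOTFIX not in {h.upper() for h in installed_hotfixes}


def triage(image_names, run_values, installed_hotfixes, status_code):
    """Summarise the indicators. The patch check matters most: an unpatched box on the
    network is re-infected by the next scan, whatever was cleaned off it."""
    return {
        "status": f"{ntstatus_hex(status_code)} ({ntstatus_name(status_code)})",
        "processes": suspicious_processes(image_names),
        "run_values": suspicious_run_values(run_values),
        "patch_missing": patch_missing(installed_hotfixes),
    }


# Constructed sample data resembling what the first post describes.
SAMPLE_PROCESSES = ["explorer.exe", "lsass.exe", "avserve.exe", "74354_up.exe", "svchost.exe"]
SAMPLE_RUN_VALUES = {
    "avserve.exe": r"%Windir%\avserve.exe",
    "AVG_CC": r"C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP",  # hypothetical benign entry
}
SAMPLE_HOTFIXES = ["KB823980", "KB824146"]  # other hotfixes present, KB835732 absent

if __name__ == "__main__":
    summary = triage(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES, SAMPLE_HOTFIXES, -1073741676)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

    Run it as-is to print the summary for the sample data. Two practical points the checks encode: `shutdown -a` only cancels the countdown for the crash that already happened, so on a box that is still unpatched and still on the network the next scan from an infected neighbour crashes LSASS again, which is why the patch check comes first. And `shutdown -a` depends on shutdown.exe, which Windows XP ships in System32 but Windows 2000 does not (there it came with the Resource Kit); that is not stated in the thread, but it is the usual reason the command is reported as "not found" on 2000.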

  2. #2
    Friendly Neighborhood Super Moderator phishhead
    Join Date
    Apr 2002
    Location
    San Diego, Ca.
    Posts
    3,732
    Another tip is that if you're infected and you don't have the MS patch... turn on the XP firewall or don't allow any outbound traffic. Also, this is only infecting NTFS OSes (Win2k, XP, Win2k3). Turning on the firewall will allow you to stay online long enough to download the patch. Here are the files on our pub FTP:

    ftp.mitchell.com/outgoing/ then download sasser.zip hey stripe SSSSHHHHH
    Last edited by phishhead; May 5th, 2004 at 15:12 PM.

  3. #3
    Super Moderator Big Booger
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    You may not believe this, but I had already set this laptop up with the XP firewall. That is why I thought he couldn't catch this virus... that and AVG w/ auto updates, automatic updates from MS every day at 3:00 am...

    I really don't know how they got it. Yesterday I went over there and ran all the updates from the Windows Update site, but the Sasser patch KB835732 was not one of the updates listed.

    It really was peculiar... now it is all set.

    We will be getting them either a hardware based firewall, a wireless router, or a software firewall in the coming days. I am tired of this crap and I know without a doubt that a firewall would prevent this... with aggressive settings.

  4. #4
    Security Intelligence TZ Veteran cash_site
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,852
    Sasser has been quite a money earner this week. We had quite a few customers come in to get fixed. We are just lucky that it was only a reg fix and 2 file deletes. LOL, do you think it is unethical to return the computer to the customer without putting the patch on?? Apparently a 'friend' did this.

    --- 0wN3D by 3gG ---

  5. #5
    Junior Member
    Join Date
    Jun 2004
    Posts
    2

    Can't download after running KB835732

    I've done the fix and everything, and it did take care of the computer shutting down. But now I can't download anything through Internet Explorer. I have checked the security options, and file downloads are enabled. I have checked group policies, and nothing looks out of line there either. It all started after I ran the KB835732 fix. Any ideas?

  6. #6
    Super Moderator Big Booger
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    Try installing KB835732 and reinstalling it. Does that fix your download issue? You might also want to try an alternate browser. I think the overwhelming majority on this board use Firefox:

    http://www.mozilla.org/products/firefox/

    I'm using it right now and I have that hotfix installed.

  7. #7
    Junior Member
    Join Date
    Jun 2004
    Posts
    2

    Still No Luck

    Well, reinstalling the patch didn't work, and changing browsers isn't an option because I work for a fairly large corporation and this is a problem we are having here in the company.

  8. #8

    Similar probs in winserve03

    Hi
    I'm using Windows Server 2003 and am having a similar problem, "lsass terminated unexpectedly... status 128".
    I can't access my computer at all as I can't log in.
    WS03 is on an NTFS partition and my only other OS on that PC is Win98.
    How should I try and fix this?
    Is it worth trying to find software to allow me to view NTFS from Win9x, or should I just give up and reformat?
    Do I have the Sasser worm or not?
    Yesterday I received "Cannot logon, invalid handle". I then used "use last good config" on bootup, which then created this problem.
    I presume this was referring to the password file handle.
    Could a missing password file be having this effect?

    Thnx in advance.
    Martin

  9. #9
    Friendly Neighborhood Super Moderator phishhead
    Join Date
    Apr 2002
    Location
    San Diego, Ca.
    Posts
    3,732
    Before I would reformat, I would download the newest Stinger app and run it to see if you have anything viral lying about.

  10. #10
    I've found some software and extracted lsass.exe from my winserve NTFS drive. I then scanned my HDD with Stinger and it returned nothing.
    Would getting a copy of lsass from my mate with WinXP work?

  11. #11
    Triple Platinum Member Curio
    Join Date
    Nov 2004
    Location
    London
    Posts
    899

    Boink

    A repair install will fix the error: boot the CD, go to Install (don't choose the Recovery Console), then the installer will scan the drives for existing installations and offer to repair the one it finds.
    Disconnect the network/Internet and enable the Windows or another firewall before you connect to anything, to prevent the RPC exploit from being exposed. Once the firewall is in place you will not get sassered, so connect to the Internet and download the updates/patches.
    All patched up then run server as normal.

    Important points
    1. Disconnect network connections - other machines on your connections will re-infect you as soon as you connect.
    2. Enable firewall then get the patches. If you want to disable the firewall make sure you are patched first or - other machines on your connections will re-infect you as soon as you connect.
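    The "disconnect, enable the firewall, patch, then reconnect" sequence in the post above, and phishhead's earlier note that the firewall keeps you online long enough to fetch the patch, both reduce to one question: can another machine still reach the port the worm scans? The following is an added Python example, not part of either post, that answers it with a plain TCP connect probe. Sasser scans for TCP 445 and drives the MS04-011 LSASS bug over it; 139 carries SMB over NetBIOS and exposes the same named pipes, so both are checked. The direction that matters is inbound to the host being cleaned, which is the direction the XP firewall of the time filtered. The loopback self-test only proves the probe works, because loopback does not cross the host firewall; the meaningful run is from a second machine against the cleaned host's LAN address, as `python probe.py <lan-address>` (the file name and the `patched` flag are assumptions for the demo).

```python
"""Exposure check before reconnecting an unpatched box: an added example, not from the thread.

Sasser reaches the MS04-011 LSASS vulnerability over TCP 445; 139 carries SMB over
NetBIOS and exposes the same named pipes. If either answers from another machine on
the LAN, the host will be hit again as soon as it is plugged back in.
"""
import socket

SMB_PORTS = (445, 139)


def reachable_ports(host, ports=SMB_PORTS, timeout=1.0):
    """Return the subset of ports that complete a TCP handshake from this vantage point."""
    answering = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            probe.settimeout(timeout)
            try:
                probe.connect((host, port))
            except OSError:  # refused, filtered (timeout) or unreachable
                continue
            answering.append(port)
    return answering


def safe_to_reconnect(host, patched, ports=SMB_PORTS):
    """Reconnect only if KB835732 is on, or nothing the worm targets is reachable.
    'patched' is an assumed flag the caller sets after checking the hotfix list."""
    return patched or not reachable_ports(host, ports)


def local_self_test():
    """Prove the probe itself using a throwaway listener on loopback.
    Loopback bypasses the host firewall, so this validates only the probe; run
    reachable_ports() from a second machine to validate the firewall."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        seen_open = reachable_ports("127.0.0.1", (port,)) == [port]
    finally:
        listener.close()
    seen_closed = reachable_ports("127.0.0.1", (port,)) == []
    return seen_open, seen_closed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("self-test (open seen, closed seen):", local_self_test())
    print(f"{target} answers on:", reachable_ports(target))
```

    On the unpatched host the expected state before reconnecting is that the LAN probe returns an empty list; if 445 still answers from the neighbour, the firewall is not doing what was intended and the patch must go on first.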

  12. #12
    The Beast Master TZ Veteran PIPER
    Join Date
    May 2002
    Location
    Florida
    Posts
    1,180
    Error Nuker is a powerful utility that will scan the Windows Registry to identify lsass.exe terminated unexpectedly 128 errors and ways to optimize the performance of the Windows Registry. Unlike other similar tools, Error Nuker is very careful with the registry; it never deletes a registry entry if this could harm your system. Let Error Nuker, our amazing FREE PC Diagnostics tool, identify lsass.exe terminated unexpectedly 128 problems in your Windows registry so you can determine exactly what is wrong with your computer. Best of all, you can keep the tool forever and find out if your PC has problems for FREE as often as you like. Scan your PC now for FREE and see for yourself if your PC needs help.

    You can find this free scan at registryscan.com plus other useful items.

  13. #13
    Junior Member
    Join Date
    Jun 2005
    Posts
    2

    lsass.exe error status code 128 causes windows 2000 to shut down and restart

    Well, I'm either a newt or too drunk at this hour to read carefully. So the idea is this:
    I installed Windows 2000 with SP3 a few months ago. About 2 weeks ago a funny thing started happening. THAT: lsass.exe error status code 128 causes Windows 2000 to shut down and restart. Well... now it's more often than ever... about every 2 hours... I've read the posts and I can only ask for help in my own manner. What do I have to do? What antivirus should I use, and how the heck is shutdown -a working when, after pressing the Windows key and then 'Run' and shutdown - a, it says it cannot find that thing or one of its components? So, basically, what do I have to get to get rid of this annoying little bastard worm? Step by step please, and accurate answers... and fast... cause I'm getting close to the 2 h Windows session...

  14. #14
    Super Moderator Big Booger
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    shutdown - a

    It's:
    shutdown -a NO SPACE BETWEEN - and a

  15. #15
    Junior Member
    Join Date
    Jun 2005
    Posts
    2

    Well, how should I say this... NOPE. It doesn't work. Not even plain shutdown works, and I typed shutdown -a, no space between - and a, a 1000 times; I tried with a space, I tried shutdown-a, shutdown- a, shutdown - a, shutdown -a... now what? Same story, cannot find a component or that particular command... :/ and the damn lsass.exe keeps bugging me about 10 times a day now... I'm desperate... I can't format C: for at least 1 month... technical issues... What is it? An error? A virus? Worm? Trojan? What... and where's the solution... I need help... somebody's bound to know at least a solution, even though it could be less conventional. Thanks anyway, Booger.
