Hi all... I have a problem with my computer - When surfing the internet, the following message suddenly comes up: The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart. The computer then shutdowns in 1 minute. I can stop the shutdown using the command "shutdown -a" in dos prompt, but I notice that when I do want to shutdown the computer, I will get the message that I do not have permission to shutdown this computer. After that, the only way I can shut down is to type shutdown -s in dos prompt, which logs me out. I am running Windows XP with service pack 1, if that is any help. Anyone else come across this problem? Adaware and spybot doesn't seem to help... I searched on the internet and couldn't find a solution... so some smart dude in this forum can help. Really hoping I don't have to reformat my hard disk.. sigh... Thanks in advance.
You may have the Blaster worm. http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html You may want to run antivirus software that is updated daily and a good firewall to stop things like this (assuming it is the Blaster worm that is the problem, of course).
I found this info searching the net. You will have to shut down your system restore to clear your restore points and run the scanner with it off. I had the same issue with an I-worm warning. Also make sure you clear temp internet files as it likes to hide there also. AVG kept giving me warnings until I shut off system restore then scanned. BTW after clearing the restore points and temp files virus scans came out clear of virus (AVG and housecall) how to disable system restore Gotta start scanning all that p*rn you're downloading from Kazaa!
Here is a good link that describes it in detail and gives good removal instructions. http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.chemsvy.html
Hey guys, Thanks for your response. Unfortunately, it is not the blaster worm, I logged in this morning (being that I am in Australia, it is now morning ) and found out what it is - it is the new sasser worm. http://www.computing.net/security/wwwboard/forum/11294.html http://news.netcraft.com/archives/2004/05/01/sasser_worm_spreading_through_lsass_exploit.html Sigh.. why do I have to be the first to get it? I am not sure if there is a patch/fix for it yet... but I just downloaded the latest update from Symantec and am running my virus scanner now, hopefully it will catch it. I guess I am happy it doesn't do much damage, but it is really really annoying. Anyway, guys, read the above articles, block the necessary ports on your firewall, and stop this worm once and for all! Grrrr...!!!! (I just disabled DMZ on my router) As soon as I found a way of getting rid of this, I'll let you guys know, hopefully microsoft will release a patch for this soon. Thanks again, guys!
I got it too. Lousy XP. It's really easy to get rid of: http://www.microsoft.com/security/incident/sasser.asp
New, Blaster-style Windows worm sweeps the Net By DWIGHT SILVERMAN Copyright 2004 Houston Chronicle Computers using Microsoft's Windows XP or 2000 operating systems are the target of a new Internet worm that spreads from machine to machine without user intervention. The worm, dubbed Sasser, takes advantage of a flaw in Windows that was patched by a fix issued in mid-April. However, because not all users take advantage of an auto-update feature included in Windows XP and 2000, there are still many systems connected to the Internet that are vulnerable. Sasser attacks a component of Windows called LSASS.EXE, and installs a file called AVSERVE.EXE, which then begins scanning the Internet and local networks for more machines to infect. Unlike the majority of viruses and worms that attack Windows-based systems, Sasser does not require e-mail to spread. The worm also creates a server program on the infected computer that uses FTP, a common way to transfer files between computers, potentially leaving it vulnerable to hackers. An analysis by security software firm Symantec indicates Sasser has the potential to slow an infected PC dramatically, rendering it nearly unusable. According to McAfee.com, a PC security site operated by Network Associates, the worm may also crash the LSASS.EXE module in Windows. Sasser is similar to another worm that wreaked havoc among Windows users in 2003. MS-Blast or Blaster worked the same way, taking advantage of unpatched systems and exploiting a flaw for which Microsoft had already offerered a patch. However, Sasser appears to be moving at a slower pace than Blaster, which reproduced so quickly that it bogged down some Internet servers. Most antivirus software companies today had Sasser rated as a medium-risk worm. The patch that fixed the flaw Sasser exploits was released April 13. The use of a hardware or software firewall -- which prevents unauthorized access to a computer on a network -- may also provide some protection to unpatched systems. Most of the major developers of antivirus software have released updates to their products to detect and remove Sasser. Microsoft has come under increasing fire from computer security experts because its software is ubiquitous and riddled with flaws that allow such attacks.
<a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html">Symantec has a removal tool and more info</a>.
