W2k3 - lsass shutdown problem

 
 
Ronny
Guest
Posts: n/a

 
      09-12-2004, 06:52 PM
Hi @ll,

got a little problem - hope anyone can help.

Suddenly my Windows 2003 server (acting as domain controller) always shuts
down and restarts with the well-known message 'system is shutting down...
initiated by NT AUTHORITY\SYSTEM... system process
c:\windows\system32\lsass.exe...status code -1073741819...' After restarting
it lasts very long until the login message comes up - and if I press
CTRL-ALT-DEL nothing happens, I get no login prompt, only the shutdown
message appears again. Did anyone of you already get a similar problem?

'cause I can't login I also cannot stop the shutdown process with
'shutdown -a' and analyze what happened. I started the server in safe mode
and checked all the well-known folders and registry keys for Sasser, Blaster
& Co., checked the system with the current Stinger tool from NAI - but
nothing was found.
And yes, the system was up-to-date with all the security patches offered by
Microsoft and had the current virus scan signatures.

Appreciate your help...

Thanks and regards,
Ronny


 
 
 
 
 
David H. Lipman
Guest
Posts: n/a

 
      09-12-2004, 09:25 PM
I have to think there was a problem installing the patch for LSASS. You are not infected,
but you are vulnerable. Go back to the MS KB article and examine the KB article and
make sure the DLLs that are updated are indeed the correct version as indicated.

Dave



"Ronny" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
| Hi @ll,
|
| got a little problem - hope anyone can help.
|
| Suddenly my Windows 2003 server (acting as domain controller) always shuts
| down and restarts with the well-known message 'system is shutting down...
| initiated by NT AUTHORITY\SYSTEM... system process
| c:\windows\system32\lsass.exe...status code -1073741819...' After restarting
| it lasts very long until the login message comes up - and if I press
| CTRL-ALT-DEL nothing happens, I get no login prompt, only the shutdown
| message appears again. Did anyone of you already get a similar problem?
|
| 'cause I can't login I also cannot stop the shutdown process with
| 'shutdown -a' and analyze what happened. I started the server in safe mode
| and checked all the well-known folders and registry keys for Sasser, Blaster
| & Co., checked the system with the current Stinger tool from NAI - but
| nothing was found.
| And yes, the system was up-to-date with all the security patches offered by
| Microsoft and had the current virus scan signatures.
|
| Appreciate your help...
|
| Thanks and regards,
| Ronny
|
|


 
 
 
 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      10-12-2004, 05:43 PM
Ronny wrote:
> Hi @ll,
>
> got a little problem - hope anyone can help.
>
> Suddenly my Windows 2003 server (acting as domain controller) always
> shuts down and restarts with the well-known message 'system is
> shutting down... initiated by NT AUTHORITY\SYSTEM... system process
> c:\windows\system32\lsass.exe...status code -1073741819...' After
> restarting it lasts very long until the login message comes up - and
> if I press CTRL-ALT-DEL nothing happens, I get no login prompt, only
> the shutdown message appears again. Did anyone of you already get a
> similar problem?
>
> 'cause I can't login I also cannot stop the shutdown process with
> 'shutdown -a' and analyze what happened. I started the server in safe
> mode and checked all the well-known folders and registry keys for
> Sasser, Blaster & Co., checked the system with the current Stinger
> tool from NAI - but nothing was found.
> And yes, the system was up-to-date with all the security patches
> offered by Microsoft and had the current virus scan signatures.
>
> Appreciate your help...
>
> Thanks and regards,
> Ronny


You aren't fully patched with all Windows patches if this is happening to
you, and I have to wonder what's open in your firewall from the Internet (or
how patched your other network servers/workstations are). Check out
http://www.microsoft.com/security/incident/sasser.asp



 
 
Ronny
Guest
Posts: n/a

 
      11-12-2004, 03:16 PM
I have checked the installation of the LSASS patch - found nothing, all
files have the correct date & version. Nevertheless I reapplied the patch -
same result, the computer keeps rebooting.

One thing that helped a little bit was setting the DCPROMO.LOG file to read
only as suggested by Microsoft. Now I can at least log on if the server is
started normally but has no network cable connected - and if the shutdown
message appears I can stop it to analyze the server. But I still can't log
on if I connect the server to the network, still no logon prompt is coming
up.

After starting the machine without network connection a lot of services
can't be started, the windows installer isn't running - the error messages
tell about logon errors. But all the tools, virus scanners do not find any
hint that there is a virus or worm like Sasser & Co. So I start to wonder
what happened to my installation, if a lot of files are damaged and if
reinstalling it would be the best (and quickest) solution...

Any more ideas?

Ronny


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:(E-Mail Removed)...
> I have to think there was a problem installing the patch for LSASS. You are
> not infected, but you are vulnerable. Go back to the MS KB article and
> examine the KB article and make sure the DLLs that are updated are indeed
> the correct version as indicated.
>
> Dave
>
> "Ronny" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> | Hi @ll,
> |
> | got a little problem - hope anyone can help.
> |
> | Suddenly my Windows 2003 server (acting as domain controller) always shuts
> | down and restarts with the well-known message 'system is shutting down...
> | initiated by NT AUTHORITY\SYSTEM... system process
> | c:\windows\system32\lsass.exe...status code -1073741819...' After restarting
> | it lasts very long until the login message comes up - and if I press
> | CTRL-ALT-DEL nothing happens, I get no login prompt, only the shutdown
> | message appears again. Did anyone of you already get a similar problem?
> |
> | 'cause I can't login I also cannot stop the shutdown process with
> | 'shutdown -a' and analyze what happened. I started the server in safe mode
> | and checked all the well-known folders and registry keys for Sasser, Blaster
> | & Co., checked the system with the current Stinger tool from NAI - but
> | nothing was found.
> | And yes, the system was up-to-date with all the security patches offered by
> | Microsoft and had the current virus scan signatures.
> |
> | Appreciate your help...
> |
> | Thanks and regards,
> | Ronny



 
 
Ronny
Guest
Posts: n/a

 
      11-12-2004, 03:24 PM
None of the other servers or workstations on my network (Windows Server 2003
and Windows XP) are showing this behaviour. They were all patched directly
from the windows update site and the control panel tells that all the
patches are installed successfully. Also checking the file dates & versions
didn't show anything conspicuous. The firewall of the affected server (which
was acting as router to the internet via a DSL line) has no open ports for
incoming traffic from the internet, only outgoing traffic is allowed.

I'm still not sure if it has been a thing like Sasser or if anything totally
different happened to this machine...

Ronny

"Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com> wrote in message
news:%(E-Mail Removed)...
> Ronny wrote:
>> Hi @ll,
>>
>> got a little problem - hope anyone can help.
>>
>> Suddenly my Windows 2003 server (acting as domain controller) always
>> shuts down and restarts with the well-known message 'system is
>> shutting down... initiated by NT AUTHORITY\SYSTEM... system process
>> c:\windows\system32\lsass.exe...status code -1073741819...' After
>> restarting it lasts very long until the login message comes up - and
>> if I press CTRL-ALT-DEL nothing happens, I get no login prompt, only
>> the shutdown message appears again. Did anyone of you already get a
>> similar problem?
>>
>> 'cause I can't login I also cannot stop the shutdown process with
>> 'shutdown -a' and analyze what happened. I started the server in safe
>> mode and checked all the well-known folders and registry keys for
>> Sasser, Blaster & Co., checked the system with the current Stinger
>> tool from NAI - but nothing was found.
>> And yes, the system was up-to-date with all the security patches
>> offered by Microsoft and had the current virus scan signatures.
>>
>> Appreciate your help...
>>
>> Thanks and regards,
>> Ronny

>
> You aren't fully patched with all Windows patches if this is happening to
> you, and I have to wonder what's open in your firewall from the Internet
> (or how patched your other network servers/workstations are). Check out
> http://www.microsoft.com/security/incident/sasser.asp
>
>
>



 
 
it_exprt
Guest
Posts: n/a

 
      14-12-2004, 04:45 AM

lsass.exe is the EXECUTABLE OF THE SASSER WORM VIRUS!!!
------------------------------------------------------------
To disable it:

Keyboard Combination CTRL+ALT+DELETE

Click the process "lsass"

Click the ENDTASK command button
------------------------------------------------------------
To delete it:

START

SEARCH

FOR FILES OR FOLDERS

Under SEARCH FOR FILES OR FOLDERS NAMED, type "lsass.exe"

Press the TAB on KEYBOARD

Under CONTAINING TEXT, type "lsass.exe"

Click the SEARCH NOW command button

Use this Keyboard Shortcut CTRL+A

Press the DELETE key on KEYBOARD

You will be prompted "ARE YOU SURE YOU WANT TO DELETE lsass.exe?"

Click the YES command button


--
it_exprt
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1278875.html

 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      14-12-2004, 02:27 PM
it_exprt wrote:
> lsass.exe is the EXECUTABLE OF THE SASSER WORM VIRUS!!!


No. It's exploited by the sasser worm. lsass.exe is a valid Windows file. Do
not delete it. If you have the virus/worm, get rid of the virus/worm.


> ------------------------------------------------------------
> To disable it:
>
> Keyboard Combination CTRL+ALT+DELETE
>
> Click the process "lsass"
>
> Click the ENDTASK command button
> ------------------------------------------------------------
> To delete it:
>
> START
>
> SEARCH
>
> FOR FILES OR FOLDERS
>
> Under SEARCH FOR FILES OR FOLDERS NAMED, type "lsass.exe"
>
> Press the TAB on KEYBOARD
>
> Under CONTAINING TEXT, type "lsass.exe"
>
> Click the SEARCH NOW command button
>
> Use this Keyboard Shortcut CTRL+A
>
> Press the DELETE key on KEYBOARD
>
> You will be prompted "ARE YOU SURE YOU WANT TO DELETE lsass.exe?"
>
> Click the YES command button



 
 
it_exprt
Guest
Posts: n/a

 
      15-12-2004, 06:02 AM

SORRY, MY BAD I GOT IT NOW

Process name: Local security authentication server (LSASS)

Product: Windows

Company: Microsoft

File: lsass.exe

Security Rating:
"lsass.exe" is the Local Security Authentication Server. It verifies
the validity of user logons to your PC/Server. It generates the process
responsible for authenticating users for the Winlogon service. This
process is performed by using authentication packages such as the
default Msgina.dll. If authentication is successful, Lsass generates
the user's access token, which is used to launch the initial shell.
Other processes that the user initiates inherit this token. More info

Note: The lsass.exe file is located in the c:\windows\System32 folder.
In other cases, lsass.exe is a virus, spyware, trojan or worm! Check
this with Security Task Manager.

Virus with same name:
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee
W32.HLLW.Lovgate.C@mm - Symantec Corporation


--
it_exprt
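
The location rule in the post above (genuine lsass.exe only in c:\windows\System32, lookalike names such as Lsasss.exe being malware) can be checked mechanically. This is an added example, not part of the original thread: it classifies image paths from a constructed process listing and converts the signed status code from the shutdown message to NTSTATUS hex (0xC0000005, STATUS_ACCESS_VIOLATION). Function names, the sample paths and the one-edit lookalike threshold are assumptions.

```python
import ntpath

# Assumption: the genuine binary lives only here (path taken from the thread).
EXPECTED_DIR = r"c:\windows\system32"
GENUINE = "lsass.exe"


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalikes such as 'lsasss.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return 'genuine', 'wrong-location', 'lookalike-name' or 'unrelated'."""
    norm = ntpath.normpath(image_path).lower()
    folder, name = ntpath.split(norm)
    if name == GENUINE:
        return "genuine" if folder == EXPECTED_DIR else "wrong-location"
    if edit_distance(name, GENUINE) <= 1:
        return "lookalike-name"
    return "unrelated"


def ntstatus_hex(signed_code):
    """Show a signed exit code, as printed in the shutdown dialog, as NTSTATUS hex."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)


# Constructed sample process listing (not taken from any real host).
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\lsasss.exe",
    r"C:\WINDOWS\system32\Isass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print("%-16s %s" % (classify(path), path))
    print(ntstatus_hex(-1073741819))
```

A "genuine" result only confirms name and location; file version and signature still need to be compared against the KB article, as suggested earlier in the thread.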

 
 
it_exprt
Guest
Posts: n/a

 
      15-12-2004, 06:11 AM

You should INSTALL OR DOWNLOAD a FIREWALL PROTECTION OF SOME SORT


--
it_exprt

 
 
it_exprt
Guest
Posts: n/a

 
      15-12-2004, 06:14 AM

FIRST DO THIS shutdown -a



--
it_exprt

 
 
 
 