Default Shares, Lsass.exe, System Shutdown!

Hi,
My problem is:
All default (Administrative) shares are hiding and sometimes I receive the
lsass.exe 60 seconds shutdown message.
My Anti Virus (Norton) is updating and I didn’t detect any virus or spyware
on my server.
What do you think?
Best regards, S.Kazemi
 
From: "S.Kazemi" <[email protected]>

| Hi,
| My problem is:
| All default (Administrative) shares are hiding and sometimes I receive the
| lsass.exe 60 seconds shutdown message.
| My Anti Virus (Norton) is updating and I didn’t detect any virus or spyware
| on my server.
| What do you think?
| Best regards, S.Kazemi

What is the exact "NT AUTHORITY\SYSTEM" shutdown in 60 secs. associated LSASS message ?

Do you have Win2K KB835732 installed ?
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
 
Error Code is: 1073741819,
P.S: I've found a "dinst.exe" file in the root of C, I've used the "true Sword" trojan
remover application and it found some problems on my system.
But my problem is not solved yet.
TNX, S.K
 
From: "S.Kazemi" <[email protected]>

| Error Code is: 1073741819,
| P.S: I've found a "dinst.exe" file in the root of C, I've used the "true Sword" trojan
| remover application and it found some problems on my system.
| But my problem is not solved yet.
| TNX, S.K

So the FULL message is...

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

That is indicative of some form of LSASS buffer overflow vulnerability exploitation. It
could be the Sasser or SDBot or one of the many other Internet worms that now exploit this.

You *must* make sure this is installed...

Win2K KB835732
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Since you are using the WEB based CDO News Client, getting the Resource Kit utility
"shutdown.exe" for Win2K will be difficult.

That utility will stop the 60 sec shutdown.

You need to download the KB835732 HotFix and put it on media such as a CDROM or other. You
need to disconnect the affected platform from the Internet/LAN and you need to apply this
patch. Installing in Safe Mode might ensure it gets installed properly if you have problems
in Normal Mode.

When you have the patch installed and the PC is rebooted, you can reconnect the PC to the
Internet. Then you can use the following tool to clean the PC if it was infected by
exploitive Internet worms.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
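
Added example, not part of any post in this thread: a Python sketch that turns the decimal status code from the shutdown message into its 32-bit NTSTATUS form and flags an LSASS crash caused by a memory fault, including the case where the minus sign was dropped when the code was copied. The function names, the short status table and the sample lines are constructed for illustration.

```python
import re

# Memory-fault NTSTATUS values this sketch recognises (deliberately short list).
KNOWN = {0xC0000005: "STATUS_ACCESS_VIOLATION",
         0xC00000FD: "STATUS_STACK_OVERFLOW",
         0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

# Matches the full shutdown text and a bare "Error Code is: N" report.
MSG_RE = re.compile(
    r"(?:'(?P<image>[^']+)' terminated unexpectedly with )?"
    r"(?:status|error) code(?: is:)?\s*(?P<code>-?\d+)", re.IGNORECASE)

def decode_ntstatus(value):
    """Decode a signed or unsigned decimal status into NTSTATUS fields."""
    raw = value & 0xFFFFFFFF          # two's-complement view of the 32-bit value
    sign_restored = False
    # A positive number whose negation is a known status has lost its minus sign.
    if raw not in KNOWN and (-value & 0xFFFFFFFF) in KNOWN:
        raw, sign_restored = -value & 0xFFFFFFFF, True
    return {"hex": f"0x{raw:08X}",
            "severity": SEVERITY[raw >> 30],   # bits 31-30
            "facility": (raw >> 16) & 0xFFF,   # bits 27-16
            "code": raw & 0xFFFF,              # bits 15-0
            "name": KNOWN.get(raw, "UNLISTED"),
            "sign_restored": sign_restored}

def triage(line):
    """Return decoded fields for a crash report line, or None if no code found."""
    m = MSG_RE.search(line)
    if not m:
        return None
    info = decode_ntstatus(int(m.group("code")))
    path = (m.group("image") or "").replace("\\", "/")
    info["image"] = path.rsplit("/", 1)[-1].lower()
    # LSASS dying on a memory fault is the pattern the reply points to.
    info["lsass_memory_fault"] = (info["image"] == "lsass.exe"
                                  and info["name"] != "UNLISTED")
    return info

# Constructed sample lines, modelled on the messages quoted in the thread.
SAMPLES = [
    r"'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819",
    "Error Code is: 1073741819,",
    r"'c:\winnt\system32\spoolsv.exe' terminated unexpectedly with status code 0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```
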
 