More computer trouble.



Jens Vec
Jul 11th, 2006, 08:14:40 PM
Recently my computer has begun to have an error. I get a little box that says my computer will be shut down because (something).lsass.exe had an error. It counts down a minute, shows all these pretty vertical stripes on my monitor, then reboots. I don't know why it does this! Usually the restart message happens shortly after this lsass thing lets me know it screwed up and I tell it not to bother Bill Gates with an error report. I'm mightily confused. Help?

Morgan Evanar
Jul 11th, 2006, 08:17:49 PM
Do you have a virus scanner?

http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

Jens Vec
Jul 11th, 2006, 08:19:26 PM
McAfee something or other that I think came as a default virus scanner. That, or my parents put it on the machine before they gave it to me.

Morgan Evanar
Jul 11th, 2006, 08:30:53 PM
Ugh McAfee.
http://free.grisoft.com/doc/1

Jens Vec
Jul 11th, 2006, 08:38:29 PM
Got it, running it now. Will update here with the results.

EDIT: I think AVG got it. If it didn't, what will I have to do about it?

Morgan Evanar
Jul 11th, 2006, 09:15:05 PM
I dunno, it depends on the computer's behavior. If you're not sure, boot into safe mode (mash F8 after the boot logo screen, but before Windows starts to load) and select safe mode. Run AVG from there. This will work 99% of the time and clean all but the nastiest of nasties.

Jens Vec
Jul 11th, 2006, 09:22:29 PM
Alright. If it has that error again, I'll do the safe mode thing. We'll see what happens within the next day or so. Thanks Morgan.

Morgan Evanar
Jul 11th, 2006, 09:57:11 PM
Good luck :)

Lilaena De'Ville
Jul 11th, 2006, 11:44:13 PM
May the Force be with you.



Always.

Jens Vec
Jul 12th, 2006, 11:04:42 PM
Ok. It did it again.

LSA Shell Export Version had an error.
System shutting down by NT/AUTHORITY.
AVG popped up a little balloon in the bottom corner saying my email scanner is not configured properly. Does this mean the problem is in one of my email accounts? Or was it coincidence?

Morgan Evanar
Jul 13th, 2006, 05:47:29 AM
Probably a coincidence. What are you using to get your e-mail?

Yog
Jul 13th, 2006, 07:21:11 AM
These kinds of symptoms are known to happen because of the W32.Sasser.Worm, or some variant of the Sasser worm family of viruses. This would likely not have happened with a firewall, the latest security updates and a browser other than Internet Explorer (for the love of all that is holy, only use Opera or Firefox). I heard stories of people who got infected within a few minutes of casual browsing after a clean install of Windows, so it's quite widespread.

I will just quote someone else's troubleshooter on the matter, since it was summarised so neatly:


You've apparently contracted the latest worm, W32.Sasser.Worm, specifically designed to attack people who do not update their computers promptly and who do not practice "safe hex." In other words, like Blaster, this worm was developed and distributed _after_ a patch for the vulnerability was announced and made publicly available.

Further, and also like Blaster, this worm could not affect any computer whose user had taken the basic precaution of using a properly configured firewall.

To stay on-line long enough to get the necessary updates, patches, and removal tools, click Start > Run, and enter "shutdown -a" when the next Shutdown countdown begins. This will abort the shut down. Also, make sure you've enabled a firewall before starting, to preclude any more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.mspx

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

A word of advice: always keep Windows up to date with the latest security updates, have a properly configured firewall up at all times, and schedule regular full system scans + scan any downloaded files for viruses. Also configure AVG for email scanning.

If the quoted troubleshooter does not help you, let us know.

Jens Vec
Jul 13th, 2006, 12:29:27 PM
Originally posted by Morgan Evanar
Probably a coincidence. What are you using to get your e-mail?
Gmail now, but I had a Yahoo until a few weeks ago. I still check on it now and then.

I've got the default Windows firewall, and I keep it up-to-date. I'll put the worm removal on backup; I've still not run AVG in safe mode.

Morgan Evanar
Jul 13th, 2006, 01:21:49 PM
I guess you have Outlook or Outlook Express installed; I wouldn't worry about it. Do run AVG in safe mode.

Jens Vec
Jul 13th, 2006, 01:48:59 PM
Ran it. Got nothing. Gonna try some of the links in Yoghurt's post after dinner.

EDIT: Ran these two:

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.co...moval.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/


They came up clean. I won't get to run the 3rd tool until later on tonight.

Jens Vec
Aug 12th, 2006, 05:04:04 PM
I resurrect this thread in commemoration of the mighty return of LSA Shell (Export Vers)'s error, and the one-minute countdown of lsass says shut down doom. Last time, I used housecall.trendmicro.com before I tested Yoghurt's 3rd removal tool. It worked. The error went away, it was gone! :)

But, since I moved into college yesterday, it's come back with a vengeance. The computer's running 2 minutes before it crashes again, which isn't enough time to even start housecall scanning the thing. I tried accessing the internet via safe mode to run it, and it still has the error and reboot far too soon for me to start doing anything.

I've run AVG and Spybot in safe mode, along with FxSasser and Stinger. All four came up clean. I attempted to run them in normal mode, but the mighty reboot of death has so far kept any program from running to completion. Since I have so little time to do anything, I don't think I'll be able to go get Yoghurt's 3rd removal tool and run it, unless it can be burned to a CD and run in that manner. While I'm checking that, are there any other options? I would very much like to have my computer for the start of classes.

Morgan Evanar
Aug 12th, 2006, 07:49:38 PM
Is Windows up to date?

Jens Vec
Aug 12th, 2006, 08:17:07 PM
No. I've tried every day for the past 2 weeks and it tells me continuously that it failed to install the updates.

Morgan Evanar
Aug 12th, 2006, 08:40:47 PM
Hope you have broadband.

http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

Get this and then run it from safe mode. It will take forever but it should work.

Jens Vec
Aug 12th, 2006, 08:48:46 PM
Thanks! So far the only help I've had is setting my computer's clock back a year to delay the timer. The stupid thing gets ridiculously slow when the timer comes up, and I'm not dealing with that for a full minute. I'll burn this to CD via his computer and run it that way.

EDIT: Tried running it twice. Each time it got part way through, then it gave me a window saying "Access is denied". I click the OK button, and it gives me another box saying that it's going to undo everything that happened up to "Access is denied". I click "OK" or the X button and it starts to completely undo everything.

Khendon Sevon
Aug 13th, 2006, 11:43:10 AM
Anything important on your computer? :)

My simple solution: clean format.

Of course, that's not an option for everyone...

Jens Vec
Aug 13th, 2006, 06:06:06 PM
I could do it without much worry. I just don't know how. One of my friends with a desktop has these 7 or 8 CDs that he used to clean format his. I don't know if I'd need anything like that for my laptop. I'm gonna take this to the computer services people on campus tomorrow and see if they'd have anything like that.

Yog
Aug 14th, 2006, 12:36:35 AM
Did you try this to stop the countdown?


To stay on-line long enough to get the necessary updates, patches, and removal tools, click Start > Run, and enter "shutdown -a" when the next Shutdown countdown begins.

Jens Vec
Aug 14th, 2006, 07:41:14 AM
Didn't know I could do that. :| I handed it over to ITS like...half an hour ago. They don't have much work, hopefully I'll get it back soon.