
LSA Shell (Export Version)...

Discussion in 'Security and Privacy' started by Anakalia, 2004/05/01.

Thread Status:
Not open for further replies.
  1. 2004/05/01
    Anakalia

    Anakalia Inactive Thread Starter

    Joined:
    2002/01/17
    Messages:
    99
    Likes Received:
    0
    I'm getting this error message that says The system process C:\WINDOWS\system32\lsass.exe has terminated unexpectedly with status code 1073741819 and then it gives a 58 second countdown to shutdown.

    Here's the background:
    Haven't had any problems since my last bug trying to overtake my IE. Last night I'm doing my general surf (same sites I visit every day) and get this countdown message. When it reboots, it connects but I can't get to any websites or e-mail.

    Rebooted again and it took at least 30 seconds before it even began to connect.

    This morning (since it was too late last night to think) I started running all the virus scans I have. McAfee - nothing, AdAware - just 30 generic tracking cookies, Spybot - nothing, CWShredder - nothing. HijackThis - I compared a log from a while ago to today's and noted a couple of discrepancies. The one took care of the connection problem - just an override to my IE. The other is something called avserve.exe or avserve2.exe. I found out that this thing alone was using up at least 50% of my CPU. I was connecting slowly because my CPU had 100% used up.

    When I end the process for that, my PC works fine and I can surf. After a while though I start getting these error messages again. I downloaded some MS updates after sending an error report (which led me to the update page) but I still have errors.

    Any help? What is avserve.exe? It resides at C:\windows.

    Do I have a major virus, a worm, etc? :confused:
     
  2. 2004/05/01
    Anakalia

    Anakalia Inactive Thread Starter

    Joined:
    2002/01/17
    Messages:
    99
    Likes Received:
    0
    Just logged into my mail and received this e-mail:

    Dear Trend Micro customer,

    As of May 1, 2004 4:15 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SASSER.A.
    TrendLabs has received several infection reports indicating that this malware is spreading in the US.

    This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

    • http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-011_MICROSOFT_WINDOWS
    • http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    To propagate, it scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

    The resulting overflow allows the malware to listen to TCP port 9996, which instructs it to spawn a command shell. The malware then creates the script file CMD.FTP that contains instructions for the vulnerable system to download and execute a copy of this malware via FTP.

    The infected host then opens TCP port 5554 to accept any FTP requests from infected remote systems. The worm copy to be downloaded bears the file name, <random integer>_up.exe (e.g., 12345_up.exe), and is saved in the Windows system directory.

    After download, the malware deletes the file CMD.FTP. A log file named WIN.LOG is created in the root directory. This file contains the number of remote systems that the host system was able to infect.


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 110 (released)
    Official Pattern Release 879 (released)
    Damage Cleanup Template 331 (ETA 1 hour)
    Vulnerability Assessment Rule 10 (released)
    NVW Pattern 10124 (ETA 1 hour)


    For more information on WORM_SASSER.A, you can visit our Web site at:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A.
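    The alert above lists the host-side traces WORM_SASSER.A leaves behind (the avserve.exe / avserve2.exe process named earlier in the thread, listeners on TCP 5554 and 9996, CMD.FTP, WIN.LOG and a <random integer>_up.exe in the system directory). The following triage helper is an added example written for this page; it is not code from the thread, from Trend Micro or from Microsoft. It parses constructed sample output in the format of Windows `tasklist` and `netstat -an` plus a constructed file list, and reports which of those indicators are present. The sample data, the `triage` function and the `Findings` class are all assumptions of this example.

```python
"""Triage helper for the WORM_SASSER.A indicators quoted in the Trend Micro alert.

Added example, not the thread's or vendor's code. The sample tasklist, netstat
and file-list inputs below are constructed for this example; on a real host
you would feed in the actual `tasklist` and `netstat -an` output instead.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the alert text and the thread starter's post.
SUSPECT_PROCESSES = {"avserve.exe", "avserve2.exe"}
SUSPECT_PORTS = {5554, 9996}          # FTP server and command-shell listener
SUSPECT_FILES = {"cmd.ftp", "win.log"} | SUSPECT_PROCESSES
UP_EXE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)   # e.g. 12345_up.exe


@dataclass
class Findings:
    processes: list = field(default_factory=list)
    listeners: list = field(default_factory=list)
    files: list = field(default_factory=list)

    def infected(self) -> bool:
        """True if any indicator matched; a single listener alone is weak evidence."""
        return bool(self.processes or self.listeners or self.files)


def parse_netstat_listeners(netstat_text: str) -> set:
    """Local TCP ports in LISTENING state, from Windows `netstat -an` style output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            port = parts[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def parse_tasklist(tasklist_text: str) -> list:
    """Lower-cased image names from `tasklist` style output (header rows are skipped)."""
    names = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower().endswith(".exe"):
            names.append(parts[0].lower())
    return names


def triage(tasklist_text: str, netstat_text: str, file_paths: list) -> Findings:
    """Match the three input sources against the Sasser indicator lists."""
    found = Findings()
    for name in parse_tasklist(tasklist_text):
        if name in SUSPECT_PROCESSES:
            found.processes.append(name)
    for port in sorted(parse_netstat_listeners(netstat_text) & SUSPECT_PORTS):
        found.listeners.append(port)
    for path in file_paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SUSPECT_FILES or UP_EXE.match(base):
            found.files.append(path)
    return found


# Constructed sample data resembling an infected host (not real captures).
SAMPLE_TASKLIST = """Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
lsass.exe                      552 Console                    0      1,236 K
avserve.exe                   1740 Console                    0      2,840 K
explorer.exe                  1124 Console                    0     12,000 K
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      203.0.113.5:80         ESTABLISHED
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\system32\12345_up.exe",
    r"C:\win.log",
    r"C:\WINDOWS\system32\lsass.exe",   # legitimate, must not be flagged
]


def sample_findings() -> Findings:
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT, SAMPLE_FILES)


if __name__ == "__main__":
    result = sample_findings()
    print("processes:", result.processes)
    print("listeners:", result.listeners)
    print("files:", result.files)
    print("indicators present:", result.infected())
```

On the sample input the helper flags the avserve.exe process, both listeners and the three dropped files while leaving lsass.exe alone. A match confirms the cleanup is still needed; it does not replace applying MS04-011, which the later replies in this thread identify as the actual fix, since an unpatched host is reinfected as soon as it is back on the network.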
     


  4. 2004/05/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  5. 2004/05/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  6. 2004/05/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    And then load the latest Microsoft security patches. MS04-011 would have prevented this one from doing anything to your system but it would be a good idea to get all the current ones that deal with your specific system. MS04-012 almost certainly and probably some others.
     
    Newt,
    #5
  7. 2004/05/02
    Anakalia

    Anakalia Inactive Thread Starter

    Joined:
    2002/01/17
    Messages:
    99
    Likes Received:
    0
    I downloaded the patches and that seems to have solved my problem. However, there is a task that runs when I start up called realsched.exe (part of the Real Media stuff on the PC). This takes up 50% of the CPU usage. If my husband logs on with his profile, the CPU is 100% and nothing runs. We have to end the process before we do anything.

    Is this an echo of the worm? We hadn't had the problem before. I'm wondering if I can delete that without any major issues. I know the Real stuff isn't important, but just want to make sure before I set a chain of bad events into place.
     