LSA Shell + IMON Conflict

Discussion in 'NOD32 version 2 Forum' started by Steeler, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. Steeler

    Steeler Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    2
    Location:
    Greater Toronto Area, Ontario, Canada
    Ran the NOD32 trial version for several weeks, no problems. Since purchasing and installing the registered version last evening, I've endured an exasperating string of system instabilities and reboots.

    I'm running XP Pro SP1 via dial-up, and the system error logs clearly identified the NOD32 IMON (imon.dll) as the culprit that kept crashing the LSA Shell (Export Version - lsass.exe in the windows/system32/ folder). Turning off IMON stabilized my system for a short while, as running any winsock-reliant app caused the system to lock up with a hard reboot the only escape (even the Task Manager could not be retrieved). Unfortunately, it reached the point where turning off all NOD32 monitors was the only way to prevent the LSA shell from crashing on startup.

    After several uninstalls/re-installs of NOD32, the problem persists. I am now running my system with no AV protection - it was the only way I could get online and post this thread...

    I will re-install the trial version again and toss the registered version in my "digital doghouse" until someone can help with this strange predicament. Thanks in advance for your responses...
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please email support@nod32.com for a newer version of imon.dll which should have this problem fixed.
     
  3. Steeler

    Steeler Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    2
    Location:
    Greater Toronto Area, Ontario, Canada
    I sent a message to NOD32 Support and they replied 13 minutes later, on a Saturday afternoon - I was impressed!!!

    However, the updated imon.dll file was a failure. Once installed, the updated file removed the IMON module from the Control Center and locked up my sockets.

    I'm back to the Trial version (2.000.6) until it expires or I get a proper fix. I've already sent another email to NOD32 support and hope to hear back early this week.
     
  4. sejong

    sejong Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    7
    Location:
    Upstate, NY, USA
    I have a similar experience on a server running Windows 2000 Server that is also a Terminal Server in Application Server mode and a domain controller (I realize this is suboptimal and a security risk), running Outlook 2000 in Corporate/Workgroup mode (but the mail server is an ISP's mail server, not Exchange).

    In the System log are repeated instances of an Application Popup Event ID 26 from Lsass.exe - Application Error : The instruction at "0xnnnnnnnn" referenced memory at "0xnnnnnnnn". The memory could not be "read". Click on OK to terminate the program. Click on CANCEL to debug the program. This message is also displayed at the console; clicking OK runs a shutdown command with a 60-second countdown.


    In the Security log, at the exact same time as each such event is an instance of Event ID 540 - Successful Network Logon:

    I wonder if deleting EMON, or a newer version of IMON, would solve this problem. Any advice is appreciated.
     
  5. sejong

    sejong Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    7
    Location:
    Upstate, NY, USA
    Follow-up to my previous post: I followed Marcos' advice and got a new version of imon.dll, which eliminated the lsass.exe application errors.
     
  6. I have the same problem. I tried to download this DLL file from the internet but I didn't find it.
    Can anybody tell me where I can find it?
    Thank you a lot!
     
  7. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    It's not online for download.

    It will be included in a future update once it has been fully tested, but right now you can request a copy from support@nod32.com

    It's not guaranteed 100% to fix your problem, but it's worth a try ... it has worked with most lsass glitches so far.
     
  8. Thank! Thank you.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The latest version of NOD32 available on our website has the lsass problem already fixed. Those who are experiencing the problem, please re-download and re-install NOD32.
     
  10. dohgg

    dohgg Guest

    Hello, I found this thread as the best one to post my problem.
    My English isn't good, but from what I read I think I have the same problem.
    A few minutes after Windows starts I'm getting LSASS.EXE crashed, and when I click "Don't send" a shutting down system timer begins.
    Look, I'm really a n00b in this, I have no idea what NODSE is but I downloaded it and tried to install it, and after I wrote the command in the Run textbox I got this message: " Loadlibary("c:\nodse\nodse.dll")Failed. The specified module could not be found. ".
    I'm really hopeless right now, I have no idea what to do, please help.
     
  11. Devin

    Devin Guest


    Nope didn't work!
     
  12. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Damn I can't believe this, the LSA Shell (Export Version) problem is still there even though I uninstalled NOD. What should I do now??


    szAppName : lsass.exe szAppVer : 5.1.2600.0 szModName : unknown
    szModVer : 0.0.0.0 offset : 00000000

    C:\DOCUME~1\Devin\LOKALA~1\Temp\WER3.tmp.dir00\lsass.exe.mdmp
    C:\DOCUME~1\Devin\LOKALA~1\Temp\WER3.tmp.dir00\appcompat.txt
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Very true, Derek.

    Win32/Sasser.A is covered in NOD32's database update v1.745 for those interested.

    regards.

    paul
     
  15. dohgg

    dohgg Guest

  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Go for the free stand alone Stinger instead :)

    regards.

    paul
     
  17. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    I scanned my C drive but Stinger doesn't find it, at least not on my computer.
    Suggestions on what to do instead?
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Devin,

    You can give this one a try; a free tool to remove the Sasser.A and Sasser.B worms.

    regards.

    paul
     
  19. Kaosfusion

    Kaosfusion Guest

    Beware guys, I was infected yesterday with what appears to have been the Sasser Worm (i.e. lsass.exe / LSA Shell has caused an error and then the PC shutting down and rebooting). I used to do AV Tech Support and even I didn't initially realise; my AV was up to date, I have a firewall activated and still the thing managed to get in. I ran scans and the fix patch and it didn't appear to pick up anything, but the symptoms appear to have gone!

    This is what I did:
    1). Stop the PC from shutting down first by identifying the process in the Task Manager.
    Symantec details the following to end the malicious process:
    -Press Ctrl+Alt+Delete once.
    -Click Task Manager.
    -Click the Processes tab.
    -Double-click the Image Name column header to alphabetically sort the processes.
    -Scroll through the list and look for the following processes:
    avserve.exe
    -any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
    -If you find any such process, click it, and then click End Process.
    -Exit the Task Manager.

    2). Disable your System Restore.

    3). Run your AV Scan or emergency cleaning patch. Trend Micro have a great Damage Cleanup Service: http://www.trendmicro.com/download/dcs.asp

    If that doesn't work try their online antivirus scan: http://housecall.trendmicro.com/

    4). Now remove the key from your Registry (TAKE EXTREME CARE WHEN DOING THIS IF ANYTHING IS UNCLEAR OR YOU ARE UNSURE HOW TO PROCEED SEEK HELP OR EXPECT SERIOUS MESS IF YOU MAKE A MISTAKE). Symantec say:

    -Click Start, and then click Run. (The Run dialog box appears.)
    -Type 'regedit'
    -Then click OK. (The Registry Editor opens.)
    -Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    -In the right pane, delete the value: "avserve.exe"="%Windir%\avserve.exe"
    -Exit the Registry Editor.

    5). Apply Microsoft patch from this page. Also located on this page is a System check that will scan you PC looking for any signs of the Sasser Worm (a great way of checking that you have the all clear) - this only works if you apply the patch first though. http://www.microsoft.com/security/incident/sasser.asp

    6). Switch back on the System Restore function and reboot your PC for good measure.........you will know that everything is ok, I breathed a huge sigh of relief when my PC stopped with the scary rebooting.....good luck!!!
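    Added example (not code from this thread, from Symantec or from Eset): a small triage script that implements the checks the posts above describe in one place. It looks for the avserve.exe process and the 4-or-5-digit _up.exe droppers from Kaosfusion's step 1, for the avserve.exe value under the Run key from step 4, and it reproduces sejong's observation earlier in the thread that each lsass.exe Application Popup (Event ID 26 in the System log) lined up with a Security-log Event ID 540 network logon. The function names, the 5-second correlation window and the dictionary shape of the event records are my own choices, and the process list, Run-key values and event-log records are constructed sample data, so the script runs offline; on a real machine you would feed it the Task Manager / tasklist output, the Run key and the two logs.

```python
"""Triage helper for the Sasser indicators discussed in this thread.

Added example; it is not code from the forum, from Symantec or from Eset.
It only implements the checks the posts describe: the avserve.exe process,
the NNNNN_up.exe droppers, the Run-key value, and sejong's observation that
each lsass.exe Application Popup (Event 26) lined up with a Security-log
Event 540 network logon.  All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

SASSER_PROCESS = "avserve.exe"
# 4 or 5 digits followed by _up.exe, e.g. 74354_up.exe (pattern quoted in the thread)
DROPPER_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_processes(process_names):
    """Return the names from a process list that match the two Sasser patterns."""
    hits = []
    for name in process_names:
        base = name.rsplit("\\", 1)[-1]          # tolerate full paths
        if base.lower() == SASSER_PROCESS or DROPPER_RE.match(base):
            hits.append(name)
    return hits


def suspicious_run_values(run_values):
    """run_values maps value name -> data under RUN_KEY; keep avserve.exe entries."""
    return {name: data for name, data in run_values.items()
            if name.lower() == SASSER_PROCESS
            or data.lower().endswith("\\" + SASSER_PROCESS)}


def crash_logon_pairs(events, window_seconds=5):
    """Pair System-log Event 26 popups naming lsass.exe with Security-log
    Event 540 logons that fall within window_seconds of each other."""
    crashes = [e for e in events
               if e["log"] == "System" and e["id"] == 26
               and "lsass.exe" in e["message"].lower()]
    logons = [e for e in events if e["log"] == "Security" and e["id"] == 540]
    return [(c, l) for c in crashes for l in logons
            if abs((c["time"] - l["time"]).total_seconds()) <= window_seconds]


def triage(process_names, run_values, events):
    """Summarise the evidence.  A crash/logon pair on its own is not proof of
    Sasser: the first posts in this thread show the same lsass.exe crash caused
    by a buggy imon.dll, so the process and Run-key hits are what decide it."""
    procs = suspicious_processes(process_names)
    runs = suspicious_run_values(run_values)
    pairs = crash_logon_pairs(events)
    return {
        "processes": procs,
        "run_values": runs,
        "crash_logon_pairs": len(pairs),
        "likely_sasser": bool(procs or runs),
        "lsass_crash_only": bool(pairs) and not (procs or runs),
    }


# ---- constructed sample input (not taken from any real machine) ----
SAMPLE_PROCESSES = ["System", "lsass.exe", "svchost.exe", "explorer.exe",
                    "avserve.exe", "74354_up.exe", "123_up.exe", "backup_up.exe"]
SAMPLE_RUN_VALUES = {
    "avserve.exe": r"%Windir%\avserve.exe",
    "nod32kui": r"C:\Program Files\Eset\nod32kui.exe",
}
T0 = datetime(2004, 5, 1, 14, 3, 12)
SAMPLE_EVENTS = [
    {"time": T0, "log": "Security", "id": 540,
     "message": "Successful Network Logon: Logon Type: 3"},
    {"time": T0 + timedelta(seconds=1), "log": "System", "id": 26,
     "message": 'lsass.exe - Application Error : The instruction at "0xnnnnnnnn" '
                'referenced memory at "0xnnnnnnnn". The memory could not be "read".'},
    {"time": T0 + timedelta(minutes=30), "log": "Security", "id": 540,
     "message": "Successful Network Logon: Logon Type: 3"},   # no crash nearby
    {"time": T0 + timedelta(hours=1), "log": "System", "id": 26,
     "message": "explorer.exe - Application Error"},          # not lsass.exe
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

    On the sample data the script reports the avserve.exe and 74354_up.exe processes, the avserve.exe Run value and one crash/logon pair; with the process and Run-key hits removed it reports only lsass_crash_only, which is the situation Steeler and sejong were in before Sasser entered the thread.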
     
  20. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Thanx to you guys I finally got rid of that s**t.

    Felt the same
     
  21. panthera

    panthera Registered Member

    Joined:
    May 3, 2004
    Posts:
    2
    Hey Guys,
    I had a huge problem with the Sasser Worm, but thanks to that trendmicro site it's now gone. (The Microsoft site suggested setting up a firewall; how do I do that?)
    However, it also picked up this thing called the Nachi Worm, and now it keeps reinfecting my computer a few times a day. Does anyone know how serious it is or what it's actually doing to my computer when it infects me? (ie: the Sasser worm messes with LSA Shell and causes your comp to continually shut down)

    I downloaded Mozilla to stop these annoying pop-up things - there was one trying to get me to go to bigboner.biz and buy yohimbine or something; I think when that came up on my screen was around the same time I caught one of the viruses :mad:
    Oh, and one more thing: how do you make MSN Messenger use Mozilla instead of Internet Explorer when you click on "go to your inbox"?
    Thanks again guys, you saved my very unhealthy computer

    Cheers, Kylie


    ------------


    I can press buttons, but that's about as far as my computer skills go!!!
     
  22. Kaosfusion

    Kaosfusion Guest

    Hey Kylie,

    In response, I am not sure about your Mozilla issue - never used it.

    However, the virus question is my speciality. Trend Micro have an Online Virus Encyclopedia which is free for anyone to use. Just type in the name of the virus, or part of the name, i.e. 'Nachi', and it will then give you a list of different types of Nachi worm - so see if you can find out what type it is and then go into the definition. It will detail what the worm does, its damage potential, how it does it, how to remove it, and how to manually remove it if it is a real sticky one. Hope this helps too.....
     
  23. Kaosfusion

    Kaosfusion Guest

  24. panthera

    panthera Registered Member

    Joined:
    May 3, 2004
    Posts:
    2
    I had a look on the encyclopedia, thanks, it's a huge help. I did download that tsc thing which finds and supposedly deletes the Nachi worm (and Sasser too, thank goodness), but every so often when I do a virus scan the Nachi worm is back there again... so I'm thinking maybe it's not completely getting rid of all of the components. I don't really understand a lot of the processes that the encyclopedia says to do to get rid of it properly; as you said, it might be a particularly sticky one. It seems unlikely that I'm being reinfected every time as it's happening so often; I think it's the same one not going away properly. *sigh* I spent a whole day trying to download the right stuff to get rid of it, and it's still not leaving my poor puta alone. It seems to come back every few hours. Is there a simple way someone can explain to me how to get rid of it for good? It's getting a bit beyond a joke and I'm not laughing anymore *sigh again*

    cheers
    Kylie

    -------------

    once again my naivety with computers bites off my tail
     
  25. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Actually, if your machine is unpatched and not behind a firewall, you might well be reinfected with Nachi and other network worms like Sasser just by being on the internet. If you're on XP, activate the Internet Connection Firewall. Instructions can be found in the Help and Support section accessed through the start menu. When you use a clean up tool, if you are using XP deactivate system restore if you have it on and don't turn it back on until your PC is clean. Go to windows update and download the critical security updates for your system.

    Sasser, like Nachi, is also a network-borne worm. Again, making sure your PC is up to date with the MS security patches and using a firewall is how to protect against getting infected and reinfected.
     