lsass.exe invalid parameter...

Discussion in 'malware problems & news' started by taytong888, Mar 1, 2007.

Thread Status:
Not open for further replies.
  1. taytong888

    taytong888 Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    168
    Hi,
    Urgently need your help. WinXP Home SP2 with up-to-date update files as well as several antivirus and antispy programs. Firefox 2.0.0.2 with NoScript enabled. When I got home tonight and turned on the computer, the screen read: "lsass.exe - system error - An invalid parameter was passed to a service or function". When I closed the message, the computer kept rebooting so I cannot do anything to diagnose or clean up. Even a safe mode boot didn't help. I also tried Google using another computer but so far cannot find anything relevant. This is the first time ever I ran into this problem. Can't figure out why a malware (e.g. Sasser worm?) even got into my computer.

    I am getting frustrated. Could you please show me what to do next?
    Thanks a lot for your help.
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    When the countdown starts, open a command prompt (Windows-R, cmd, OK is the fastest way to do this) and type shutdown /a. This will abort the shutdown. This will work on Windows XP, 2003.
    http://www.petri.co.il/quickly_abort_shut_down_commands_on_xp_2003.htm

    Quickly update all your security programs and scan your computer.
    http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99
    According to the article, sasser spreads via network infections.

    Are you using a firewall? The built-in Windows firewall is not recommended for everyday use. To protect your computer against future exploitation by this threat, you can use a third-party firewall such as this:
    http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

    NOTE: Before installing Sunbelt Personal Firewall please uninstall any other firewall you may have installed. It is impossible to run more than one firewall on a computer. Note: Sunbelt Personal Firewall will automatically disable the Windows Firewall that is included in Windows XP.


    When you have a firewall up and running, disconnect your computer from the internet to stop the worm's advances. Then, scan your computer to clean out the worm.
     
    Last edited: Mar 1, 2007
  3. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    You may not be infected; corruption of the registry hive, specifically the SAM, could well lead to the same issue, thus I'd also try a Last Known Good from the safe mode menu (F8 at boot) or replace the Windows\System32\Config\SAM with the Windows\Repair\SAM from the command line (via above or recovery console)

    keep in mind that files in Windows\Repair get overwritten with every successful normal boot

    (edit for clarification)
     
    Last edited: Mar 8, 2007
  4. taytong888

    taytong888 Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    168
    Hi,

    Thanks for replying. I haven't found any malware so far. Just wondering what caused the error or corruption of the SAM in the first place. Since I could not boot into safe mode, I had to reinstall XP from scratch on another HD then get Windows updates up to SP2. Very tedious!

    Not sure if I can find or dare to mess with Windows\Repair\SAM. It appears that XP Pro has better security features/tweaks than my XP Home. I just found that for XP Home, one can use the SysKey Utility (MS KB 310105) to secure the SAM database. Should I?
     
  5. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    the contents of Windows\Repair is just the automatic registry backup otherwise known as

    last known good

    which is accessible from the recovery console or the same menu you're presented to select safe mode from. Working from the command line is a bit tricky till you learn the syntax (mainly because notation of syntax is kind of opaque for a beginner)

    http://www.go4expert.com/forums/showthread.php?t=827
    (some decent "real" examples of copying with a little something extra :p )

    there are several hundred ways to corrupt data :p
    sometimes I think I'm working on experiencing the last dozen or so. :rolleyes:

    Consider that after virtual memory, the registry and certain system files are the odds-on favorites for frequency of access; the SAM file (Security Accounts Manager) is of course accessed at every boot. It might actually be getting written to all the time depending on if there are multiple accounts (auto logging back to the last account shut down with, or security templates that require a new password for a set timeframe, or other gpedit security templates)

    All this is to say it's not necessarily malware, but it certainly doesn't preclude malware.
    Anything impacting security systems needs a thorough investigation.

    But if it is corruption, it can be a challenge to hunt it down; sometimes it's pretty intermittent or even sector-unique HDD degradation, and you can waste a lot of effort having to repair or reinstall with the less obvious, less frequent corruption if it is repetitive.

    One of the reasons it's worth learning about reliability issues in data and taking preventative rather than remedial steps.
    (the best power delivery you can manage, good cables well routed, extensive memory testing when you first build and as the first suspect ruled out when issues develop, being extra nice to HDDs, incremental OS snapshots as you're adding drivers\software)

    On the remedial end: learning all the CHKDSK switches and what they are good for, basic system file and registry repair,
    investing in recovery apps and the time to learn them, developing a good backup strategy.
     
    Last edited: Mar 10, 2007
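As an added example (not code from this thread or from any of its posters), the batch script below strings together the remedial steps the posts above describe for a Windows XP machine that is still reachable from a command prompt: abort the lsass.exe shutdown countdown with shutdown /a, record the dates and sizes of the live hives and of the copies under Windows\Repair so the two can be compared later, copy those Repair hives to a dated folder before anything can replace them, and schedule CHKDSK for the next restart. The log path, the backup folder name and the choice of hives to list are assumptions; the script assumes it is run from cmd.exe under an administrator account.

```batch
@echo off
rem Added example, not from the thread. Assumes Windows XP, cmd.exe, administrator rights.
setlocal

rem 1. Abort the pending shutdown (the command nadirah gives above).
shutdown /a

rem 2. Record the state of the live hives and of the Repair copies (log path is an assumption).
set LOG=%SystemDrive%\hive-state.txt
echo === live hives %DATE% %TIME% === > "%LOG%"
dir "%SystemRoot%\System32\Config\SAM" >> "%LOG%"
dir "%SystemRoot%\System32\Config\SYSTEM" >> "%LOG%"
dir "%SystemRoot%\System32\Config\SOFTWARE" >> "%LOG%"
echo === copies under Windows\Repair === >> "%LOG%"
dir "%SystemRoot%\Repair" >> "%LOG%"

rem 3. Copy the Repair hives to a dated folder so a later boot or repair cannot replace them
rem    (folder name is an assumption; %DATE% slashes are turned into dashes).
set DEST=%SystemDrive%\HiveBackup-%DATE:/=-%
mkdir "%DEST%" 2>nul
copy "%SystemRoot%\Repair\*" "%DEST%\" >nul
if errorlevel 1 (
    echo Backup of Repair hives FAILED >> "%LOG%"
) else (
    echo Repair hives copied to "%DEST%" >> "%LOG%"
)

rem 4. Schedule a file-system check for the next restart (Ice_Czar's CHKDSK suggestion);
rem    the piped "y" answers the "schedule at next restart" prompt for the in-use system volume.
echo y | chkdsk %SystemDrive% /f

echo Done. See "%LOG%" and "%DEST%".
endlocal
```

The script deliberately does not overwrite System32\Config\SAM: while Windows is running the live hives are held open exclusively, so the replacement Ice_Czar describes has to be done from the Recovery Console (or Last Known Good chosen at the F8 menu), and the dated copy made here is what you would compare against, or restore from, when you get there.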