Topic: Win XP Pro Shuts Down Immediately. lsass.exe? Tried Avast Virus Cleaner

KBradley

  • Guest
Running WinXP Pro.  Clean install just a few weeks ago.  Have installed all updates, etc.  Have activated Windows built-in firewall.  Had a virus within first few minutes on internet, so eliminated worm, and turned on firewall.  Think I have another one, based on behavior of Windows.

When I log on, Windows IMMEDIATELY shuts down (1 min. countdown) - no time to access online virus scanner, etc and correct.

Error message I get is:  "C:Windows/System32/lsass.exe terminated unexpectedly with status code 128.  The system will now shut down and restart."

Can use WindowsXP in Safe Mode without computer shutting down.  Have run Adaware to check for spyware/adware - none found.  PandaSoftware PQRemove.exe can't find any viruses (abbreviated program).  Also ran Avast Virus Cleaner program - none found.  How can I access internet in Safe Mode in order to go to a thorough online virus scanner?  Is there a way to dial out and access internet in Safe Mode?  My ISP connection program does not want to run in Safe Mode.  Can anyone help?  Does anyone know what virus/worm this might be causing this problem?  When computer shuts down on its own (after the 1 min. countdown, due to this problem), when I try to log back on it asks for a logon password (none installed).  If I power down and reboot, I can go into safe mode, or attempt to log in normally without the password interference.  Any ideas?  Any assistance would be appreciated!!
« Last Edit: April 23, 2004, 01:16:28 AM by KBradley »

whocares

  • Guest
Hi,

a) try blocking TCP in port 4500 and UDP IN port 500 for lsass, or ALL connections inbound for lsass.exe
maybe with 3rd-party firewall

b) are you SURE you installed all Windowsupdates ? also the ones from April 12.-14. ??
cause those updates replaced LSASS / fixed an lsass-vulnerability in addition to some RPC-security-Rollup-package

b1) there have been lots of reports that the above updates make some XP or 2000 systems really unstable, try google

c) why don't you try installing/scanning with an AV-scanner OFFLINE, like avast, or Kaspersky ?

d) post a hijackthis-Log: www.lurkhere.com

e) try SFC.exe (system filecheck in WIN) to check for bogus windows/system files




 ;)
« Last Edit: April 23, 2004, 01:31:24 AM by whocares »

.: Mac :.

When you hit F8 to go to safe mode, if you use a network (like a cable connection) there should be an option to use safe mode with networking. At least there is in XP.
"People who are really serious about software should make their own hardware." - Alan Kay

werther

  • Guest
 ???

Hi! I got the same problem, clean install, updates and during an internet session something got in my XP. After a full system scan Symantec AV Proff no results.

Have you found a solution?

Bernie

  • Guest
Quote
After a full system scan Symantec AV Proff no results.
 

You can't rely on NAV. Try a "Boot Time Scan" with Avast!

Ulti

  • Guest
I am experiencing the very same issue (on at least two different w2k machines, a third will be checked tomorrow), and I've come to a couple of conclusions:
1. If I unplug the machine from the internet I have no problems.
2. If I (in safe mode or offline mode) uninstall Avast I can get online with the machine with much more seldom reboots.
3. The issue started after the last update of Avast.

//Ulti..

Ulti

  • Guest
After some "further investigation" it seems that the latest Avast update (for me) being right before the problems started was merely a coincidence; however, uninstalling Avast did get me much more time between the reboots.
The solution for me was anyhow to run sasser-removers, and getting updates from Microsoft, not only those showing up on win-update.

//Ulti..

ps. Even though none of the sasser-removers found my systems infected, I've seen a few people being helped by running the removers anyway. Might be a good idea anyhow..
« Last Edit: May 03, 2004, 01:49:38 AM by Ulti »

10.5

  • Guest
You might take a look at this:  http://www.blackviper.com/AskBV/tech10.htm.  It came up when I was searching Google for this same problem.  I haven't tried it yet so I can't verify that it'll work.

owlman_1

  • Guest
Try using "Stinger" by McAfee. Search A.V.E.R.T on Yahoo. It got rid of worm Sasser.B on the first try. I downloaded "Download Accelerator Plus" because it has resume. It was shutting down my computer every few minutes. I shut down my computer before the virus did and left it off for about an hour. Then was able to download "Stinger". :)
 Good Luck,
 owlman_1

RejZoR

This thing should help:
http://users.volja.net/razor256/downloads/AntiRPC_Batch.zip

This little batch script was used for MSBlast and I think it should work for Sasser too. It's so small that you can easily download it in a second.
After you see the countdown timer, simply execute it and it should terminate that timer. After that get yourself a patch for this vulnerability.

Max M.Wachtel III

  • Guest
Here is the workaround for the failed patch issued by MS-
" postings indicate
that the problem still exists on fully patched XP/2000 systems. A workaround is
to block ports 139/tcp and 445/tcp at the network perimeter to prevent attacks
from the Internet."
Also they arrested a German boy today for writing Sasser, see:
http://zdnet.com.com/2100-1106-5208655.html?tag=header.newsfeed
-max
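
An added example, not part of the post above: one way to check that the quoted workaround is in effect is to read the firewall log for inbound TCP connections to ports 139 and 445. The sketch assumes a W3C-style `pfirewall.log` with a `#Fields:` header; the log lines, IP addresses and function names are constructed for illustration.

```python
from collections import Counter

WATCHED_PORTS = {139, 445}  # ports named in the quoted workaround

# Constructed sample in the assumed pfirewall.log layout (documentation IPs).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2004-05-03 10:15:01 DROP TCP 203.0.113.7 192.0.2.10 3345 445 48 S
2004-05-03 10:15:04 DROP TCP 203.0.113.7 192.0.2.10 3346 139 48 S
2004-05-03 10:16:40 OPEN TCP 198.51.100.23 192.0.2.10 4102 445 - -
2004-05-03 10:17:02 OPEN TCP 192.0.2.10 198.51.100.80 1050 80 - -
2004-05-03 10:18:11 DROP UDP 203.0.113.9 192.0.2.10 1026 137 78 -
"""

def inbound_smb_events(log_text, local_ip, ports=WATCHED_PORTS):
    """Return (allowed, dropped) records for inbound TCP to the watched ports."""
    fields, allowed, dropped = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order comes from the header, so extra columns are tolerated.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("dst-ip") != local_ip:
            continue  # only inbound TCP addressed to this machine
        port = rec.get("dst-port", "")
        if not port.isdigit() or int(port) not in ports:
            continue
        action = rec.get("action", "")
        if action.startswith("OPEN"):
            allowed.append(rec)   # connection was let through
        elif action == "DROP":
            dropped.append(rec)   # connection was blocked
    return allowed, dropped

def summarize(log_text, local_ip):
    """Sources that reached 139/445, and blocked attempts counted per port."""
    allowed, dropped = inbound_smb_events(log_text, local_ip)
    return {
        "allowed_sources": sorted({r["src-ip"] for r in allowed}),
        "dropped_by_port": dict(Counter(int(r["dst-port"]) for r in dropped)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.0.2.10"))
```

Any address listed under `allowed_sources` means inbound 139/445 is still reaching the machine and the block is not effective for that path.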

lifespan

  • Guest
If you are capable of carrying out the above instructions in less than 1 minute I'm impressed.  :-* Otherwise the 1 minute shutdown is probably hampering your attempts to follow the solid advice offered here.

To stop the machine from automatically shutting down.

  • Windows Key + R   (winkey is between ctrl and alt on left of spacebar)
  • type cmd in the Open box and click OK
  • at the command prompt type :
shutdown -a
  • press enter


Shutdowns should stop and you should be right to start removal.