  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2221

Windows 2000 machine shutting itself down

OK, the user is showing symptoms similar to Blaster. She is getting the NT AUTHORITY message and her PC is shutting itself off. Yes, her system was unpatched.

So yesterday I ran STINGER on her PC but it found nothing? I patched her system anyway and then ran Microsoft's removal tool. She said the message appears only in the morning. By afternoon it is gone. Anyone have any ideas? The STINGER tool is supposed to remove Blaster and Sasser... looks like it didn't work.

Thanks
Asked by: dissolved
2 Solutions
 
sunray_2003Commented:
Hi dissolved,

Is this what you get?

http://www.jsiinc.com/SUBG/TIP3400/rh3431.htm

Have you tried to patch her system with the latest Windows updates yet?

Also check this:
http://support.gateway.com/s/issues/2-976684501.shtml

SR..
0
 
sunray_2003Commented:
MS Blaster:
-----------

http://www.microsoft.com/security/incident/blast.asp

Removal tool : http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Patch : http://www.microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Virus Alert About the Blaster Worm and Its Variants:
http://support.microsoft.com/default.aspx?kbid=826955

Sasser:
-------

Removal tool : http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en

Removal Instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html#removalinstructions

Manual removal:

  1. Disconnect your computer from the Internet.
  2. Boot in Safe Mode by pressing the F8 key during startup.
  3. Navigate to your Windows directory (c:\WINDOWS or c:\WINNT) on your hard drive.
  4. Look for a file named AVSERVE.EXE. Delete it.
  5. Click on the Start menu and select Run.
  6. Type "regedit" (without quotes).
  7. Navigate to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  8. In the window to the right, look for a value called avserve. Delete it.
  9. Exit RegEdit.
  10. Reboot.

Once your system is up, go to windowsupdate.microsoft.com and update with the patches.
0
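As an added example (not from the thread or from any of the linked tools), a PowerShell check for the indicators the manual steps above walk through: AVSERVE.EXE in the Windows directory and an "avserve" value under the Run key, plus a list of any LSASS "terminated unexpectedly" events from the System log so their timestamps can be compared with the morning-only shutdowns. It assumes a modern Windows host with Windows PowerShell 5.1 or later (the original Windows 2000 machine would not have it) and is report-only unless -Remove is passed.

```powershell
# Constructed example: report (and optionally remove) the Sasser indicators named in the
# manual-removal steps, and list LSASS termination events recorded in the System log.
# Assumes Windows PowerShell 5.1+ on a modern Windows host; run elevated for -Remove.
[CmdletBinding()]
param(
    [switch]$Remove   # only delete the file and the Run value when explicitly asked
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$winDir   = $env:SystemRoot                    # c:\WINNT on Windows 2000, c:\WINDOWS elsewhere
$wormExe  = Join-Path $winDir 'avserve.exe'
$findings = @()

# 1. Dropped executable in the Windows directory
if (Test-Path -LiteralPath $wormExe) {
    $findings += "file present: $wormExe"
    if ($Remove) { Remove-Item -LiteralPath $wormExe -Force }
}

# 2. Persistence value under the Run key (value name 'avserve'; -contains is case-insensitive)
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues -and ($runValues.PSObject.Properties.Name -contains 'avserve')) {
    $findings += "Run value present: avserve = $($runValues.avserve)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'avserve' }
}

# 3. LSASS terminations in the System log (the message quoted later in the thread);
#    the timestamps show whether the crashes cluster at a particular time of day.
$lsassEvents = Get-WinEvent -LogName System -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LSASS\.EXE terminated unexpectedly' }
foreach ($e in $lsassEvents) {
    $findings += "LSASS termination logged at $($e.TimeCreated)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sasser indicators or LSASS termination events found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A clean report here does not rule out the other causes raised in the thread (a bad NIC or broken Winsock settings), which the later replies cover.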
 
dissolvedAuthor Commented:
I was getting code 128. That must be it. Says it is a corrupt event log? Can clearing Event Viewer fix this?
0
 
sunray_2003Commented:
Use this:
http://www.jsiinc.com/SUBF/Tip2500/rh2513.htm

If that does not help, try the Recovery Console.
0
 
SheharyaarSaahilCommented:
>> She said the message appears only in the morning time. By afternoon it is gone.

How is she connecting to the internet? Is she using an ADSL modem?
0
 
dissolvedAuthor Commented:
OK, ran STINGER, the Symantec Blaster removal tool and Microsoft's removal tool, and none of them found any worm. I checked HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and no sign of the virus.

Her machine is Win2k SP2. I'm currently patching it to SP4.
Connection to the internet is T1 (frame relay).

No idea on this one. The error is:

The system process C:\WINNT\SYSTEM32\LSASS.EXE terminated unexpectedly with status code 128. The system will shut down and restart.
0
 
sunray_2003Commented:
dissolved,
> The system process C:\WINNT\SYSTEM32\LSASS.EXE terminated unexpectedly
> with status code 128

Have you scanned for the Sasser worm yet?

Is your Windows fully updated?
0
 
sunray_2003Commented:
Also disconnect the internet connection on your system, monitor the system for some time and see if the shutdown occurs.

Make sure to install the updates first, right after connecting to the internet.

Make sure to check the Sasser removal instructions.
0
 
dissolvedAuthor Commented:
OK, I updated to SP4 and it STILL shut down. However, there are 27 available updates still left (currently downloading them).

I did scan for Sasser using the STINGER tool. But what is a Sasser-specific tool? And yes, when I disconnect the ethernet cable I noticed it doesn't shut down.
Thanks
0
 
sunray_2003Commented:
dissolved,

Since your computer does not shut down if you do not have internet, that gives an indication that you have some sort of virus.
Check my previous suggestions and you should see the removal tool for Sasser, and also check the removal instructions for Sasser.
Try to do all that.
Then, if you can sustain it, first download all the updates, reboot your system and then check if you can solve the issue.
0
 
SheharyaarSaahilCommented:
I'm surprised that if it's a Sasser variant, Stinger is not picking it up... it should pick it up!
Are you feeling any weird slowness on your system, which is the main symptom of Sasser?

Go here >> http://www.microsoft.com/security/incident/sasser.mspx
Click on Scan My Computer and check what it reports.
0
 
sunray_2003Commented:
dissolved,

Make sure you have the Nov 8 version of Stinger.
http://vil.nai.com/vil/stinger/
0
 
dissolvedAuthor Commented:
OK, all updates on the PC. Ran Symantec's Sasser and Blaster removal tools to no avail. Ran Microsoft's Sasser removal tool to no avail. Ran Microsoft's Blaster removal tool to no avail. None of these tools reported finding a virus.

Running the Nov version of Stinger again (ran the Nov version yesterday as well).

So far, it hasn't done it with all the updates installed. I will see.
0
 
SheharyaarSaahilCommented:
>> None of these tools reported finding a virus.
Same thing I was telling you: Sasser cannot be that silent, it has very distinct symptoms which can be seen easily!
You are using the ethernet card, right? How about changing it, I mean just hook up another card and try with that one to check for the problem?
0
 
dissolvedAuthor Commented:
Would a network card give an lsass.exe error and make the system shut down though?
0
 
SheharyaarSaahilCommented:
A bad card can cause the lsass.exe service to terminate... you won't believe it, but I have seen this lsass.exe problem also when there is some problem with the Winsock settings... the countdown message is produced when the lsass.exe service is terminated, and Sasser is known for this message because it terminates lsass.exe.
But it's not ONLY Sasser that can terminate the lsass.exe service, there can be other reasons also :)
0
 
sunray_2003Commented:
dissolved,
> So far, it hasn't done it with all the updates installed. I will see.

So you are saying that with all the updates installed and still connected to the internet, your system has not shut down yet?

Wait for some more time and see what happens.
0
 
dissolvedAuthor Commented:
Thanks for the info SheharyaarSaahil.

Sunray:  Yes, so far so good.
thanks guys
0
 
sunray_2003Commented:
If Stinger and the anti-virus did not report anything, I guess the Windows updates must have helped.

Try restarting your machine, disconnecting and connecting back to the internet, and wait for some more time to be absolutely sure the problem has gone away.
0
