Solved

Windows XP updates (6/06) result in services.exe and lsass.exe application errors 0xc0000005

Posted on 2006-06-25
Last Modified: 2012-06-27
The last 40+ Windows XP updates MS put out several weeks ago (May or June 2006) have created a problem. After installing the latest updates and restarting, the following error messages appear: "services.exe - Application error, application failed to initialize properly (0xc0000005), click to terminate" FOLLOWED BY a second message: "lsass.exe Application error, application failed to initialize properly (0xc0000005). click OK to terminate". These two error messages appear once again, then a black screen with only the cursor pointer appears. The pointer does respond to mouse movement.

I repaired XP, including SP2, installed MS Windows Installer 3.1 without difficulty.  The same error messages appeared after installing the 40+ updates from MS.  I have repeated this problem at least four times after trying various driver updates and removal of several applications.  

Autodesk, all of the MS Office applications and several other applications are on this hard drive. Removing Autodesk is not an option at this time.

I would like to identify the conflict between the MS updates and the software on this system. Wiping the drive, loading XP with the updates, and then reloading Autodesk and all other applications is not an option at this time.

Can anyone show me the procedure to identify this software conflict?    Thanks
Question by:wllarson
LVL 4

Accepted Solution

by:
ZaSSeR earned 250 total points
When you get the black screen, can you open Task Manager by hitting the CTRL+SHIFT+ESC keys? If you can, you may be able to see
from there whether there's a nonresponsive program, or a process taking up 100% of CPU time. If there is one, record the name and
kill it - see what happens.

Can you boot in Safe Mode by repeatedly pressing F8 until you get a prompt? Does this problem occur also in Safe Mode?

If you think that it's one of the updates, you could track it down by installing one update at a time.
You can do this by going into windowsupdate.microsoft.com with IE before automatic updates start to download
(disable automatic updates from Control Panel if necessary). Then select one update at a time, install, reboot etc. and see
which one causes the behaviour. Tiresome, but if you want to find out this is the way.

One explanation would also be the Sasser virus, which is linked with lsass.exe and can infect computers if you try to download updates
without first turning on your firewall. See info on: http://www.f-secure.com/v-descs/sasser.shtml .
Connecting your hard drive to another, virus-protected computer and doing a scan would be an option.
You could also obtain a copy of anti-virus software that boots from a CD (at least F-Secure's install CD does) and scan with that - i.e. with no Windows running.

Let me know more, sure we can work this out.
 

Author Comment

by:wllarson
Thanks for the quick response.

I tried the Safe Mode with various methods of startup.  Each time exactly the same response.

I cleaned out all malware possible (in the safe mode) with Spybot, Adaware, Windows various products, Trendmicro house call, trial versions of Zonealarm and Trendmicro's internet security products.  Turned off restore, rebooted after cleaning and turned on restore.

The keyboard is not responsive, so unable to access Task Manager.

Could be malware, but tend to think conflict.  Your paragraph three is a possibility, but don't know if there is enough time.

Thanks
 
LVL 4

Expert Comment

by:ZaSSeR
Viruses running in the system can fool virus scanners. You should really do a scan so that Windows is not running (even in Safe mode) to be sure.
You can do this by booting from a floppy or a CD-based anti-virus program.

As another option, see http://www.informationweek.com/windows/showArticle.jhtml?articleID=189400897 for
'XP's No-Reformat, Nondestructive Total-Rebuild Option' .

 

Author Comment

by:wllarson
Zasser,

Do you have any favorite CD based anti-virus scanning applications?  

The InformationWeek article was well written.  The repairing of XP that I mentioned in the original question is the procedure described in this article.  I have used it multiple times, now.  

The PC is now back in service without current updates.  My next step will be to scan the drive without Win XP running or wipe the drive once the client has caught up on their work.

Thanks again.
 
LVL 69

Assisted Solution

by:Merete
Merete earned 250 total points
Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable.
The Sasser worm is the most recent, and one of the most virulent, viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or, for that matter, even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.

Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, to purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.
ZoneAlarm Free
http://www.pcworld.com/downloads/file_description/0,fid,7228,RSS,RSS,00.asp

Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click on Run, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee and more, then the worm has struck.

Take the following steps:

Close Notepad.
Open Windows Explorer on the directory containing the file "hosts". (A quick way to do this is to press the Start button, click on Run, type \windows\system32\drivers\etc, and press OK.)
Right-click on the file hosts and select Rename. Give it a new name, like "oldhosts".
Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.
Now you should be able to get to your anti-virus sites until you reboot - apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updates and scan to clean up the virus right away.

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B
http://ask-leo.com/d-kibuvb
and Bobax,
http://ask-leo.com/d-bobax
both of which have removal instructions up on the Symantec Anti-Virus site: http://www.symantec.com/avcenter/


Please download HijackThis 1.99.1 and save it into its own folder.
Just choose your country
http://www.majorgeeks.com/download3155.html

Open HijackThis, click scan and save a logfile ("do not fix") to the desktop, or
then navigate to the HijackThis folder and copy out the log file
contents and paste the log into the small window or panel here: http://www.hijackthis.de/
Look directly below the panel or window to see the small Analyze button.

Once you hit Analyze it will analyse it immediately;
you will know by the fact that the panel is now empty.
Just scroll down below this now empty panel and you can see your analysed log;
right at the bottom below your analysed log is the option to save it.
Please click on this to save it.
Copy this address/url and paste it here.
=================================================
Disable System Restore, as trojans can hide in it, then re-enable it.
Open Disk Cleanup at Start, All Programs, Accessories, System Tools; let it calculate, then go to More Options and delete all but the most recent.
=================================================
Also run the System File Checker: at Start, Run, type in sfc /scannow. You will need your XP CD.
Any spyware can be removed to a degree by running the Disk Cleanup utility; this deletes the temp files, temporary internet files and history. I also recommend deleting cookies.

regards Merete
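
The hosts-file check described in the answer above, as an added example that is not part of any poster's reply: it lists every mapping other than "localhost" and tags the ones that point security-vendor or update sites somewhere else. The watch list, function names and sample file are assumptions made for this illustration; pass the path of a real hosts file (for instance on a drive attached to a clean machine) as the first argument.

```python
"""Audit a Windows hosts file for entries that hijack security/update sites."""
import sys

# Assumed watch list: vendor and update names mentioned in this thread.
WATCH = ("symantec", "mcafee", "f-secure", "trendmicro", "windowsupdate", "microsoft")
BENIGN = {"localhost"}  # the one entry a stock XP hosts file carries


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks/tabs
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed line
        address, names = fields[0], fields[1:]
        for name in names:                      # one line may map several names
            yield line_no, address, name.lower().rstrip(".")


def audit_hosts(text, watch=WATCH):
    """Return findings: every non-localhost mapping, tagged 'hijack' or 'review'."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        if name in BENIGN:
            continue
        verdict = "hijack" if any(w in name for w in watch) else "review"
        findings.append((verdict, line_no, address, name))
    return findings


# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1\tWindowsUpdate.Microsoft.com   # added by ?
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    # Usage: python audit_hosts.py <path to hosts file>; no argument runs the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for verdict, line_no, address, name in audit_hosts(text):
        print(f"{verdict:7} line {line_no}: {name} -> {address}")
```

A "review" finding is not necessarily malicious (an administrator may have added it); a "hijack" finding matches the symptom the answer describes.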
 
LVL 69

Expert Comment

by:Merete
thank you  :)