Solved

Windows XP updates (6/06) result in services.exe and lsass.exe application errors 0xc0000005

Posted on 2006-06-25
Last Modified: 2012-06-27
The last 40+ Windows XP updates MS put out several weeks ago (May or June 2006) have created a problem.  After installing the latest updates and restarting, the following error messages appear: "services.exe - Application error, application failed to initialize properly (0xc0000005), click to terminate" FOLLOWED BY a second message: "lsass.exe  Application error, application failed to initialize properly (0xc0000005). click OK to terminate".   These two error messages once again appear, then a black screen with only the cursor pointer appears.  The pointer does respond to mouse movement.

I repaired XP, including SP2, installed MS Windows Installer 3.1 without difficulty.  The same error messages appeared after installing the 40+ updates from MS.  I have repeated this problem at least four times after trying various driver updates and removal of several applications.  

Autodesk, all of MS Office applications and several other applications are on this hard drive.  Removing Autodesk is not an option at this time.  

I would like to identify the conflict with MS updates to the software on this system.  Wiping the drive, loading XP with the updates, and then reloading Autodesk and all other applications is not an option at this time.

Can anyone show me the procedure to identify this software conflict?    Thanks
Question by:wllarson
 
LVL 4

Accepted Solution

by:
ZaSSeR earned 250 total points
ID: 16979495
When you get the black screen, can you open Task Manager by hitting CTRL+SHIFT+ESC keys? If you can, it's possible you see
from there if there's a nonresponsive program, or a process taking up 100% of CPU time. If there is one, record the name and
kill it - see what happens.

Can you boot in Safe Mode by repeatedly pressing F8 until you get a prompt? Does this problem occur also in Safe Mode?

If you think that it's one of the updates, you could track it down by installing one update at a time.
You can do this by going into windowsupdate.microsoft.com with IE before automatic updates start to download
(disable automatic updates from Control Panel if necessary). Then select one update at a time, install, reboot etc. and see
which one causes the behaviour. Tiresome, but if you want to find out this is the way.

One explanation would also be the Sasser virus, which is linked with lsass.exe and can infect computers if you try to download updates
without first turning on your firewall. See info on: http://www.f-secure.com/v-descs/sasser.shtml .
Connecting your hard drive to another, virus-protected computer and doing a scan would be an option.
You could also obtain a copy of anti-virus software that boots from a CD (at least F-Secure's install CD does) and scan with that - i.e. with no Windows running.

Let me know more, sure we can work this out.
 

Author Comment

by:wllarson
ID: 16979778
Thanks for the quick response.

I tried the Safe Mode with various methods of startup.  Each time exactly the same response.

I cleaned out all malware possible (in the safe mode) with Spybot, Adaware, Windows various products, Trendmicro house call, trial versions of Zonealarm and Trendmicro's internet security products.  Turned off restore, rebooted after cleaning and turned on restore.

The keyboard is not responsive, so unable to access Task Manager.

Could be malware, but tend to think conflict.  Your paragraph three is a possibility, but don't know if there is enough time.

Thanks
 
LVL 4

Expert Comment

by:ZaSSeR
ID: 16979815
Viruses running in the system can fool virus scanners. You should really do a scan so that Windows is not running (even in Safe mode) to be sure.
You can do this by booting from a floppy or a CD-based anti-virus program.

As another option, see http://www.informationweek.com/windows/showArticle.jhtml?articleID=189400897 for
'XP's No-Reformat, Nondestructive Total-Rebuild Option' .
 

Author Comment

by:wllarson
ID: 16980814
Zasser,

Do you have any favorite CD based anti-virus scanning applications?  

The InformationWeek article was well written.  The repairing of XP that I mentioned in the original question is the procedure described in this article.  I have used it multiple times, now.  

The PC is now back in service without current updates.  My next step will be to scan the drive without Win XP running or wipe the drive once the client has caught up on their work.

Thanks again.
 
LVL 70

Assisted Solution

by:Merete
Merete earned 250 total points
ID: 16981429
Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable.
The Sasser worm is the most recent, and one of the most virulent, viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or, for that matter, even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.

Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, to purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.
ZoneAlarm Free
http://www.pcworld.com/downloads/file_description/0,fid,7228,RSS,RSS,00.asp

Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click on Run, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee and more, then the worm has struck.

Take the following steps:

Close Notepad.
Open Windows Explorer on the directory containing the file "hosts". (A quick way to do this is to press the Start button, click on Run, type \windows\system32\drivers\etc, and press OK.)
Right click on the file hosts and select Rename. Give it a new name, like "oldhosts".
Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.
Now you should be able to get to your anti-virus sites until you reboot - apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updates and scan to clean up the virus right away.

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B
http://ask-leo.com/d-kibuvb
and Bobax,
http://ask-leo.com/d-bobax
 both of which have removal instructions up on the Symantec Anti-Virus site>> http://www.symantec.com/avcenter/


Please download HijackThis 1.99.1 and save it into its own folder.
Just choose your country
http://www.majorgeeks.com/download3155.html

Open HijackThis, click scan and save a logfile ("do not fix") to the desktop or
then navigate to the hijackthis folder and copy out the log file
 contents and paste the log here into the small windows or panel>> http://www.hijackthis.de/ 
look directly below the panel or window see the small analyze

once you hit analyze it will analyse it immediately
you will know by the fact the panel is now empty
just scroll down below this now empty panel and you can see your analysed log,
right at the bottom below your analyzed log is the option to save it.
Please click on this save it.
Copy this address/url and paste it here.
=================================================
Disable the system restore as trojans can hide in this, re-enable it.
Open disc cleanup at start all programs accessories system tools, let it calculate then go to more options and delete all but the most recent.
=================================================
Also run a system file checker at start run type in sfc /scannow. You will need your XP CD.
Any spyware can be removed to a degree by running the disc cleanup utility; this deletes the temp files, temporary internet files and history. Also recommend deleting cookies.

regards Merete
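
The hosts-file check described in the post above can be scripted. This is an added example, not part of the original thread or any poster's code: it lists every active hosts entry other than "localhost" and marks the ones that name a security or update site. The watch list is an assumption built from vendor names mentioned in this thread, and the sample file contents are constructed.

```python
import ipaddress

# Assumed watch list: vendor/update names mentioned in this thread.
WATCHED = ("symantec", "mcafee", "f-secure", "trendmicro",
           "windowsupdate", "microsoft")

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        try:
            ipaddress.ip_address(fields[0])      # accepts IPv4 and IPv6
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:                  # one line may carry aliases
            yield line_no, fields[0], name.lower()

def audit_hosts(text):
    """Return all entries except localhost, flagging watched names."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name == "localhost":
            continue                             # the one entry expected by default
        findings.append({
            "line": line_no,
            "address": addr,
            "host": name,
            "security_site": any(k in name for k in WATCHED),
        })
    return findings

# Constructed sample of a tampered hosts file (hostnames are illustrative).
SAMPLE = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       www.symantec.example
127.0.0.1       update.mcafee.example  liveupdate.symantec.example
0.0.0.0 windowsupdate.microsoft.example   # constructed entry
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE):
        tag = "SECURITY SITE REDIRECTED" if f["security_site"] else "review"
        print(f"line {f['line']}: {f['host']} -> {f['address']} [{tag}]")
```

On a live system, pass the contents of \windows\system32\drivers\etc\hosts to audit_hosts instead of SAMPLE; entries marked "review" may be legitimate local mappings.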
 
LVL 70

Expert Comment

by:Merete
ID: 17161694
thank you  :)

Question has a verified solution.
