Windows XP Shutdown -- Status Code 1073741819

I have a user who has an XP machine w/ SP2 and has the most current updates installed on his computer. He has recently been having shut down issues.  

He will receive a message box referencing "lsass.exe: 0x012e0178 referenced at 0x00000000 can't be written".  He clicks on the OK button then will receive :

"System Shutdown: This system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM, and gives a 60 second timer before it shuts down.  The message in the System Shutdown box lists status code 1073741819.  

When the computer restarts, and the user logs in, he will receive a Data Execution Prevention message citing LSA Shell (Export Version).

Thinking it was a virus issue, I did a full scan with Sophos, Microsoft Malicious Software Removal Tool, no virus was detected.  In addition used Symantec's removal tool for Sasser and Blaster, and neither found anything.

Any thoughts on what I can do or what the issue might be.

Thanks!
CBHelpDeskAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Computer101Connect With a Mentor Commented:
PAQed with points refunded (500)

Computer101
EE Admin
0
 
FriarTukCommented:
search for lsass on you pc to find if more than one exists (should be c:\windows\system32)
try slaving the drive to another computer or put it in a usb enclosure, then do a full drive scan on all files.
http://www.microsoft.com/security/incident/sasser.mspx
0
 
CBHelpDeskAuthor Commented:
Thanks for the suggestion.  There is only lsass on the computer.  I slaved the drive and did a couple different scans on the drive with no result.
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
FriarTukCommented:
Problem: LSA Shell (Export Version) has encountered a problem and needs to close.
Then: C:\Windows\System32\ Isass.exe terminated unexpectedly with status code 1073741819.

http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&DisplayLang=en

http://www.symantec.com/security_response/writeup.jsp?docid=2004-050114-1706-99
http://vil.nai.com/vil/stinger/

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the file AVSERVE.EXE  from your WINDOWS directory (typically c:\windows or c:\winnt)
Edit the registry
Delete the "avserve" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run Reboot the system into Default Mode
0
 
CBHelpDeskAuthor Commented:
Unfortunately, I have already run Microsoft's Malicious Software Removal Tool, Stinger, Symantec's Removal Tool with no result.  Also, avserve.exe cannot be found anywhere on the computer nor the registry.  I am at the point where I am going to rebuild the computer unless you have any other thoughts.  Thanks for your suggestions and help.
0
 
FriarTukCommented:
yeah, that sounds like what you'll have to do, as i can't find anything else that points to a decisive answer.
0
 
FriarTukCommented:
could you refund but paq this as it was hard trying to find anything on this direct error & it may help others in the future, thx.
0
All Courses

From novice to tech pro — start learning today.