Solved

Windows XP Shutdown -- Status Code 1073741819

Posted on 2006-11-30
9
3,596 Views
Last Modified: 2012-05-05
I have a user who has an XP machine w/ SP2 and has the most current updates installed on his computer. He has recently been having shut down issues.  

He will receive a message box referencing "lsass.exe: 0x012e0178 referenced at 0x00000000 can't be written".  He clicks on the OK button then will receive :

"System Shutdown: This system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM, and gives a 60 second timer before it shuts down.  The message in the System Shutdown box lists status code 1073741819.  

When the computer restarts, and the user logs in, he will receive a Data Execution Prevention message citing LSA Shell (Export Version).

Thinking it was a virus issue, I did a full scan with Sophos, Microsoft Malicious Software Removal Tool, no virus was detected.  In addition used Symantec's removal tool for Sasser and Blaster, and neither found anything.

Any thoughts on what I can do or what the issue might be.

Thanks!
0
Comment
Question by:CBHelpDesk
  • 4
  • 2
9 Comments
 
LVL 14

Expert Comment

by:FriarTuk
Comment Utility
search for lsass on you pc to find if more than one exists (should be c:\windows\system32)
try slaving the drive to another computer or put it in a usb enclosure, then do a full drive scan on all files.
http://www.microsoft.com/security/incident/sasser.mspx
0
 

Author Comment

by:CBHelpDesk
Comment Utility
Thanks for the suggestion.  There is only lsass on the computer.  I slaved the drive and did a couple different scans on the drive with no result.
0
 
LVL 14

Expert Comment

by:FriarTuk
Comment Utility
Problem: LSA Shell (Export Version) has encountered a problem and needs to close.
Then: C:\Windows\System32\ Isass.exe terminated unexpectedly with status code 1073741819.

http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&DisplayLang=en

http://www.symantec.com/security_response/writeup.jsp?docid=2004-050114-1706-99
http://vil.nai.com/vil/stinger/

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the file AVSERVE.EXE  from your WINDOWS directory (typically c:\windows or c:\winnt)
Edit the registry
Delete the "avserve" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run Reboot the system into Default Mode
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:CBHelpDesk
Comment Utility
Unfortunately, I have already run Microsoft's Malicious Software Removal Tool, Stinger, Symantec's Removal Tool with no result.  Also, avserve.exe cannot be found anywhere on the computer nor the registry.  I am at the point where I am going to rebuild the computer unless you have any other thoughts.  Thanks for your suggestions and help.
0
 
LVL 14

Expert Comment

by:FriarTuk
Comment Utility
yeah, that sounds like what you'll have to do, as i can't find anything else that points to a decisive answer.
0
 
LVL 14

Expert Comment

by:FriarTuk
Comment Utility
could you refund but paq this as it was hard trying to find anything on this direct error & it may help others in the future, thx.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
Comment Utility
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

There are 2 things you must have in order to connect to the internet behind a router, The "Gateway IP" of the router, which is usually something like 192.168.xxx.1, I've seen routers with default values of: 192.168.0.1, 192.168.1.1, 192.168.11.1, …
We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now