Continued shutdown, move initiated by NT Authority System

rocio

I recently installed Win2000 in my computer, and I was in
the process of reinstalling utilities in advance of
installing programs.
The first irregularity happened after installing Norton
Antivirus, when I was notified by Norton of having the
virus 'W32.spybot.Worm' encountered in the object named and
located in <c:\WINNT\system32\TFTP1344> which was deleted
by Norton.
This happened twice, the second time it referred to TFTP1392.

After that, when I tried running a full scan, my system
started shutting down on its own. It has happened several
times, to the point that I cannot keep installing.
The following is the complete message I am getting:

"This system is shutting down. Please save all work in
process and log off. Any unsaved changes will be lost. This
shutdown was initiated by NT AUTHORITY SYSTEM.
Message: The system process 'c:\WINNT\system32\Isass.exe'
terminated unexpectedly with status code 128. The system
will now shutdown and restart"

Then it gives me one minute to close. When it restarts it
repeats itself.... What is going on?

Are the files deleted by Norton responsible for this? And
if so, is there a way of fixing this problem?

The message appeared initially when I started to conduct a
full scan, but after disconnecting from the web and after
successfully conducting a full scan, the message appeared
again when I was trying to install other utilities, and
thereafter, just appeared anyway!! :-(

Can somebody help??? I will truly appreciate it! Thanks in
advance.

Rocio
 
Dave Patrick

For any new install it is imperative that you install these before
connecting to any network or you'll be almost immediately infected.

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


rocio

Thanks Dave, for responding.

And while I save the downloads to a disk and read the
information, I have a couple of questions to ask you.

Related to the virus:
- Do you think that the problem is that a virus is still in my
computer? Even after running a full scan and finding
nothing?...

- The files that were deleted by Norton (TFTP1344 and
TFTP1392)... do they need to be replaced in the system?
Norton has kept these files as a 'backup' [having deleted
the infected ones -I think]. And if that is the case, can
I reinstall those files from my 'backup' ERD disk?

Related to the patches:
- Installing these patches in the system should solve the
problem? Or would I need to reinstall from ERD date data
and then run the patches before re-installing again
utilities and Norton antivirus. At this time I have no
data or major programs installed.

- Also, is there a special method for installing patches?
or is it kind of a 'wizard' follow-me-through kind of install?

Sorry if I sound so novice... I guess I am. :)
Thanks for your help.

Rocio

Dave Patrick

:
| Thanks Dave, for responding.
|
| And while I save the downloads to a disk and read the
| information, I have a couple of questions to ask you.
|
| Related to the virus:
| - Do you think that the problem is that a virus is still in my
| computer? Even after running a full scan and finding
| nothing?...
* Yes msblast and or sasser or variants.

| - The files that were deleted by Norton (TFTP1344 and
| TFTP1392)... do they need to be replaced in the system?
* Most likely just part of the virus.

| Norton has kept these files as a 'backup' [having deleted
| the infected ones -I think]. And if that is the case, can
| I reinstall those files from my 'backup' ERD disk?
|
| Related to the patches:
| - Installing these patches in the system should solve the
| problem? Or would I need to reinstall from ERD date data
| and then run the patches before re-installing again
| utilities and Norton antivirus. At this time I have no
| data or major programs installed.
* These may help.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.d.html
Windows 2000 Users: What to Do If Your Computer Has Been Infected by Sasser
http://www.microsoft.com/security/incident/sasser_print2000.mspx
But then I would just start a new install.

| - Also, is there a special method for installing patches?
| or it is kind of 'wizard' follow-me-through kind of install?
* The articles spell it out pretty well.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
Chris

| Related to the virus:
| - Do you think that the problem is that a virus is still in my
| computer? Even after running a full scan and finding
| nothing?...

In answer to this point, we have experienced similar problems with SASSER
virus variants that have infected machines in an office elsewhere in the
world, but are still sending out instructions to newly built (and not yet
patched) machines in our office causing the shutdown behaviour (something to
do with a buffer overflow in lsass.exe).

Installing MS patch KB735832 replaces several system files in Win2k &
stopped this activity from causing the machines to shut down. So it may not
be that you have the virus, but someone else on the network does. Even so,
update your AV, but most importantly, get patched!




Chris

Sorry! Should've been KB835732! ;-)


rocio

Thank you Chris for responding and sharing your
experience! :)

You are right, first things first, and I'm getting
patched. I got the patch you suggested from some of the
URLS Dave Patrick gave me in the previous response to my
posting and I have installed it. Now, I'm just debating
whether I should re-install again (only the OS) and patch
right away before getting my updates to AV.

My fear is that I might still be infected due to the fact
that I'm not part of a network at this point.
For now, thanks again for all your help!

Rocio

Chris

But were you connected to the internet on that machine when the reboots took
place? Are you seeing the same behaviour now you are patched?


rocio

Hello Dave, and thanks again.

I have installed the patches and the installation, as you
mentioned, went trouble-free! :)

I have installed the patches, and the system seems to be
running well, although I have not reconnected yet to the
web.

Now, I'm thinking of following your suggestion of
reinstalling again. My next questions would be, would it
be sufficient to re-install ONLY MS2000k to the partition
I have reserved for the OS?, or do I have to do a 'Clean
Install' and start from scratch deleting all the
partitions I have created and the small programs/
utilities I have already installed?

I suppose that if I were to install only MS2000, I will
reinstall the patches again after the reinstallation and
in advance of connecting to the net and asking my
AntiVirus to get an update of virus definitions... Would
that be the sequence?

Is there anything else I must do to prevent being
infected before my antivirus protection is fully in place?

Thanks for your continued help!
Rocio

rocio

No, Chris,
When I did the installation of the patches, I was not
connected to the net, and the installation went flawless.
The behaviour has not continued (shutdown on its own),
although, I have not yet connected my system back to the
internet.

I want to make sure that before I reconnect, I am fully
protected against other possible damaging intrusions.

Any ideas?... thanks! :)
Rocio

Bruce Chambers


You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed after a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever
count on having both at once. - RAH
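
An added example, not part of any post in this thread: a Python triage sketch over the two symptoms reported above (TFTP-plus-digits files in system32 and the forced-shutdown dialog), separating "something was dropped on this host" from "an unpatched host is being crashed from the network". The function name, verdict labels and sample inputs are constructed for illustration, and the verdicts are a heuristic drawn from the replies here, not a vendor detection rule.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Objects named like the TFTP1344 / TFTP1392 files Norton removed.
# The legitimate tftp.exe client does not match (no digits, has an extension).
DROPPED_FILE = re.compile(r"^tftp\d+$", re.IGNORECASE)

# The forced-shutdown dialog: which system process died and with what status.
CRASH_MSG = re.compile(
    r"system process\s+'(?P<path>[^']+)'\s+terminated unexpectedly\s+"
    r"with status code\s+(?P<code>-?\d+)",
    re.IGNORECASE,
)

# Verdict labels (hypothetical names used only in this example).
COMPROMISED = "COMPROMISED"              # dropped files found: rebuild or clean
EXPOSED_UNPATCHED = "EXPOSED_UNPATCHED"  # crash while online: patch offline first
LOCAL_CAUSE = "LOCAL_CAUSE"              # crash while offline: cause is on the host
NO_INDICATOR = "NO_INDICATOR"


@dataclass
class Triage:
    dropped_files: List[str]
    crashed_process: Optional[str]
    status_code: Optional[int]
    verdict: str


def triage(system32_listing, dialog_text, network_connected):
    """Classify a host from a system32 file listing and the shutdown dialog text."""
    names = [ntpath.basename(entry) for entry in system32_listing]
    dropped = sorted(n for n in names if DROPPED_FILE.match(n))

    # The dialog wraps across lines, so collapse whitespace before matching.
    match = CRASH_MSG.search(" ".join(dialog_text.split()))
    process = ntpath.basename(match.group("path")) if match else None
    code = int(match.group("code")) if match else None

    if dropped:
        # Files were written to disk, so code ran on this machine.
        verdict = COMPROMISED
    elif match and network_connected:
        # The crash can be triggered by another infected machine
        # even when nothing has been installed locally.
        verdict = EXPOSED_UNPATCHED
    elif match:
        # No network path for a remote trigger: look for a local cause.
        verdict = LOCAL_CAUSE
    else:
        verdict = NO_INDICATOR
    return Triage(dropped, process, code, verdict)


# Constructed sample input modelled on the first post in this thread.
SAMPLE_DIALOG = (
    r"Message: The system process 'c:\WINNT\system32\Isass.exe'" "\n"
    "terminated unexpectedly with status code 128. The system\n"
    "will now shutdown and restart"
)
SAMPLE_LISTING = [
    r"c:\WINNT\system32\TFTP1344",
    r"c:\WINNT\system32\tftp.exe",
    r"c:\WINNT\system32\TFTP1392",
    r"c:\WINNT\system32\notepad.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, SAMPLE_DIALOG, network_connected=True))
```
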
 
Dave Patrick

If it were I, then I would start a new install, then before connecting to
any network install the latest service pack, then the patches I listed.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Hello Dave, and thanks again.
|
| I have installed the patches and the installation, as you
| mentioned, went trouble-free! :)
|
| I have installed the patches, and the system seems to be
| running well, although I have not reconnected yet to the
| web.
|
| Now, I'm thinking of following your suggestion of
| reinstalling again. My next questions would be, would it
| be sufficient to re-install ONLY MS2000k to the partition
| I have reserved for the OS?, or do I have to do a 'Clean
| Install' and start from scratch deleting all the
| partitions I have created and the small programs/
| utilities I have already installed?
|
| I suppose that if I were to install only MS2000, I will
| reinstall the patches again after the reinstallation and
| in advance of connecting to the net and asking my
| AntiVirus to get an update of virus definitions... Would
| that be the sequence?
|
| Is there anything else I must do to prevent being
| infected before my antivirus protection is fully in place?
|
| Thanks for your continued help!
| Rocio
 
R

rocio

Dave, thanks for your response. However, I am still a bit
confused about what a 'clean install' entails.

If I depart from the learned knowledge that the advantage
of having a system partitioned, and having the OS in one
of those partitions is that in case of something bad
happening (like in this case), you can re-install the OS
in the partitioned space. Then, from this perspective,
a 'clean install' would be to install the OS in that
partition, leaving other existing partitions as they are.

Or, are you saying, with your recommendation, that I should
reinstall to a clean hard drive? And redo the partitions
before installing software and so.

At this time, I have already the SP4 and the patches in a
CD, and I will follow your recommendation to install them
before connecting to the net next time.

I also got and followed the instructions of Norton/
Symantec to remove the '32.spybot.worm' from my system,
but it didn't find any traces of it in the registry or in
Start up.

So at this point I think I need to reinstall, however, I
might be better off if I wait for clarification from you
on what process to follow regarding the 'clean install'.
Thanks again.

Rocio
 
R

rcoio

Bruce, thank you for sharing your knowledge.
As you said, I was probably a bit naive about how fast a
virus can infect you. I tried to be cautious as I installed
MS2k for the first time, disconnected from the internet, and
I did not connect until I had to go and do
the 'updates' to my just-installed AV program. Right
there... I got caught!... :(
But eh! One learns from all the mistakes... and just the
fact that the need to correct those problems has
brought me online with the newsgroup, is already a good
learning trade-off.

Now, back to my dilemma. I have researched and tried all
the recommended removal methods for 'W32.Spybot.worm' and
my system turned out clean of this worm.

So I will now investigate the URLs you provided me to
find out more about the "sasser" worm. If nothing else,
to learn about it and try the removing tool method again
(as I might need it in the future), because I'm thinking
that if that turns also clean, and I still have some
doubts on whether the problem is fixed or not, I will
probably reinstall again to ensure that once I have the
programs and data in, I will not run into the same
situation.

Thanks again for your input! :)
Rocio
 
D

Dave Patrick

To do a clean install, either boot the Windows 2000 install CD-Rom or setup
disks. The set of four install disks can be created from your Windows 2000
CD-Rom; change to the \bootdisk directory on the CD-Rom and execute
makeboot.exe (from dos) or makebt32.exe (from 32 bit) and follow the
prompts.

When you get to the point, delete the existing NTFS and/or other partitions
found. After you delete the partition(s) abort the install, then again
restart the pc booting the CD-Rom or setup disks to avoid unexpected drive
letter assignments with your new install.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
R

rocio

Thanks again Dave for your reply, and I hope this will
be the last one of a long stream that seems to have
changed subject on the way.

I just want to recap my understanding before proceeding,
just to make sure I won't mess it up.

As background info, let me tell you the existing
structure of the partitions I have now on a 120GB
hard drive (they are all NTFS file systems):

C = OS 15GB where I have installed MS2000Pro
(inside the 'C' folder, I have MOUNTED a primary
partition containing my Programs, in a folder called
other than 'Program Files' so it sits mounted on 'C'
without a drive letter assignment)

D = DVD drive
E = CD drive

The following are part of an extended partition, and
set up as logical drives
F = Data
G = Images
H = To Backup
I = downloads

There is also some unpartitioned space.

So, as you mention, the reassigning of letters will be an
undesirable outcome.

If I understand what you are saying, with the Program CD,
I run it to make an install, then when I get to the point
of WHERE to install it (WHERE IT SHOWS THE DIFFERENT
PARTITIONS), choose DRIVE C, I suppose at that point it
will ask me if I want to delete everything in it, and I
say YES, then just after that I abort the install (I
guess by using 'escape' if there is no other visible
option to abort).

Then, when I re-start again with the CD to install and I
do the installation to the C drive, right?

What is the difference of doing the 'abort' move, to just
ask to do the installation to the C drive and continue
the install? I suppose it would be that the MOUNTED
PARTITION will take a drive letter assignment changing
all others?

Or is that also a possibility doing the 'abort' move?

Waiting for your comments, I thank you again for your
assistance and patience.

Rocio

BTW, I ran the removal tool for the Sasser worm, and the
system didn't identify anything, but even after I
installed all patches, and service pack4, I continue to
receive notices from my AV about deletions of new
incoming 'W32.Spybot.worm' infected files. (I also
followed the instructions to remove the 'spybot worm' with
nothing being identified). Go figure! I'm now reading
how to install a firewall...

 
D

Dave Patrick

Ok in this case forget the above.

To do a clean install, either boot the Windows 2000 install CD-Rom or setup
disks. The set of four install disks can be created from your Windows 2000
CD-Rom; change to the \bootdisk directory on the CD-Rom and execute
makeboot.exe (from dos) or makebt32.exe (from 32 bit) and follow the
prompts.

When you get to the point, format the existing system partition (C:\) and
continue the install.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
R

rocio

Ok, Dave... that seems easier to do! Fiuuu!!!

I will do that in the next day or so, and reinstall all of
the patches, service pack and updates, and then I will
just leave a note with the ending results to close the long
query with some type of outcome for future readers.

Thanks again for all your help! :)
Rocio
 
D

Dave Patrick

Ok, good luck with it.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
R

rocio

What concluded.
I decided to reinstall MS2k to a different partition and
left the original install untouched in 'C'. This was in
part because I could not 'repair' the install as I was
trying to install a program version which contained
Service Pk 3 on top of a program which had already
upgraded to Service Pk4. Therefore a 'clean' new install
needed to be done.

I chose to install a second version of the same OS, in
a larger partition (thinking that it would hold also the
system and boot option, which at the end did not).

I was later able to expand the size of my original OS to
hold the space I had originally set up for programs on a
mounted partition originally mounted on C.

That has created some other problems... hanging around in
other postings... in other words...those are a different
story...

Thanks to all for your help! :)
 
