lsass.exe

Edward S. tifft

I get an error immediately upon logging in that states the computer will be
restarted in 60 seconds due to nt authority system finding an error with
c:\windows\systems32\lsass.exe. I can boot into safe mode, but I have no
idea what to do about this error.

Can someone please help me???

Ed
 
Joana

Joe

Am I to understand that I need to FORMAT my c: drive? I
did not get a restore cd with my computer. How do I
re-install XP and the applications?

machine
 
Bill Gribble

Joe said:
Am I to understand that I need to FORMAT my c: drive? I did not get a
restore cd with my computer. How do I re-install XP and the
applications?

Don't reformat. Might eventually be necessary if you are infected and
the infection is that bad. But it's far too soon to tell without first
putting up a decent fight.


-Bill
 
Bill Gribble

Joe said:
Am I to understand that I need to FORMAT my c: drive? I did not get a
restore cd with my computer. How do I re-install XP and the
applications?

I'm not an expert on these things. But of the little I know from recent
experience...

Blaster typically attacks the RPC service. "lsass.exe" is the Local
Security Authority Service, and its failure is causing Windows XP to
reboot in an attempt to recover.

The failure is likely to be virus related. Could even have started with
Blaster or one of its variants.

You can tell WinXP to abort the shutdown when the "60 second warning"
comes up by clicking Start, Run, typing SHUTDOWN -A into the Program to
Run and hitting enter. That should buy you some time.

You can then change the Service recovery mode by opening up the services
tab (easiest way is to click Start, Run, type SERVICES.MSI and hit
enter, or so I believe, but I don't have an XP machine available
to check at the moment).

Once you have the Services Tab open, find the Local Security Authority
Service, right-click on it and select Properties. In the Properties tab
make sure that the executable is C:\WINDOWS\LSASS.EXE to be certain
we're in the right place (remember, I'm not an expert in these things).
If so, go to the Recovery tab of the Properties dialogue, and it'll have
three settings - "On First Failure", "On Second Failure" and "On Third
Failure". All three will be set to Reboot. Change them to Restart so
that the service restarts itself on failure rather than the whole
machine.

Odds are you're going to have to fix your LSASS service, but first you
have to fix the cause. A lot of this is going to be down to you and your
own ingenuity unless you have an expert in these things immediately to
hand. But in rough terms, do the following:

Firewall your Internet Connection if you haven't already. Never, EVER
connect to the Internet on an XP machine except through a firewall.
Windows XP comes with a built-in firewall. Use that for now if you have
nothing else.

Disable System Restore. To do this, right-click on "My Computer" and
look for the tick-box that lets you do this. And tick the tick-box, of
course. This bit is really important. Whilst System Restore is active,
nothing can get at the files (and possible malware, viruses, etc) that
might be lurking in your _Restore folder.

Download and run the latest version of McAfee Stinger. Find it
here http://download.nai.com/products/mcafee-avert/stinger.exe

Note, if McAfee doesn't find anything, it doesn't mean that you are not
infected. Remember, we're trying to close the stable door after the
horse has bolted. Contrary to popular opinion, it's sometimes
worthwhile, but not always.

Download, install, update and run Ad-Aware 6.0. Find it here
http://www.lavasoftusa.com/

Download, install, update and run Spybot Search & Destroy. Find it here
http://www.safer-networking.org/

With respect to Ad-Aware and Spybot, updating them before you run them
is critical. Run them in the above order, and let them delete everything
they find.

Even if you don't have a virus, none of the above is going to do you any
harm anyway, and will go a long way towards making your PC a happier
machine :)

At this point, in my case, I was still out on a limb. My machine wasn't
crashing any more, but I was still infected. I ended up going down
through the Services both active and marked for start-up (in MSCONFIG)
until I found the one that was put there by the virus. More a case of
desperation and trial and error than wit or cunning.

In my case, the viral service was masquerading as ASCD in the Services
tab of Task Manager and "Microsoft cfg" in the Services.msi and MSCONFIG
start-up list. Once I found it, I stopped it, located and renamed its
executables and removed it from the start-up list in MSCONFIG and killed
every entry of it in Regedit.

Because your Local Security Authority service is obviously causing you
grief, you need to fix it. I understand that you can download LSP-Fix
from http://www.cexx.org/lspfix.htm though I haven't used this myself.

Once you believe your LSASS service is fixed, re-open the Services tab
and set the recovery modes back to Reboot. If you've been successful
then your machine should now stay stable.

Now sort out your firewall. I'm now using Norton Personal Firewall
myself, but ZoneAlarm served me well for years and I've heard it
recommended elsewhere on this forum. It should be easy enough to find
through Google.

With your firewall set up, it's time to sort out your virus protection.
Again, I'm using Norton, but another recommendation from somebody else
here is F-Prot (http://www.f-prot.com/). Whatever you use, install it,
get it bang up to date and then run a full scan. You may well still find
stuff lurking down there. If you don't kill it now it'll get you later.

Now go to Windows Update (http://windowsupdate.microsoft.com) and make
sure your copy of XP is patched up to current. Failing to do this is the
equivalent of leaving an open invitation for more grief. It's also a
good way of restoring your confidence that you are once more clean.

Hope some of this helps. Patience and perseverance are the main things
you're going to need. Others here will be better able to advise you, I'm
sure. As I said, I'm not an expert, just a sympathiser with a little
recent, similar experience myself.

Good luck.


-Bill
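
The manual hunt described in the post above, going through the services list until the entry installed by the virus turns up, can be narrowed with a few path and name checks. The following Python triage is an added example, not part of any post in this thread; only the names "ASCD" and "Microsoft cfg" come from the thread, while the inventory paths, the list of system binary names and the 0.85 similarity threshold are assumptions.

```python
import ntpath
import re
from difflib import SequenceMatcher

SYSTEM_DIR = r"c:\windows\system32"   # assumed default XP install location
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "services.exe", "winlogon.exe")

# Constructed inventory (service name, display name, command line), in the
# shape one could collect with `sc qc`. Only "ASCD" / "Microsoft cfg" come
# from the thread; every path here is made up for illustration.
SERVICES = [
    ("RpcSs", "Remote Procedure Call (RPC)", r"C:\WINDOWS\system32\svchost.exe -k rpcss"),
    ("SamSs", "Security Accounts Manager", r"C:\WINDOWS\system32\lsass.exe"),
    ("ASCD", "Microsoft cfg", r"C:\WINDOWS\mscfg32.exe"),
    ("Updater", "Vendor Update Helper", r'"C:\Program Files\Vendor\upd.exe" /svc'),
    ("lsasss", "Local Security Service", r"C:\WINDOWS\system32\lsasss.exe"),
]

def image_of(cmdline):
    """Return the lower-cased executable path from a quoted or bare command line."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cmdline, re.IGNORECASE)
    return ntpath.normcase(m.group(1) or m.group(2)) if m else ""

def triage(name, display, cmdline):
    """Return the reasons (possibly none) this service deserves a manual look."""
    image = image_of(cmdline)
    folder, exe = ntpath.dirname(image), ntpath.basename(image)
    in_system = folder == SYSTEM_DIR
    reasons = []
    if exe in SYSTEM_NAMES and not in_system:
        reasons.append("system binary name outside system32")
    if exe not in SYSTEM_NAMES and any(
            SequenceMatcher(None, exe, known).ratio() >= 0.85 for known in SYSTEM_NAMES):
        reasons.append("file name imitates a system binary")
    if re.search(r"microsoft|windows", display, re.IGNORECASE) and not in_system:
        reasons.append("display name claims Microsoft, binary not in system32")
    return reasons

def suspicious(services):
    """Map service name -> reasons, for services with at least one reason."""
    return {name: r for name, d, c in services if (r := triage(name, d, c))}

if __name__ == "__main__":
    for name, reasons in suspicious(SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged entry is only a candidate for inspection; third-party services installed elsewhere, like the constructed "Updater" row, pass these checks and still need a human look if they are unfamiliar.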
 
wojo

If you didn't get a restore CD then the restore should be located on a
hidden partition on the hard drive as is the case with HP computers. Read
your documentation to see how to access it.
If that isn't the case then you need to contact your computer manufacturer.
But try Bill's advice first; it is likely to solve your problem.
Except instead of "services.msi" it is "services.msc".

services.msc not .msi

--
kwoyach[SPAM]53954@yahoo[SPAM].com
TO Email: Remove [SPAM]
If I can help you I will.
If you can help me thanks.

--

**Useful Links**
AdAware: www.lavasoftusa.com/software/adaware/

Spybot S & D: www.safer-networking.org/

Check for Parasites/Worms: www.gemal.dk/browserspy/parasites.html

CWShredder: http://www.spywareinfo.com/~merijn/downloads.html
 
Bill Gribble

wojo said:
But try Bill's advice first; it is likely to solve your problem. Except
instead of "services.msi" it is "services.msc".

And as a further refinement (I checked on getting home last night), your
best bet is Start>Run SERVICES.MSC /S

I'm not actually sure (without looking it up) what the /S parameter
does, only that I was advised to use it myself and so did so.

Let us know how you got on.


-Bill
 
