Windows XP shuts down with message "C:\Windows\System32\lsass.exe" Status Code 128

[Guest]

It will not boot into normal, and when I get into safe mode it comes up with one of two errors the first is
Windows XP shuts down with message "C:\Windows\System32\lsass.exe" Status Code 12
the other is XP is shutting down due to the RPC

Any Help will be appreciated

Thank
CP

 

[CWatters]

It will not boot into normal, and when I get into safe mode it comes up

with one of two errors the first is

Windows XP shuts down with message "C:\Windows\System32\lsass.exe" Status Code 128
the other is XP is shutting down due to the RPC.

You need to run an antivirus scan. Try here..

http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

The lsass.exe error could be a Trojan horse. See here for one possibility...
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.ratsou.b.html

To fix that you could try "Spybot Search and destroy" free from here...
http://www.safer-networking.org/

The RPC shutdown is proably the Blaster worm.

I hope Bruce won't mind if I refer you to his reply to someone else with
Blaster (see below).

Colin (not an MVP)


Greetings --

If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB824146 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

 

[mxpcce]

Check the registry i
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Do you see an entry for C:\winnt\avserver.exe ?

It's a new virus called W32.Sasser.Worm according to Symantec. It's i
the definition from 4/30/2004. It exploits the hole patched b
MS04-011.

Delete the registry entry and then close RegEdit so it writes it. The
reboot the server and you should be able to then update your AntiViru
and patch your server.

Since I've removed this virus our server has become stable again


-
mxpcc