Unsolved
This post is more than 5 years old
19 Posts
0
52110
lsass.exe system shutdown error on windows xp
Hi. I've recently been experiencing a system shutdown that displays the following message: System shutdown in progress by NT Authority\System. An error has occurred in C:\WINDOWS\SYSTEM32\lsass.exe (status code 128). I've been working on this for the past few days and was able to delete all of the malware on my computer w/the help of the virus guys (using hijackthis). Any ideas of where I can go from here? I did run a Norton scan yesterday and today - no viruses found. I've had this problem once before that was an RPC error, which I was able to fix. I don't think I had a problem w/the lsass.exe file originally though. Anyway, here's hoping :)
DELL-Jesse L
Moderator
Moderator
•
16.7K Posts
0
April 28th, 2004 13:00
ddeerrff,
Thanks, I got a bit confused.
DELL-Jesse L
Moderator
Moderator
•
16.7K Posts
0
April 28th, 2004 13:00
gvsurgrl,
Thank you for using the Dell Community Forum.
You have a virus on the system. The information below will give you information on resolving the error.
The "NT Authority" error is caused by a computer "worm" that exploits a vulnerability in Windows Component Services. Microsoft has provided a security patch that repairs the weakness and solves the error.
Follow the six steps below to fix the problem in Windows XP:
1. Disable RPC Notification
~~~~~~~~~~~~~~~~~~~~~~~~~
* Turn off the computer and disconnect all network cables. This includes DSL, cable modem, local network, broadband, and etc.
* Turn on the system. Do not connect to the Internet!
* Click the Start button, and then click Run.
* In the Open box, type: Services.msc
* Click the OK button.
In the list of services scroll halfway to the bottom and double-click the first Remote Procedure entry.
* Click the Recovery tab.
* For all the failure dropdowns, click to select Take No Action.
* Click the OK button to apply the changes.
* Exit the services window by clicking the X in the upper right corner of the window.
NOTE: The RPC Service Notification can be re-enabled after the recommended patches are installed.
2. Download the Anti-Virus Removal File for this Worm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Reconnect your network cable.
* Download one of these files to your Desktop:
Symantec:
http://securityresponse.symantec.com/avcenter/FixBlast.exe
McAfee:
http://download.nai.com/products/mcafee-avert/Stinger.exe
Follow the on-screen directions to save either of these programs to your Desktop.
3. Download the Security Patch from Microsoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Go to this URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp
* Download the WinXP (32 bit) security patch.
* Choose to save the file to your Windows Desktop.
* Disconnect your computer from the network cables again.
4. Disable System Restore
~~~~~~~~~~~~~~~~~~~~~~~~~
Before removing the virus, System Restore must be turned off.
* Click the Start button, right-click My Computer, and then left-click Properties from the menu.
* Click the System Restore tab.
* Click to check Turn Off System Restore.
* Click the OK button.
* Click Yes to disable System Restore.
NOTE: After you have removed the virus and applied the patch, repeat these steps to re-enable System Restore. Having this feature enabled allows the system to return to a previous state with little effort.
5. Run Virus-Cleaning Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~
* Find the downloaded file on your Desktop named either:
stinger.exe or FixBlast.exe
* Double-click the file to begin the removal of the virus.
NOTICE: Do not reboot the system or reconnect to the Internet until the Critical Update is installed. Click to deselect Reboot my Computer if that option is presented.
6. Install the Critical Update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* On your desktop, double-click WindowsXP-KB823980-x86-ENU.exe to expand and execute the patch. For Windows 2000 use Windows2000-KB823980-x86-ENU.exe
* Follow the directions in the wizard to complete the installation.
* Close all open programs including Internet Explorer.
The security patch should be applied when you restart Windows.
* After the system has rebooted, reconnect to the Internet.
If you are still having problems, or you have Windows NT or 2000, please check the Web site below:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp
See the Dell Knowledge article below for more information:
Windows 98 and ME users are not affected by this virus.
Message Edited by DELL-Jesse on 04-28-2004 09:42 AM
Dave Lyle
2K Posts
0
April 28th, 2004 13:00
I believe Dell-Jesse was trying to point to the message here.
DELL-Jesse L
Moderator
Moderator
•
16.7K Posts
0
April 28th, 2004 18:00
gvsugrl,
Take a look at the link that ~ddeerrff posted in this thread. It explains it a little better for you.
gvsugrl
19 Posts
0
April 28th, 2004 18:00
gvsugrl
19 Posts
0
April 28th, 2004 22:00
gvsugrl
19 Posts
0
May 2nd, 2004 02:00
jwatt
4.4K Posts
0
May 2nd, 2004 16:00
Also see this McAfee article for removal instructions.
Jim
gvsugrl
19 Posts
0
May 6th, 2004 20:00
Jim (or Jesse) -
Ok, I followed all the directions and that seemed to make the computer worse. Plus, now I can only run my computer after shutting off the shutdown notice (using shutdown.exe -a). The patch didn't work and I didn't see any of the "bad" files under the Task Manager. Also, when I disable the shutdown notice, I'm no longer able to use my D or E drives (CD & DVD), as well as access certain web pages (i.e. bank statements, ticketmaster purchase page). Any more ideas, or am I at the end of the line where I'll have to reload the entire OS? Let me know what you think :)
Jamie
jwatt
4.4K Posts
0
May 6th, 2004 21:00
You might also try one of the free "on-line" virus scanning services such as Trend Micro's "Housecall".
If you do not find any viruses, the machine may be infected by one or more spyware/adware pests. Try following the advice given in the second link listed below - download, update, and run Ad-Aware and SpyBot following the instructions in the second link below. If that doesn't resolve the problem, download and run HijackThis and submit its log files for analysis by the experts in the Virus Information and Removal board.
Jim