Archived from groups: microsoft.public.windowsxp.general
None of this will work as I cannot get into Windows with the affected
computer. Not in Safe Mode either.
The computer shuts down before I can do anything in Windows.
"David H. Lipman" wrote:
> From: "Duck" <Duck@discussions.microsoft.com>
>
> | The computer will only boot partway. I get a system shutdown in 60 seconds
> | even before I get to the desktop. It says lsass.exe terminated unexpectedly.
> | Also 1073741819 shows as a status code.
> |
> | I've tried Safe Mode and last known good configuration and neither works.
> |
> | I've tried taking the hard drive out of the computer and installing it as a
> | second drive to scan for viruses. I've used AVG and NAV, both updated, to
> | scan for viruses. I've also used Fxsasser.exe from Symantec to scan the
> | drive. None of these found anything at all.
> |
> | I've also tried replacing the lsass.exe file with a known good one.
> |
> | I cannot get the computer to boot so I cannot do anything with the drive
> | while it is in the computer.
> |
> | How can I fix this?
>
> Download the patch (below). Put the patch and Stinger on media (CDROM, ZIP Disk, USB Flash
> drive, etc.), disconnect the affected PC from the Internet and install the patch. Then reboot
> the PC and perform the following scan of the PC using Stinger and the below Multi AV Command
> Line Scanner front end utility!
>
> If you have the SHUTDOWN.EXE utility from the Win2K Resource kit, you can perform the
> following when you get the shutdown message.
>
> Go to; Start --> Run
> enter; shutdown /a
>
> If you don't have the SHUTDOWN.EXE utility, I have posted a copy in the News Group;
> alt.binaries.comp.virus
> In the post entitled "SHUTDOWN.EXE for Win2K platforms for RPC/DCOM and LSASS shutdown
> issues"
>
> This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
> Stinger: http://vil.nai.com/vil/stinger/
>
> Please read the following URL:
>
> http://www.microsoft.com/security/incident/sasser_printxp.mspx
>
> Install the following patch for the LSASS vulnerability addressed by; KB835732
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
>
> Please read:
> http://www.microsoft.com/security/incident/sasser.mspx
>
>
> You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
> just be re-infected.
> I also suggest the installation of ALL MS Critical Updates ASAP.
>
>
> You can also scan the system using the below multi AV Command Line Scanner front end utility
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> Download MULTI_AV.EXE from the URL --
>
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
> http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
> (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
> simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
> viruses and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode. This
> way all the components can be downloaded from each AV vendor’s web site.
> On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
> On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
> menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
> through your FireWall to allow them to download the needed AV vendor related files.
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
>
> http://www.claymania.com/removal-trojan-adware.html
>
> http://www.ik-cs.com/got-a-virus.htm
>
>
>