System shutting Down



Ty
07-09-2005, 10:50 PM
Windows Server 2003 Web Edition, is shutting down:
Event Log error
Application popup: System Shutdown : The system is shutting down. Please
save all work in progress and log off. Any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in
52 seconds. Shutdown message: The system process
'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 128.
The system will now shut down and restart

Please Help

MAP
07-09-2005, 10:50 PM
Ty wrote:
> Windows Server 2003 Web Edition, is shutting down:
> Event Log error
> Application popup: System Shutdown : The system is shutting down.
> Please save all work in progress and log off. Any unsaved changes
> will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.
> Shutdown will begin in 52 seconds. Shutdown message: The system
> process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with
> status code 128. The system will now shut down and restart
>
> Please Help

I can't believe that people are still getting infected with this?
http://www.google.as/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-36,GGLD:en&q=sasser
--
Mike Pawlak

roberto
07-09-2005, 10:50 PM
Why not?? Probably this is the first PC he uses...or his first time
"connected to Internet" or maybe he is just not "updated"

Map, u r "infected" by Sasser Virus. Depending on your OS u must download the
patch that is provided by Microsoft on its site. If u just type on Google:
" MICROSOFT PATCH SASSER VIRUS " they will provide u the link to install
this patch. U may also try to download the removal tool provided by Symantec
http://symantec.com

"MAP" <mikepawlak2REM@OVEhotmail.com> wrote in message
news:OZ6IuwAfFHA.2844@TK2MSFTNGP14.phx.gbl...
> Ty wrote:
> > Windows Server 2003 Web Edition, is shutting down:
> > Event Log error
> > Application popup: System Shutdown : The system is shutting down.
> > Please save all work in progress and log off. Any unsaved changes
> > will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.
> > Shutdown will begin in 52 seconds. Shutdown message: The system
> > process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with
> > status code 128. The system will now shut down and restart
> >
> > Please Help
>
> I can't believe that people are still getting infected with this?
> http://www.google.as/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-36,GGLD:en&q=sasser
> --
> Mike Pawlak
>
>

David H. Lipman
07-09-2005, 10:50 PM
From: "MAP" <mikepawlak2REM@OVEhotmail.com>

| Ty wrote:
>> Windows Server 2003 Web Edition, is shutting down:
>> Event Log error
>> Application popup: System Shutdown : The system is shutting down.
>> Please save all work in progress and log off. Any unsaved changes
>> will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.
>> Shutdown will begin in 52 seconds. Shutdown message: The system
>> process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with
>> status code 128. The system will now shut down and restart
>>
>> Please Help
|
| I can't believe that people are still getting infected with this?
| http://www.google.as/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-36,GGLD:en&q=sasser
| --
| Mike Pawlak
|

Status code 128 is not indicative of Sasser.

See the attached...

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
07-09-2005, 10:50 PM
From: "Ty" <Ty@discussions.microsoft.com>

| Windows Server 2003 Web Edition, is shutting down:
| Event Log error
| Application popup: System Shutdown : The system is shutting down. Please
| save all work in progress and log off. Any unsaved changes will be lost.
| This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in
| 52 seconds. Shutdown message: The system process
| 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 128.
| The system will now shut down and restart
|
| Please Help

It sounds like you have a DLL corruption, wrong version of a Lsass file or a hardware
problem.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

roberto
07-09-2005, 10:50 PM
Well David.... is it possible that the "status code" has changed the
number?? Too many words ...the same type of sentence (warning)....except for
the status code number.... it looks like our friend Ty has been affected by
Sasser... lets make him install the patch and then we will see if its
wrong version of lsass file (in my modest opinion i dont think that a DLL
corruption could "act" like this) or see if we have another victim of that
german teenager who wanted to "help their parents business"

Robert
Cuba

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uxEr4kOfFHA.3916@tk2msftngp13.phx.gbl...
> From: "Ty" <Ty@discussions.microsoft.com>
>
> | Windows Server 2003 Web Edition, is shutting down:
> | Event Log error
> | Application popup: System Shutdown : The system is shutting down. Please
> | save all work in progress and log off. Any unsaved changes will be lost.
> | This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in
> | 52 seconds. Shutdown message: The system process
> | 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 128.
> | The system will now shut down and restart
> |
> | Please Help
>
> It sounds like you have a DLL corruption, wrong version of a Lsass file or a hardware
> problem.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

David H. Lipman
07-09-2005, 10:50 PM
From: "roberto" <ralplavner@HotPOP.com>

| Well David.... is it possible that the "status code" has changed the
| number?? Too many words ...the same type of sentence (warning)....except for
| the status code number.... it looks like our friend Ty has been affected by
| Sasser... lets make him install the patch and then we will see if its
| wrong version of lsass file (in my modest opinion i dont think that a DLL
| corruption could "act" like this) or see if we have another victim of that
| german teenager who wanted to "help their parents business"
|
| Robert
| Cuba

No, it isn't.
http://vil.nai.com/vil/content/v_125007.htm

In actuality there are several infectors that now exploit the buffer overflow vulnerability
noted in the LSA Shell. Sasser was just the first to exploit it. Others include or are
variants of: Qhosts.apd, W32/GAObot, W32/Plexus, W32/MyDoom, W32/Radebot, W32/SDbot and the
W32/Mytob. Those infectors that use TCP port 445 to exploit the vulnerability will generate
status code -1073741819. If other status codes are generated then it is indicative of
"other" Lsass-related problems. To date I have read numerous threads that "looked like" a
LSA Shell Exploit but turned out to be other than worm-related causative factors.

In addition, the "IRC-Bun" uses the file named LSASS.EXE.

You stated ... "in my modest opinion i dont think that a DLL corruption could "act" like
this". In my experience, I disagree.

As a parallel note, I ran into a Gateway PC running WinXP Media Center. I was given it to
service because it was infected with all sorts of malware. To make a long story short, when
I ran Ad-Aware SE on the platform, shortly after the scan started, I received a "NT
AUTHORITY\SYSTEM" shutdown message "...because the Remote Procedure Call (RPC) service
terminated unexpectedly". One would think that would be caused by a RPC/RPCSS DCOM Exploit
associated with the Lovsan/Blaster worm. However, that was not the case. A piece of
adware/spyware (still unidentified) had a self protection scheme to block its removal by
causing the RPC Service termination failure. This would block the casual PC user from
successfully scanning the platform and removing the malware. Of course it was just a matter
of executing "shutdown -a" to stop the shutdown process and continue the scan w/o further
problems.


Lastly:

The patch for Win2003 Server associated with KB835732 can be downloaded at the following
URL...
http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF-453E-AE7E-7495864E8D8C&displaylang=en


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
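
The status-code rule from the reply above, as an added Python example that is not part of the original thread: it pulls the process image and exit status out of the shutdown message and separates the code the post ties to the TCP 445 LSA Shell exploit from any other value. The function names and verdict labels are assumptions; the first sample is the message posted in this thread, the second is constructed.

```python
import ntpath
import re

# Exit status the thread ties to the TCP 445 LSA Shell exploit crash.
LSA_EXPLOIT_STATUS = -1073741819

# \s+ between words lets the pattern survive log-viewer line wrapping.
SHUTDOWN_RE = re.compile(
    r"system\s+process\s+'(?P<image>[^']+)'\s+terminated\s+unexpectedly"
    r"\s+with\s+status\s+code\s+(?P<code>-?\d+)",
    re.IGNORECASE,
)

def to_ntstatus(code):
    """Show a signed 32-bit status in unsigned hex (NTSTATUS style)."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def triage(message):
    """Return image, code and a verdict label (assumed names), or None."""
    m = SHUTDOWN_RE.search(message)
    if m is None:
        return None
    image, code = m.group("image"), int(m.group("code"))
    if ntpath.basename(image).lower() != "lsass.exe":
        verdict = "not-lsass"
    elif code == LSA_EXPLOIT_STATUS:
        verdict = "matches-lsa-exploit-code"
    else:
        verdict = "other-lsass-problem"
    return {"image": image, "code": code,
            "ntstatus": to_ntstatus(code), "verdict": verdict}

# Message text as posted in the thread (status code 128).
THREAD_MESSAGE = r"""Shutdown message: The system process
'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 128.
The system will now shut down and restart"""

# Constructed sample carrying the code the thread associates with the exploit.
CONSTRUCTED_MESSAGE = r"""Shutdown message: The system process
'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code
-1073741819. The system will now shut down and restart"""

if __name__ == "__main__":
    for text in (THREAD_MESSAGE, CONSTRUCTED_MESSAGE):
        print(triage(text))
```

Read as an unsigned 32-bit value, -1073741819 is 0xC0000005, the NTSTATUS access-violation code, which is why the signed decimal in the event text is worth converting before searching for it.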

roberto
07-09-2005, 10:50 PM
Thanks for ur quotes David!! U r always so helpful!! Thats what this group
is for...!! Of course i said it was on my modest opinion...im sure i dont
have ur experience...i wish i could have it!!!

You stated " However, that was not the case. A piece of adware/spyware
(still unidentified) had a self protection scheme to block its removal by
causing the RPC Service termination failure" See i have never experimented
with this kind of "things" ....u said it was a piece of adware/spyware
..... still unidentified...when u said is still unidentified u mean that, for
example, it happened 1 month ago and TODAY u r still wondering why and
how....AND WHO??? If u can tell more about this......

Thanks

Robert
CUBA



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:evZMCQPfFHA.484@TK2MSFTNGP14.phx.gbl...
> From: "roberto" <ralplavner@HotPOP.com>
>
> | Well David.... is it possible that the "status code" has changed the
> | number?? Too many words ...the same type of sentence (warning)....except for
> | the status code number.... it looks like our friend Ty has been affected by
> | Sasser... lets make him install the patch and then we will see if its
> | wrong version of lsass file (in my modest opinion i dont think that a DLL
> | corruption could "act" like this) or see if we have another victim of that
> | german teenager who wanted to "help their parents business"
> |
> | Robert
> | Cuba
>
> No, it isn't.
> http://vil.nai.com/vil/content/v_125007.htm
>
> In actuality there are several infectors that now exploit the buffer overflow vulnerability
> noted in the LSA Shell. Sasser was just the first to exploit it. Others include or are
> variants of: Qhosts.apd, W32/GAObot, W32/Plexus, W32/MyDoom, W32/Radebot, W32/SDbot and the
> W32/Mytob. Those infectors that use TCP port 445 to exploit the vulnerability will generate
> status code -1073741819. If other status codes are generated then it is indicative of
> "other" Lsass-related problems. To date I have read numerous threads that "looked like" a
> LSA Shell Exploit but turned out to be other than worm-related causative factors.
>
> In addition, the "IRC-Bun" uses the file named LSASS.EXE.
>
> You stated ... "in my modest opinion i dont think that a DLL corruption could "act" like
> this". In my experience, I disagree.
>
> As a parallel note, I ran into a Gateway PC running WinXP Media Center. I was given it to
> service because it was infected with all sorts of malware. To make a long story short, when
> I ran Ad-Aware SE on the platform, shortly after the scan started, I received a "NT
> AUTHORITY\SYSTEM" shutdown message "...because the Remote Procedure Call (RPC) service
> terminated unexpectedly". One would think that would be caused by a RPC/RPCSS DCOM Exploit
> associated with the Lovsan/Blaster worm. However, that was not the case. A piece of
> adware/spyware (still unidentified) had a self protection scheme to block its removal by
> causing the RPC Service termination failure. This would block the casual PC user from
> successfully scanning the platform and removing the malware. Of course it was just a matter
> of executing "shutdown -a" to stop the shutdown process and continue the scan w/o further
> problems.
>
>
> Lastly:
>
> The patch for Win2003 Server associated with KB835732 can be downloaded at the following
> URL...
> http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF-453E-AE7E-7495864E8D8C&displaylang=en
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

David H. Lipman
07-09-2005, 10:50 PM
From: "roberto" <ralplavner@HotPOP.com>

| Thanks for ur quotes David!! U r always so helpful!! Thats what this group
| is for...!! Of course i said it was on my modest opinion...im sure i dont
| have ur experience...i wish i could have it!!!
|
| You stated " However, that was not the case. A piece of adware/spyware
| (still unidentified) had a self protection scheme to block its removal by
| causing the RPC Service termination failure" See i have never experimented
| with this kind of "things" ....u said it was a piece of adware/spyware
| .... still unidentified...when u said is still unidentified u mean that, for
| example, it happened 1 month ago and TODAY u r still wondering why and
| how....AND WHO??? If u can tell more about this......
|
| Thanks
|
| Robert
| CUBA


The particular piece of malware that caused the RPC Shutdown initiation when being scanned
with Ad-aware was never identified. It happened to me in 2004. Since then I have discussed
it with a few others who also experienced the same situation but they too had not
identified the malware that caused this action.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

