Lsass.exe System Process Unexpectedly Quits
Relztrah
01-08-2005, 03:29 PM
I recently upgraded from ME to XP and after 5, 10 or 20 mins. online I get the following error message:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: [60 seconds and counting]
Message
The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.
The system will now shut down and restart.
I found the following article (Article ID : 300038) on the Microsoft Website:
Lsass.exe System Process Unexpectedly Quits with a -1073741819 Status Code
(the link is http://support.microsoft.com/kb/306497/EN-US/#kb4)
This describes my situation exactly, but this error (according to the article) applies to Win2000 and suggests upgrading to the latest service pack for Win2000. I am using XP and have not even had Win2000 installed on this machine.
Should I install SP2 for XP? Has anybody had to deal with this problem before?
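Added example, not part of the original thread: the status code in the shutdown message above is a signed 32-bit rendering of an NTSTATUS value, and -1073741819 is 0xC0000005 (STATUS_ACCESS_VIOLATION). The sketch below decodes such messages and flags memory-fault crashes of critical system processes for isolation and patching; the watch list, the status table and every sample line except the first are assumptions constructed for illustration.

```python
import re

# Standard NTSTATUS values for memory faults; the table is deliberately small.
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SEVERITY = ("success", "informational", "warning", "error")
# Assumed watch list: processes whose death makes Windows force a restart.
CRITICAL = {"lsass.exe", "services.exe", "winlogon.exe"}

MSG = re.compile(
    r"The system process '(?P<path>[^']+)' terminated unexpectedly "
    r"with status code (?P<code>-?\d+)"
)

def decode_ntstatus(signed_code):
    """Split a signed status code into the NTSTATUS bit fields."""
    value = signed_code & 0xFFFFFFFF          # reinterpret as unsigned 32-bit
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],    # bits 31-30
        "facility": (value >> 16) & 0x0FFF,   # bits 27-16
        "code": value & 0xFFFF,               # bits 15-0
        "name": KNOWN_STATUS.get(value, "unknown"),
    }

def triage(lines):
    """Return one finding per 'terminated unexpectedly' message."""
    findings = []
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue
        image = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        status = decode_ntstatus(int(m.group("code")))
        memory_fault = status["name"] != "unknown"
        findings.append({"image": image, **status,
                         "isolate_and_patch": image in CRITICAL and memory_fault})
    return findings

SAMPLE = [  # first line is the message from this thread; the rest are constructed
    r"The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.",
    "Time before shutdown: 00:00:60",
    r"The system process 'C:\WINDOWS\system32\services.exe' terminated unexpectedly with status code 128.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```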
Relztah: Howz the AV running? Getting any virus alerts? The last time I had that notice I had Sasser virus, had "NT AUTHORITY/SYSTEM" notice etc., but it may be something else. . .
I'm not saying you have sasser, but until one of the Mods comes along, go to Symantec and run the sasser tool. . . .?
:cool:
Paul Komski
01-08-2005, 03:48 PM
By upgrading you have opened the door to the sasser worm which can get into unpatched win2k and winxp systems by just going on line.
Read http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Removal instructions towards the end but the most important thing is to get patched either using the specific patch linked to on that page or by installing the whole of WinXP sp1a or sp2. The problem is getting anything done before the system shuts down.
david eaton
01-08-2005, 05:20 PM
The problem is getting anything done before the system shuts down.
To abort the shutdown, as soon as the message appears, go to Start> Run, and type shutdown -a<enter>
That should allow you time to do the necessary updates, and run the Sasser removal tool
PrntRhd
01-08-2005, 06:49 PM
NO to SP2 at this time! You have to get the infection stopped first.
Yes I have seen this before.
It is either the Sasser or SDBot type of worm that has infected the PC.
You can get the infection under control by copying the Stinger (http://vil.nai.com/vil/averttools.asp) tool to a floppy via a "clean" PC. Write protect the floppy, then disconnect the infected computer from any network or Internet connection, and boot into SAFE mode (F8). Run the Stinger scan from the floppy and it should quarantine the infection. Caution: If you have more than one HDD in the PC you should only have one connected and scanned at a time or the infection will come back from the other HDD. You need to get the PC updated with Windows Update patches and your AV updated, preferably behind a firewall before connecting to the network or Internet.
Relztrah
01-09-2005, 06:02 PM
I was able to download and run Stinger following the above instructions with no improvement. I also successfully downloaded the newest update of AVG and ran it showing no viruses. Still I get the shutdown, although it seems to take a bit longer. Where do I go from here?
Relztrah
Paul Komski
01-09-2005, 06:34 PM
To prevent the shut down, do the following:
Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
Restart the computer.
As soon as Windows opens and you see the Windows desktop, click Start > Run.
Type:
cmd
and press Enter.
Type:
shutdown -i
and press Enter.
In the Remote Shutdown Dialog that opens, do the following:
Click Add, type your computer name into the Add Computers dialog box, and then click OK.
You can get your computer's name from RClick MyComputer -- Properties -- Computer Name.
In the "Display warning for" field, type 9999.
Type the following text in the Comment box:
Delay Lsass.exe shutdown.
Click OK.
Reconnect the network/Internet connection.
Connect to the Internet, and get the patch from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
When you have patched your computer and removed the threat, you can re-enable the normal 20 second default warning if you wish.
There are other ways to clean-up but you could continue with removal using the W32.Sasser Removal Tool from
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
A simple summary:-
DELAY THE SHUTDOWN PERIOD
PATCH THE HOLE
REMOVE THE WORM
Relztrah
01-10-2005, 10:09 PM
When I ran the cleaner tool I got "no infection detected".
When I ran the fix tool I got "W32.sasser.worm has not been found on your computer". Does this mean it has been eliminated? Or was this not a Sasser problem in the first place? I am not getting the shutdown error message, so something worked.
Do you recommend that I now install SP2?
Relztrah
Paul Komski
01-11-2005, 01:50 AM
It sounds like you somehow fixed it whatever. If the system is not patched you can catch it (or its cousins) as soon as you go on line again. I would suggest you do a full a/v scan of your system since there are similar related agents that can affect things in this manner.
I would only install SP2 if you are sure you have eliminated all malware first. Would also recommend that you backup your files (or better still your whole system) before installing SP2 at this point in time. If so you can always then get back to where you are now.