My computer's spontaneously shutting down.

Rogue 9 · Post by **Rogue 9** » 2004-05-03 04:04pm

Error Message wrote:This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was authorized by NT AUTHORITY\SYSTEM. Timer countdown.

The system process C:\WINDOWS\system32\lsass.exe terminated unexpectedly with status code -1073741819. The system will now shut down and restart.

Anybody know what the hell this is? I have no clue how long I have until it does this again; it just happened twice within five minutes. Its doing it again right now. What the hell?

Okay, that's all of it. I'm running Windows XP. What gives? Its done it five times now.

Hamel · Post by **Hamel** » 2004-05-03 04:08pm

2000/NT/XP?

This happens when ya end one of the svchost processes in task manager. Something might be killing it.

Rogue 9 · Post by **Rogue 9** » 2004-05-03 04:12pm

I'm getting as much of it as I can while the timer's running. That's almost all of it.

Hamel · Post by **Hamel** » 2004-05-03 04:35pm

Rogue 9 wrote:I'm getting as much of it as I can while the timer's running. That's almost all of it.

Try running in safe mode, and if possible, scan for viruses. Something is killing critical system processes.

Rogue 9 · Post by **Rogue 9** » 2004-05-03 04:36pm

Won't let me get through a virus scan. Not enough time. It seems to be getting more frequent.

Hamel · Post by **Hamel** » 2004-05-03 04:38pm

Rogue 9 wrote:Won't let me get through a virus scan. Not enough time. It seems to be getting more frequent.

Boot from your OS' CD and use the recovery console to repair your installation. At the most you would replace the OS, and would not lose your other files.

Dahak · Post by **Dahak** » 2004-05-03 04:39pm

That, my friend, is the sasser virus.
Useful information

Rogue 9 · Post by **Rogue 9** » 2004-05-03 04:48pm

Damn, its doing it again and the virus scan didn't find it first.

Dahak · Post by **Dahak** » 2004-05-03 04:54pm

Rogue 9 wrote:Damn, its doing it again and the virus scan didn't find it first.

Download the patch here.
Download removal tool here.

Rogue 9 · Post by **Rogue 9** » 2004-05-03 04:54pm

Shuts down before the download completes. I've been trying it.

Hamel · Post by **Hamel** » 2004-05-03 04:56pm

Rogue 9 wrote:Shuts down before the download completes. I've been trying it.

Have you tried safe mode or the recovery console yet?

Dahak · Post by **Dahak** » 2004-05-03 04:58pm

Rogue 9 wrote:Shuts down before the download completes. I've been trying it.

When it shuts down, go to start menu -> run, and type "shutdown -a" in it.

Rogue 9 · Post by **Rogue 9** » 2004-05-03 04:59pm

WOOHOO! VICTORY IS MINE!

It was Sasser B. I just hope there's not another copy on here...

Edit: The file name was C:\WINDOWS\avserve2.exe

phongn · Post by **phongn** » 2004-05-03 07:17pm

This is why you routinely go to Windows Update or have it automatically update for you. The patch has been out for more than two weeks.

Xon · Post by **Xon** » 2004-05-03 09:16pm

Do your self and the world a favour.

Put a router/hardware/software firewall between your computer and the internet and block the TCP/IP ports: 139-445.

Those ports have known security issues, do not allow them to be exposed to the internet. Exposing this ports to the internet is a stupid(And in Australia aurgably criminal) thing todo.

Pu-239 · Post by **Pu-239** » 2004-05-03 09:33pm

Why not everything below, say, 1500-2000 (exempting P2P software)? Anyway, I just nmapped the win2k computer upstairs (not mine, my sister's).

Nmap of Win2k computer upstairs:

Code: Select all

135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1002/tcp open  windows-icfw
1025/tcp open  NFS-or-IIS
1720/tcp open  H.323/Q.931

Can anyone explain what is happening above? I'm not a windows expert.

Also note that this computer is deliberately connected to the internet w/o any software firewall, since it interferes with internet connection sharing (so how do I rectify this and still allow ICS to work.. yes, I will claim writing IPTables scripts is 1000x easier to understand)(my sister insists on having it dial out directly when she is home, despite the fact that things are noticibly faster when things are routed through a caching proxy server

. She also insists on using IE... it's been amazing how no malware is on it yet (then again, lots of malware probably is on it, just undetected due to lack of spyware removal programs)).

phongn · Post by **phongn** » 2004-05-03 09:50pm

You are playing with fire not having anything on it. If she gets hit, browbeat her into letting you put something on ... and software firewalls should cooperate with ICS since you have the option of only blocking the dial-up networking adapter.

Port 135 is the Remote Procedure Call service. You can't shut that down.
Port 139 is for NetBIOS-based SMB/CIFS networking
Port 389 is for LDAP authentication (i.e. ActiveDirectory)
Port 1002 looks like its related to the built-in Windows firewall but it can also be used for NetMeeting
Port 1025 is related to IIS ... does she have Personal Web Sharing enabled?
Port 1720 is for various interactive media stuff.

Pu-239 · Post by **Pu-239** » 2004-05-03 11:58pm

I don't think she is using PWS or videoconferencing.... oh, and the udp scan:

Code: Select all

PORT    STATE SERVICE
53/udp  open  domain
135/udp open  msrpc
137/udp open  netbios-ns
138/udp open  netbios-dgm
445/udp open  microsoft-ds
500/udp open  isakmp

I've never gotten IPSEC to work w/ ICS blocking all ports listed by nmap or using KPF w/o having timeout errors, even with sharing explicitly enabled for KPF... need to look at it if/when computer upstairs gets nuked, since currently not allowed to use computer.

Stark · Post by **Stark** » 2004-05-04 08:46pm

I occassionally get the same error and shutdown after a few hours of downloading with emule; I've got no virus activity tho. Bloody emule