
Lsass.exe crashing issue

Status
Not open for further replies.

cdogg

Technical User
Jul 30, 2001
7,785
US
It's been some time since I've dealt with the Sasser virus. In the past, I've been able to go to Start -> Run and quickly type "shutdown -a" to delay it. Then I'd type the "shutdown -i" command to set a longer expiring time (9999) for patching the PC and cleaning the infection.

However...

This variant is a bit different. Within a split second of the network login screen appearing, the shutdown dialog box appears. Although it starts counting down from 1 minute, after 20 seconds it restarts. I don't have enough time to log into Windows to stop it.

Safe mode is the same way, except I don't even see the dialog box. Within 20 seconds of the Safe Mode welcome screen appearing, it just restarts.

Once I have time to work within Windows, I know what I need to do. But does anyone have any clue as to how I can buy myself more time?

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
Is it possible to take it off the network within the allocated time? If so, then you could at least perhaps try some form of batch script so that next time it loads, it kicks in first?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Yeah, I suppose I forgot to mention that physically disconnecting it from the network hasn't helped. But thanks for the suggestion...

~cdogg
 
Sorry, my terminology was a bit poor there. What I meant to say is, if you were to take it off the domain, perhaps a script could run on startup before the Sasser shutdown was initiated?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Well that's the thing. The login prompt is as far as I get on the workstation. I don't have enough time to do anything before the restart occurs.

Removing the computername from the domain on the PDC then deploying a script wouldn't help either, since the workstation will still stall at the logon prompt. Maybe you're on to something and I'm just not understanding the steps I need to take!

~cdogg
 
Here's an update...


The error message contains:
"C:\windows\system32\lsass.exe terminated unexpectedly with status code 128"

I've already looked at:


I'm about ready to image a new drive and let this guy pull his data over that he wants to keep.

~cdogg
 
Hi, cdogg.

Sorry, I meant if you remove the computer from the domain on the computer itself, so that there is no prompt and it loads straight onto the desktop. Perhaps then a script could run shutdown -a before the shutdown prompt kicked in.

Still, you'll know best from using the machine, if it would have a chance of working. Unfortunately I, like you, am not aware of any other way to abort the shutdown sequence. It's been a long time since I've run the Sasser removal tools, how quickly do they normally do the job?

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
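The abort-then-reschedule sequence from the first post, combined with Russell's idea of running it from a startup script, as an added example. This is not code from the thread; the file name abort_shutdown.cmd and the 20-round abort loop are assumptions, and the switches used are those of the Windows XP-era shutdown.exe (-a abort, -r restart, -t timeout in seconds, -c comment). Whether a long pending countdown actually keeps a later LSASS crash from forcing a faster restart is the first poster's experience, not something the script can guarantee.

```batch
@echo off
rem abort_shutdown.cmd - added example, not from the thread.
rem Step 1: hammer "shutdown -a" for a while so the countdown raised by the
rem         LSASS crash is cancelled even if it is re-armed several times.
rem Step 2: schedule our own restart far in the future (the first post's
rem         "9999" trick) and cancel it by hand with "shutdown -a" once the
rem         machine is patched and cleaned.
rem Assumes XP-era shutdown.exe switches: -a, -r, -t, -c.
rem Intended to be launched from a Startup-folder shortcut or a RunOnce key
rem of a local account, i.e. as early after logon as possible.

setlocal
set TRIES=0

:abort
rem Ignore errors: "no shutdown in progress" is the normal case between crashes.
shutdown -a >nul 2>&1
set /a TRIES+=1
if %TRIES% LSS 20 (
    rem roughly one second of sleep; XP has no sleep/timeout command
    ping -n 2 127.0.0.1 >nul
    goto abort
)

rem Hold the pending-shutdown slot with a very long countdown.
rem Cancel later with:  shutdown -a
shutdown -r -t 9999 -c "Restart held by abort_shutdown.cmd for Sasser clean-up"
endlocal
```

Caveat a practitioner will hit: anything launched from Startup or RunOnce only runs after a logon completes, so on a box that reboots within 20 seconds of the logon screen appearing, as described in this thread, the script never gets the chance to fire. The abort loop only helps where a logon can be finished inside the window; otherwise the offline option the thread ends with (slave the drive, copy the data, reimage) is the realistic path.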
 
Sorry, I meant if you remove the computer from the domain on the computer itself

But how can he remove the computer from the domain if he cannot login? Maybe using a local Administrator account from Safe Mode? I have no idea about networking sorry...

Oh, and Sasser Removal Tools take a few minutes in my experience.
 
I figure you could probably enter a local user/pass and take it off the domain in about 50 seconds or so. I suppose it's dependent on the speed of the machine.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Thanks for the suggestions all, but I have chosen instead to slave the drive and pull data over to a newly imaged drive.

To answer your concern about the domain, the PCs we have here will still present an NT login prompt even if the PC is not a member. Also at one point almost two years ago, we were a Novell shop. So most of the workstations I support still have the Novell login prompt as well (though the login script/protocols are disabled).

Yeah, it was driving me crazy. Although I could quickly select workstation only and try to log in as the administrator, it was taking longer than 20 seconds to type the login and bring up the desktop.

Thanks again though...

~cdogg
 