Like Sasser, but it's not?

Discussion in 'Windows XP' started by Blueberry, 2004/05/10.

Thread Status:
Not open for further replies.
  1. 2004/05/10
    Blueberry

    Blueberry Well-Known Member Thread Starter

    Joined:
    2003/03/07
    Messages:
    107
    Likes Received:
    0
    The setup:
    An old faithful 400MHz PentiumPro which has run WinXP Home flawlessly for over a year (and Win98 before that). Totally reformatted and re-installed XP last weekend to prepare it for a new life as my girlfriend's computer. Everything proceeded without a hitch until I connected it to the Internet via DSL (to start downloading XP updates, register, etc.)

    The problem:
    Within 1 minute of being connected to the Internet, a message pops up that "LSA Shell (Export Version) has encountered a problem...", then about 45 sec later a window comes up saying that lsass.exe has an exception and needs to close, and the computer will shut down in 60 seconds - which it does, every time it's connected to the Internet. If I don't plug in the DSL modem, it will run all day just fine.

    Attempted fixes:
    Re-formatted, re-loaded everything from scratch - same results. (The sasser worm wasn't in the news yet)
    Downloaded (on a different computer) the sasser detection/removal tool from both the Microsoft site and the Symantec site - both say the PC is NOT infected.
    Ad-Aware comes up clean, albeit with an old reference file, and HijackThis also comes up clean. Norton AntiVirus 2004 finds nothing, but also with relatively old reference files.

    Microsoft KBase really doesn't have much info about lsass.exe and I don't really know what is going on here. Based on symptoms I was convinced this week that it had to be infected with some variant of the Sasser worm which I must have received as soon as I initially went online, but none of the telltale signs are there and the tools show it being clean. Oh, BTW - the DSL modem, card, cables and phone line originally used were mine, which I am using right now without problems on this computer. I have also tried it with her brand new modem, card and cables on her phone line, same results.

    Any ideas?? Thanks!
     
  2. 2004/05/10
    Steve R Jones

    Steve R Jones SuperGeek Staff

    Joined:
    2001/12/30
    Messages:
    12,315
    Likes Received:
    252

  4. 2004/05/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I'm having a similar problem with a neighbor's PC.
    The latest Stinger and Symantec's tools find nothing.
    (All he has is dialup.)

    If your computer has entered the shutdown stage, hit Start, Run, then type in
    shutdown -a

    I'm sure you've heard of most of these:
    Press Ctrl+Alt+Delete once.
    Click Task Manager.
    Click the Processes tab.
    Double-click the Image Name column header to alphabetically sort the processes.
    Scroll through the list and look for the following processes:
    avserve2.exe, lsasss.exe (with three s's), avserve.exe
    I don't think skynetave.exe will show, but if it does, end it also.

    Any process with a name consisting of four or five digits, followed by _up.exe (e.g. 74354_up.exe).
    If you find any such process, click it, and then click End Process.
    Exit the Task Manager.

    Besides the tools you have already tried, use Stinger, Network Associates Inc. Stinger: http://vil.nai.com/vil/stinger/

    And with the other tools, be sure to make sure they are the latest available.
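
The Task Manager check described in the post above can be scripted. This is an added example, not part of the original post: it assumes the process list is available as `tasklist /fo csv /nh` style text, and the sample rows are constructed. Exact matching matters because the legitimate lsass.exe differs from lsasss.exe by one letter.

```python
import csv
import io
import re

# Image names listed in the post above (compared case-insensitively,
# since Windows file names are case-insensitive).
NAMED = {"avserve.exe", "avserve2.exe", "lsasss.exe", "skynetave.exe"}
# "four or five digits, followed by _up.exe", e.g. 74354_up.exe
DROPPER = re.compile(r"\d{4,5}_up\.exe")

def classify(image_name):
    """Return a reason string if the name matches the post's list, else None."""
    name = image_name.strip().lower()
    if name in NAMED:
        return "listed name"
    if DROPPER.fullmatch(name):
        return "digits + _up.exe"
    return None

def scan_tasklist_csv(text):
    """Scan `tasklist /fo csv /nh` style output; return [(image, pid, reason)]."""
    hits = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # blank or malformed line
        reason = classify(row[0])
        if reason:
            hits.append((row[0], row[1], reason))
    return hits

# Constructed sample rows, not captured from a real machine.
SAMPLE = '''"System Idle Process","0","Console","0","16 K"
"lsass.exe","688","Console","0","1,204 K"
"lsasss.exe","1412","Console","0","3,880 K"
"AVSERVE2.EXE","1520","Console","0","2,112 K"
"74354_up.exe","1764","Console","0","1,960 K"
"123_up.exe","1800","Console","0","900 K"
"setup.exe","1900","Console","0","4,000 K"
'''

if __name__ == "__main__":
    for image, pid, reason in scan_tasklist_csv(SAMPLE):
        print(f"{image} (PID {pid}): {reason}")
```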
     
  5. 2004/05/10
    Elvardo Lifetime Subscription

    Elvardo Well-Known Member

    Joined:
    2003/04/18
    Messages:
    44
    Likes Received:
    0
    Hope you get it sorted. When you do, can I suggest you use a very good firewall as well as Norton.

    Works for me

    Cheers

    Elvardo
     
  6. 2004/05/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I just read that the service will shut down just from incoming attack attempts, which a firewall will protect you from, even XP's built-in. If you don't have a third party firewall running, enable XP's and see what happens. Encourage you to get a third party firewall regardless. Freebies available here. Zone Alarm, Sygate and Kerio are the most popular.
     
  7. 2004/05/11
    Blueberry

    Blueberry Well-Known Member Thread Starter

    Joined:
    2003/03/07
    Messages:
    107
    Likes Received:
    0
    Resolved

    Good point. I completely forgot that XP does not turn on the firewall out of the box. Once I turned it on, I was able to stay connected without any trouble. Pretty scary that this machine was being pinged so relentlessly! Although I don't get why it exhibited the symptoms of Sasser but was never actually infected - especially considering the fact that it didn't yet have any updates or service packs applied. Oh well, all's well in dodge city...
     
  8. 2004/05/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad it worked for you. :)
     