60 seconds until shutdown (sasser?)

Discussion in 'Security and Privacy' started by Gasolene, 2004/05/12.

Thread Status:
Not open for further replies.
  1. 2004/05/12
    Gasolene

    Gasolene Inactive Thread Starter

    Joined:
    2002/01/17
    Messages:
    210
    Likes Received:
    0
    system keeps shutting down in 60 seconds (even in safe mode)

    “This system is shutting down. Please save all... This shutdown was initiated by NT AUTHORITY\SYSTEM.

    Message: The system process 'c:\windows\system32\lsass.exe' terminated unexpectedly with the status code -1073741676. The system will now shut down and restart.”

    lsass.exe is exploited by the Sasser virus, but I could not find any of the values associated with Sasser.A - Sasser.F in the registry.

    Nor were there any suspicious processes running, nor are there any unknown startup registry keys in HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE.

    suggestions???

    Where else could a virus start from, and if I don't see it in the process list, can it be a virus?

    The OS is Win2000, so I have no "startup -a", nor do I have "msconfig".

    thnx,
     
    Last edited: 2004/05/12
  2. 2004/05/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Have you seen this ?
    http://www.microsoft.com/security/incident/sasser_print2000.asp

    The command to stop the shutdown is

    On the taskbar at the bottom of your screen, click Start, and then click Run.
    Type: cmd and then click OK.
    At the command prompt, type: shutdown.exe -a and then press ENTER.

    But that's not mentioned on the Win2000 page.
     

  4. 2004/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you have a firewall running? If not, just an incoming attack can shut down the service, no need to be infected.
     
  5. 2004/05/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Lonnie - shutdown.exe isn't a part of the normal 2K install. You gotta get it from the resource kit. It does come standard with XP.
     
    Newt,
    #4
  6. 2004/05/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Thanks Newt I was unsure of that.

    noahdfear is correct: a PC doesn't necessarily need to be infected to get the shutdown message; merely being unpatched and without a firewall is enough.
    But I would get and use several removal tools nonetheless.
     
  7. 2004/05/13
    Gasolene

    Gasolene Inactive Thread Starter

    Joined:
    2002/01/17
    Messages:
    210
    Likes Received:
    0
    thnx,

    The problem is that I don't have enough time to run any removal tools.

    The system shuts down almost immediately after login, and this install has no resource kit installed.

    I'm not sure if firewall is enabled (not my PC).

    note, this happens even when internet is disconnected.

    is there another way to abort the shutdown?
     
  8. 2004/05/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You will need to get shutdown.exe. If you get the res kit onto another PC and copy off shutdown.exe (no install, just a file that will run), you can boot the affected PC to the recovery console via Install CD boot, copy the file to the PC, and be able to block shutdown that way.

    Alternative (but still requiring the same method to get it on your PC) would be PSShutdown from www.sysinternals.com .
     
    Newt,
    #7
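
Added example, not part of the original thread: a small triage helper that parses the shutdown dialog text quoted in the first post and decodes the signed decimal status code into its NTSTATUS bit fields, so it can be looked up in `ntstatus.h`. The function names and the short table of known codes are this example's own choices; the sample message is reconstructed from the text quoted above.

```python
import re

# Constructed sample: the shutdown dialog text as quoted in the first post.
SAMPLE = ("The system process 'c:\\windows\\system32\\lsass.exe' terminated "
          "unexpectedly with the status code -1073741676. "
          "The system will now shut down and restart.")

MSG_RE = re.compile(
    r"system process '(?P<image>[^']+)' terminated unexpectedly "
    r"with the status code (?P<status>-?\d+)", re.IGNORECASE)

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# A few well-known NTSTATUS values from ntstatus.h; not an exhaustive table.
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}


def decode_ntstatus(value):
    """Split a signed or unsigned 32-bit NTSTATUS into its bit fields."""
    u = value & 0xFFFFFFFF  # the dialog prints the DWORD as a signed decimal
    return {
        "hex": f"0x{u:08X}",
        "severity": SEVERITY[u >> 30],           # bits 31-30
        "customer_defined": bool(u & 0x20000000),  # bit 29
        "facility": (u >> 16) & 0x0FFF,          # bits 27-16
        "code": u & 0xFFFF,                      # bits 15-0
        "name": KNOWN.get(u, "unknown (look up in ntstatus.h)"),
    }


def parse_shutdown_message(text):
    """Return the crashed image path and decoded status, or None if no match."""
    m = MSG_RE.search(text)
    if m is None:
        return None
    info = decode_ntstatus(int(m.group("status")))
    info["image"] = m.group("image")
    return info


if __name__ == "__main__":
    for key, val in parse_shutdown_message(SAMPLE).items():
        print(f"{key:17} {val}")
```

Recording the decoded hex value and the image path alongside the event time makes it easier to compare the crash against vendor advisories and against other affected hosts.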