Have just changed ISP on son's computer. Everything straightforward until I removed the old ISP (using the remove mechanism) after which the warning 'Windows is shutting down' (in ONE minute) came on the screen. Not possible to stop this and so close down it did! From then on whatever command was made, the above warning came on screen and activated.....despite the fact that the selected command dialogue box always opened in the background. Your thoughts please!!
Laptop running XP

H49

Could be the the sasser virus. I had ot two days ago and it shut everything down..

Use the fix from symantec listed here removal tool (http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html)

It will remove the virus from your system and also read the details as well. You can check it manually as well to see if its completely gone.

Make sure you then update your virus definitions.

Helen49,

Your Son has MSBlaster worm:

WORM_MSBLAST.GEN (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.GEN)

(As a note: If Windows is going to crash, it just crashes. It is not going to give you 60 seconds to do your work before shutting down.)

Take Care,

Richard

One World 22 & Richard.....thank you for the advice. It did take the 60seconds to shut down, counting down before it commenced.

H49

Helen49,

Follow the directions from the link I gave you above. Then run Trend Micro's Housecall (http://housecall.trendmicro.com/) to make sure his system is clean.

I would also run Lavaoft's Ad-Aware (http://www.lavasoftusa.com/software/adaware/) to make sure you have any Spyware your system.

Once that has completed, download every patch Microsoft has for the OS.

Take Care,

Richard

Just cleaned the "Sasser" virus from someone's machine. It behaves almost the same as "Blaster" . In the closing down message it mentions "lsass.exe" which indicates you've got it.
Regards
FBW

all help appreciated guys. Many thanks.

H49

Flybywyre, lsass.exe (http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/) is a windows application which is required and will always be present - the worm infects it causing the problem. The real clue is that you can see avserver.exe running when you do a ctrl-alt-del.

Charles

Hi Helen,

Please download 'Hijack This!' from here (http://www.thespykiller.co.uk/), unzip, and place it in it’s own folder, (not in the temp folder, or on the desktop) doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a PM to me.

This will give me a rundown of what’s going on in your PC. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

(You may have all now guessed that this is a C&P).. :) :ok:

Cheers

Liam

Thanks AMOW's.............

As I said it shows up in the RPC message

Regards
FBW

Odd one here. I tried to run Trend Micro Housecall (I've done so before but not for a couple of years). It wanted to download and install a plugin for Netscape.

But I don't use Netscape. I use Mozilla (v 1.7RC1 at the moment), and it couldn't find the Netscape Plugins folder so refused to go any further. I showed it the Mozilla one, but that didn't satisfy it.

Sounds like Mozilla is even more secure than I thought!