Windows 2000 shutdown code???
Just uploaded and installed some Windows 2000 patches, all went well...
System reboots, but after the Windows screen comes up there is a dialogue saying something about NT authorisation shutdown code 128 after 1 minute. It then shuts down and reboots. Keeps happening over and over
Any ideas how to solve it?
Cheers
J
From M$ site
http://support.microsoft.com/?kbid=318447
If it's not this you may have Sasser or Blaster Virus
Nick
Originally Posted by Nicks VR4
From M$ site
http://support.microsoft.com/?kbid=318447
If it's not this you may have Sasser or Blaster Virus
Nick
Spot on Nick, I've printed the resolution and will try it as soon as I get in.... Cheers very much
J
New problem
I know I have to adjust regedit, but I can't get to it. The computer boots up and goes into shutdown even in Safe Mode..
Any idea how to get into regedit... or break the loop of shutting down?
Cheers
J
You could try using McAfee's Stinger to get rid of it, if you can download it off another machine, put it on a floppy and run it
Or try this off M$ site
On Windows 2000 systems, to prevent LSASS.EXE from crashing (thereby restarting the operating system) unplug the network cable (or disable the network adapter before LSASS.EXE crashes) and then perform any one of the following steps to prevent the worm from crashing LSASS.EXE:
1. Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command:
echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log
NOTE: This is the most effective mitigation technique as it completely mitigates this vulnerability by causing the vulnerable code to never be executed. This work-around will work for packets sent to any vulnerable port.
2. Enable advanced TCP/IP filtering on all adapters to block all un-solicited inbound TCP packets
• Go to Start, Run and type Control and press enter
• In the new Control Panel window double click on Network and Dialup Connections
• Right click on the adapter that is connected to the Internet or the infected network and select Properties
• Double click Internet Protocol (TCP/IP)
• Click Advanced
• Select the Options tab
• Double click TCP/IP filtering
• Check the Enable TCP/IP filtering (all adapters) checkbox
• Select the Permit Only button above TCP Ports
NOTE: Do NOT add any ports to this list and do NOT select the Permit Only button above the UDP Ports label.
• Press OK 4 times and then select Yes when prompted to reboot the system (you must reboot for these settings to take effect)
This is an alternate mitigation technique that can be used to block all attempts to exploit the vulnerability via the TCP protocol. This will not prevent malformed UDP packets from reaching a vulnerable port and does not completely block the vulnerability like the steps outlined above.
3. Temporarily stop the server service by typing the following command line:
net stop server /y
NOTE: This technique will only block exploit attempts that occur via TCP 139 and 445.
If the machine is currently infected with the Sasser worm it may start flooding the local network connection as soon as the cable is plugged back in making it impossible to download updates. To temporarily disable the worm use Task Manager to kill the following processes:
• End any process beginning with 4 or more numbers and “_up.exe” (for example, 12345_up.exe)
• End any process starting with avserve (for example, avserve.exe, avserve2.exe)
• End any process named skynetave.exe
• End any process named hkey.exe
• End any process named msiwin84.exe
• End any process named wmiprvsw.exe
NOTE: Do not end the process named wmiprvse.exe; it is a legitimate system process.
After stopping the worm processes you should be able to download the security update and a Sasser removal tool.
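The process-name rules from the Microsoft guidance quoted above, written out as an added example (not part of the original post or of Microsoft's text): it checks image names against those rules and keeps the look-alike wmiprvse.exe off the list of processes to end. The function names and the sample process list are constructed for illustration.

```python
import re

# Name rules from the Microsoft guidance quoted in the post above.
# Windows image names are case-insensitive, so names are lower-cased first.
WORM_RULES = [
    ("NNNN_up.exe",   re.compile(r"\d{4,}_up\.exe")),  # 4 or more digits, then _up.exe
    ("avserve*",      re.compile(r"avserve.*")),       # avserve.exe, avserve2.exe, ...
    ("skynetave.exe", re.compile(r"skynetave\.exe")),
    ("hkey.exe",      re.compile(r"hkey\.exe")),
    ("msiwin84.exe",  re.compile(r"msiwin84\.exe")),
    ("wmiprvsw.exe",  re.compile(r"wmiprvsw\.exe")),
]

# Legitimate system process that differs from a listed worm name by one letter.
LOOKALIKES = {"wmiprvse.exe"}


def match_rule(image_name):
    """Return the label of the rule that the whole image name matches, or None."""
    name = image_name.strip().lower()
    for label, pattern in WORM_RULES:
        if pattern.fullmatch(name):
            return label
    return None


def triage(image_names):
    """Split names into (to_end, leave_alone): rule hits and look-alikes to keep."""
    to_end, leave_alone = [], []
    for raw in image_names:
        rule = match_rule(raw)
        if rule is not None:
            to_end.append((raw, rule))
        elif raw.strip().lower() in LOOKALIKES:
            leave_alone.append(raw)
    return to_end, leave_alone


# Constructed sample of image names, as they might be read off Task Manager.
SAMPLE = ["System", "lsass.exe", "services.exe", "wmiprvse.exe", "WMIPRVSW.EXE",
          "avserve2.exe", "12345_up.exe", "123_up.exe", "explorer.exe"]

if __name__ == "__main__":
    hits, keep = triage(SAMPLE)
    for name, rule in hits:
        print(f"end process: {name}  (rule: {rule})")
    for name in keep:
        print(f"leave running: {name}  (legitimate look-alike)")
```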