Lsass Error

Guest
Archived from groups: microsoft.public.win2000.security

Hi,

Need your immediate help. All of a sudden approx 25
machines have developed a malicious problem at EXL Noida.
Every now and then they give the error message "Lsass.exe
terminated unexpectedly with error code 128" and reboot.
We have checked these machines for viruses through McAfee
Virus Enterprise that is installed as well as third-party
tools from Microsoft/CA/Symantec/McAfee for Sasser,
but none of these have reported any infections. Also
checked for the patch Windows2000-KB835732-x86-ENU.EXE
(MS04-011), but the problem is happening even on the
machines which have these patches installed long back.
Have also checked the machines thoroughly for the symptoms
mentioned by many websites to look for Sasser infections,
but found nothing. Event viewer of the affected systems is
also not indicating any anomaly.

Request your expertise in cracking and preventing this
problem from spreading. Please let us know in case you
need more information.

Thanks,

Vinay Goel
 
Guest

Make sure these computers are 100 percent up to date on critical updates,
assuming they have been tested to not cause a problem with your
configuration, though you are on a short time frame solution. However,
installing a needed critical update will not help an existing problem but
can help prevent reoccurrence.

Those computers need to be isolated from any other properly functioning
computers ASAP until it can be determined what the problem is, what course
of action needs to be taken that may involve a total rebuild, and repairs
and preventive measures have been implemented.

Contact your antivirus vendor ASAP as to how to proceed and for any other
helpful info. In the meantime, third-party tools may help determine what
processes/executables/registry entries are causing this to happen. Booting
into safe mode with networking may help in giving more time to see what is
going on. SysInternals has some free tools. In particular, Process Explorer,
Autoruns, and TCPView should help. Also search
http://www.symantec.com/avcenter/ and http://www.google.com web AND groups
to see if you can track down any more info relating to what you find.

--- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

 
Guest

Thanks Steve. Will work out as per your suggestions.

Vinay

 

frank

Vinay,

Hello. I currently am experiencing these
same symptoms. Also has disabled internet by flooding
firewall with outgoing requests. It seems to be
associated with a process called "svchosting.exe". It
also creates 4 registry entries starting the same
process. I have had 3 PCs which sent over 9 billion
packets in an hour, yet there is no documentation on this
anywhere on the internet. Currently using Norton
Corporate Edition, but haven't seen anything on any
antivirus site. Good luck. Hope this helps.

Frank
 
Guest

We are having the same problem with two machines. SVCHosting.exe is
using 100% of the CPU. One machine that will be on our system after
we baseline it has about 20 Windows Updates waiting in the queue to
run. There is another machine that is baseline that was up to date.
It is writing 4 registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SVCHosting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\SVCHosting.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVCHosting.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SVCHosting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SVCHosting.exe

Go into SAFE MODE and use regedit to remove all of the registry keys
above. You can also search the registry for svchosting.exe and delete
each occurrence.
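
A read-only check of the autorun locations listed in the post above, useful for recording what is there before anything is deleted. This is an added PowerShell example, not part of the original thread. It assumes the entries are registry values whose name or data contains `svchosting.exe`, and that PowerShell 4 or later is available for `Get-FileHash`.

```powershell
# Added example: read-only audit of the autorun keys named in the post above.
# Assumption: the indicator appears as a value name or in the value data.
$Indicator   = 'svchosting.exe'
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Collect every autorun value that references the indicator (case-insensitive).
$findings = foreach ($keyPath in $AutorunKeys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -like "*$Indicator*" -or $data -like "*$Indicator*") {
            [pscustomobject]@{ Key = $keyPath; ValueName = $name; Data = $data }
        }
    }
}

if (-not $findings) {
    Write-Output "No autorun value references $Indicator under the listed keys."
    return
}

# For each hit, locate the file on disk and hash it so the sample can be
# identified and sent to the antivirus vendor before the entry is removed.
foreach ($f in $findings) {
    $exe = $f.Data
    if ($f.Data -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($f.Data -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }

    # A bare file name is resolved against the Windows directories.
    $candidates = if ([IO.Path]::IsPathRooted($exe)) { @($exe) } else {
        @((Join-Path $env:SystemRoot "System32\$exe"), (Join-Path $env:SystemRoot $exe))
    }
    $file = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $hash = if ($file) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { 'file not found' }

    [pscustomobject]@{
        Key = $f.Key; ValueName = $f.ValueName; Data = $f.Data; File = $file; SHA256 = $hash
    }
}
```

Run it once per logged-on user profile, since the two HKCU paths only cover the account the script runs under.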
 
Guest

It appears to be a new variant of the Backdoor.Sdbot Trojan horse.
Symantec's Intelligent Updater definitions catch it as of the 25th,
although it appears that the Live Update defs have yet to catch up.

It definitely appears to replicate using a recently discovered Windows
security hole; our most patched workstations were not infected, while
the others were.

Here's a write-up of the Sdbot family:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html

Ben