10 XP machines shut down at same time.

[Guest]

Have a lab of 10 XP machines.. about once a week or so... all computers at
the same time show 'lsass.. 60 seconds to shutdown restart'. have checked
for all virus'.. don't understand why all 10 do it at the same time. They
are on the same network (10.X.X.X) with internet access. These were 98
machines that were upgraded to XP. Any ideas?

 

[Yves Leclerc]

You need to run an anti-virus program on each. This is the classic symtoms
of a virus infection (Sasser or MSBlaster).

 

[John Harris]

The lsass.exe which is from Microsoft is located at
c:\windows\System32\lsass.exe . There's a few viruses that have been found
to run as lsass.exe to hide from you.


W32.HLLW.Lovgate.C@mm - Symantec Corporation
W32.Mydoom.L@mm - Symantec Corporation
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee

lsass.exe is a Windows System File and should be in a system directory. If
it is then this application is safe.

 

[Guest]

I've checked for all the virus' and they are clean. Have Norton Corporate
Edition Anti-virus. Definitions are up-to-date. Also downloaded and ran the
fixes for Sasser, etc ( didn't find any of the virus'). My experience with
these virus' is that it doesn't wait a week or two to occur again. And what
is really confusing me is that all 10 do it at the same time, within seconds
of each other.

 

[Malke]

You need to run an anti-virus program on each. This is the classic
symtoms of a virus infection (Sasser or MSBlaster).

In addition to what Yves said, understand that when you have a network
and network-aware worms, it is common for every machine on the network
to become infected. You need to disconnect each machine from the
network, clean it up thoroughly, and not bring the network up again
until every box is 100% clean.

Malke

 

[Guest]

I've checked for all the virus' and they are clean. Have Norton Corporate
Edition Anti-virus. Definitions are up-to-date. Also downloaded and ran the
fixes for Sasser, etc ( didn't find any of the virus'). My experience with
these virus' is that it doesn't wait a week or two to occur again. And what
is really confusing me is that all 10 do it at the same time, within seconds
of each other.

 

[Malke]

I've checked for all the virus' and they are clean. Have Norton
Corporate
Edition Anti-virus. Definitions are up-to-date. Also downloaded and
ran the
fixes for Sasser, etc ( didn't find any of the virus'). My experience
with
these virus' is that it doesn't wait a week or two to occur again.
And what is really confusing me is that all 10 do it at the same time,
within seconds of each other.

Since all the machines do it at the same time, there must be something
running that is causing it. It is too much of a coincidence that they
all shut down at the same time. What do those 10 machines have in
common? What makes them different from your other computers? I'm afraid
this is one of those times when only hands-on troubleshooting will do.
Be very methodical in your t-shooting - work on one machine, isolated,
at a time. Or else if time is of the essence, just flatten the systems
and reimage the drives.

Malke

 

[Steve N.]

Yves Leclerc wrote:




In addition to what Yves said, understand that when you have a network
and network-aware worms, it is common for every machine on the network
to become infected. You need to disconnect each machine from the
network, clean it up thoroughly, and not bring the network up again
until every box is 100% clean.

Malke

*AND* patched for the vulnerabilities.

Steve

 

[John Harris]

Sound slike flattening them is the best option right now. I can't imagine
having to go through all ten to find what is the same and what is different.
Were they all upgrades from an earlier OS? Did you do a clean install or the
upgrade? Have you checked the server itself for the virus?

 

[Plato]

In addition to what Yves said, understand that when you have a network
and network-aware worms, it is common for every machine on the network
to become infected. You need to disconnect each machine from the
network, clean it up thoroughly, and not bring the network up again
until every box is 100% clean.

Grin. Learned the hard way. Clean one computer, go to the next cube,
clean it, and the first one gets infected again

 

[V Green]

I've checked for all the virus' and they are clean. Have Norton Corporate
Edition Anti-virus. Definitions are up-to-date. Also downloaded and ran the
fixes for Sasser, etc ( didn't find any of the virus'). My experience with
these virus' is that it doesn't wait a week or two to occur again. And what
is really confusing me is that all 10 do it at the same time, within seconds
of each other.

How are they connected to the Internet? Through
one central proxy server or router? I would look at
what is COMMON to all the 10 affected machines,
i.e. the router/proxy. Sounds like, for whatever reason,
it might be letting something through.

 

[JerryMouse]

Have a lab of 10 XP machines.. about once a week or so... all
computers at the same time show 'lsass.. 60 seconds to shutdown
restart'. have checked for all virus'.. don't understand why all 10
do it at the same time. They are on the same network (10.X.X.X) with
internet access. These were 98 machines that were upgraded to XP.
Any ideas?

Remove 1 machine from the network.

I. If it does NOT go down when the remaining nine do, then you have
something being broadcast. Continue disconnecting machines until you find
the one doing the broadcasting. Concentrate on it.


II. If the disconnected machine DOES go down at (roughly) the same time as
the others, you can use it as your test bed to discover what's amiss with
all.

 

[Alan Wilcox]

Good approach. I'd also suggest ...

1. Rebuild just one machine, keep offline; see that it stays up when the 9 quit.
2. Put that single good one back in the network; does it stay up or quit?

Alan