Lsass.exe problem VIRUS or MEMORY Leak

Guest

Can anyone please help me?
My server has been down for the last 3 days; it hosts my mail and website.
It gives the error below:

System Shutdown This system is shutting down. Please save
all work in progress and log off. Any unsaved changes will
be lost. This shutdown was initiated by \

Time before shutdown: 00:00:59

Message

The system process 'C:\WINNT\System32\Lsass.exe'
terminated unexpectedly with status code 128. The system
will now shut down and restart

I have gone through many articles and I am confused, as some say it's a VIRUS and some say it's a Memory Leak problem.

Can anyone guide me on how to solve it? I can start the server in SAFE MODE. I have scanned for viruses in SAFE mode and there aren't any; I also downloaded the latest DATs.
 
Jason Hall [MSFT]

--------------------
Thread-Topic: Lsass.exe problem VIRUS or MEMORY Leak
X-WN-Post: microsoft.public.win2000.advanced_server
From: "Amit" <[email protected]>
Subject: Lsass.exe problem VIRUS or MEMORY Leak
Date: Fri, 30 Apr 2004 01:36:04 -0700

--------------------

There is a known exploit in LSASS that has been resolved by MS04-011. If
you are suffering from a virus infection, installing this update should
resolve the issue.
(If you unplug the network cable you should be able to boot up ok)

If the update doesn't work, check out the following article:
Q329894: "Windows Does Not Start After You Apply Security Roll Up Package
Q319733"


--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
bdboskovic

I have the same problem... I have found a virus
qhosts.apd in the system32/drivers/hosts directory. Try
using "stinger" from McAfee to remove the virus. Be sure
to apply the latest service packs from Microsoft.
 
Cindy

I have been having computer problems the past
few days. It only happens when I am hooked up to my router and cable
modem at home. I ran all day at work (well, until I had to leave to
get my crown in) today and yesterday with no problem. I assume work
has a much better firewall than is present in my router. Well, it
appears there's yet another security leak in Windows. BIG SURPRISE
(big eyeroll here). After 2 days of searching I found that I needed
an update. I applied it and everything appears OK now. Before, I
couldn't be on more than 20 minutes without having the computer shut down
with this message:



System Shutdown This system is shutting down. Please save
all work in progress and log off. Any unsaved changes will
be lost. This shutdown was initiated by \

Time before shutdown: 00:00:59

Message

The system process 'C:\WINNT\System32\Lsass.exe'
terminated unexpectedly with status code 128. The system
will now shut down and restart



This update from Microsoft appears to have fixed it:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Here's some info on it:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html
http://isc.sans.org/diary.php?date=2004-04-26

I would advise anyone running Windows to go to the first link to get
the appropriate fix. It appears someone out there is taking
advantage of this security leak and trying to gain control of random
PCs.

Cindy
 
Guest

Hi Cindy,
It indeed is a virus issue, a worm virus.
To resolve this I removed my system from the network, then I blocked all my ports and slowly removed one by one and kept only the ones which I need for my operations. The problem has been solved for 3 days; it has not restarted once.
Try doing it; it's a WORM virus.


 
wizaaard

Got the same error last 2 days. Place to look/clean is in
the registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I
got/removed avserve2.exe (also delete from c:\Windows).
This is not a solution; gets u back up until the next
time.
 
Nathan Thomas Sr

Jason,

I tried sending you an email, and this may sound odd, but did you ever
live in Puerto Rico? If you haven't, forgive me, but if you did, shoot me an
email.

Nathan
 
Jason Hall [MSFT]

--------------------
Content-Class: urn:content-classes:message
From: "wizaaard" <[email protected]>
Subject: Lsass.exe problem VIRUS or MEMORY Leak
Date: Mon, 3 May 2004 15:24:32 -0700
Got the same error last 2 days. Place to look/clean is in
the registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I
got/removed avserve2.exe (also delete from c:\Windows).
This is not a solution; gets u back up until the next
time.
-------------------

You are partway there......

Sasser info:
====================
http://sarc.com/avcenter/venc/data/w32.sasser.worm.html

Sasser removal tool:
====================
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

Manual Sasser removal:
=====================
Use the Task manager to kill the following processes:
*_up.exe
avserv*.exe
hkey.exe
msiwin84.exe
wmiprvsw.exe
Use Regedit from the command line to look for and remove any of the
following keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"avserve.exe" = C:\WINDOWS\avserve.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"windows"="hkey.exe"
"Microsoft Update"="msiwin84.exe"
"System Updater Service"="wmiprvsw.exe"
"avserve2.exe" = %WINDIR%\avserve2.exe

Search for & delete the following files from the harddrive:
C:\WINDOWS\avserv*.exe
c:\WINDOWS\system32\*_up.exe
avserve*.exe
hkey.exe
msiwin84.exe
wmiprvsw.exe



--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
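
The Run-key check from the manual removal steps above, as an added example that is not part of the original thread or Jason's post: it parses a regedit export and flags values under the Run key whose target matches the file names listed there. The sample export text and all function names are constructed for illustration.

```python
import fnmatch
import ntpath
import re

# File-name patterns taken from the manual-removal list in the post above.
SASSER_FILE_PATTERNS = ["*_up.exe", "avserv*.exe", "hkey.exe", "msiwin84.exe", "wmiprvsw.exe"]
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed sample in regedit export (.reg) layout; not captured from a real host.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"avserve2.exe"="C:\\WINNT\\avserve2.exe"
"Microsoft Update"="msiwin84.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"installer"="C:\\WINNT\\setup.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def is_sasser_name(path):
    """True if the file-name part of a command line matches a listed pattern."""
    exe = ntpath.basename(path.strip().strip('"').split(" /")[0]).lower()
    return any(fnmatch.fnmatchcase(exe, p) for p in SASSER_FILE_PATTERNS)

def suspicious_run_values(reg_text):
    """Return (value name, data) pairs under ...\\Run whose name or target matches."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: track whether we are inside ...\Run
            in_run_key = line.strip("[]").lower().endswith(RUN_KEY_SUFFIX)
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if is_sasser_name(data) or is_sasser_name(name):
                hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE_REG_EXPORT):
        print(f"Run value {name!r} -> {data}")
```

The wildcard patterns are broad, so a hit is a value to review against the removal list rather than proof of infection.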
 
