Lsass Error


Vinay Goel

Hi,

Need your immediate help. All of a sudden approx 25
machines have developed a malicious problem at EXL Noida.
Every now and then they give the error message "Lsass.exe
terminated unexpectedly with error code 128" and reboot.
We have checked these machines for viruses through McAfee
Virus Enterprise, which is installed, as well as third party
tools from Microsoft/CA/Symantec/McAfee for Sasser,
but none of these have reported any infections. Also
checked for the patch Windows2000-KB835732-x86-ENU.EXE
(MS04-011), but the problem is happening even on the
machines which have had these patches installed long back.
Have also checked the machines thoroughly for the symptoms
mentioned by many websites to look for Sasser infections,
but found nothing. Event viewer of the affected systems is
also not indicating any anomaly.

Request your expertise in cracking and preventing this
problem from spreading. Please let us know in case you
need more information.



Thanks,

Vinay Goel
 
Make sure these computers are 100 percent up to date on critical updates,
assuming they have been tested to not cause a problem with your
configuration, though you are on a short time frame solution. However,
installing a needed critical update will not help an existing problem but
can help prevent recurrence.

Those computers need to be isolated from any other properly functioning
computers ASAP until it can be determined what the problem is, what course
of action needs to be taken that may involve a total rebuild, and repairs
and preventive measures have been implemented.

Contact your antivirus vendor ASAP as to how to proceed and for any other
helpful info. In the meantime third party tools may help determine what
processes/executables/registry entries are causing this to happen. Booting
into safe mode with networking may help in giving more time to see what is
going on. SysInternals has some free tools. In particular Process Explorer,
Autoruns, and TCPView should help. Also search
http://www.symantec.com/avcenter/ and http://www.google.com web AND groups
to see if you can track down any more info relating to what you find. ---
Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
 
Thanks Steve. Will work out as per your suggestions.

Vinay

Vinay,



Hello. I currently am experiencing these
same symptoms. It has also disabled the internet by flooding
the firewall with outgoing requests. It seems to be
associated with a process called "svchosting.exe". It
also creates 4 registry entries starting the same
process. I have had 3 PCs which sent over 9 billion
packets in an hour, yet there is no documentation on this
anywhere on the internet. Currently using Norton
Corporate Edition, but haven't seen anything on any anti-virus
site. Good Luck. Hope this helps.


Frank
 
We are having the same problem with two machines. SVCHosting.exe is
using 100% of the CPU. One machine that will be on our system after
we baseline it has about 20 Windows Updates waiting in the queue to
run. There is another machine that is baseline that was up to date.
It is writing 4 registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SVCHosting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\SVCHosting.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVCHosting.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SVCHosting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SVCHosting.exe

Go into SAFE MODE and use regedit to remove all of the registry keys
above. You can also search the registry for svchosting.exe and delete
each occurrence.
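The manual regedit search described in the post above can be scripted so that every affected machine is checked the same way and the findings are recorded before anything is deleted. The script below is an added example and is not code from this thread or from any poster; it assumes Windows PowerShell running as Administrator, takes the autostart key list and the svchosting.exe name from the post above, and only removes entries when -Remove is passed explicitly.

```powershell
# Added example: report (and optionally remove) autostart entries that reference
# svchosting.exe. Run as Administrator. Without -Remove the script is read-only.
param([switch]$Remove)

# Indicator name as reported in the thread; change it to hunt a different name.
$Indicator = 'svchosting.exe'

# Autostart keys listed in the post. Not every key exists on every Windows
# version (RunServices in particular), so missing keys are simply skipped.
$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-SuspiciousAutostart {
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Match on the value name or on the command line it launches.
            if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

$hits = @(Find-SuspiciousAutostart -Keys $AutostartKeys -Pattern $Indicator)
if ($hits.Count -eq 0) {
    Write-Host "No autostart entries referencing $Indicator"
    return
}

$hits | Format-Table -AutoSize

# Record the file on disk each entry points at (size, timestamp, hash) before
# anything is changed, so the evidence survives the cleanup.
foreach ($h in $hits) {
    $exe = ($h.Data -replace '"', '').Split(' ')[0]
    if ($exe -and (Test-Path $exe)) {
        Get-Item $exe |
            Select-Object FullName, Length, LastWriteTime,
                @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName).Hash } }
    }
}

if ($Remove) {
    # Only on explicit request: delete the autostart value. The binary itself
    # is left for the AV product / manual cleanup in safe mode, as the thread advises.
    foreach ($h in $hits) {
        Remove-ItemProperty -Path $h.Key -Name $h.Name -Verbose
    }
}
```

Save it as a .ps1 and run it once without -Remove to collect the report from each machine; the hash column lets you compare the dropped file across hosts and submit it to your AV vendor, which Steve's reply above recommends doing before cleanup.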
 
It appears to be a new variant of the Backdoor.Sdbot Trojan horse.
Symantec's Intelligent Updater definitions catch it as of the 25th,
although it appears that the Live Update defs have yet to catch up.

It definitely appears to replicate using a recently discovered Windows
security hole; our most patched workstations were not infected, while
the others were.

Here's a write-up of the Sdbot family:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html

Ben
 
Thank you for the response.
Deleting the registry entries helped.
It had also put the file in C:\Windows\System or
C:\Winnt\System32.

It was not completely stopped until these files were cleared.
Thanks again.

Frank
 