Re: lsass.exe fails and reboots

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/05/05

    Date: Sun, 5 Jun 2005 15:56:50 -0500
    
    

    Chris.

    If your firewall is allowing connections to port 445 or other unauthorized
    ports then you need to close that ASAP. You can use a free self scan site
    such as http://scan.sygatetech.com/. Port 445 availability indicates that
    file and print sharing is enabled on the external network adapter. You
    should disable file and print sharing on that network adapter ASAP. Note
    that doing such will not allow you to manage the server via Computer
    Management or other means that use SMB; however, you can use Remote Desktop
    Management to manage the server assuming it is enabled. A RDP connection
    over the internet would be encrypted. If you are having problems with Kerio,
    note that Windows 2003 also has a built in firewall [though not a very
    flexible one until SP1 but I believe SP1 will enable it by default and may
    lock you out] or an ipsec filtering policy that can be used to supplement
    the firewall until everything is working correctly. If you try to configure
    such you have to be absolutely sure that you will be able to access the
    computer before you enable the Windows firewall or ipsec filtering policy or
    you can be blocked out to all but local console logon.

    If problems still continue after making sure your network is secure from
    the internet and after doing malware scans I would be sure to contact
    Symantec to see what they have to say. Not being able to boot into safe mode
    is a big disadvantage. Yes I would run Process Explorer, Autoruns, and
    TCPView to see if you can find any rogue process that should not be there.
    TCPView will show what ports are being used on the computer and by what
    process/executable. Autoruns will show what programs are started
    automatically when the computer starts up and gives you the option to
    disable the program from starting automatically. If you find a questionable
    process try searching Google web AND news for more information on the
    process and related executable and let Symantec know about it to see if they
    can help. The link below is to Microsoft's Antivirus in Depth Guide which
    you may want to read. It is geared to system admins and power users. The
    last link is to a site that has good info on processes. -- Steve

    http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
    http://www.liutilities.com/products/wintaskspro/processlibrary/

    "ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
    news:7C20B853-BA0D-4229-852A-D4A912E56EEC@microsoft.com...
    > Hi Steve,
    >
    > Thanks for your reply. We currently have a fully up-to-date version of
    > Symantec Corporate AV running which is updated daily... Sysclean is going as
    > we speak :) On other forums where I've posted this issue as we are really
    > starting to struggle to sort the problem they have all said "firewall
    > firewall firewall" now when using a port scanner port 445 (which is sasser
    > port) was getting connected by weird locations ie china (these are UK
    > gaming servers) but nothing happened after. We are trying to get our firewall
    > on but having an issue with Kerio Server Firewall which tbh is the best we
    > can use.
    >
    > I cannot boot into safe mode as these servers are only usable via terminal
    > services. These are stored in a data centre and I would have to pay for
    > technical support for an admin to do something.
    >
    > So what do you recommend, use SysInternals and see what results it
    > brings up?
    >
    >
    > "Steven L Umbach" wrote:
    >
    >> Hi Chris.
    >>
    >> I guess the problem is not simple if you have already gone through what you
    >> have with no success. I don't know what it is offhand but I would suggest
    >> that you make sure that you are using the latest virus definition files from
    >> your vendor as of today and email or contact them with specifics about your
    >> problem. Trend Micro also has a free detection and removal tool called
    >> Sysclean and the matching pattern file has a date of June 4, 2005. You
    >> simply download Sysclean and the pattern file to a common folder to run
    >> from - no need to install. You might also want to try running your malware
    >> removal tools in safe mode.
    >>
    >> SysInternals also makes a number of free tools that may be of help in
    >> tracking down processes, port use, and startup programs on your computer
    >> such as Process Explorer, TCPView, and Autoruns. They also have a root kit
    >> detection tool called RootKitRevealer. When using such tools it is often
    >> very helpful to compare results to a like configured known clean computer.
    >> The links below may be of help. --- Steve
    >>
    >> http://www.trendmicro.com/download/dcs.asp
    >> http://www.trendmicro.com/download/pattern.asp
    >> http://www.sysinternals.com/Utilities/ProcessExplorer.html
    >> http://www.virustotal.com/flash/index_en.html
    >>
    >> "ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
    >> news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
    >> > Hello all,
    >> >
    >> > Simple problem this.. Looks like Sasser Worm has hit my Server 23k
    >> > Enterprise (actually all 3 of our server boxes we have). I get lsass.exe
    >> > has caused an error and reboots after 60 seconds.. the problem is
    >> > intermittent... it's been fine for days and we thought it was just a bug
    >> > but now it's doing it every couple of hours.
    >> >
    >> > When I boot up in the event log there is: A critical system process,
    >> > C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
    >> >
    >> > Right, I've used Stinger and Norton removal tools but nothing is picking
    >> > up this. Says I am clean? Tried McAfee, Symantec Corporate AntiVirus and
    >> > AVG to see if it picks it up and get nothing. Tried Ad-Aware and Microsoft
    >> > Malicious Software tool thinking it may be some form of malware but
    >> > nothing either. The server is fully up-to-date with its Windows patches
    >> > and service packs. By googling the error someone has had the problem as
    >> > well but no one replied. In Sasser related posts they recommended changing
    >> > the "restart when crashes" system in services by changing to restart
    >> > service instead of restart computer but it doesn't look like it worked.
    >> > Someone also said when the error comes up do (I think) shutdown -a in
    >> > DOS.. thinking this we put it in a bat script and launched it every 50
    >> > seconds. This failed also; I've changed it to 10 seconds but I'll have to
    >> > wait and see if it works.
    >> >
    >> > On event log here is the source and id:
    >> >
    >> > Source: LSAsrv
    >> > ID: 5000
    >> >
    >> > and two of the error messages:
    >> >
    >> > Faulting application lsass.exe, version 5.2.3790.0, faulting module
    >> > lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
    >> >
    >> > A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
    >> > status code c0000005. The machine must now be restarted.
    >> >
    >> > If you need any info please say. These 3 servers have our customers on
    >> > there and as you can imagine it's starting to annoy everyone
    >> >
    >> > Chris
    >>
    >>
    >>
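Steve's first check above is whether file and print sharing (port 445 and friends) is reachable from outside. The following is an added example, not code from the thread: it parses constructed `netstat -ano` output (the same data TCPView shows) and reports sharing ports bound on all interfaces plus established sharing sessions whose peer is outside the networks you declare internal. The sample addresses are RFC 5737 documentation ranges and the internal network list is an assumption.

```python
import ipaddress

# SMB over TCP (445), NetBIOS (137-139) and the RPC endpoint mapper (135): reachable
# on the Internet-facing adapter, these mean file and print sharing is exposed.
SHARING_PORTS = {135, 137, 138, 139, 445}

# Constructed sample of `netstat -ano` output. 192.168.1.x is the server's LAN; the
# 198.51.100.x / 203.0.113.x peers are RFC 5737 documentation addresses, not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:445       192.168.1.25:1044      ESTABLISHED     4
  TCP    192.168.1.10:445       198.51.100.23:3021     ESTABLISHED     4
  TCP    192.168.1.10:3389      203.0.113.5:51234      ESTABLISHED     1204
  UDP    0.0.0.0:137            *:*                                    4
"""

def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or non-socket line
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "local_ip": local_ip, "local_port": int(local_port),
                     "remote_ip": remote_ip, "remote_port": remote_port,
                     "state": parts[3] if len(parts) == 5 else "", "pid": int(parts[-1])})
    return rows

def sharing_exposure(rows, internal_nets):
    """Return (listeners, external): sharing ports bound on every interface, and
    established sharing-port sessions whose peer lies outside the internal networks."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    listeners = [(r["proto"], r["local_port"], r["pid"]) for r in rows
                 if r["local_port"] in SHARING_PORTS and r["state"] in ("LISTENING", "")
                 and r["local_ip"] in ("0.0.0.0", "[::]")]
    external = []
    for r in rows:
        if r["local_port"] in SHARING_PORTS and r["state"] == "ESTABLISHED":
            peer = ipaddress.ip_address(r["remote_ip"])
            if not any(peer in net for net in nets):  # peer is not on a declared internal net
                external.append((r["remote_ip"], r["local_port"], r["pid"]))
    return listeners, external
```

Anything in the `external` list is an SMB session from a non-internal address, which is exactly the condition Steve says must be closed at the firewall first.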


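Chris's event log carries two messages per crash: the "Faulting application" line with module and fault address, and the LSAsrv "critical system process failed" line with status code c0000005. As an added example, not part of the thread, the script below correlates constructed (timestamp, message) records modelled on those two lines, builds a crash signature from module, module version and fault address, and measures the gap between crashes; a single repeated signature every couple of hours is the pattern Chris describes. The sample timestamps and the unrelated noise line are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Patterns for the two event messages quoted in the thread.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>\S+), faulting module "
    r"(?P<mod>\S+), version (?P<mod_ver>\S+), fault address (?P<addr>0x[0-9a-fA-F]+)")
CRITICAL_RE = re.compile(
    r"A critical system process, (?P<path>\S+), failed with status code (?P<status>[0-9a-fA-F]+)")

# Constructed sample log: four crash pairs a couple of hours apart, plus one unrelated event.
def _fault_msg(addr):
    return (f"Faulting application lsass.exe, version 5.2.3790.0, faulting module "
            f"lsasrv.dll, version 5.2.3790.1023, fault address {addr}.")

CRIT_MSG = ("A critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with "
            "status code c0000005. The machine must now be restarted.")
SAMPLE_EVENTS = [("2005-06-05 02:30:00", "Service started normally (constructed noise).")]
for _ts in ("2005-06-05 01:12:00", "2005-06-05 03:40:00", "2005-06-05 05:55:00", "2005-06-05 08:02:00"):
    SAMPLE_EVENTS += [(_ts, _fault_msg("0x0002a411")), (_ts, CRIT_MSG)]

def triage_lsass_crashes(events):
    """Correlate lsass.exe fault and critical-process events from (timestamp, message) pairs."""
    faults, statuses, times = Counter(), Counter(), []
    for ts, msg in events:
        m = FAULT_RE.search(msg)
        if m and m.group("app").lower() == "lsass.exe":
            # Signature = faulting module, its version and the fault offset: one
            # signature repeated on every crash means the same code path dies each time.
            faults[(m.group("mod"), m.group("mod_ver"), m.group("addr"))] += 1
            times.append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            continue
        c = CRITICAL_RE.search(msg)
        if c and c.group("path").lower().endswith("lsass.exe"):
            statuses[c.group("status").lower()] += 1  # c0000005 is STATUS_ACCESS_VIOLATION
    times.sort()
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return {
        "crashes": len(times),
        "signatures": dict(faults),
        "status_codes": dict(statuses),
        "min_gap_min": min(gaps) if gaps else None,
        "max_gap_min": max(gaps) if gaps else None,
        "same_fault_every_time": len(faults) == 1,
    }
```

Running the same function over logs from all three servers (and a known-clean one, as Steve suggests) shows at a glance whether they share one signature or are failing in different places.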