Re: Lsass Error
anonymous_at_discussions.microsoft.com
Date: 07/27/04
- Next message: Sean McCourt: "Windows 200 SIDs - Viewing"
- Previous message: mmac: "Re: Should I install my own CA for use with OWA?"
- In reply to: Matt Johnson: "Re: Lsass Error"
- Next in thread: Ben Finberg: "Re: Lsass Error"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jul 2004 16:55:35 -0700
>-----Original Message-----
>"Frank" <anonymous@discussions.microsoft.com> wrote in
message news:<3c4401c472b9$becf0110$a401280a@phx.gbl>...
>> >-----Original Message-----
>> >Hi,
>> >
>> >Need your immediate help. All of a sudden approx 25
>> >machines have developed a malicious problem at EXL
>> Noida.
>> >Every now and then they give the error
>> message "Lsass.exe
>> >terminated unexpectedly with error code 128" and
>> reboots.
>> >We have checked these machines for virus through
Mcafee
>> >Virus Enterprise that is installed as well as third
>> party
>> >tools that from Microsoft/CA/Symantec/Mcafee for
Sasser,
>> >but none of these have reported any infections. Also
>> >checked for the patch Windows2000-KB835732-x86-
ENU.EXE
>> >(MS04-011), but the problem is happening even on the
>> >machines which have these patches installed long
back.
>> >Have also checked the machines thoroughly for the
>> symptoms
>> >mentioned by many websites to look for Sasser
>> infections,
>> >but found nothing. Event viewer of the affected
systems
>> is
>> >also not indicating any anomaly.
>> >
>> >
>> >
>> >Request your expertise in cracking and preventing
this
>> >problem from spreading. Please let us know in case
you
>> >need more information
>> >
>> >
>> >
>> >Thanks,
>> >
>> >Vinay Goel
>> >
>> >.
>>
>>
>>
>>
>> Vinay,
>>
>>
>>
>> Hello. I currently am experiencing these
>> same symptoms. Also has disabled internet by flooding
>> firewall with outgoing requests. It seems to be
>> associated with a process called "svchosting.exe". It
>> also creates 4 registry entries starting the same
>> process. I have had 3 pc's which sent over 9 billion
>> packets in an hour, yet there is no documentation on
this
>> anywhere on the internet. Currently using Norton
>> Corporate Edition, but haven't seen anything on any
anti-
>> virus sight. Good Luck. Hope this helps.
>>
>>
>> Frank
>> >
>
>We are having the same problem with two machines.
SVCHosting.exe is
>using 100% of the CPU. One machine that will be on our
system after
>we baseline it has about 20 Windows Updates waiting in
the queue to
>run. There is another machine that is baseline that was
up to date.
>It is writing 4 registry keys:
>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SVCHos
ting.exe
>HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\SV
CHosting.exe
>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVCHos
ting.exe
>HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SV
CHosting.exe
>HKLM\Software\Microsoft\Windows\CurrentVersion\RunService
s\SVCHosting.exe
>
>Go into SAFE MODE and use regedit to remove all of the
registry keys
>above. You can also search the registry for
svchosting.exe and delete
>each occurence.
>.
>
Thank you for the response.
Deleting the registry entries helped.
Also had put the file in the C:\Windows\System or
C:\Winnt\System32.
Was not completely stopped until these files were cleared.
Thanks again.
Frank
- Next message: Sean McCourt: "Windows 200 SIDs - Viewing"
- Previous message: mmac: "Re: Should I install my own CA for use with OWA?"
- In reply to: Matt Johnson: "Re: Lsass Error"
- Next in thread: Ben Finberg: "Re: Lsass Error"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
