Windows

General discussion

Locked

LSASS.EXE shuting down pc's

By BobbyJGR ·
HELP I have windows 2000 pc's and Windows XP machines and the problem is I am getting a message from Winnt\authority saying something about lsass.exe and code128 and the pc will reboot in 55 seconds. If I take the pc off the network it boots up and stays up. I have run the sasser fix tool from Symantec and the Koberg tool from Symantec neither one found anything. Or Symantec Corp Edition virus definitions are up to date and scanning the pc finds nothing.
Any Ideas.
P.S. As soon as we put the pc back on the network we get the message and the pc reboots
Thanks ahead of time

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by Joseph Moore In reply to LSASS.EXE shuting down pc ...

Oh yeah, like it has been mentioned, it's a Sasser-style worm thats hitting your machine. It doesn't necessarily need to be Sasser, though. Several viruses/worms have been exploiting the same vulnerability in LSASS.EXE. Viruses like Kibuv, Bobax, Gaobot, Korgo and Explet all use this same attack method, and all would trigger a failure in LSASS.EXE. So, it could be any of them that's hitting you. Just scanning for Sasser and/or Korgo doesn't cut it.

You need the patch to prevent LSASS.EXE from being exploited in the first place to prevent all of these different viruses/worms from triggering the reboot.

Here's the link again for the patch from Microsoft:
http://tinyurl.com/37grk

hope this helps

Collapse -

by BobbyJGR In reply to LSASS.EXE shuting down pc ...

I agree with you all about it being some type of sasser variant, but it's kicking our butt here, I tried patching one pc so far with no luck I will try a few more to see what happens, I called it quits for the night be back early in the a.m. Just to make mention we have about 6 win98 pc's they are all up and running fine, never affected. I am glad it didn't spread acroos our vlans so far it is only on 1 vlan in our other building. I'll keep ya ll updated

Collapse -

by jimart_a In reply to LSASS.EXE shuting down pc ...

I experience that in our server first scan your computer for probable virus, I suggest mcafee stinger (Boot in Safe mode)then have a copy of Microsoft update in Microsoft site download Windows 2000 KB835732 update if you can copy it in your machine much better. Boot in Safe Mode, then have a copy of shutdown.exe you can have a copy in XP machine, install the Windows update. If you encounter an LSASS error execute the (shutdown -a) at run prompt. Have a copy of Zone Lab Pro in your pc to avoid this problem it acts as a firewall and I recommend it for intrusion and virus prevention...I have it can help...

Collapse -

by YetAnotherAdmin In reply to LSASS.EXE shuting down pc ...

When I was hit with Sasser I found that the machines being shut down weren't necessarily infected. In fact most shut downs were on 2k boxes while infections were almost entirely limited to Xp. Patch and run stinger or the microsoft removal tool on all 2k and Xp boxes. If you find a box with more than 1675 infections you can have the title.

Collapse -

by t_alexey In reply to LSASS.EXE shuting down pc ...

Download all patches for winXP from Microsoft.com and install them!
That is all you need.
After that I forgot about Lsass.

Good luck.
Alexey.

Collapse -

by BobbyJGR In reply to

Poster rated this answer.
It wasn't all I needed

Collapse -

by BobbyJGR In reply to LSASS.EXE shuting down pc ...

This question was closed by the author

Related Discussions

Related Forums