PDA

View Full Version : Win2k shuts down with message "C:\Windows\System32\lsass.exe" Status Code 128

Joe
Almost immeidately i had 2 PCs go down and return a
dialogue box with this message.

I thought it may be some old DCOM or RPC vulnerability
that wasn't patched, but some newsgroups show this as a
recent topic. Please advise if this is just something
that I am overlooking or a new vulnerability in w2k/sp4.

thanks

Sartan Dragonbane
Most definately a Virus...
Considering that it will only take a well-crafted virus a few minutes to
propogate over the entire internet, you might want to run a scan on the
computers.
Step A) Log on to your computer, and go to Administrative Tools, Services,
Remote Procedure Call (RPC).
Go to the recovery tab, and change all three failures to "Take No Action" so
your computer doesn't reboot while you work on removing whatever virus you
might have.

You can get a free virus scan from Trend Micro --
http://housecall.antivirus.com



"Joe" wrote in message
news:628e01c42e55$1ce95c90$a401280a@phx.gbl...
> Almost immeidately i had 2 PCs go down and return a
> dialogue box with this message.
>
> I thought it may be some old DCOM or RPC vulnerability
> that wasn't patched, but some newsgroups show this as a
> recent topic. Please advise if this is just something
> that I am overlooking or a new vulnerability in w2k/sp4.
>
> thanks
>


joshua
Oh good, I'm not the only one. This happened to me on
restart after installing Windows Updates. The only
difference is mine says ...System32\services.exe. But it's
the same code, 128. How can we get Microsoft to fix this?
Their Updates created the problem...


>-----Original Message-----
>Almost immeidately i had 2 PCs go down and return a
>dialogue box with this message.
>
>I thought it may be some old DCOM or RPC vulnerability
>that wasn't patched, but some newsgroups show this as a
>recent topic. Please advise if this is just something
>that I am overlooking or a new vulnerability in w2k/sp4.
>
>thanks
>
>.
>
So here's what the resolution was: the 2 PCs that went
down in this manner aparently were being exploited by one
of the DCOM or RPC worms that are broadcasting out there.
They both had SP2 and SP3 respectively - so just had to
get Windows Updated to SP4 and install any other critical
updates. After that, we were good to go. SO, my bad for
not keeping my machines updated :-/

It's just interesting that this is not the only "fresh"
post of this issue! So there might be a timing mechanism
in one of those worms that were triggered on April 29,
2004.

Joe

>-----Original Message-----
>Almost immeidately i had 2 PCs go down and return a
>dialogue box with this message.
>
>I thought it may be some old DCOM or RPC vulnerability
>that wasn't patched, but some newsgroups show this as a
>recent topic. Please advise if this is just something
>that I am overlooking or a new vulnerability in w2k/sp4.
>
>thanks
>
>.
>
Cindy
I have been having computer problems the past
few days. It only happens when I am hooked up to my router and cable
modem at home. I ran all day at work (well until I had to leave to
get my crown in) today and yesterday with no problem. I assume work
has a much better firewall than is present in my router. Well it
appears theres yet another security leak in windows. BIG SUPRISE
(big eyeroll here). After 2 days of searching I found that I needed
an update. I applied and everything appears ok now. Before I
couldn't be on more than 20 minutes and have the computer shut down
with this message:



System Shutdown This system is shutting down. Please save
all work in progress and log off. Any unsaved changes will
be lost. This shutdown was initiated by \

Time before shutdown: 00:00:59

Message

The system process 'C:\WINNT\System32\Lsass.exe'
terminated unexpectedly with status code 128. The system
will now shut down and restart



This update from microsoft appears to have fixed it:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Heres some info on it:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html
http://isc.sans.org/diary.php?date=2004-04-26

I would advise anyone running windows to go to the first link to get
the appropriate fix. It appears someone out there is taking
advantage of this security leak and trying to gain control of random
pcs.

Cindy


wrote in message news:<6a3501c42ee3$05c27360$a401280a@phx.gbl>...
> So here's what the resolution was: the 2 PCs that went
> down in this manner aparently were being exploited by one
> of the DCOM or RPC worms that are broadcasting out there.
> They both had SP2 and SP3 respectively - so just had to
> get Windows Updated to SP4 and install any other critical
> updates. After that, we were good to go. SO, my bad for
> not keeping my machines updated :-/
>
> It's just interesting that this is not the only "fresh"
> post of this issue! So there might be a timing mechanism
> in one of those worms that were triggered on April 29,
> 2004.
>
> Joe
>
> >-----Original Message-----
> >Almost immeidately i had 2 PCs go down and return a
> >dialogue box with this message.
> >
> >I thought it may be some old DCOM or RPC vulnerability
> >that wasn't patched, but some newsgroups show this as a
> >recent topic. Please advise if this is just something
> >that I am overlooking or a new vulnerability in w2k/sp4.
> >
> >thanks
> >
> >.
> >
Peter van der Woude
Probably the new Sasser worm:
http://vil.nai.com/vil/content/v_125007.htm

Peter

> Almost immeidately i had 2 PCs go down and return a
> dialogue box with this message.
>
> I thought it may be some old DCOM or RPC vulnerability
> that wasn't patched, but some newsgroups show this as a
> recent topic. Please advise if this is just something
> that I am overlooking or a new vulnerability in w2k/sp4.
>
> thanks
>