melinhomes

asked on

LSA Shell encountered a problem and needed to close

Hi.

We're having a problem with one of our servers at a remote site & if I had any hair, I'd be tearing it out. The issue is with a server running SBS2003.

We needed to switch our Antivirus software on the server. We were using E-Trust but switched to ClamWin as it's a temporary solution for an office that is likely to be getting integrated into our own in the near future.

Since doing this, we're constantly having the LSA Shell message in the title of this thread come up on screen in a Windows crash report. The generated files are attached below.

Once the LSA Shell message comes up, the system then initiates the lsass.exe shutdown command, giving me 30 seconds' notice of the PC being shut down. I can run the shutdown -a command to stop it but once this happens, the users do not have access to their email or their network drives.

Initially I thought that switching the Anti-Virus had caused us to pick up the Sasser virus. But this does not appear to be the case. I've run the Antivirus scan in full, used Symantec's Sasser removal tool which didn't locate the Virus at all & also ensured that it is fully patched with the correct service pack on it.

It appears as if in removing the AV that it has yanked out some of the dll files or registry files linking the two together & as a result is causing the issue. Somehow corrupting the lsass.exe executable file. However, I'm a little stumped as to what to do to resolve this.

Could anybody help advise or make a suggestion regarding this? It would be much appreciated.
manifest.txt
appcompat.txt
ASKER CERTIFIED SOLUTION
johnb6767
melinhomes

ASKER

Sorry about not responding to this.

The issue wasn't actually a Sasser infection; I ran various tools, none of which found any viruses. The problem appeared to be a corruption of a piece of the redundant antivirus software that had left itself in the system.

I used the various commands usually used to stop shutdown with Sasser which allowed me to get into the registry & remove the entries for the dead software which resolved the issue.