Re: lsass.exe is missing on our w2k server and cannot be restored

From: Shannon Jacobs (shanen_at_my-deja.com)
Date: 05/18/04

  • Next message: Merrick: "Windows 2000 users accounts get locked out"

Date: Tue, 18 May 2004 15:40:58 +0900

Hmm... I hope this isn't related to what I discovered on a friend's machine
recently. There were two versions of LSASS present, and one of them was a
Trojan. As usual, when I'm desperately tinkering around without really
understanding, I can't recall all of what I did, though I nearly lost the
"patient" when I was dinging on the wrong (actually the legitimate) LSASS.
In her case, it should be rebuild-the-universe time, but she can't remember
where she left the keys, as the sad joke goes. Probably not useful details,
but I recall that the Trojan was much larger than the real thing, and it was
located in a strange directory tree. The file date was strange, too, but
that may have been part of a deliberate disguise.

If there is (or was) a Trojan involved, that could obviously explain some of
the problems you reported.

Dominik wrote:
> Hi all,
>
> I have a w2k sp4 server running with exchange. some weeks ago (before
> sasser!) the server started behaving strangely. (=> taskmgr.exe eats
> far too much cpu-time, server freezes when we terminated any process
> via taskmgr.exe, services just stop at random, tlntsvr.exe running ...
> ) so we took a closer look.
>
> we found out that the windows-update KB835732 couldn't be applied. the
> update says that lsass.exe has to be present in order to install the
> update.
>
> well we thought it was present... but as it turned out, no lsass.exe
> could be found anywhere on our system. so we tried to copy the file
> from another w2k server to the place where it belongs.
>
> this seemed to work but when we took a look at the directory,
> lsass.exe was gone. so we tried again, this time we got an error
> saying that the file with the specified name already exists and that
> we cannot replace it (as admin in safe mode!!)
>
> we rebooted the system with knoppix and found out that lsass.exe was
> right in place all the time, but apparently somehow hidden from the
> w2k-filesystem.
>
> we further found out that it is impossible to create a file with the
> name lsass.exe anywhere on our system at all => same symptoms as
> described above.
>
> does anyone have a clue what's going on on our server?!
>
> thanx for your help.
>
> dominik
>
> PS we checked version, date and size of any file running as a process,
> disabled the telnet-server and checked dozens of .com, .dll,
> .exe-files if they are the correct version. => no change, still unable
> to create lsass.exe
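The two observations in this thread (a file that the running OS cannot see but an offline boot can, and a second, oversized LSASS copy in an odd directory) are both caught by a cross-view comparison. The following script is an added example, not code from either poster: it takes a file listing recorded from inside the running system and one recorded from an offline boot (as Dominik did with Knoppix), reports paths hidden from the live view, and flags lsass.exe copies outside System32 or differing in size from the System32 copy. The listings, paths and sizes are constructed sample data, and the System32 location is assumed to be the expected one.

```python
"""Cross-view check for hidden or duplicated lsass.exe binaries (added example)."""
from pathlib import PureWindowsPath

# Assumed location of the legitimate copy on a Windows 2000 install.
EXPECTED_LSASS = PureWindowsPath(r"C:\WINNT\system32\lsass.exe")


def normalise(listing):
    """Turn [(path, size), ...] into {lowercased path: size} for comparison."""
    return {str(PureWindowsPath(p)).lower(): size for p, size in listing}


def hidden_from_live(live, offline):
    """Paths present in the offline listing but absent from the live OS view."""
    live_paths = set(normalise(live))
    return sorted(p for p in normalise(offline) if p not in live_paths)


def suspicious_lsass(offline):
    """lsass.exe copies outside System32; note when their size differs too."""
    files = normalise(offline)
    expected = str(EXPECTED_LSASS).lower()
    ref_size = files.get(expected)
    findings = []
    for path, size in files.items():
        if PureWindowsPath(path).name != "lsass.exe" or path == expected:
            continue
        reason = "unexpected location"
        if ref_size is not None and size != ref_size:
            reason += f", size {size} differs from System32 copy ({ref_size})"
        findings.append((path, reason))
    return findings


# Constructed sample listings; sizes and the odd directory are made up.
LIVE_VIEW = [
    (r"C:\WINNT\system32\services.exe", 91408),
    (r"C:\WINNT\system32\winlogon.exe", 182544),
    (r"C:\WINNT\system32\spool\drivers\lsass.exe", 324096),  # second copy
]
OFFLINE_VIEW = LIVE_VIEW + [
    (r"C:\WINNT\system32\lsass.exe", 33552),  # on disk, hidden from live OS
]

if __name__ == "__main__":
    for p in hidden_from_live(LIVE_VIEW, OFFLINE_VIEW):
        print("hidden from live view:", p)
    for p, why in suspicious_lsass(OFFLINE_VIEW):
        print("suspicious copy:", p, "-", why)
```

Because the offline listing is taken with the suspect OS not running, it is the view to trust; anything missing from the live side is what the live system is concealing.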
