Re: lsass.exe is missing on our w2k server and cannot be restored
From: Shannon Jacobs (shanen_at_my-deja.com)
Date: Tue, 18 May 2004 15:40:58 +0900
Hmm... I hope this isn't related to what I discovered on a friend's machine
recently. There were two versions of LSASS present, and one of them was a
Trojan. As usual, when I'm desperately tinkering around without really
understanding, I can't recall all of what I did, though I nearly lost the
"patient" when I was dinging on the wrong (actually the legitimate) LSASS.
In her case, it should be rebuild-the-universe time, but she can't remember
where she left the keys, as the sad joke goes. Probably not useful details,
but I recall that the Trojan was much larger than the real thing, and it was
located in a strange directory tree. The file date was strange, too, but
that may have been part of a deliberate disguise.
If there is (or was) a Trojan involved, that could obviously explain some of
the problems you reported.
> Hi all,
> I have a w2k sp4 server running with exchange. some weeks ago (before
> sasser!) the server started behaving strangely. (=> taskmgr.exe eats
> far too much cpu-time, server freezes when we terminated any process
> via taskmgr.exe, services just stop at random, tlntsvr.exe running ...
> ) so we took a closer look.
> we found out that the windows-update KB835732 couldn't be applied. the
> update says, that lsass.exe has to be present in order to install the
> well we thought it was present... but as it turned out, no lsass.exe
> could be found anywhere on our system. so we tried to copy the file
> from another w2k server to the place where it belongs.
> this seemed to work but when we took a look at the directory,
> lsass.exe was gone. so we tried again, this time we got an error
> saying that the file with the specified name already exists and that
> we cannot replace it (as admin in safe mode!!)
> we rebooted the system with knoppix and found out, that lsass.exe was
> right in place all the time, but apparently somehow hidden from the
> we further found out that it is impossible to create a file with the
> name lsass.exe anywhere on our system at all => same symptoms as
> described above.
> does anyone have a clue what's going on on our server?!
> thanx for your help.
> PS we checked version, date and size of any file running as a process,
> disabled the telnet-server and checked dozens of .com, .dll,
> .exe-files if they are the correct version. => no change, still unable
> to create lsass.exe
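The two checks described in this thread, the cross-view comparison (files visible from the Knoppix boot but not from the live Windows view) and the hunt for a second lsass.exe running from the wrong directory, as an added example that is not part of the original posts. All listings and sizes below are constructed sample data, and `C:\WINNT` is assumed as the default Windows 2000 system root.

```python
"""Cross-view and impostor checks for lsass.exe (added example, not from the thread).

The live listing stands in for what `dir` reported on the running system; the
offline listing stands in for the same directory read from a Knoppix boot.
Every path and size here is constructed sample data.
"""
from pathlib import PureWindowsPath

# Assumption: default Windows 2000 system root; the only legitimate lsass.exe location.
EXPECTED_LSASS = PureWindowsPath(r"C:\WINNT\system32\lsass.exe")

# Constructed sample: directory listing taken from the live (possibly hooked) system.
LIVE_VIEW = {
    r"C:\WINNT\system32\services.exe": 91_920,
    r"C:\WINNT\system32\winlogon.exe": 179_472,
    r"C:\WINNT\system32\tlntsvr.exe": 73_488,
}

# Constructed sample: the same directory read from the offline boot.
OFFLINE_VIEW = {
    r"C:\WINNT\system32\services.exe": 91_920,
    r"C:\WINNT\system32\winlogon.exe": 179_472,
    r"C:\WINNT\system32\tlntsvr.exe": 73_488,
    r"C:\WINNT\system32\lsass.exe": 33_552,
}

# Constructed sample: running processes as (name, image path, image size in bytes).
PROCESSES = [
    ("lsass.exe", r"C:\WINNT\system32\lsass.exe", 33_552),
    ("lsass.exe", r"C:\WINNT\system\drivers\etc\lsass.exe", 512_000),
    ("services.exe", r"C:\WINNT\system32\services.exe", 91_920),
]


def norm(path):
    """Normalise a Windows path for comparison (separators and case)."""
    return str(PureWindowsPath(path)).lower()


def hidden_from_live(live, offline):
    """Files present in the offline view but absent from the live view.

    A file the live system cannot list, yet cannot be overwritten either, is the
    symptom the original poster describes; listing filters are one explanation."""
    live_set = {norm(p) for p in live}
    return sorted(norm(p) for p in offline if norm(p) not in live_set)


def impostor_processes(processes, expected=EXPECTED_LSASS):
    """Processes carrying the name of the core binary but running from elsewhere.

    Shannon's 'much larger, in a strange directory tree' copy is exactly this case."""
    want = norm(expected)
    return [(path, size) for name, path, size in processes
            if name.lower() == expected.name.lower() and norm(path) != want]
```

Run the two functions against listings captured on the real machine; the offline listing must come from a boot that does not load the suspect system's own drivers, otherwise both views go through the same filter.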