lsass.exe is missing on our w2k server and cannot be restored


Dominik

Hi all,

I have a w2k sp4 server running with exchange. some weeks ago (before
sasser!) the server started behaving strangely. (=> taskmgr.exe eats
far too much cpu-time, server freezes when we terminated any process
via taskmgr.exe, services just stop at random, tlntsvr.exe running ...
) so we took a closer look.

we found out that the windows-update KB835732 couldn't be applied. the
update says, that lsass.exe has to be present in order to install the
update.

well we thought it was present... but as it turned out, no lsass.exe
could be found anywhere on our system. so we tried to copy the file
from another w2k server to the place where it belongs.

this seemed to work but when we took a look at the directory,
lsass.exe was gone. so we tried again, this time we got an error
saying that the file with the specified name already exists and that
we cannot replace it (as admin in safe mode!!)

we rebooted the system with knoppix and found out, that lsass.exe was
right in place all the time, but apparently somehow hidden from the
w2k-filesystem.

we further found out that it is impossible to create a file with the
name lsass.exe anywhere on our system at all => same symptoms as
described above.

does anyone have a clue what's going on on our server?!

thanx for your help.

dominik

PS we checked version, date and size of any file running as a process,
disabled the telnet-server and checked dozens of .com, .dll,
.exe-files if they are the correct version. => no change, still unable
to create lsass.exe
 
If you have not done such I would certainly check your computer for virus infection
with a virus package scanning the total system with the latest virus definitions and
maybe trying McAfee Stinger [free download] as a second opinion. The other thing you
may want to try after that is to use System File Checker via sfc /scannow at the
command line to see if it helps. Also verify your firewall is protecting your
computer/network properly only allowing authorized access on necessary inbound ports.
The best way to check your firewall is by an outside scan with a port scanner such as
the free Superscan utility from Foundstone, though using a selfscan site is a good
start until you can do it right. --- Steve

http://vil.nai.com/vil/stinger/
http://support.microsoft.com/default.aspx?scid=kb;en-us;222471
http://scan.sygatetech.com/ -- self scan site.
 
I am having the same problem only it is other files. One of the files is a
Norton Corporate Edition file that does not let Norton run anymore. I also
found that any files that start with "default" on the root of a web folder
are also not present.

If I look at the folders across the network from another system, all of the
files are there. Something on the system is not allowing windows to see the
files even though they are present.

I have tried everything I can think of. I have tried scans from multiple
virus companies. I have searched all of the virus companies to see if they
have any information on this and could find nothing.
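
Added example, not part of the original thread: both reports above describe files that exist on disk (seen from Knoppix or from another system over the network) but are missing from what the affected Windows system lists locally. The sketch below compares two such listings and reports the difference; it assumes the live listing was saved with `dir /s /b /a` and the offline one with `find` on the mounted volume, and the roots, mount point and sample file names are constructed for illustration.

```python
"""Cross-view check: files on disk that the running system does not list."""

def normalize(path, root):
    """Map one listing line to a comparable key: relative, '/'-separated, lower-case."""
    p = path.strip().replace("\\", "/")
    r = root.replace("\\", "/").rstrip("/")
    if p.lower().startswith(r.lower() + "/"):
        p = p[len(r) + 1:]
    return p.lower()  # Windows file names compare case-insensitively

def load(lines, root):
    """Return {key: original line} for every non-empty listing line."""
    return {normalize(l, root): l.strip() for l in lines if l.strip()}

def cross_view(live_lines, offline_lines, live_root, offline_root):
    """Compare a listing from the running system with one taken offline.

    Returns (hidden, live_only): paths seen only offline, paths seen only live.
    """
    live = load(live_lines, live_root)
    offline = load(offline_lines, offline_root)
    hidden = sorted(offline[k] for k in offline.keys() - live.keys())
    live_only = sorted(live[k] for k in live.keys() - offline.keys())
    return hidden, live_only

# Constructed sample: output of `dir /s /b /a C:\` on the running server.
LIVE = """C:\\WINNT\\system32\\services.exe
C:\\WINNT\\system32\\winlogon.exe
C:\\Inetpub\\wwwroot\\index.htm
""".splitlines()

# Constructed sample: output of `find /mnt/hda1 -type f` from the live CD.
OFFLINE = """/mnt/hda1/WINNT/system32/lsass.exe
/mnt/hda1/WINNT/system32/services.exe
/mnt/hda1/WINNT/system32/winlogon.exe
/mnt/hda1/Inetpub/wwwroot/default.htm
/mnt/hda1/Inetpub/wwwroot/index.htm
""".splitlines()

if __name__ == "__main__":
    hidden, live_only = cross_view(LIVE, OFFLINE, "C:\\", "/mnt/hda1")
    for path in hidden:
        print("on disk but not listed by the running system:", path)
    for path in live_only:
        print("listed by the running system but not found offline:", path)
```

Take the two listings as close together in time as possible, since files created or deleted in between will also show up as differences.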
 
I don't see how Windows 2000 can even boot if LSASS is not showing in the Task Manager. It should be almost at the very top.
 
Hmm... I hope this isn't related to what I discovered on a friend's machine
recently. There were two versions of LSASS present, and one of them was a
Trojan. As usual, when I'm desperately tinkering around without really
understanding, I can't recall all of what I did, though I nearly lost the
"patient" when I was dinging on the wrong (actually the legitimate) LSASS.
In her case, it should be rebuild-the-universe time, but she can't remember
where she left the keys, as the sad joke goes. Probably not useful details,
but I recall that the Trojan was much larger than the real thing, and it was
located in a strange directory tree. The file date was strange, too, but
that may have been part of a deliberate disguise.

If there is (or was) a Trojan involved, that could obviously explain some of
the problems you reported.
 
(Jacobs nonsense snipped):

Fair warnings to the contributors to this group: Shannon Jacobs is a
sick latrine-washer who periodically forgets to take his medication.
Be good to him. Pretend you don't notice anything. After all, he is
not dangerous as long as four trained nurses keep a firm hand on him.
However, his medical history showed that once he had escaped, bitten a
dog, and gotten the poor dog rabid sick. Don't touch your computer
after receiving messages from Shannon Jacobs and rub your fingertips
with pure-grade alcohol.

-Mark
 
My apologies for that off topic intrusion into this newsgroup. It's sort of
like being followed around by a very sick puppy. I actually think he's one
of those mentally perturbed and aggressively ignorant Americans. Not just
aggressive about his ignorance, but apparently even proud of it. I do hope
the nation recovers from this affliction. If you are an American, I do
encourage you to vote, and I even think you should remember what sort of
people do support BushCo, but this is NOT the place for that topic. Again,
my most sincere apologies for the intrusion and the waste of your time.
 