Could be all sorts of things, but likely is a virus based on the description. Check the defs, rerun the anti-virus scan and if that doesn't work, it's likely not a bad idea to call Symantec for support. (several refs to similar behavior such as code blue worms, etc.)
http://www.hkcert.org/valert/vinfo/lsass_worm.html is one reference of an interesting worm.

-ajm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, July 06, 2004 10:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] bad logons

I'm running win2k AD in mixed mode sp4. My issue is, my GCs are running over the top with lsass.exe sometimes hitting 99%. I have a ton of logon failures in the security log. They are mostly coming from "THE LOGON TO ACCOUNT ADMINISTRATOR(SOMETIMES GUEST OR ASPNET) by Microsoft_Authentication_Package_v1_0 has failed."

I also have some workstations running an svhost (not svchost) which, when I kill it, they can log on. Is this some virus or worm I'm unaware of? It seems like it. The only thing that comes close is a w32.spybot.worm (from Symantec), but that virus is over a year old and my defs have been current.

I turned up logging on directory related events to 1 but no info that helps. My Exchange 2k server is logging rpc failures to my gc, however the gc is up and dns is fine.

Any help would be great (I just got back from vacation and this is what I'm saddled with. Go figure, life of a net admin).

Thanks a lot

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
