Ask Leo! by Leo A. Notenboom

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Comments


You can't delete LSASS.EXE. It's a required system file (http://ask-leo.com/archives/000140.html). You'll need to use the recovery console to copy it back to where it belongs. This article touches on that: http://ask-leo.com/archives/000253.html

Posted by: Leo at June 20, 2004 9:55 AM

Thanks for the heads up, but I have the virus in my PC right now. But this virus is just making me reboot. I don't know a lot about PCs.

That (start -a) worked for me and I thank you for that, but I don't know how to kill this virus.
Or I just didn't get what you said, sorry about that. Can you help me? One more thing: you were saying there's a way to save my PC from viruses like that. Can you tell me again how to do that?

Thank You!^-^

Posted by: shane at June 21, 2004 12:02 AM

Hi Shane: did you read the full article? http://ask-leo.com/archives/000114.html It's a step by step answer to your question. If you can be specific about what parts of it confused you I'll try to clarify.

Posted by: Leo at June 21, 2004 9:44 AM

Leo, in the version I have, the command is: shutdown /A
not: shutdown -a
which just shuts down the workstation.

John

Posted by: John Buettner at June 21, 2004 4:23 PM

During the startup of Windows (status bar at 100%) and the login screen popping up, I got a message that said my computer will shut down in 40 secs because of lsass.exe.

I ran the removal tool and no Sasser worm was found. I looked at my registry under Windows/CurrentVersion/Run and found no sign of Sasser.

Am I infected with the Sasser worm?

Also, during Windows loading up and the login screen, is my computer vulnerable? For example, can people hack into my computer, or can viruses and worms attack my computer during the login screen (before I log in)?

Thanks

Posted by: Billy at June 21, 2004 9:33 PM

You're probably infected with one of the variants that the article talks about. Standard advice: make sure you have an up-to-date virus program, with up-to-date virus definitions, and scan.

And to answer your question: YES, the vulnerability that Sasser and related viruses take advantage of does NOT require you to be logged in. That's why I've been continually recommending the use of a firewall, such as a NAT router or XP's built-in firewall. Either of those will block this vulnerability.

Posted by: Leo at June 21, 2004 10:32 PM

Leo,

The crash only happened once. How can I be sure that I am infected with the Sasser worm?

I ran the Symantec and Microsoft removal tools and found no Sasser worm. I went through the registry and found no sign of the Sasser worm.

I do have the ZoneAlarm firewall; is that not enough?

Thanks

Posted by: Billy at June 21, 2004 10:42 PM

I'm not talking about Sasser-specific removal tools - I mean that you should run a full anti-virus scanner that looks for all viruses and removes, or at least alerts you to, the ones you may have. It may not be Sasser that you have - there are several viruses now that have similar symptoms. That's why you want an AV package that looks for many viruses. I have recommendations here - http://recommend.pugetsoundsoftware.com

And if it only happened once, you may not be infected at all.

I *believe* ZoneAlarm will protect you before logging in.

Posted by: Leo at June 21, 2004 10:55 PM

I have Windows 2000 as my OS, and whenever I connect to the internet my system reboots again and again.

Posted by: Mandar at June 22, 2004 4:21 AM

Thanks for the great info you have here. I am receiving the LSASS error and thought it was Sasser, but the removal tool said I didn't have it. I checked the hosts file in system32 and everything's fine there, but I cannot sign into Hotmail, and I've been having problems with an exponentially slow dialup: after 40 seconds of connecting to the internet, it completely stops. I cannot find what, if anything, is taking my bandwidth. Because I can't sign into Hotmail, I can't continue to download Norton AntiVirus. What antivirus software do you suggest I download, and does this just sound like a Sasser variant, or more than one virus? The registry looks fine under "run once.. run hidden etc".

Posted by: Trin at June 22, 2004 6:16 AM