I would install Windows from scratch, and install both of those programs *before* connecting to the internet or your local network. It sounds like you're getting infected immediately, so stay disconnected until you've got the firewall up and running.
Posted by: Leo at November 15, 2005 8:49 PM
Here is the fix that I have discovered. There are two main differences in the way your computer behaves; I have yet to discover what decides these differences. The first type is the one where your computer comes on but turns back off after about a minute. The second type is the one that most of the past few people have been describing (the one I got as well), which is the error box that comes up right after the XP screen, and clicking OK will cause a reboot. If you have the second type, start from step one; if you have the first type, follow the instructions in the article to delay the shutdown.
1. Pop in your XP CD-ROM. Boot your computer from that CD-ROM. On the screen that comes up asking what you want to do, select the option to install Windows. Follow the instructions, but DO NOT let it format your hard drive. Instead, just install Windows a second time to another folder (I put mine in C:\Windows2). This will provide you a way to get on your computer to fix your worm virus. Reboot your computer, not from the CD-ROM, but from the Hard Drive, selecting the Windows XP installation that you just installed.
2. Download the Windows XP patch that will prevent it from finding you again. I cannot stress this enough: this virus seems to reinstate itself on computers that have had it previously, but this patch seems to fix this problem. It can be found at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx Restart your computer, once again, loading on the second installation of XP.
3. Run the Symantec W32.Sasser.Worm removal tool. Symantec did a fantastic job of finding a way to get rid of this virus and has made it available for free. You can download it at http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
4. Restart your computer, this time try loading your old version of Windows XP; it should load without a problem.
5. In order to make sure you don't get this virus again, be sure to follow the instructions given in the article about getting AntiVirus and Firewall Programs installed on your computer.
God Bless!
- Andy Hudson
www.TheTechMen.com
I've downloaded everything to perform Andy's fix as listed above. However, my HP machine didn't come with an XP CD. My manual says "for a small shipping fee, we'll ship you the CDs" (?!?!!). So, since I'm in a hurry to fix my PC, and don't want to wait on HP to ship me the CDs, can I use XP CDs that came with an E-machine desktop at work? Or some other brand if I can find one?
Thanks
Probably not... this article has more: http://ask-leo.com/can_i_install_windows_xp_using_one_manufacturers_cd_on_a_different_pc.html
Posted by: Leo A. Notenboom at December 19, 2005 10:51 AM
Thanks. I was afraid of that. I'm trying to track down an HP disk from a friend.
Thanks again,
Murph
I got my hands on an OEM XP CD and was able to boot with it. I was able to go through Andy's steps to repair the lsass.exe problem; however, the Symantec tool didn't find Sasser (I ran it twice). So I'm back to square one. Any suggestions of other things to try?
Thanks,
Murph
I should have read your article closer the first time. I saw your reference to the KIBUV and BOBAX viruses this time. Does anyone have experience removing either of these two? If so did you use Symantec? I use AVG Free, but I haven't found much evidence that AVG will remove any of the LSASS.exe related viruses.
Thanks,
Murph
Hi, I have the second type of this problem as referred to in the Tech Men's fix above; I have followed the procedure for removal to the letter (several times), but with no luck. All of the antivirus/worm tools including Symantec come up that the system is clear? I have tried deleting the LSASS.exe file from the corrupted version of XP and replacing it from the newly installed XP, but no joy. Any suggestions as to what I can do next would be gratefully received.
Posted by: Simon at December 21, 2005 7:46 AM
Simon, it sounds like we're working on an identical problem. You mention using Symantec; do you mean you've scanned with Norton AntiVirus, or you've just used Symantec's specific Sasser removal tool? The reason I ask is that I was about to go out and purchase Norton.
Murph
Murph, yes, it does sound the same, very frustrating. I have used several: Spycatcher, Symantec's specific Sasser tool, Xoftspy and Microsoft Malicious Software remover tool. I have not used Norton yet!!
Posted by: Simon at December 21, 2005 12:43 PM
To post a comment on "What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?", please return to that article's main page.