Ask Leo! by Leo A. Notenboom

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Comments

I have been searching the internet for over 3 hours now (from a laptop that is not suffering from the following)... and nowhere have I been able to find an answer that shows the fix to the problem: I am UNABLE to access Windows through any mode (including safe, last known good configuration etc....). For once I did not back up my data before shutting down and am now unable to access my computer. I seem unable to locate the c:\ so that at the very least I could delete lsass.exe through DOS, (NOT the system32 file), but any others. I am a network engineer not a computer engineer so I have a basic-intermediate knowledge of computers. I REALLY need to fix this problem but trying to use a boot disk I am unable to locate my c:\, (I am unsure as to whether this is due to me being ignorant or the problem I have or is part of the problem itself). I recently have had a few viruses, (thanks to the wife, :( ), and I had downloaded HijackThis and a couple of other anti spyware/virus etc programmes. I was running Ad-Aware and avast antivirus on their own before this. I now have the same problem that others seem to have posted and I am unable to re-install my OS as I no longer have a Windows disk. I feel I am in way over my head with this one as I have been changing BIOS settings etc. Surely there is a boot disk somewhere that will fix this problem?

It is the standard error message on boot: "when trying to update password the return value indicates that the current value provided as the current password is not correct". The computer then restarts and does the same again.

If anyone could give me an answer to this I would be very grateful.

Many thanks and kindest regards

Numpty.

Posted by: A very depressed lemming... (ROB) at April 30, 2006 10:11 PM

Your hard disk is probably formatted NTFS and thus inaccessible to plain old DOS. You'll need to come up with another boot media that includes NTFS support. You might consider something like Knoppix (if you're Linux literate), or using BartPE to build a boot CD for Windows (using another machine, of course). You might also try bootdisk.com, or look for a DOS-based NTFS driver that you can add to a normal DOS boot disk.

Posted by: Leo at April 30, 2006 10:19 PM

I see your problem: the reason you cannot access C:\ from a floppy is because the hard drive is in NTFS format, meaning it does not support DOS mode on boot, only through shell from within Windows XP or better.

There is a fix though: there are various NTFS bootable files for creating a disk which emulates NTFS boot. Now these aren't the best by any means, but they do work. Try this link which will hopefully explain what to do: http://www.nthelp.com/351/boot.htm

Also I see you mention lsass.exe. That's a file which Windows makes a lot of reference to, in fact it can render the internet unusable. I don't know a lot about it, unfortunately the hackers do. I don't think deleting it from DOS will resolve the problem. If you need further assistance, please email me and I will try to elaborate some more.

Posted by: Martin at May 5, 2006 5:01 PM

For those of you who can't boot and are getting an lsass.exe error, I found a solution here: http://computing.net/windowsxp/wwwboard/forum/46198.html
Worked great for me. Good Luck.

Posted by: Ronnie at May 9, 2006 9:38 AM

I apologize if this specific error has been addressed, but a search of the site turned up nothing for the "endpoint format error."

A buddy of mine is now experiencing the following error upon bootup of his Dell Dimension 8200 running Windows XP Home: "LSASS.exe System Error - The endpoint format is invalid."

There is an OK button displayed in the error-message box. Pressing it reboots the machine before the Windows Desktop is displayed. (So it's not possible to click Start, Run, shutdown -a.) This error persists in every mode, including Safe Mode.

I found in the Dell knowledge base an article for restoring LSASS.exe from a Windows installation CD, although the error message in the article is not identical to the one my buddy is experiencing. We tried it, and it failed to resolve the problem. For those Dell owners who have nothing left to lose, here's the link to the Dell article: http://support.dell.com/support/topics/global.aspx/support/dsn/en/document?docid=F7C2CE720E6043E9A9C7BC633223D508&c=us&l=en&s=gen

Has anyone else experienced the endpoint-format version of this error? If so, did you have any luck repairing it?

Posted by: Schnazola at June 20, 2006 6:34 PM

All my attempts to fix the "LSASS.exe System Error -- The endpoint format is invalid" error have failed spectacularly.

A bit of good news, tho: I booted from the CD drive using a Knoppix CD. I was able to copy all the important data to a portable hard drive. I then formatted and re-installed.

Nothing like a format & re-install to clear your PC of problems. So, I guess not ALL my attempts to fix the problem failed.

Posted by: Schnazola at June 26, 2006 9:22 AM

Hey Schnazola! I read your comment about using Knoppix. I am pretty new on the whole Linux system, so I will try it and also hope to save my data from my desktop. I got the "An invalid parameter was passed to a service or function" for the lsass.exe and it is extremely frustrating to not find a quick solution for it. Oh well.

Posted by: Miguel at June 26, 2006 11:07 PM

Hi Leo:

I am wondering if you know what my computer might be infected with - the symptoms are that my desktop icons simply go out of control every now and then. They open and close as if possessed and the mouse pointer goes out of my control too. It is as if someone is remote controlling my desktop and has made my control ineffectual. After about 15-20 seconds my desktop goes back to normal. But in the process some programs or webpages I was on get shut down.

Any ideas what could be going on??

Thanks in advance for any help you can give,

Barry

Posted by: Barry at June 30, 2006 4:45 PM

Sounds like this problem: http://ask-leo.com/why_does_my_computer_go_nuts_sometimes.html

Posted by: Leo at June 30, 2006 4:49 PM

W2K - I deleted the entries for lsass from the registry, don't ask. I did not delete the file from c:\winnt\system32. I replaced all, I believe, the entries but I am getting RPC errors, there are no icons in Network Places, and it says I have no admin rights to do anything. MC > manage > user & groups won't run because RPC is not available, and net start rpcss does not fix the issue. HELP!!! Where can I get a list of entries that I deleted? How do I get RPC back up?

Posted by: tom turner at July 1, 2006 9:14 AM