What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

ralph those sites u see in notepad mean you are infected, from what ive read online already, im stuc with similar prob, just dont have that variant !

i had the same virus but my anti virus software disinfected it...all of it. ive done all the checks and nothing seems to be left of the sasser worm. i use panda titanium antivirus software. hope this helps, otherwise the instructions given are accurate in disinfcting your computer.

If your computer keeps booting after your get the lsass.exe error, your security registry hive could be corrupt.

****Do This To Fix It****
You can use your XP disk to boot into recovery mode (recovery mode is just a DOS prompt, there's no reinstallation), or if you don't have an XP CD (and you can't borrow one)

Next

rename "c:\windows\sytem32\config\security" to security.bak

then copy c:\windows\repair\security to the location above.

This should get you back into your Windows Installation, update your antivirus progam and start a virus scan to make sure the virus has been cleaned. you might have to re-activate your copy of Windows. I did

i had the same problem couple of weeks ago about the message that appears after windows starts. Here's what i did (by the way im using winxpsp2 on a pc). I simply copied lsass.exe from system32 folder, paste it to windows folder and the error message disappear. I dont know what lsass.exe does but until now i havent encounter any side effects whatsoever, so iguess it works. hope this help.

Everyony should be aware that Lsass is a virus, lsass is Windows system file that has something to do with logging on. Don't delete it.

how can I do this if my windows would not load anymore.. after boot up, the screen just displays an error message about lsass.exe is restricted then my pc restarts.. this happens again and again.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If Windows won't load, you'll need to perform an repair
install of Windows. More here:
http://ask-leo.com/how_should_i_reinstall_windows.html

Thanks,

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIJitpCMEe9B/8oqERAiBKAJ9e1QRt343sM/UIxz/vMEzL8FsG1wCfcroa
yesC7FA3vKnhUH1/l2lgh0c=
=gWYW
-----END PGP SIGNATURE-----

Thanks for the above article:
When starting up my laptop I get the Windows loading screen and then I am getting a message prior to Windows login screen. The message box sits on a blue back ground and the header reads "lsass.exe - Application Error", and the txt in the message box reads "The Application Failed to Initialize Properly (0Xc0000006) Click on OK to Terminate the Application". When I click "OK" my laptop sits there with a blue screen and nothing happens, but I can see and move the cursor. I know this isn't a great deal differnt to the other issues posted but it seems like Windows is loading and I am hoping not to have to re-install Windows. Thanks.

RE. cursors.lsass.exe.
I uninstalled NERO and the problem has gone away. Must've been something in the program...

If you still get the C:\WINDOWS\Cursors\lsass.exe is not found after removing the infection it is because the file has been placed in the registry. If you run regedit (and back it up before changing anything!) Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Within this key you will see "Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe" Delete the C:\\WINDOWS\\Cursors\\lsass.exe portion and exit the registry. hat will stop the popup error on startup.

To post a comment on "What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?", please return to that article's main page.