Ask Leo! by Leo A. Notenboom

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Comments

If you made a recovery disk when you installed your OS (or if a recovery disk came with the system), you should be able to boot from that and rename the file.

You might also be able to create a bootable floppy that supports reading NTFS - one such example: http://ask-leo.com/d-ntfsboot - I've never used such a beastie, but it should get you access to the partition long enough for you to rename your lsass.exe back and reboot from the hard drive.

Let me know how it goes...

Posted by: Leo at June 4, 2004 10:12 AM

I am not sure if LSASS is infected or not! My monitoring system merely tells me (on boot up) that LSASS has changed since the last time I booted and wants to access the internet. I continually answer no, but wonder now if it's a problem. Really want to know how to stop it from changing and how to get rid of this continually asking to access internet.

Posted by: Clint Heintzelman at June 7, 2004 7:48 AM

My first reaction would be to run the system file checker (http://ask-leo.com/archives/000074.html ) and see if it will repair lsass.exe for you.

Posted by: Leo at June 7, 2004 10:00 AM

Lsass.exe: This is definitely the nastiest piece of work I've come across in the last decade. Absolutely nothing I do gets rid of it.
You can reformat in NTFS or FAT32, use Fdisk /MBR,
install Win ME and then revert back to XP with FAT32, enter with a boot disk and delete the file... and what happens? No reboot... so it's reformat, reinstall, and everything is back to square one again. You can try any virus scanner available: Symantec, AVG, HouseCall, the Microsoft tools. They don't even recognise it. This thing was developed to make XP obsolete and as far as I'm concerned it's gonna succeed. I'm going back to ME, won't even consider getting a new hard disk. This thing sits somewhere else.

Posted by: Charlie at June 7, 2004 12:34 PM

My Win2k (Prof.) system had a problem of this sort: it removed the dialup networking connection automatically, and when I tried to add a new connection it said that the connection name is invalid (it's not accepting any name). Hence I applied SP4... this started giving me more trouble. Now I can't start my PC. It boots well and gets almost to the login screen, then suddenly reboots. I tried to boot it in safe mode and in debug mode... it's still not allowing me to boot the system. Please help me to solve this problem.

Harry

Posted by: hary at June 7, 2004 12:42 PM

Charlie: remember that LSASS.EXE is, in fact, a *required system component*. You can't just "get rid of it". What you can do is disinfect your system from the viruses that manifest as LSASS.EXE errors, and protect yourself from further attacks, all as outlined in the accompanying article.

But I definitely agree that this particular vulnerability, and the viruses that are attacking, are some of the nastiest we've seen to date.

Posted by: Leo at June 7, 2004 1:08 PM

Harry: the best I can offer at this point is that you'll need to boot from a floppy or CD, possibly your recovery floppies if you made them, and then run a virus scan on the machine. You *may* need to reinstall Win2k and SP4 to fully recover. You should do all this either not connected to the internet, or *after* having installed a firewall to protect you from vulnerabilities while you are scanning/reinstalling.

Posted by: Leo at June 7, 2004 1:14 PM

Leo, you have brought my sanity back, I bought a new laptop over the weekend, and that day got infected, this thing is rife! I followed your steps and now I seem clear. I'm not at all technical, but you showed me the way - respect! Good Luck to all the rest, Leo's the one!
Thank you

Stacia

Posted by: Stacia at June 7, 2004 4:37 PM

Mr. Leo..... My computer definitely has this bug you speak of... I was soooooo relieved to see that it wasn't just me being a complete idiot, and was so happy that this site shows me what I can do. I am downloading the q317636i.exe file thingy. My computer also has a few more problems. Not just lsass.exe, but I was having trouble with my Internet Explorer, iexplore.exe, which seems to have miraculously ended, because I have been connected to Explorer much longer than it would let me. I also get an error with this file, something like ftupd.exe or something. When I was completely clueless about what the problem was, I did the system recovery (I have no disk) and now I cannot install my Symantec firewall. I am sure this is a bad thing. What would you recommend that I do? Is my Norton anti-virus running properly? It seems to be, but when I scan it finds nothing. Although it has said that it caught this threat: w32.spybot.worm or something very close to that. Please help my situation.

Posted by: Beau at June 7, 2004 5:31 PM

My guess is you are infected with something. My first place to look would be the hosts file I mention in the article. If it's there and full of the addresses of lots of anti-virus sites, that's what's preventing you from accessing those sites. I'd rename it, reboot, and see if you can get the latest set of virus definitions downloaded. As an alternative, you can try some of the alternative on-line virus checkers I mention in my recommendations pages: http://recommend.pugetsoundsoftware.com

Good luck!

Posted by: Leo at June 7, 2004 7:19 PM
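Leo's advice above is to look at the hosts file for entries that redirect anti-virus sites. As an added example (not from Ask Leo! or any product), here is a small Python checker that parses hosts-file text and flags any mapping for a watched vendor domain; the vendor list and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that hijack anti-virus / update sites.

Added example, not from the Ask Leo! page. The watched domain list and
the sample hosts content below are constructed for illustration."""
import ipaddress

# Vendor domains a tampered hosts file typically sinkholes (constructed list).
WATCHED_SUFFIXES = (
    "symantec.com", "avg.com", "trendmicro.com",
    "microsoft.com", "windowsupdate.com", "mcafee.com",
)

# Constructed sample: a legitimate localhost line plus hijacked entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com   # added by malware
127.0.0.1       securityresponse.symantec.com
0.0.0.0         free.avg.com
127.0.0.1       housecall.trendmicro.com
192.168.1.10    intranet.example.local
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not a valid address; skip line
        for host in parts[1:]:                # one IP may list several names
            entries.append((str(ip), host.lower()))
    return entries


def suspicious_entries(text):
    """Return (hostname, ip) for every watched vendor domain found in the file.

    Any hosts-file override of these domains is suspect: a clean Windows
    hosts file only maps localhost, so even a non-loopback target is reported."""
    flagged = []
    for ip, host in parse_hosts(text):
        if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            flagged.append((host, ip))
    return flagged
```

On a real machine the text would come from %SystemRoot%\System32\drivers\etc\hosts; a non-empty result is the cue to rename the file and re-run the scanner, as Leo suggests.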