Helping people with computers... one answer at a time.
Windows runs software when you log in, but if it can't be found, Windows reports an error. This can happen after an incomplete virus removal.
When my computer has boots up I get a pop up stating "Windows cannot find 'C:\WINDOWS\system\|sass.exe'. make sure you type the name correctly, and then try again. to search for a file click the Start button, and then click Search."
How do I get rid of it?
•
This question shows one of the very subtle ways that virus writers try to fool you.
And there's no question, you have, or had, a virus.
•
Consider the following list of file names:
|
They all look similar, don't they? In fact, depending on your machine and installed fonts, some of them may look identical. But they are four very different file names (vertical bar - sass.exe, lower case "L" - sass.exe, lower case "I" - sass.exe, and the number one - sass.exe). One of these names is legitimate.
In fact, not only is it legitimate, but it's a required Windows component. Your system won't run without it.
The rest? Malware. Malware trying to look like a required system file.
My guess is that your anti-virus scan caught the malware at some point and removed the actual file in question. But what it didn't do is remove the registry entry that caused that file to be automatically run at start up.
Fortunately, that's a relatively easy fix, though it does require caution.
Grab a copy of the free autoruns utility from Microsoft. Fire it up and after it scans your system startup entries you'll see a screen much like this:
There are many places that Windows can be instructed to run software automatically, and autoruns attempts to display them all.
Now, pay careful attention to exactly how the start up entry is spelled in that error message. I can't stress this enough - virus writers are counting on you to get this wrong, since getting it wrong can render your system unbootable.
Press CTRL+F and enter the base name of what you're looking for. In the case of the question asked here, enter |sass.exe (that's a vertical bar followed by sass.exe). Press Find Next.
If there's an auto-run entry that references that name (and by the error message you're getting, there is), autoruns will find it.
|
Important: make absolutely sure the entry is not "lsass.exe" - the letters "l", "s", "a", "s", "s" .exe. That is a required system component. Deleting that may make your system unbootable. |
Dismiss the search box and press CTRL+D to delete the entry that it found. You might consider repeating the search just in case there's another reference.
Reboot your system and your warning should be gone.
Now, I don't have that virus on my system, so I'm going to show you what you should not delete:
This shows a reference in autoruns to the valid, legitimate and required "lsass.exe". There are several clues that this is the legitimate and proper file that should not be deleted:
-
The name is spelled properly: "l", "s", "a", "s", "s" .exe.
-
Microsoft is listed as the vendor.
-
The location referenced is correct (%SYSTEMROOT%\system32\lsass.exe) - it uses both the "%SYSTEMROOT%" variable, as Windows would, it's the correct name ("lsass.exe"), and it's in the correct folder: system32.
Typically a virus attempt will at a minimum get the filename wrong, and if it gets the filename right it'll likely get the location wrong.
Do not delete the entries referencing "%SYSTEMROOT%\system32\lsass.exe". But if the filename matches the error message you're seeing, and it's clearly not the "real" lsass, then delete or disable it to remove the warning.
Or, if you're not sure and want to be extra cautious, consult your
local Windows computer geek. 
Article C3463 - August 1, 2008
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
Good article Leo
I struck this problem on 2 machines last month, and it took hours of googling to learn exactly what you have layed out above.
Posted by: anth11 at August 7, 2008 6:41 PMIn my case the problem was caused by the QQpass Trojan.
I saved one computer but had to wipe the other.
hi.i'm taking an error like this ..Windows cannot find 's' " error message on login..Looks like same this error ("Windows cannot find |sass.exe") but i cant find 's' folder anywhere..i cant find 's' via this programme(autoruns)..What can i do?
Posted by: Nuri at August 26, 2008 4:27 AMmy problem is very similiar, but has the small lsass.exe. this error message starts right at startup and will not let me do anything. It also has a counter in 60 seconds the computer will reboot and it keeps doing this. Is there any way to help!!!!
Posted by: Jessica Stokes at December 16, 2008 12:55 PMI cannot connect to the internet, and windows I believe has been lost on my computer, everytime I turn on the computer, it says that the disc drives cannot be found, then I have to press F1 just to get to the icons, but when I do it's saying that windows cannot be found, or it's damaged and to reinstall windows, why is this happening, and how do I fix this problem? by the way I don't have the windows installation disc any longer.
Posted by: Taisheka Johnson at April 27, 2009 10:38 AMI recently bought a antivirus program, scanned my system, and it quarantined a virus. I went through all the steps, and I thought it finished the virus off, but aftewards, I started getting a similar message every 30 minutes or so:
"Windows cannot find 'C:\Users\Philip\AppData\Local\Temp\NEW65B5.tmp.exe'. Make sure you typed the name correctly, and then try again."
This loops. Every 30 minutes (roughly - I haven't timed it.)
Is this the same problem, or very similar? I'm just hoping I can download autoruns and get rid of this problem. But I got a nasty feeling it's probably something a lot worse...
Thanks!
Posted by: Philip at November 12, 2009 8:21 PM