LSASS is a Windows component shown in error messages, often due to a virus infection such as Sasser. Learn about LSASS, LSASS.EXE and how to stay safe.

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

The Sasser worm is the most recent and one of the most virulent viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.

Yep, it's a nasty one and an example of sophisticated virus attempts yet to come. Even if you're not infected this is an opportunity to review and implement the steps to keep your computer safe.

First, how do you know you have it? Unfortunately, Sasser shares several behaviors in common with other recent viruses. The most common sign is that your machine will indicate that there is a problem and will reboot in 60 seconds. The message caused by Sasser should indicate that the problem is in LSASS.EXE.

You should be able to abort the shutdown within those first 60 seconds by doing the following:

  • Press the Start button and then the Run menu item.

  • Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".

  • Press OK.

This doesn't fix anything; it just lets you get on with the business of disinfecting your computer.

Then, take the following steps:

  • Use a firewall. This can range from something as simple as turning on the Internet Connection Firewall included in Windows XP to purchasing and installing a hardware device such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.

  • Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.

  • Remove the virus. There are several Sasser removal tools floating around. Microsoft's "What You Should Know About the Sasser Worm and Its Variants" page has one.

  • Update and run your Anti-Virus software. Make sure that both of those steps happen automatically in the future as well. For example, my virus scanner is configured to check for updates and run a scan nightly.

  • Stay up-to-date. There are several options but I endorse running Windows Automatic Update for Windows XP. My preference is to have it download and notify me of changes that are ready to install. In addition - or, if you prefer, instead - you should also visit Windows Update on a regular basis for additional updates to your system. I probably visit once a month.

The bottom line is that it's a practical reality that we all need to be vigilant about keeping our computers safe. The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus. Sasser doesn't appear to be destructive...

...but the next one certainly could be.

Update: Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the Microsoft Update site unreachable. So if you can get to this site (Ask Leo!), but not your anti-virus vendor then this might be the problem. It's easy to check.

Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click on Run, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee, and more, then the worm has struck.

I would take the following steps:

  • Close Notepad.

  • Open Windows Explorer on the directory containing the file "hosts". (A quick way to do this is to press the Start button, click on Run, type \windows\system32\drivers\etc, and press OK.)

  • Right Click on the file hosts and select Rename. Give it a new name, like "oldhosts".

  • Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.

Now you should be able to get to your anti-virus sites until you reboot - apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updates and scan to clean up the virus right away.
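The hosts file check described above can also be scripted. The following is an added example, not part of the original article: it parses hosts-file text and reports every entry other than the normal "localhost" line. The domain watchlist and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Assumption: an illustrative watchlist built from the vendors the article
# names (Symantec, McAfee) plus Microsoft's update hosts. Extend as needed.
WATCHED_SUFFIXES = (
    "symantec.com",
    "mcafee.com",
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
)

# The article notes that a normal hosts file has a single "localhost" entry.
EXPECTED_NAMES = {"localhost"}

# Constructed sample of a tampered hosts file (not captured from a real host).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       download.mcafee.com   # appended entry
0.0.0.0         windowsupdate.microsoft.com
192.0.2.10      intranet.example.test
not-an-address  something
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname); address is None for malformed lines."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, line  # first field is not an IP address
            continue
        # One line may map several names to the same address.
        for name in fields[1:]:
            yield line_no, addr, name.rstrip(".").lower()


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return findings for every entry except the expected localhost mapping."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr is None:
            severity = "malformed"
        elif name in EXPECTED_NAMES and addr.is_loopback:
            continue  # the normal entry
        elif is_watched(name):
            # Loopback or 0.0.0.0 makes the site unreachable; any other
            # address sends the name to a different machine.
            sinkholed = addr.is_loopback or addr.is_unspecified
            severity = "blocked" if sinkholed else "redirected"
        else:
            severity = "unexpected"
        findings.append({
            "line": line_no,
            "address": str(addr) if addr else None,
            "host": name,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    # Pass the hosts file path as the only argument; with no argument the
    # embedded constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['severity']:<10} {f['host']} -> {f['address']}")
```

Any "blocked" or "redirected" finding for an anti-virus or update site matches the symptom described in the update above; "unexpected" entries deserve a look but may be legitimate local additions.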

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B and Bobax, both of which have removal instructions up on the Symantec Anti-Virus site.

Article C1936 - May 8, 2004

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

290 Comments
Anonymous
May 16, 2004 3:28 AM

Have XP Professional. Every time I want to open an application, Outlook Express/Word document/PDF doc etc., the computer is stuck. The CPU usage is 100%.

thank you
david

Leo
May 16, 2004 4:29 PM

Have you tried the spyware and antivirus scanning suggestions? Are you using a firewall?

Karn
May 17, 2004 4:29 PM

HEY, where do I find a patch to get rid of the Sasser virus (lsass.exe)??? What is the website???

THANXXXXXXXXXX

Leo
May 17, 2004 4:32 PM

Visit the Microsoft site listed in the article.

elton
May 17, 2004 6:52 PM

that helped! thanks!

Tom Tarrant
May 18, 2004 5:57 AM

Just found that my wife's PC seems to be infected as you describe... reboots in 60 seconds etc., references to Lsass.exe. Unfortunately tried the 'shutdown -a' command but it didn't work, and machine still shut down in the middle of running an on-line virus-check. Does this sound like a new Sasser variant... if so any more clues?

Leo
May 18, 2004 8:23 AM

What happens when you try "shutdown -a"? Any messages?

Eoghan
May 18, 2004 8:29 AM

When I open Task Manager, the list of processes does not show. It is just a grey blank and I cannot check what processes are running. Do you have any ideas?

Leo
May 18, 2004 8:32 AM

Hadn't heard that one before, it's new to me. Only suggestion I have is to try downloading sysinternals process explorer http://ask-leo.com/d-31017a and see if it will report the task list.

Eoghan
May 18, 2004 8:34 AM

Thanks for the suggestion but when I clicked on that link my internet just closed down.

ivy
May 18, 2004 8:38 AM

I know I have that Sasser worm because it is just as you describe... an error message comes up about lsass.exe and shuts down in 60 seconds. However when I run the Sasser remover tool, it says my computer is NOT infected with the Sasser virus. What do I do now?

Leo
May 18, 2004 8:40 AM

Here's the direct link: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml - it sounds like you've probably got some kind of corruption going on, possibly a virus. I would immediately run a virus scan (making sure to update the virus definitions), a spyware scan (though that seems less likely with these symptoms), and possibly the System File Checker (http://ask-leo.com/archives/000074.html ). Good luck!

Eoghan
May 18, 2004 9:09 AM

Again when I clicked on the direct link for the Process Explorer my internet just closed down again. It seems to be when I try to reach a site to do with PC safety my browser closes down, and I cannot get to the Norton site to get an online virus check. Any ideas are greatly appreciated.

Leo
May 18, 2004 9:16 AM

As I expected. The article above talks about being able to reach some sites and not others, and how the virus can make that happen - and what to do. Look for the section that begins: "Update: Apparently the Sasser worm also modifies a configuration file ..." and follow the instructions there.

Eoghan
May 18, 2004 9:22 AM

I'm sorry for all the bother but I cannot find the section that you have recommended. Do you have a link or something to get me there?

Leo
May 18, 2004 9:33 AM

It should be on the same page as the page you're commenting on. http://ask-leo.com/archives/000114.html

Eoghan
May 18, 2004 9:34 AM

I have done what the update has said to do but when I open the hosts file there is no list of sites. It just has the localhost entry, but still I cannot get to any of the sites.

Leo
May 18, 2004 9:36 AM

EVERYONE: I just added an update to the article. There are Sasser variants running around that exploit the same vulnerability, may have similar symptoms, but won't be removed by Sasser removal tools. Check the updated article (http://ask-leo.com/archives/000114.html ) for links to Symantec's site where there is more information and removal instructions.

Leo
May 18, 2004 9:38 AM

Eoghan: I don't have a good answer for you, I'm afraid. Right now the only thing that comes to mind is to get anti-virus software and updates onto your computer using another computer and a floppy disk or CD-Rom. I know that's not an option for everyone. If I come up with more information I'll post it here.

Eoghan
May 18, 2004 9:40 AM

Thanks for all the help anyway Leo. I'll be back later to check for updates.

Kris
May 19, 2004 3:13 PM

OK, here's a slightly odd occurrence. Eoghan mentioned that their PC was shutting down anyway even after trying "shutdown -a". Well it seems my PC is infected with Sasser or a variant, and for some reason after copying 'lsass.exe' (from Windows\system32) to my desktop and running it from there, it hasn't since terminated, nor has my PC been forced to restart. Try that Eoghan, I have no idea if it is a fluke, but I guess it is worth a try.

william
May 19, 2004 4:01 PM

So Leo,

everything seems to be fine, but do I need lsass.exe for Windows XP to operate or is this part of a potential problem?

thanks

Leo
May 19, 2004 4:13 PM

LSASS.EXE is a required system component. The viruses just happen to cause problems that are reported as having happened in LSASS.EXE.

Eoghan
May 20, 2004 4:26 AM

Just out of curiosity: does the Sasser bug affect the disk defragmenter? Because after I got the bug off my PC I tried to defragment but nothing happens when I try to run it. Any ideas for this one?

Leo
May 20, 2004 8:41 AM

I've not heard any reports of the defragmenter being affected. If you're running XP, it might be worth running the system file checker http://ask-leo.com/archives/000074.html

Beverly
May 20, 2004 9:05 AM

Leo:
I have the same problem. Have every problem associated with the Sasser virus, but when I scan or run the removal tool it finds nothing. I have updated my Norton AntiVirus up to May 19. Could there be another virus? I've also checked for the Kibuv-B and Bobax, but they are not on the computer either. I even went as far as to check for the Blaster worm, because I know it will start a computer shutdown too. I've had no luck. Please help!!
Beverly

Leo
May 20, 2004 9:11 AM

Well, it's certainly possible that you're on the leading edge :-(. I just checked the Symantec website and just yesterday they posted another variant of Bobax. http://ask-leo.com/d-symantecavc - Not sure if the Norton definitions are up to that or not yet. Definitely make sure that you're patched so you avoid any new variants as well.

Beverly
May 20, 2004 9:20 AM

Well according to Symantec the updates for this virus are on the 19, so I am covered there. I'm actually working on my boss's computer (he's had this for a week) and I made sure that I updated and got the patch from Windows. I've tried everything I can think of. If you have any ideas I would greatly appreciate it. (think I've got to the point of tearing out my hair hehehe)

Steve Elsner
May 24, 2004 7:56 AM

I have been having problems with Outlook Express. When downloading e-mail, I get a McAfee alert that a virus has been detected and deleted (exploit-objectdata). Outlook then times out. When I quit and restart, I get the same message. If I go to Yahoo.com and download my email, all goes well. I delete all of the spam files then log on to Outlook Express and can access my files again.

I am also having problems sending files with attachments. Outlook times out and the file is not sent.

I am using McAfee firewall and virus scan.

Leo
May 24, 2004 9:18 AM

To me it really sounds like McAfee is interfering with attachments, both coming and going. Is it the latest version? Can you send properly if it's turned off? I'd be very tempted to go to their support site on the web and see if they have anything on this.

jagadeesh
May 25, 2004 5:45 AM

my computer is automatically shutdown problem

basically when i have connected my internet explorer or my outlook express that time my computer is automatically shutdown the problem is sasser virus problem how to remove that virus tell me that solved problem

Domenico
May 25, 2004 7:14 AM

HI GUYZ,

OMG HELP!! LOL!!!!

I'm an idiot, so save your breath, lol. I have found the last week to be very entertaining indeed. It all occurred on the 18th of May. I got hit by Sasser... Well, I didn't have a virus scanner and that is because I had just recently acquired this computer from my mum (don't laugh) and it was the first time I had connected to the internet from it. Bad timing I guess...

So you're probably wondering why I'm rambling on and when I'm gonna get to the point, right? Well, after a tremendous and epic battle with 5 viruses on my computer I have not yet succeeded in banishing these critters from my computer!! LOL, I'm having fun but I definitely would like a bit of advice if there is any to be given.

The viruses I have after a week of fighting are:

Bobax.A
Ronoper.U

I'm not sure if I still have the Sasser virus; I happened to have had 2 different strains, both the Sasser.C and the Sasser.E. I have run Symantec's "W32.Sasser.Worm Fix Tool" and it has not found them. I know I still have both Bobax.A and Ronoper.U viruses as I have installed "AVG 6.0 Anti-Virus System" which does not run but it has a scan shell of some sort which warns me of the presence of these 2 viruses.

I can't install the Microsoft Security Update as I cannot run it. I cannot run registry either. I have tried just about all avenues that I know of and have had no results.

So, any tips?

:-)

Domen

Leo
May 25, 2004 8:29 AM

Jagadeesh: Please read the full article. http://ask-leo.com/archives/000114.html

Leo
May 25, 2004 9:27 AM

Domen: well, have you followed all the steps in the article, including the firewall? That should help prevent further infections of this sort. Next, I'd keep hitting the Symantec site and search for those specific viruses by name ... even when the scanner doesn't fix 'em, they almost always include manual "how to remove" steps for each specific virus.

Good luck!

Ming
May 25, 2004 2:40 PM

Right now, in addition to Sasser I also got something that seems even worse... it will kill most fixes that I am trying to apply to my XP Pro system! When I tried to install XP SP1, or Sasser fix, the pop-up dialog will get killed, so that I cannot apply the fix or SP1... some fixes go through, but most will get killed... anyone know what to do to fix this? I upgraded from XP Home to XP Pro, didn't help... I re-installed the MS installer, didn't help either... PLEASE HELP.

Leo
May 25, 2004 3:31 PM

Have you run virus and spyware checks? Do you have another machine you can use to get the latest virus signatures down? That'd be my approach ... try a couple of different anti-virus programs with the absolute latest signatures. Recommendations: http://recommend.pugetsoundsoftware.com . Given that you seem to have multiple problems, that seems the most effective bet.

elina
May 25, 2004 11:33 PM

There are processes "dirote.exe", "dorod.exe" appearing in my Win2000 Professional PC. I know it's the Troj virus and searched the website all, but still do not know what's the effective way to clean the virus? Is it only the "Sophos Anti-Virus" that can do so? I did not use such software before, please give me more advice, thanks more!!!

Leo
May 26, 2004 8:22 AM

Sophos is certainly a fine package, though I don't know if it's the only one that can deal with this specific virus. Regardless, using SOME kind of anti-virus software is the right thing to do. If the Sophos web site has information on that specific virus, then I'd certainly suggest downloading and using their virus scanner. And then continue to scan regularly to avoid future infections.

Eric
May 27, 2004 3:01 AM

Hey, if you're not trusting your own AV, there's always online scans, such as the one at Trend Micro (though you need to use IE for it... one of the few things I use it for instead of Mozilla.)

You may also (for future use) want to go to Microsoft's website and get their update CD - they shipped it to me, free of charge (along with Computer Associates' AV and firewall package, which I don't use - I'm happy with AVG Antivirus and Zonealarm.)

Good Luck...

Gabriel Stoica
May 27, 2004 8:31 AM

Thank you very much for your help about Sasser virus

Domenico
May 27, 2004 5:15 PM

Hi Leo,

Well, I'm still trying!! I got a big break when I downloaded SpyBot!! I scanned my HD which only took about 2hrs and it's found 52 files of which it couldn't delete 2 of them. One of them is the bridge.dll which I'm pretty sure is the Ronoper.U virus doing its bad deeds. Now, I cannot find anything on the net that can help me rid myself of this pest!! The only thing is on Symantec but it means I have to buy it, please tell me there is another way! I'm a student, or soon to be, and I'm real short of cash!! lol. I will keep you up to date :-)

Thank you so much for the help you have given me so far, even if it hasn't worked yet, I'm sure it will soon.


Domen

Leo
May 27, 2004 7:27 PM

You might visit Computer Cops (http://ask-leo.com/d-compcops ) or the forums over at Spyware Info (http://ask-leo.com/d-spywareforums ) - they'll probably ask you to run something called "HiJackThis" (http://ask-leo.com/d-hjt ) which creates a report that they can analyze and give you specific steps to take.

Good luck!

Domenico
May 28, 2004 9:14 AM

Hi Leo,

I'm still battling away although I have a feeling I am approaching the light. I found HijackThis before I posted on here but it would not run. I have tried it again and now it runs for about 4sec before disappearing into thin air, enough time for me to create a log. I will keep you up to date with how I'm going. This might be the break I was looking for.

Thanks heaps for your help, even though I don't like crying victory before I'm in the clear.

:-)


Domen

Sheik
May 28, 2004 5:56 PM

Hi Leo

I recently installed Windows XP Prof in my laptop and I bought McAfee internet security software (Virus Scanner/Firewall/Privacy Protection/SpamKiller) and installed in my laptop and when I connected to the internet using a DSL my system is going crazy. After five minutes in the internet the name in the start button "START" will disappear and that's it, I am unable to do anything. I have to hard boot my system and restart to work for five minutes in the internet and again boom it's gone. What should I do? I first thought it's a Sasser virus so I downloaded Norton AV in a different M/c (my friend's computer) and installed in my computer and scanned; it didn't detect any virus. I badly need help / suggestion. All my work is in that laptop and I am stuck now with no options.

Leo
May 30, 2004 4:39 PM

While I might not suspect Sasser, I think your instincts on a virus infection feel right on. I'd be tempted to try a virus scan with a different product as well. (Recommendations: http://recommend.pugetsoundsoftware.com ). There's an outside chance this could be caused by spyware, so check this article: http://ask-leo.com/archives/000131.html . And finally, if the machine will run long enough while not connected to a network, a System File Check might also be appropriate: http://ask-leo.com/archives/000074.html .

Good luck!

Craig
June 1, 2004 6:04 AM

Hi Leo
I recently found a company laptop which kept attempting a dial up connection.
After hunting around a bit I found a program called 'wave eggs.exe'.
I managed to get rid of it, but couldn't find anything on the net about it.
Have you encountered it before and how can I protect against it?
Thanks

Leo
June 1, 2004 9:50 AM

I just addressed that in a new post: http://ask-leo.com/archives/000154.html

Anjum Khan
June 1, 2004 12:10 PM

Hey,
I am infected with the virus lsass.exe, it restarts the computer continuously.
I don't know how to cure myself from that. Please help me, I can't connect to the internet, because as I connect, in the very next 15 minutes it restarts. Please help me.
regards
Anjum

Leo
June 1, 2004 4:15 PM

You need to read the full article here. All the information I currently have is in it.

Frank
June 4, 2004 6:46 AM

Hi Leo,

I got the LSASS.exe infected on my computer (running Windows 2000). When I saw the error message, I renamed the "lsass.exe" to "lsass_old.exe". Now, I can't start my computer (not even in safe mode). The HD is in "NTFS" format, is there any way I can rename the file back and follow the right path to clean the virus?

Thanks,
Frank

Leo
June 4, 2004 10:12 AM

If you made a recovery disk when you installed your OS (or if a recovery disk came with the system), you should be able to boot from that and rename the file.

You might also be able to create a bootable floppy that supports reading NTFS - one such example: http://ask-leo.com/d-ntfsboot - I've never used such a beastie, but it should get you access to the partition long enough for you to rename your lsass.exe back and reboot from the hard drive.

Let me know how it goes...

Clint Heintzelman
June 7, 2004 7:48 AM

I am not sure if LSASS is infected or not! My monitoring system merely tells me (on boot up) that LSASS has changed since the last time I booted and wants to access the internet. I continually answer no, but wonder now if it's a problem. Really want to know how to stop it from changing and how to get rid of this continually asking to access internet.

Leo
June 7, 2004 10:00 AM

My first reaction would be to run the system file checker (http://ask-leo.com/archives/000074.html ) and see if it will repair lsass.exe for you.

Charlie
June 7, 2004 12:34 PM

Lsass.exe: This is definitely the nastiest piece of work I've come across in the last decade. Absolutely nothing I do gets rid of it.
You can reformat in NTFS or FAT32, use Fdisk /MBR,
install Win ME and then revert back to XP with FAT32... enter with a boot disk and delete the file... and what happens? No reboot... so it's reformat, reinstall, and everything is back to square one again. You can try any virus scanner available: Symantec, AVG, HouseCall, the Microsoft tools. They don't even recognise it. This thing was developed to make XP obsolete and as far as I'm concerned it's gonna succeed. I'm going back to ME, won't even consider getting a new hard disk. This thing sits somewhere else.

hary
June 7, 2004 12:42 PM

My Win2k (Prof.) system had a problem of the sort: it removed the dialup networking connection automatically and while I tried to add a new connection it says that the connection name is invalid (it's not accepting any name). Hence I applied SP4... this started giving me more trouble. Now I can't start my PC. It boots well and comes almost near to the login screen and suddenly reboots. I tried to boot it in safe mode and in debug mode... still it's not allowing me to boot the system. Pl. help me to solve this problem.

Harry

Leo
June 7, 2004 1:08 PM

Charlie: remember that LSASS.EXE is, in fact, a *required system component*. You can't just "get rid of it". What you can do is disinfect your system from the viruses that manifest as LSASS.EXE errors, and protect yourself from further attacks, all as outlined in the accompanying article.

But I definitely agree that this particular vulnerability, and the viruses that are attacking, are some of the nastiest we've seen to date.

Leo
June 7, 2004 1:14 PM

Harry: the best I can offer at this point is that you'll need to boot from a floppy or CD, possibly your recovery floppies if you made them, and then run a virus scan on the machine. You *may* need to reinstall Win2k and SP4 to fully recover. You should do all this either not connected to the Internet, or *after* having installed a firewall to protect you from vulnerabilities while you are scanning/reinstalling.

Stacia
June 7, 2004 4:37 PM

Leo, you have brought my sanity back, I bought a new laptop over the weekend, and that day got infected, this thing is rife! I followed your steps and now I seem clear. I'm not at all technical, but you showed me the way - respect! Good Luck to all the rest, Leo's the one!
Thank you

Stacia

Beau
June 7, 2004 5:31 PM

Mr. Leo... My computer definitely has this bug you speak of... I was soooooo relieved to see that it wasn't just me being a complete idiot, and was so happy that this site shows me what I can do. I am downloading the q317636i.exe file thingy. My computer also has a few more problems. Not just lsass.exe but I was having trouble with my Internet Explorer, iexplore.exe, which seems to have miraculously ended, because I have been connected to Explorer much longer than it would let me. I also get an error with this file, something like ftupd.exe or something. When I was completely clueless of what the problem was, I did the system recovery (I have no disk) and now I cannot install my Symantec firewall. I am sure this is a bad thing. What would you recommend that I do? Is my Norton anti-virus running properly? It seems to be but when I scan it finds nothing. Although it has said that it caught this threat: w32.spybot.worm or something very close to that. Please help my situation

Leo
June 7, 2004 7:19 PM

My guess is you are infected with something. My first place to look would be the hosts file I mention in the article. If it's there and full of the addresses of lots of anti-virus sites, that's what's preventing you from accessing those sites. I'd rename it, reboot, and see if you can get the latest set of virus definitions downloaded. As an alternative, you can try some of the alternative on-line virus checkers I mention in my recommendations pages: http://recommend.pugetsoundsoftware.com

Good luck!

Beau
June 7, 2004 8:24 PM

Thank you for all the links to anti-viruses and all that, it will be helpful. I attempted to check the hosts file, I found it, but I cannot open it. A message says it can't open it, because it doesn't know what created it, so it says it can go online and check, and I get a page cannot be found, it tries to go to HTTP 400 - Bad Request - Microsoft Internet Explorer... I was very convinced it was this Sasser thing that I've got, but I've probably got a whole collection... I'll start with trying the download for the Sasser worm. If problems continue I'll move on from there... Well... thanks again - Beau

Leo
June 7, 2004 8:57 PM

Instead of double clicking on the hosts file, run notepad, and then use File, Open to open the file directly. That should let you see what's inside.

Carl Ingalls
June 9, 2004 6:37 AM

Sometimes when I connect to the Internet (dialup), my McAfee firewall alerts me that the program LSASS.EXE has changed since the last time it accessed the Internet. I do not seem to have any of the symptoms of Sasser, and the file "C:\windows\system32\drivers\etc\hosts" does not exist. Should I allow LSASS.EXE to connect to the Internet whenever it asks? I am running Win2K.

Also, a separate question. May I place a link to your website on mine?

Leo
June 9, 2004 9:10 AM

I'm suspicious about your LSASS issue. You may be infected with something - perhaps not Sasser, but similar. I'd make very sure that you're running an up to date virus scanner regularly. I would not let lsass connect out - I'm not aware of any reason that it should.

And yes, thanks for any link!

Gary Wade
June 9, 2004 12:47 PM

Leo,
When I type in the "\windows\system32\drivers\etc\HOSTS" my computer only goes to the etc part and does not have a "HOSTS"??

What does this mean? Has the hole already been patched by my automatic updates? If the file HOSTS is missing is it a problem? I don't think I have Sasser because I have never had the rebooting problem but was just going to fix it so I don't get it. Then try and figure out how to turn on the firewall in my XP. I have a Dell Dimension 2400 series.

Is it a bad thing that the HOSTS doesn't exist?
Hope I have given you enough info??

Thanks
Gary Wade

Leo
June 9, 2004 4:10 PM

While a lack of "hosts" is unusual, it shouldn't in itself cause a problem. Basically I'd simply double check, probably in a command prompt, by going to that directory and looking. Since I don't know *where* you're typing the filename, I don't know that it's really telling you that the file doesn't exist.

lily
June 9, 2004 4:32 PM

I have had the worst time with viruses lately. I have removed the Sasser worm 3X and had a Sdbot worm and have the Bobax worm. I used Trend Micro HouseCall to delete these files. My Norton anti-virus protection is somehow disabled and I cannot access it for very long and it closes shortly after opening it. It is no longer on my desktop tool bar (bottom right hand corner near the time) and it indicates in the Norton for the few seconds I can open it that my email scan is in error. It will only stay open for a few seconds. I have removed and reinstalled this program twice and have two firewalls in place now. I am using the HouseCall trial protection for now but I want my Norton back.
Any suggestions? And I want to check my registry so I don't reinfect the PC each time, any help?

Tim Nelson
June 10, 2004 9:34 PM

Hello. I don't know what is wrong with my computer. I cannot do basically anything on it anymore, so I am using a different one for now. Every time I log on, it waits a few seconds, then does the 60 second shut down thing. I downloaded the fxsasser.exe tool from the Symantec site, but it said I didn't have Sasser. I also cannot scan my computer with Symantec, because whenever I press "scan", the application blows up. I went into the hosts file mentioned above, and there was only the one normal entry. I would appreciate any help. Thanks

Leo
June 10, 2004 9:45 PM

It certainly sounds like you're infected with one of the related viruses. I'd perform as many of the steps as you can from this article, and also run a system file checker (http://ask-leo.com/archives/000074.html ). You may need to disconnect from the network, and possibly boot into safe mode or from a floppy or CD in order to run a virus check on your system.

zeeshan
June 11, 2004 2:31 AM

How to remove Sasser virus/worm in computer? Please tell me.

Jana
June 11, 2004 1:13 PM

I have the lsass.exe worm and I am trying to remove it but every website I go to and use their virus removal tool says I am not infected. HELP

jasmin
June 14, 2004 5:40 AM

Dear Jana

lsass.exe is no worm, no virus and no trojan. It's a file from Microsoft for managing the system rights.
Either it's Sober:
http://www.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html

or it's Lovegate:
http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.hllw.lovgate@mm.html

If someone knows something else that it could be, please mail me!

Leo
June 14, 2004 8:53 AM

You're correct Jasmin, LSASS.EXE is a part of Windows - it's a required system file that happens to show up in the error message when you are infected with any of a number of different viruses. You list two, there's also Sasser and several others. The best thing to do is to keep your virus signatures up to date, run virus scans periodically, and even scan with a second AV program from time to time. And of course follow the other steps in the article.

dan
June 14, 2004 12:25 PM

is it possible to include a small SASSER fix on this website?

Leo
June 14, 2004 12:26 PM

I've provided pointers to the fix in the article.

brice
June 14, 2004 1:19 PM

I was wondering if totally wiping your hard drive and reinstalling XP Pro will get rid of the Sasser virus? If it does, will previous files I saved on a CD when I had the virus still be potential infectors?

Leo
June 14, 2004 5:51 PM

It depends on the files, but the short answer is probably yes. The safest thing to do is to run a virus scan on those files before you copy them back. And make sure that when you reinstall you're protected by a firewall so you don't immediately get the virus again over the net.

amalg
June 14, 2004 10:18 PM

I forgot my Windows 2000 Server administrator password.
How do I change my password, or do I reinstall it?

jasmin
June 15, 2004 11:10 PM

Can someone post a link with a list of possible viruses and trojans that use lsass.exe?

I am trying to find out which one my friend has. I tried Sasser, Blaster, Sober and Lovegate, but I didn't find the right one.

Leo
June 15, 2004 11:13 PM

There's not much point as the list changes almost daily. My recommendation is to use a virus scanner and it will report which one.

jasmin
June 16, 2004 2:29 AM

Thanks Leo, but the virus scan doesn't work.

I'll try another one. Hopefully it will find the right one.

ak
June 17, 2004 10:49 PM

I have a problem with my computer: it is shutting off after one minute and a message comes up, "lsass.exe"; some writing is there also.

Leo
June 17, 2004 10:55 PM

Yes, you should follow the instructions in the article.

Chris
June 18, 2004 2:14 AM

Hey Leo, similar to Sasser, I get an error lsass.exe-system error, invalid parameter etc... but my comp shuts down immediately. Plus I was running Windows XP repair/blanket install, so it's permanently stuck at the installation splash screen. Any ideas? Thanks.

brice
June 18, 2004 9:22 AM

Hey Leo, if you are completely updated with Norton AntiVirus and scan your hard drive, should it detect the Sasser virus? I am completely updated but I originally installed Norton 2002. Also I am experiencing another problem. At some point a system file called svchost.exe starts to sap my CPU, usually taking as much of the processing power as it can, and my other programs run like molasses. If I end the process it will display the shutdown in 60 seconds window. If I run shutdown -a it will stop, but the Task Manager items retain their user identity instead of reverting to unknown, and I regain my CPU power. Is this the Sasser virus?

Jen
June 18, 2004 12:19 PM

Hi, I am not sure what I have and how to get rid of it. I get a pop up box when my PC is booting that says "Lsass.exe" at the top in the blue bar and then in the box itself it says "Item not found". I get this before my PC fully boots so I am not able to go to my start menu or anything. Best I can do is hit F1 and go into setup. Is there anything under setup I can do to stop this from happening so my PC will fully boot?

Leo
June 18, 2004 4:43 PM

Chris: I'd try booting in safe mode to see if it'll get further, but ultimately I think you're going to have to boot from a floppy or CD so you can run an AV scan and repair your system.

Leo
June 18, 2004 4:46 PM

Brice: yes and no. The problem is that new variants are coming out every day, and the AV software manufacturers are constantly playing catch-up. Definitely keep your virus signatures up to date - I check for new virus definitions daily. The SVCHOST issue also sounds like yet another virus - http://ask-leo.com/archives/000105.html

Leo
June 18, 2004 4:48 PM

Jen: if it's the setup I think it is, no. You're in the same boat as Chris - you'll need to boot from floppy or CD-ROM to repair your system. Perhaps even reinstalling it will be necessary. Be sure that a firewall is in place before you connect to the network to avoid getting immediately reinfected.

Daniel
June 19, 2004 11:14 PM

I got the Sasser virus, but I had no idea what it was. I cut the lass.exe file (removed it from Windows) and pasted it on my desktop. I restarted the computer, but now it won't go at all. All I get is a black screen and the cursor works and that's it. What can I do to solve this problem?

Leo
June 20, 2004 9:55 AM

You can't delete LSASS.EXE. It's a required system file. (http://ask-leo.com/archives/000140.html ). You'll need to use the recovery console to copy it back to where it belongs. This article touches on that: http://ask-leo.com/archives/000253.html

shane
June 21, 2004 12:02 AM

Thanks for the heads up, but I have the virus in my PC right now. But this virus is just making me reboot. I don't know a lot about PCs.

That (start -a) worked for me and I thank you for that, but I don't know how to kill this virus.
Or I just didn't get what you said, sorry about that. Can you help me? One more thing: you were saying there's a way to save my PC from viruses like that. Can you tell me again how to do that?

Thank You!^-^

Leo
June 21, 2004 9:44 AM

Hi Shane: did you read the full article? http://ask-leo.com/archives/000114.html It's a step by step answer to your question. If you can be specific about what parts of it confused you I'll try to clarify.

John Buettner
June 21, 2004 4:23 PM

Leo, in the version I have, the command is: shutdown /A
not: shutdown -a
which just shuts down the workstation.

John

Billy
June 21, 2004 9:33 PM

During the start up of windows (status bar at 100%) and the login screen popping up, I got a message that said my computer will shut down in 40secs because of lsass.exe.

I ran the removal tool and no Sasser worm was found. I looked at my registry under Windows/CurrentVersion/Run and found no sign of Sasser.

Am I infected with the sasser worm?

Also, during Windows loading up and the Login Screen, is my computer vulnerable? For example, can people hack into my computer, or can viruses and worms attack my computer during the Login Screen (before I log in)?

Thanks

Leo
June 21, 2004 10:32 PM

You're probably infected with one of the variants that the article talks about. Standard advice: make sure you have an up-to-date virus program, with up-to-date virus definitions, and scan.

And to answer your question: YES the vulnerability that sasser and related viruses take advantage of does NOT require you to be logged in. That's why I've been continually recommending the use of a firewall, such as a NAT router or XP's built in firewall. Either of those will block this vulnerability.

Billy
June 21, 2004 10:42 PM

Leo,

The crash only happened once. How can I be sure that I am infected with sasser worm?

I ran the Symantec and Microsoft removal tools and found no Sasser worm. I went through the registry and found no sign of the Sasser worm.

I do have the ZoneAlarm firewall, is that not enough?

Thanks

Leo
June 21, 2004 10:55 PM

I'm not talking about Sasser-specific removal tools - I mean that you should run a full Anti-virus scanner that looks for all viruses and removes, or at least alerts you to the ones you may have. It may not be Sasser that you have - there are several viruses now that have similar symptoms. That's why you want an AV package that looks for many viruses. I have recommendations here - http://recommend.pugetsoundsoftware.com

And if it only happened once, you may not be infected at all.

I *believe* zonealarm will protect you before logging in.

Mandar
June 22, 2004 4:21 AM

I have OS Windows 2000 & whenever I connect to the internet my system reboots again & again

Trin
June 22, 2004 6:16 AM

Thanks for the great info you have here. I am receiving the LSASS error and thought it was Sasser, but the removal tool said I didn't have it. I checked the hosts file in system32 and everything's fine there, but I cannot sign into Hotmail, and I've been having problems with an exponentially slow dialup; after 40 seconds of connecting to the internet, it completely stops. I cannot find what, if anything, is taking my bandwidth. Because I can't sign into Hotmail, I can't continue to download Norton AntiVirus. What antivirus software do you suggest I download, and does this just sound like a Sasser variant, or more than 1 virus? The registry looks fine under "run once.. run hidden etc".

David Martinez
June 22, 2004 7:27 AM

I have Yahoo DSL and have located the lsass.exe. I am having issues connecting to the internet. I reset my modem and it connects for a short time, then disconnects. I have updated my virus scan and ran it. I was wondering if this is virus related?

Leo
June 22, 2004 8:58 AM

Mandar: have you followed the instructions in the article?

Leo
June 22, 2004 9:01 AM

Trin: Your best bet is to get an Anti-Virus product and current definitions on a CD-Rom - then disconnect your machine from the internet and run the scan. Any of the major scanners should do, but if you're burning a CD-ROM, I'd go ahead and put two on there, and run them both, each in turn. Recommendations here: http://ask-leo.com/d-recommend

Leo
June 22, 2004 9:04 AM

David: it's hard to say. It could be any of a number of things. When you say "located the lsass.exe" what do you mean? It's a valid system file on every Windows XP machine, so its presence does not mean anything.

JoeM
June 22, 2004 2:40 PM

Hi all,
I have up-to-date Zone-Alarm, and got the signs of the SASSER virus, but it never got to do its nasty thing.
There was an instance of something like "Lsass (Export Version)" but it asked me if I wanted it to talk to the outside world: Fortunately being a wary kind of guy I said no, and disaster was averted.
Do what Leo says, keep your AV software BANG UP TO DATE! Yes, a software firewall will help and give a certain peace of mind, but it may not be bombproof.
If you run a tight ship, you'll be the least likely to get stung.
JoeM

Tellerian Hawke
June 23, 2004 10:39 AM

I have Norton Personal Firewall 2004. I got a message asking me if I wanted to let the program LSASS.EXE access the internet. It RECOMMENDED that I allow it to do so! Haha. But I said NO, and told it to block all attempts, because I was not sure what LSASS.EXE was. I am glad I did! But at least the firewall brought it to my attention. I feel a bit safer now.

kaveh
June 24, 2004 12:09 AM

Hi,
How do I delete "lsass" without anti virus?

rafi
June 24, 2004 2:16 AM

My PC is shutting down every 15 min. It is showing an error that Windows is going to shut down within 50 seconds; there is some error in lsass.exe. Please help me in this regard.

Leo
June 24, 2004 9:51 AM

Kaveh: you do NOT delete LSASS. It is a required system file. You need to identify which virus you have (sasser, or some other), and then remove that. The best approach is to use an anti-virus software package. Recommendations here: http://ask-leo.com/d-recommend

Leo
June 24, 2004 9:55 AM

Rafi: you need to read the full article you just added your comment to.

Clinton Heintzelman
June 24, 2004 2:01 PM

When my PC boots it tells me that LSASS has changed since the last time I used it. My firewall asks if I want to continue. Is this a sign that LSASS has been infected??

Leo
June 24, 2004 3:03 PM

It could be. Run a virus scan.

Bhavin
June 29, 2004 12:45 PM

hi,
My PC's been infected by Sasser and I deleted the lsass.exe file; now the PC won't boot in XP (I have a dual boot option). Kindly tell me if pasting the lsass.exe file from a friend's PC would solve the problem of booting, or do I have to install XP again?

Leo
June 29, 2004 8:17 PM

If that friend has the same version of Windows, yes, that should work.

brice
June 30, 2004 12:48 PM

Sorry, I don't think this is about the Sasser virus, but I have this system component called winsecurity.exe that starts when Windows does. It appears in my task manager and starts to sap all CPU power. I can end the task and get all my speed back, but the next time I reboot it appears again. Does anyone know what virus this is and how to stop it? Will it get worse? I am completely up to date with Norton but it doesn't seem to catch it. Help!

Leo
June 30, 2004 3:20 PM

Winsecurity.exe is evidently spyware/malware. You should run a spyware scan and that should clean it up. Recommendations for specific programs on my recommendations site: http://ask-leo.com/d-recommend

Togo
July 2, 2004 6:08 AM

I have a laptop (Acer) and at Windows startup I get the following alert (before even the box with the password and the user name): "lsass.exe" -system error. I have to press OK and the PC restarts, and so on. It is very probable that Sasser has overwritten the file lsass.exe.
Please help me: what can I do? I can't even start Windows completely, I can't access the menu, and I can't start safe mode either. Please help me.

Leo
July 2, 2004 8:53 AM

It typically means booting from floppy or CD to be able to correct the error. This article may help: http://ask-leo.com/archives/000253.html

Leo
July 2, 2004 10:02 AM

Nen: I'd double check your browser settings, perhaps run the system file checker and a spyware scan. If you can use messenger applications and were able to download the patch, then you *are* accessing the internet ... this looks more like a browser-specific issue.

Eric
July 2, 2004 2:47 PM

Emm, hi. I get no error on my PC, but in the task manager (Win XP) there are a lot of processes called 1-lssas.exe 2-lssas.exe 3-lsass.exe... and so on. I don't know if my PC is infected. What should I do?

Leo
July 2, 2004 2:51 PM

Get and run an up-to-date virus scanner. Recommendations here: http://ask-leo.com/d-recommend

Misty
July 14, 2004 12:53 PM

I am attempting to download the patch and use the removal tool, however shutdown -a does not stop the shutdown process on my system. I am running Windows 2000.

I get a message saying "Cannot find the file 'shutdown' (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

Thank you.

Leo
July 14, 2004 4:31 PM

Greg: some of the steps in this article may help: http://ask-leo.com/archives/000253.html

Leo
July 14, 2004 4:56 PM

Misty: this article http://ask-leo.com/archives/000003.html includes links to a tool called "psshutdown" that will do the same thing. Good luck!

Sami
July 15, 2004 7:18 AM

Hello, I believe I have Sasser or some variant. I have formatted my C drive and deleted all partitions several times, but as soon as I reinstall the operating system (Windows 2000 or XP) I get a reboot error within 60 secs and an error from lsass.exe. Also, as soon as I connect to the internet all bandwidth is used by something on my PC. It is incredible. I thought that a format C: would have got rid of this virus. Do you have any help for me? I have tried Norton, McAfee, Grisoft AVG and Avast antivirus and also Spybot; none of these detect my virus. I am desperate. Please help.

Thanks
Sami

Leo
July 15, 2004 9:08 AM

Are you on a LAN with other machines? If one of those is infected, then it could be that you're getting reinfected immediately upon connecting to your LAN. Physically unplug from the network and see if that allows you to get further.

John
July 17, 2004 7:58 PM

I keep getting the shutdown screen in 60 seconds when I am using a modem (only when I'm on the road - usually I'm on a network). Norton does not detect the presence of a virus of any sort. Can you help me?

John

Leo
July 17, 2004 8:00 PM

You're probably being attacked, and don't have the latest patches. Make sure windows is up to date, and if you're running Windows XP, enable the firewall when on the road.

Corné
July 18, 2004 11:20 AM

Hello, i had the same troubles, i love to spit in my machine and i found lsass.exe and dirote.exe, it was hard to delete it, i killed it with ewido security site, search it on Google, and look at your processes after you installed the freeware program, i tried also to rewrite the file dirote.exe after ewido found it in my registry and it succeeded, after that I had bought a Norton Internet Security installed and all my problems are now over...can i say with my fingers crossed, and when someone has questions email me, it works and i will help.

Greetings from the Netherlands.

Leo
July 18, 2004 11:40 AM

I'm used to reading English written by the Dutch, since my relatives are all in Holland ... but I hope that "i love to spit in my machine" means something other than it actually says. :-)

Leo (Notenboom - a very Dutch name :-)

Corné
July 18, 2004 11:43 AM

Oh Leo,

Yes, I see what you mean, pardon me. I love my machine, and sometimes with troubles I hate him, but I meant to say DIG, look around. Yes, and Leo is a really Dutch name, so I hope my info was interesting enough. Bye, and in Dutch,

Een hele goedenavond en tot ziens !!

Alex G.
July 19, 2004 3:46 AM

I have just installed WinXP and the first thing that troubled me is this lsass.exe it forces me to reboot in 60 secs. What will i do? Will the security update solve this problem? Also the svchost, it eats a lot of my cpu power when I stay online for a while, what shall I do with this?
Thanks for taking time reading this problem.
Alex

Leo
July 19, 2004 8:59 AM

Yes, you need to follow the steps in this article, including the one about the firewall. If, after that, svchost remains a concern, this article may help: http://ask-leo.com/archives/000105.html

matt
July 20, 2004 4:23 PM

I also get the lsass.exe error. It either gets to the Windows loading screen, then 3 seconds later the blue screen of death and the computer restarts, OR it gets to the Windows startup screen and says something about I/O and registry files. I also cannot get into safe mode at all to download the Microsoft patch/fix. I was able to do that with my other computer on my network, and everything worked again. I am now trying to use it as a slave w/ another hard drive as my main drive, and it won't even read from the drive. It detects it in BIOS and in Windows, but all it does is automatically ask me if I want to format it and that is it. Lastly, I also tried fixmbr bootcfg/rebuild and chkdsk drive /r in the recovery console but neither of those worked. I'm basically at the last straw here, but I know it can be an easy fix if I can just get into Windows or safe mode somehow. Can you help?!?

Kevin
July 20, 2004 5:57 PM

I have had this problem for a while now. And thanks to you guys I have just figured out a way to get rid of it. BUT..... I have reformatted 2 times since I got this "virus". Is it possible that this virus stays on the HD even after I reformat? Because that's what happened to me.
The virus stayed on my HD and in my comp even though I reformatted :S. Can someone tell me why this happens, or does Sasser always do that? Please email me or whatever.

Kevin
July 20, 2004 5:59 PM

errr sorry my email address is mrbutt_cheeks@hotmail.com

Leo
July 20, 2004 8:32 PM

Usually that means you're getting reinfected immediately on reconnect to the network. Get behind a firewall.

And to answer your question ... no, viruses do not survive a format of your system drive.

raghu
July 23, 2004 10:40 AM

Hi. How can I solve this problem? I am not getting the removal tool.

Leo
July 23, 2004 2:01 PM

Did you follow the instructions in the article?

m
July 25, 2004 10:25 AM

thanks for the very straightforward directions. unfortunately i am unable to abort shutdown with 'shutdown -a'. any advice??

Leo
July 25, 2004 11:00 AM

m: what happens when you use "shutdown -a" ? Any error messages? Nothing? Looks like it works but nothing happens? I need some details to try and help you :-).

Lalo
July 25, 2004 1:51 PM

My computer showed those symptoms a few days ago just after I reformatted so I hadn't even installed my antivirus. By the time I needed to use yahoo messenger so I installed it first and the problem showed up when I was connected, now I have reformatted again and even after my norton antivirus was up-to-date, problem showed up again. I was using the same yahoo id, so is there a way I can be 'recognized' by someone even though they're supposed not to see me connected so my computer was reinfected deliberately?

Leo
July 25, 2004 3:04 PM

This virus spreads from computer to computer automatically. So it's possible to get reinfected within minutes of simply connecting to the internet. That's why the article talks about using a firewall. A firewall will protect you from that immediate reinfection. Then you can go about updating and patching your system appropriately.

JAHANGIR KHAN
July 27, 2004 7:39 AM

I need its solution. How do I download the patch file for this error?

Leo
July 27, 2004 8:38 AM

Nidhi: yes, you can copy lsass.exe from another instance of the same version of Windows XP. Lavasoft's AdAware is a fine product - I typically recommend it and Spybot Search & Destroy. (http://ask-leo.com/d-recommend )

Leo
July 27, 2004 8:40 AM

JAHANGIR: the instructions you're looking for are in the article above these comments.

Nate
July 27, 2004 3:06 PM

I just got a notification from Norton Internet Security telling me that a remote computer (IP 81.178.255.205) was attempting to open 'lsass.exe'. It was recommended by NIS to allow, so I did, not knowing this was possibly related to the virus. Am I infected? Virus Scan says no, but can this be a coincidence?

Leo
July 27, 2004 9:39 PM

I'd simply make sure to keep your virus scanning database up to date, and scan regularly. It's hard to say whether you've been infected or not, so I'd simply stay extra cautious for a bit.

Mike
July 28, 2004 6:33 AM

After updating Windows XP and then scanning and cleaning a computer with several viruses, including the Sasser Worm and Blaster Worm, I have lost the Ctrl+Alt+Del task manager function. Also I can't access msconfig or regedit from the Run command anymore. What has been knocked out and how can I fix it? Help!!!

Thanks

Leo
July 28, 2004 7:00 PM

Almost impossible to say - it could be many things. I'd start with a System File Check: http://ask-leo.com/archives/000074.html

i am infected
August 4, 2004 6:41 PM

my computer doesn't restart

Leo
August 4, 2004 6:45 PM

I'd send you to this article to start regaining control of your computer: http://ask-leo.com/archives/000253.html

Good luck!

yuriy
August 25, 2004 2:21 PM

First thing I noticed is on startup, a popup that says: you or a program is trying to access www. .ru (forgot the name of the site but the site doesn't exist). Then after a few days the computer started automatically connecting to the internet without my authorization, and if I hit cancel it does it again in a few minutes. I tried Ad-aware and 4 other similar programs to detect it but couldn't detect any spyware. Also I noticed these new processes: the lsass.exe and the alg.exe, and it doesn't let me terminate the lsass.exe, saying that: "This is a critical system process. Task Manager cannot end this process."

any suggestions? I need help

Leo
August 25, 2004 2:24 PM

Are you up to date on running virus scans? Sounds like a virus. As this article points out, lsass.exe IS a required system component.

richard
August 27, 2004 9:12 AM

nbtstat -R reloads the netbios name cache, not the DNS cache, which is what will stop resolution of web sites.

ipconfig /flushdns is the command you'll want.

hiral
August 31, 2004 3:38 AM

I have just got the error message of the lsass.exe file and it will reboot after 60 seconds. I tried a lot and I had to make changes in the Active Directory Sites and Services option, and there it shows the replication time, and I have changed replication. I didn't get any solution for that. Please give me a solution for that. Just one dialogue box appears and it restarts, and from Run, if I give the command shutdown -a, it is not working in the Windows 2000 Server operating system with a domain.
Please kindly inform me of the solution to these. First it restarted within 15 to 20 minutes, but now it restarts after 1 and a half days.

bye....
hiral
URL Software Pvt. Ltd.

Leo
August 31, 2004 8:40 AM

The article you just commented on has the most up to date information. Be sure you follow all steps.

Jes
August 31, 2004 12:12 PM

the command shutdown -a doesn't work on my system ...

Leo
August 31, 2004 12:19 PM

Not found or runs but doesn't shut down?

Jon
September 2, 2004 5:34 AM

Hi Leo

I think I am free of the sasser exploit virus but I am not sure. I have a pc with xp professional and a search shows that I have lsass.exe in the following two places locations:
[1] c:\windows\system32\lsass.exe - (size 12K type: application)
[2] c:\windows\servicepackfiles\i386\lsass.exe - (size:12 type: application)

On my Laptop with xp home edition, I also have lsass.exe and LSASS.EXE in the following locations:
[1] c:\I386\LSASS.EXE - (size: 9k type: EX_file)
[2] c:\windows\system32\lsass.exe - (size: 12k type: application)

I looked at the host file on my laptop but only saw one line in it for the localhost and it's relevant IP.

My problem is I got internet security pro. 2004 and sygate pro firewall, but time and time again I get a message from sygate firewall saying it has blocked a buffer overflow attempt on LSASS.EXE.

I am concerned that I may have the virus and not know about it. I did a scan yesterday and all seems well. I also updated the KB835732 hotfix, but I read on the web that LSASS.EXE and lsass.exe are two different files and the capitalised version is a suspect. In other words:
lsass.exe is innocent
LSASS.EXE could be a suspicious file, given the fact that it doesn't reside within the windows/system directory??

Can you shed any light on this?

Jon
September 2, 2004 5:58 AM

Some good links for Leo and everyone out there.

Symantec : http://securityresponse.symantec.com/avcenter/security/Content/10108.html

Spyware/Adware/Keylogger/Firewall protection:

On this link look for SpywareBlaster and Spybot -Search & Destroy and download them. They are free and extremely good. http://www.spychecker.com/software/antispy.html


Full choice of software are at http://www.spychecker.com/moresoftware.html

enjoy :-)

Leo
September 2, 2004 7:49 PM

Jon: The other locations for lsass.exe seem fine .. they're probably in a copy of your installation CD or service pack that's been copied to your hard drive. The buffer overflow attack is probably a report of an external attempt from the internet to exploit your system. Sounds like your firewall is catching it, as it should.

For the record, in Windows capitalization does NOT count - lsass.exe and LSASS.EXE are the same.

Jon
September 3, 2004 7:17 AM

Thanks Leo

I got the Lsass.exe mixed up with Lsasss.exe. I copied and pasted a comment from a forum I stumbled across today.

--------------
Lsass.exe is a normal system file on XP. However, it was the target of the Sasser worm and if the system wasn't up to date on security patches it could have gotten hit by that worm. In fact, if the system isn't up to date on security patches there are quite a few baddies that will eat it alive.

Careful of the spelling too since about version #5 of Sasser (W32.Sasser.E.) places a file on the PC called Lsasss.exe (note the extra letter 's').

If Norton won't scan she has probably been hit. You can take a look Here and download a removal tool Symantec (Norton) has developed. It should work even if the normal AV won't run.

Also be a very good idea to run an online scan at one of the sites that offer the feature. RAV is good.

Since this now looks pretty much like a virus issue, moving the thread to Security.
----------------
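Added example (not part of the original comments or the article): a Python sketch of the check the comments above keep circling around, telling the real `lsass.exe` apart from install-media copies and from near-miss names such as `Lsasss.exe` or `1-lssas.exe`. The function names, the result labels, the `c:\windows` default root and the one-edit similarity threshold are assumptions of this example; the sample paths are constructed from the ones quoted in the thread.

```python
import ntpath
import re

EXPECTED_NAME = "lsass.exe"
# Directories the thread describes as harmless copies from install media or a
# service pack (matched as a suffix of the directory, case-insensitively).
INSTALL_COPY_DIRS = (r"\servicepackfiles\i386", r"\i386")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "lsass" -> "lssas"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(path, system_root=r"c:\windows"):
    """Label one file path or bare process name.

    Windows paths are case-insensitive, so everything is compared casefolded:
    LSASS.EXE and lsass.exe are the same file name.
    """
    p = ntpath.normpath(path).casefold()
    directory, name = ntpath.split(p)
    root = ntpath.normpath(system_root).casefold().rstrip("\\")

    if name == EXPECTED_NAME:
        if not directory:
            return "name-only"          # no path given, location unknown
        if directory == root + r"\system32":
            return "system"             # where the running copy belongs
        _, tail = ntpath.splitdrive(directory)
        if any(tail.endswith(d) for d in INSTALL_COPY_DIRS):
            return "install-copy"       # setup or service pack source files
        return "misplaced"              # right name, unexpected folder: scan it

    stem, ext = ntpath.splitext(name)
    letters = re.sub(r"[^a-z]", "", stem)  # drop digits, dashes, etc.
    if ext == ".exe" and osa_distance(letters, "lsass") <= 1:
        return "lookalike"              # e.g. lsasss.exe, 1-lssas.exe
    return "unrelated"


# Constructed sample input based on paths and names quoted in the comments.
SAMPLE_PATHS = [
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\servicepackfiles\i386\lsass.exe",
    r"c:\I386\LSASS.EXE",
    r"C:\WINDOWS\system32\Lsasss.exe",
    "1-lssas.exe",
    r"c:\temp\lsass.exe",
    r"c:\windows\system32\svchost.exe",
]


def report(paths, system_root=r"c:\windows"):
    """Return {path: label} for every entry in paths."""
    return {p: classify(p, system_root) for p in paths}


if __name__ == "__main__":
    for path, label in report(SAMPLE_PATHS).items():
        print(f"{label:13} {path}")
```

Anything labelled `lookalike` or `misplaced` is a candidate for a full anti-virus scan, not proof of infection; pass a different `system_root` if Windows is installed somewhere other than `c:\windows`.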

Tony
September 5, 2004 5:37 AM

Just wondering what the lasting effects of Sasser are. I bought a new laptop and went to Windows Update to get the patch (ironically to protect it from Sasser) and in about 10 min of being online got hit. I run a firewall at home so I never had any problems.

I'm on the road right now and can't get to my installation disks to reformat and start fresh (with an antivirus program and a firewall). Right now the laptop is powered down with the battery removed. Over time will the virus do any more damage?

Leo
September 5, 2004 9:55 PM

Once cleaned and patched, there should be no lasting effects. As you note, you definitely want to be running a firewall. On the road, I'd enable XP's built-in firewall.

Ambra Dickie
September 6, 2004 12:48 PM

Hi there, it appears I've been hit with the sasser bug. My problem is that the virus seems to have struck my administrative rights. It is a personal home computer with only one user- me- yet I can't seem to find the virus with the removal files because it's hiding in system restore, which I can't disable because I don't have "administrative rights". I've been struggling with this one for awhile now, but don't seem to be able to get over this problem. I can't restore either, because again I don't have the right. If you can help, that would be great, thanks!

Leo
September 6, 2004 9:33 PM

I'd try booting in safe mode (discussed in http://ask-leo.com/my_computer_locks_up_and_wont_boot_what_do_i_do_.html ) or using the recovery console and seeing if you can get at the system restore files.

Pete
September 7, 2004 6:01 PM

What is the path for the shutdown -a statement?

Pete

Leo
September 7, 2004 7:50 PM

Turns out not all machines have shutdown.exe. Using another computer you can download psshutdown from sysinternals: http://ask-leo.com/d-sysinternals

basu
September 9, 2004 2:17 AM

ok my problems start like this
I'm browsing the net and then the comp just restarts and says that WinXp has recovered from a serious error. Then a little while later I get a message saying that Remote Procedure call has terminated unexpectedly & shuts down in one min. I thought it was MSBLAST but the Symantec remover tool didn't find anything. I was on the internet during both cases. I patched up RPC after running the remover.
Nothing seems wrong until about a week or two later when the computer won't boot and keeps restarting. I don't know what's going on. This has happened two or three times & reinstalling WinXP is the only way out. Please help.
Thanks

Leo
September 9, 2004 7:27 PM

I'd make sure you were behind a firewall ... sounds like you're getting re-infected fairly quickly. Also sounds like you're not completely patched and/or up to date.

Leslie
September 18, 2004 3:42 AM

I had troubles with Sasser in June, cleaned my computer and now it's OK.
I'm now looking through my computer and find in \Windows\PCHealth\ErrorRep\UserDump more than 100 files named : "lsass.exe.20040505-191212-00.hdmp" (264 MB!!!!). Can I delete these files?
Thanks,
Leslie

Leo
September 18, 2004 9:04 AM

I sure would. If you're at all concerned, first copy them to some off-line storage (i.e. burn them to a CD-ROM) in case for some reason they'd need to be replaced, but it seems unlikely.

dan
September 27, 2004 3:44 AM

look at http://www.processlibrary.com/directory/files/lsass/

Ben
September 29, 2004 7:25 PM

I have a runaway task: lsass.exe and I can't get it to stop. My task manager shows my cpu usage to be a constant 75-100%. Lsass.exe as a process is using 84,904K of memory. I don't think I am infected with a virus: I have been running updated antivirus and firewall. Are there any known problems with this program other than virus infection? Any help would be greatly appreciated.
Ben

Leo
September 29, 2004 7:28 PM

All the cases I've heard about so far have been virus related - either being infected, or being under attack. So I don't really have any good answers for you. If that's a hardware firewall, and there are other machines behind it with you, you might double check that one of them isn't infected and attacking. Might also be good to use an additional different virus scanner, and double check that you're up to date at Windows Update.

julian
October 2, 2004 2:24 PM

Hi there, every time I run my virus checker, it runs for so long and then restarts my computer. Is there anything I can do to stop it shutting down so that I can run the full virus checker?

julian
October 2, 2004 2:27 PM

Sorry, I forgot to mention I'm on Windows XP.

Leo
October 2, 2004 4:07 PM

I'd try another virus checker. There are several free on the net (check my recommendations page: http://ask-leo.com/d-recommend )

dushyant
October 13, 2004 11:04 AM

I have a computer running Windows 2000 Professional. The problem is that when I start the computer it will automatically shut down after some time. I searched for this error and it is due to the lsass.exe worm problem.
I am really frustrated at getting this error. I also found that this error is due to the lsass.exe virus. Is this true? My computer shuts down due to this lsass.exe shutdown error. Can you suggest how to fix this lsass.exe error?

I would be very thankful if you could suggest any solution.

Hertie
October 15, 2004 10:54 AM

I just experienced it a while ago. I dunno if I'm correct but it has got something to do with the Windows updates. I've noticed that every time I connect to the internet, the Windows update shows up on the taskbar and automatically downloads, and so does the lsass.exe error message. So what I did: I finished DL-ing the latest Windows update first, then changed the Windows update setting to "notify first blah blah blah" and it worked.... for now.

einars
October 18, 2004 9:14 AM

How to kill the Isass????????????????????

Leo
October 18, 2004 9:38 AM

DON'T kill it. It's a part of the operating system, and Windows won't run without it. Read the article for what to do.

NeoeN
October 18, 2004 4:31 PM

Huh, hate to be the dumb guy here, but what is LSASS? And why do we need it?

Leo
October 18, 2004 4:37 PM

The short version is that LSASS.EXE is simply one of the files that make up part of the Windows operating system itself. LSASS stands for "Local Security Authority Subsystem Service". Windows can't run without it.

Rebekah
October 21, 2004 2:04 AM

I have several protecting programs running, (i.e. Norton's Internet Security, SpySweeper, Spybot S&D, GhostSurf2005, Adaware, Panda, and Pest Patrol) all of which are updated every few days. None of these seem to be able to detect anything relating to the lsass, but I am constantly getting the system shutdown notice from the lsass file. I barely have time to run them before the pc shuts off, and even when I run them in time, they still do not detect any threats. Help??
Any ideas would be greatly appreciated.
Thanks!

Leo
October 21, 2004 5:09 PM

My guess is that you're not behind a firewall and/or you may be under attack from another machine that is infected. Make sure you're fully patched, and get behind a firewall if you can.

Yuggie
October 24, 2004 11:53 PM

Hi, Leo

My problem is different from the above comments.

My Win2K server (SP4) is a DC. When it was set up about 3 years ago, I installed NAV Ver 5.0. After a year, I removed NAV, which made the system unstable. One year ago, the system started rebooting by itself occasionally. In November '03, I installed NOD32 AV and found the Nimda.E virus. Since then, an AV scan every day.

The reboots have carried on for more than a year and show me this error:

Application exception occurred:
App: lsass.exe (pid=264)
When: 2/8/2004 @ 15:44:10.814
Exception number: c0000005 (access violation)

I don't think it was affected by Sasser because it happened before Sasser was found. It rebooted randomly, from once every two weeks to 3 times a day. No particular process/log happened before the reboot. Then I found lsass.exe caused it.

I searched the Net but none of them matched my case so far. I guess it could be the result of the removal of Norton AV.

I did install the MS Sasser update and scanned the system with MS and Norton remove tool. No virus found.

Any comment would be appreciated.

Thanks, Yuggie

Leo
October 26, 2004 9:11 AM

Given the instability caused by NAV, I'd be really tempted to reinstall Win2k - at least a repair install on top of your existing install. It's too difficult at this point to really diagnose as there are so many unknowns.

paritosh pande
October 27, 2004 1:53 AM

What is the meaning of the "shutdown -a" command?
But how will we close our system after using this command?

Leo
October 27, 2004 4:59 AM

shutdown controls your system shutdown. The "-a" command instructs it to "abort any shutdown already in progress". When you are ready to really shutdown or reboot your system, just use the Start menu, Shutdown option as normal.

grimm
October 30, 2004 9:28 AM

Dear Leo,
My friend's computer had ALL the symptoms of the Sasser worm. We followed your instructions up to the point of worm removal. She could not find any of the avserve, avserve2, netsky, etc. processes. Her computer no longer shuts down. We installed Stinger which found and destroyed W32/NACHILTFTPD.VIRUS, also referred to as the Natchi worm. I thought this worm was self-destructing January 1, 2004. She now has installed firewall and is updating all her anti-virus applications......YET, I still suspect she has a variant of the Sasser worm there somewhere. Any suggestions?

Leo
October 30, 2004 10:55 PM

What version of Windows? If XP, have you run the system file checker?

grimm
November 2, 2004 8:51 AM

Thanks, Leo.
She has Windows XP. Sorry to be so dim, but how do I run Systems File Checker?

Leo
November 2, 2004 1:36 PM

Funny you should ask ... I happen to have an article on that :-).

http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html

hbkb
November 13, 2004 7:53 AM

Broken-link report: The checker is available on http://www.microsoft.com/security/incident/sasser.mspx

Leo
November 13, 2004 1:00 PM

Thanks for the report. I've fixed the references.

Ole
November 24, 2004 4:36 AM

Norman virus control seems not to recognize the Sasser worm regarding lsass.exe.
My company has had a lot of trouble with it,
and we are considering using Symantec in the future.

Ole

Zak
November 30, 2004 7:24 AM

I think I have the Sasser virus. I rebooted my laptop this morning and I am now getting the following error: lsass.exe - System Error Object name not found. I cannot get my laptop to boot in normal or safe mode. Do I have any options available to me other than rebooting from the recovery CD and losing everything on my HD?

Leo
November 30, 2004 9:59 AM

Rebooting from the recovery CD does not imply you'll lose your data. You should be able to repair Windows with it.

ananth nag srinivas
January 19, 2005 1:44 AM

Hi, I have one problem: my laptop suddenly shuts down in the middle of work. It is happening daily, and my work is pending. What is the problem?

Leo
January 19, 2005 8:44 AM

There are so many possible reasons for this it's hard to say. Have you done a virus and spyware scan? How does it shutdown: crash, turn off or does it go into standby? What version of Windows? Is Windows fully up to date with patches? Is there any consistency with what you're doing at the time it shuts down? Have you added or removed any hardware or software recently?

hyungjin
January 24, 2005 12:58 PM

lsass.exe - unable to locate component
this application has failed to start because
LSASRV.dll was not found
re-installing may fix this problem.

Any ideas Leo? Thanks for any help!

Leo
January 28, 2005 4:53 PM

Windows XP? I'd run the System File Checker to see if that repairs it. http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html

John Dotson
February 23, 2005 9:35 AM

I have just now managed to recover from the Sasser worm. My antivirus "caught" the worm by deleting lsass.exe. Deleting this caused my computer to be unbootable. I had to use the recovery CD from Dell. I pressed F12 to boot from CD and then I had to press F8 to accept the service agreement. Next I pressed enter not R. On the next page I pressed R to re-install and the healing process began. My data was preserved and twelve and a half hours later my system is functioning again. Six hours of that was re-installing the windows service packs and updates!

spyware
March 8, 2005 1:32 PM

I see that in your article about lsass.exe you refer only to the Sasser worm. Lsass.exe is a Windows system file and having it doesn't mean you are infected for sure.
http://www.2-spyware.com/file-lsass-exe.html

gary
March 17, 2005 7:37 PM

lsass.exe prevents my computer from booting; what to do?

Leo
April 17, 2005 2:28 PM

Boot in safe mode, and run an up-to-date anti-virus scan.

d.shankarnarayana
May 7, 2005 6:04 AM

None have suggested the proper patch that fixes the lsass.exe remote shutdown problem.. could anyone help?

Leo
May 8, 2005 3:44 PM

As the article says, the "proper patch" is to run an up to date anti-virus program, and to make sure that you have all patches installed from Windows Update.

Diane
May 19, 2005 12:49 PM

A BLUE SCREEN COMES UP ON MY COMPUTER FOR ABOUT 5 SECONDS WITH LOADS OF WORDS BUT I SAW THE WORDS REGISTRY ERROR, I'VE TRIED SAFE MODE, EVERYTHING, IT WON'T COME ON. IT JUST KEEPS RESTARTING. CAN'T TYPE NOTHING ON IT. HELP PLEASE

Leo
May 19, 2005 7:29 PM

I'd look into a repair install of Windows. This article has more: http://ask-leo.com/my_computer_locks_up_and_wont_boot_what_do_i_do.html

dashorabhai
May 31, 2005 3:39 AM

Hi buddy,
this is the solution of LSASS.exe.
Write down:
Specify Executable Files to be Launched by Winlogon (Windows NT/2000/XP)
Category: Home > Security > System

This tweak can be easily applied using WinGuides Tweak Manager.
Download a free trial now!

This setting specifies a list of executable files to be run by Winlogon in the system context when Windows starts.

Open your registry and find the key below.

Create a new String value, or modify the existing value called 'System' using the settings below.

Exit your registry, you may need to restart or log out of Windows for the change to take effect.




(Default) REG_SZ (value not set)
System REG_SZ "lsass.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: System
Type: REG_SZ (String Value)
Value: (default = lsass.exe)

mail me jaipurhandsome@yahoo.com
bye

Andrew
June 22, 2005 1:10 AM

I couldn't buy you a latte !! The link ain't there, man. I'd love to, but I just couldn't get any of the PayPal links to go anywhere.

Leo
June 22, 2005 5:39 PM

LOL... thanks for letting me know! I fixed it.

BG69
June 27, 2005 4:52 AM

if lsass.exe is anywhere but C:\windows\system32 remove it..........

krishnachaitanyaperam
July 23, 2005 10:12 AM

My system shuts down showing an error that NT authority has initiated the shutdown because of the error in c:\windows\system32\lsass.exe

Can you suggest how to overcome this problem?

Leo
July 23, 2005 11:16 AM

Follow the steps in the article. It sounds like a classic case of the Sasser worm.

John
July 28, 2005 10:46 AM

I have the same problem on windows 2003 SBS....is there any hope to fix without a reload?


I have the error msg "Lsass.exe "When trying to update a password the return status indicates that the value provided as the current password is not correct". I cannot apply any of the fixes from the "start" "Run" or C prompt as the PC shuts down and restarts and shuts down and.....
before the taskbar has a chance to come up. Is all hope lost? I would be grateful for any advice.

Posted by: Shelby at July 25, 2005 01:04 AM

Leo
July 30, 2005 4:38 PM

I would try rebooting in safe mode, or booting from the CD-ROM into the recovery console. If that doesn't work, then I'd boot from CD and attempt a repair install.

arick
August 15, 2005 9:15 AM

hi

Before Windows is up, my computer is showing the lsass message and then immediately reboots, so I can't access the Start button and stop the shutdown in the way you indicated!!
what to do?
thanks
arick

Leo
August 15, 2005 9:17 AM

Gee: You'll need to boot into safe mode, or boot from floppy or CD and move the file back. It's a required system component.

crayonsvn
August 18, 2005 7:31 PM

Hi,

I know I was dumb when I went to regedit and deleted all keys related to "lsass".. Now the system crashes ... starts with only a blue screen... I am using Windows XP... what should I do?

Many thanks in advance!

HA

PS: I am trying to search for an article on this site but the link is disabled... If you don't mind, pls help me this time.

Leo
August 18, 2005 7:36 PM

I believe you're facing a repair/reinstall of Windows. Boot from your Windows CD and follow the prompts for a repair.

Eric
August 20, 2005 12:36 AM

I'm getting a lsass.exe - unable to locate component
this application has failed to start because LSASRV.dll was not found. Re-installing the application may fix this problem.

I get this every time I turn on my computer and once I click OK the screen just stays black. Starting under safe mode it does the same thing. Could use a little help please.

Leo
August 20, 2005 4:10 PM

The best option is a repair-install from your Windows CDs.

Shahid
September 5, 2005 7:23 AM

Anybody can use CA's e-Trust anti virus, version 7.1 to get rid of lsass.exe

Just install the s/w and scan your machine with the latest definition file. Your problem is resolved.

Thanks

spyware
September 25, 2005 6:20 AM

Spyware parasites try to use various file names similar to legitimate system files. The lsass.exe file is no different. It is a legitimate file but exploited a lot by parasites.
http://www.2-spyware.com/file-lsass-exe.html
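
The location rule from BG69's comment and the similar-name trick described in the comment just above, combined into one check. This is an added example, not part of the original thread: the sample paths are constructed, `C:\Windows\System32` is assumed as the system directory, and the character-swap table and one-edit rule are illustrative heuristics.

```python
"""Flag files that imitate lsass.exe by location or by name."""
import ntpath  # Windows path rules; importable on any operating system

# Assumption: Windows is installed in C:\Windows. Pass system_dir for other
# layouts (for example C:\WINNT\system32 on Windows 2000).
SYSTEM_DIR = r"C:\Windows\System32"
TARGET_STEM = "lsass"

# Characters that are often swapped in to imitate another letter.
# Illustrative table, not an exhaustive list of confusable characters.
CONFUSABLES = str.maketrans(
    {"i": "l", "1": "l", "5": "s", "$": "s", "4": "a", "@": "a"}
)


def skeleton(stem):
    """Lower-case the name and fold look-alike characters together."""
    return stem.lower().translate(CONFUSABLES)


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitute."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # one substituted character
    return a[i:] == b[i + 1:]          # one extra character in b


def classify(path, system_dir=SYSTEM_DIR):
    """Return expected-location, wrong-location, lookalike-name or unrelated."""
    # normpath collapses "..", normcase lower-cases and unifies slashes,
    # so C:/WINDOWS/system32/../Temp is compared as c:\windows\temp.
    norm = ntpath.normcase(ntpath.normpath(path))
    directory, filename = ntpath.split(norm)
    stem, ext = ntpath.splitext(filename)
    if ext != ".exe":
        return "unrelated"  # e.g. crash dumps named lsass.exe.<date>.hdmp
    if stem == TARGET_STEM:
        expected = ntpath.normcase(ntpath.normpath(system_dir))
        # The right name in the right folder only passes the location test;
        # it does not prove the file's contents are genuine.
        return "expected-location" if directory == expected else "wrong-location"
    if skeleton(stem) == TARGET_STEM or within_one_edit(stem, TARGET_STEM):
        return "lookalike-name"
    return "unrelated"


# Constructed sample paths for demonstration only.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lsass.exe",           # real location, different case
    r"C:\Windows\lsass.exe",                    # right name, wrong folder
    r"C:\Windows\System32\..\Temp\lsass.exe",   # ".." hides the real folder
    "C:/Windows/System32/Isass.exe",            # capital I instead of l
    r"C:\Windows\System32\lsasss.exe",          # one extra letter
    r"C:\Windows\System32\svchost.exe",         # unrelated system file
    r"C:\Windows\PCHealth\ErrorRep\UserDump\lsass.exe.20040505-191212-00.hdmp",
]


def suspicious(paths, system_dir=SYSTEM_DIR):
    """Return (path, verdict) pairs that deserve a closer look."""
    flagged = []
    for p in paths:
        verdict = classify(p, system_dir)
        if verdict in ("wrong-location", "lookalike-name"):
            flagged.append((p, verdict))
    return flagged


if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE_PATHS):
        print(f"{verdict:15} {path}")
```

A flagged file is a candidate for an anti-virus scan, not proof of infection.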

Vincenzo
October 18, 2005 8:32 AM

Leo:
regarding the instruction to lookup hosts file with notepad, mine only works if I enter (Start - Run) C:\windows\... and then select notepad from the "what to open with" window that pops up. Also, I use SpySweeper which keeps all its list of sites etc - appended with "SpySweeperCSS" - in the hosts file, following the top entry of "local host".

I'm using Windows XP Pro SP2.

Thought you'd like to know. Others may be experiencing the same difficulty, or variation with access through Start/Run menu.

Regards

V

ck mishra
October 21, 2005 12:10 AM

Sir,
my computer has a problem. How can I delete the lsass.exe from my PC?

Leo
October 21, 2005 8:48 AM

DO NOT DELETE LSASS.EXE it is a vital system component. Follow the recovery instructions from the article you just commented on ... which boils down to: run an up-to-date anti-virus scan.

RLewis
October 25, 2005 5:41 AM

As soon as I run my computer, windows attempts to load and I get the following error, "lsass.exe - Unable to locate component

This application has failed to start because LSASRV.dll was not found. Re-installing the application may fix this problem."

When I click OK the screen goes blank. I cannot get to any XP screen or function; same goes for safe mode boot up, same error. How can I boot up to a cmd screen ?

Leo A. Notenboom
October 27, 2005 8:49 AM

You need to perform a repair install from your Windows XP CD-ROM. Do not connect to the internet until you've run a complete and up-to-date anti-virus scan.

Pankaj
October 28, 2005 6:16 AM

Hi Leo, I would like to recommend a simple step for the Sasser and Blaster worms or the lsass error when the system shuts down: restart the system in safe mode and turn off port 445, then run Stinger, and the Sasser and Blaster worms will be removed. To close port 445, right-click on My Computer, then click on Manage, select Device Manager, click on View, go to Show Hidden Devices, then under Non-Plug and Play Drivers select NetBIOS over TCP/IP, right-click on it and select Disable; the system needs to restart. This has helped me a lot in troubleshooting the Sasser worm.

marcus
October 28, 2005 2:30 PM

Hello, I don't know if the computer has the Sasser virus or not, but at start up it goes to an error message:
isass.exe system error
An I/O operation initiated by the registery
unrecoverable the registry could not read in or read out,or flush one of the filesthat contained the system image of the registy.
press ok
Then it goes to the starting Windows screen, then restarts the computer and loops like this for a while, and every so often it will boot up like nothing happened. I have a registry fixer, did the scan, and it comes up with nothing. Does this sound like the Sasser? Oh yeah, at first I thought it was a hard drive failure so I replaced that, set up Windows, did all the download of updates, and then it started it.
Marcus, thanks

David
October 30, 2005 7:41 PM

Leo,

Ref Gil's post on the 27th - I have two laptops, both running MS auto updates warnings (all security patches are loaded) and McAfee auto updates on the full security centre. I run adware, spywareblaster and spybot on both laptops.
Like Gil's, we just started to have problems around the 27th. One laptop won't boot up (my son's)! We try to turn it on, it starts Windows, then freezes with a Windows error box "lsass.exe - system error - insufficient system resources exist to complete the API"

if we click okay - like Gils - it starts all over again. It just keeps cycling the same error each time windows tries to boot up.

So I'm confused. I'm computer literate, there's no reason why the real Lsass should fail overnight, all protective measures are in place on both PCs for virus, spyware, malware, but at roughly the same time as Gil's problem we also have a problem -

but it does not match with news - if this was a new problem / variant millions would have been hit by now - and they have not - so !!! is it a fluke / coincidence and I need to reinstall windows ?

Lakshitha
November 3, 2005 9:06 PM

Leo,

One of my Win 2k3 is giving this lsass.exe error with the status code 1073740972. I don't know why this is happening. It won't even let me in through safemode. It restarts when I try to go on safemode. I got McAfee as my virus scan and ISA as my firewall. What is the port this lsass is getting infected? How to get rid of this situation? I followed your steps and I installed all the hotfixes. I hope I will not get this issue in future after these hotfix installation. But what if I get the problem again? What should I do?

Thanks,
Lakshitha

rana
November 4, 2005 3:54 AM

I get the LSASS.exe message every time in my Windows 2000 Prof. system when I'm plugging in my internet cable. Pls give a suggestion how to rectify that prob. as soon as possible.


Thanking You,
SK Rana

Leo
November 9, 2005 7:16 PM

Sounds like you need to get behind a firewall. http://ask-leo.com/do_i_need_a_firewall_and_if_so_what_kind.html

Ronny
November 15, 2005 6:10 PM

My computer completely lost everything. I restored Windows and then purchased McAfee AntiVirus and Firewall. When I try to load both I get this stupid lsass.exe and it won't let me quarantine, clean or delete. How do I fix?

Leo
November 15, 2005 8:49 PM

I would install Windows from scratch, and install both of those programs *before* connecting to the internet or your local network. It sounds like you're getting infected immediately, so stay disconnected until you've got the firewall up and running.

TheTechMen.com
December 6, 2005 9:58 PM

Here is the fix that I have discovered. There are two main differences in the way your computer behaves, I have yet to discover what decides these differences. The first type is the one where your computer comes on but turns back off after about a minute. The second type is the one that most of the past few people have been describing (The one I got as well), which is the error box that comes up right after the XP screen, and clicking OK will cause a reboot. If you have the second type, start from step one, if you have the first type, follow the instructions in the article to delay the shutdown.

1. Pop in your XP CD-ROM. Boot your computer from that CD-ROM. On the screen that comes up asking what you want to do, select the option to install windows. Follow the instructions, but DO NOT let it format your hard drive. Instead, just install windows a second time to another folder (I put mine in C:\Windows2). This will provide you a way to get on your computer to fix your worm virus. Reboot your computer, not from the CD-ROM, but from the Hard Drive, selecting the Windows XP installation that you just installed.

2. Download the Windows XP patch that will prevent it from finding you again. I cannot stress this enough, this virus seems to reinstate itself on computers that have had it previously, but this patch seems to fix this problem. It can be found at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx Restart your computer, once again, loading on the second installation of XP.

3. Run the Symantec W32.Sasser.Worm removal tool. Symantec did a fantastic job of finding a way to get rid of this virus and has made it available for free. You can download it at http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

4. Restart your computer, this time try loading your old version of windows XP, it should load without a problem.

5. In order to make sure you don't get this virus again, be sure to follow the instructions given in the article about getting AntiVirus and Firewall Programs installed on your computer.

God Bless!
- Andy Hudson
www.TheTechMen.com

Murph
December 19, 2005 6:35 AM

I've downloaded everything to perform Andy's fix as listed above. However, my HP machine didn't come with an XP cd. My manual says "for a small shipping fee, we'll ship you the cd's" (?!?!!). So, since I'm in a hurry to fix my pc, and don't want to wait on HP to ship me the cd's, can I use XP cd's that came with an E-machine desktop at work? Or some other brand if I can find one?
Thanks

Leo A. Notenboom
December 19, 2005 10:51 AM

Probably not... this article has more: http://ask-leo.com/can_i_install_windows_xp_using_one_manufacturers_cd_on_a_different_pc.html

Murph
December 19, 2005 11:21 AM

Thanks. I was afraid of that. I'm trying to track down an HP disk from a friend.
Thanks again,
Murph

Murph
December 21, 2005 5:55 AM

I got my hands on an OEM XP cd and was able to boot with it. I was able to go through Andy's steps to repair the lsass.exe problem, however the Symantec tool didn't find Sasser (I ran it twice). So I'm back to square one. Any suggestions of other things to try?
Thanks,
Murph

Murph
December 21, 2005 6:48 AM

I should have read your article closer the first time. I saw your reference to the KIBUV and BOBAX viruses this time. Does anyone have experience removing either of these two? If so did you use Symantec? I use AVG Free, but I haven't found much evidence that AVG will remove any of the LSASS.exe related viruses.
Thanks,
Murph

Simon
December 21, 2005 7:46 AM

Hi, I have the second type of this problem as referred to in the Tech Men's fix above; I have followed the procedure for removal to the letter (several times), but with no luck. All of the anti-virus/worm tools including Symantec come up that the system is clear? I have tried deleting the LSASS.exe file from the corrupted version of XP and replacing it from the newly installed XP, but no joy. Any suggestions as to what I can do next would be gratefully received.

Murph
December 21, 2005 8:37 AM

Simon, it sounds like we're working on an identical problem. You mention using Symantec, do you mean you've scanned with Norton AntiVirus, or you've just used Symantec's specific Sasser removal tool? The reason I ask is that I was about to go out and purchase Norton.
Murph

Simon
December 21, 2005 12:43 PM

Murph, yes it does sound the same, very frustrating. I have used several: Spycatcher, Symantec's specific Sasser tool, Xoftspy and Microsoft Malicious Software remover tool. I have not used Norton yet!!

Dok Washington
December 26, 2005 8:30 PM

I have windows xp pro and i just got the message:
lsass.exe, and It will not boot up, can't even get to the system to do any work, is there any hope? I was thinking if there's a way I could download the info to a cd and maybe run it on this computer. any chance of that?
Any help will be deeply appreciated, if your idea helps, I'll send you a cool T-shirt

Dok Washington
dok73@cox.net

Leo
December 26, 2005 8:31 PM

You can try running a repair install of Windows.
http://ask-leo.com/how_should_i_reinstall_windows.html

Ashutosh
December 27, 2005 2:24 AM

I have Windows XP Home edition. On start up I get a system error saying lsass.exe "Object name not found" and on pressing OK the machine reboots. This goes on and on. I can't even start in any of the safe modes. I am totally clueless as there is no mention of this error even on Microsoft's website. Please help!

Leo A. Notenboom
December 27, 2005 10:15 AM

You'll need to reboot from CD and perform a repair install of Windows. http://ask-leo.com/how_should_i_reinstall_windows.html

Ashutosh
December 27, 2005 9:53 PM

Thanks for your prompt reply, but my problem is that I cannot access the files at all and thus cannot take a backup. The error message appears immediately on Windows loading and on pressing OK the machine reboots, so there is no way I can take a backup. What are the other ways of taking a backup before reinstalling Windows? Thank you.

Leo
December 27, 2005 10:03 PM

Well, a repair install should install without destroying things. I agree a backup first is advisable, but not always practical. I'd look into bootdisk.com and see if you can come up with a disk you can boot from that perhaps would allow you to back up across the network.

Murph
January 4, 2006 10:06 AM

Ashutosh, it sounds like you've got the same problem I've got. If you'll go to page 35 of the posts to this article and follow Andy Hudson's instructions to install a second copy of XP to Windows2 folder, you'll be able to find your files that need backing up. You can then burn a cd or save them to a jump drive. You'll have to enter BIOS by pressing (probably)F1 immediately after startup and set your machine to boot from cd first. I still haven't got my pc fixed, but I was able to retrieve all my data. If you'll read this entire article, you'll find all sorts of good ideas to try, it just seems some infections are harder to recover from. My next step is to format and reinstall.
Murph

Chris
January 10, 2006 11:30 PM

I have learned a lot from these pages but the instructions do not go all the way for those of us not computer "savants." For example, I can follow the logic of re-installing Windows XP in a different folder to bypass the "lsass.exe" worm virus I somehow got, but it did not tell me SPECIFICALLY how to do this. I am working with a laptop for the first time & it got into some terminology about partitions and UNpartitioned space. If someone could walk us ignorant folk through which options to choose and how to actually DO the re-install into a different folder, it would be much more helpful. I will continue to write comments tonight as I try to work through this very inconvenient problem. Thanks for hearing me vent!! ---CC in Seattle

leon
March 23, 2006 3:21 PM

Are most of the viruses corporate-based? Don't you think Microsoft and Norton are the biggest viral organization? It's a shifty marketing strategy to create your own enemy and then destroy it!

Frank
April 13, 2006 8:50 AM

If you cannot boot into XP you can reinstall XP over the top of itself by booting off the CD and using the repair feature. Conversely, if you have an HP or Compaq you can press F10 on boot up and use the non-destructive recovery option to repair XP. This usually leaves all of your non-system files intact.

HPH

A very depressed lemming... (ROB)
April 30, 2006 10:11 PM

I have been searching the internet for over 3 hours now, (from a laptop that is not suffering from the following)... and nowhere have I been able to find an answer that shows the fix to the problem: I am UNABLE to access Windows through any mode (including safe, last known good configuration etc....). For once I did not back up my data before shutting down and am now unable to access my computer. I seem unable to locate the c:\ so that at the very least I could delete lsass.exe through DOS, (NOT the system32 file), but any others. I am a network engineer not a computer engineer so I have a basic-intermediate knowledge of computers. I REALLY need to fix this problem but trying to use a boot disk I am unable to locate my c:\, (I am unsure as to whether this is due to me being ignorant or the problem I have or is part of the problem itself). I recently have had a few viruses, (thanks to the wife, :( ), and I had downloaded hijackthis and a couple of other anti spyware/virus etc programmes. I was running ad-aware and avast antivirus on their own before this. I now have the same problem that others seem to have posted and I am unable to re-install my OS as I no longer have a Windows disk. I feel I am in way over my head with this one as I have been changing BIOS settings etc, surely there is a boot disk somewhere that will fix this problem?

It is the standard error message on boot: : "when trying to update password the return value indicates that the current value provided as the current password is not correct". The computer then restarts and does the same again.

If anyone could give me an answer to this I would be very grateful.

Many thanks and kindest regards

Numpty.

Leo
April 30, 2006 10:19 PM

Your hard disk is probably formatted NTFS and thus inaccessible to plain old DOS. You'll need to come up with another boot media that includes NTFS support. You might consider something like Knoppix (if you're Linux literate), or using BartPE to build a boot CD for Windows (using another machine, of course). You might also try bootdisk.com, or look for a DOS based NTFS driver that you can add to a normal DOS boot disk.

Martin
May 5, 2006 5:01 PM

I see your problem. The reason you cannot access C:\ from a floppy is because the hard drive is in NTFS format, meaning it does not support DOS mode on boot, only through shell from within Windows XP or better.

There is a fix though: there are various NTFS bootable files for creating a disk which emulates NTFS boot. Now these aren't the best by any means, but they do work. Try this link which will hopefully explain what to do: http://www.nthelp.com/351/boot.htm

Also I see you mention lsass.exe. That's a file which Windows makes a lot of reference to, in fact it can render the internet unusable. I don't know a lot about it, unfortunately the hackers do. I don't think deleting it from DOS will resolve the problem. If you need further assistance, please email me and I will try to elaborate some more.

Ronnie
May 9, 2006 9:38 AM

For those of you who can't boot and are getting a lass.exe error, I found a solution here: http://computing.net/windowsxp/wwwboard/forum/46198.html
Worked great for me. Good Luck.

Schnazola
June 20, 2006 6:34 PM

I apologize if this specific error has been addressed, but a search of the site turned up nothing for the "endpoint format error."

A buddy of mine is now experiencing the following error upon bootup of his Dell Dimension 8200 running Windows XP Home: "LSASS.exe System Error - The endpoint format is invalid."

There is an OK button displayed in the error-message box. Pressing it reboots the machine before the Windows Desktop is displayed. (So it's not possible to click Start, Run, shutdown -a.) This error persists in every mode, including Safe Mode.

I found in the Dell knowledge base an article for restoring LSASS.exe from a Windows installation CD, although the error message in the article is not identical to the one my buddy is experiencing. We tried it, and it failed to resolve the problem. For those Dell owners who have nothing left to lose, here's the link to the Dell article: http://support.dell.com/support/topics/global.aspx/support/dsn/en/document?docid=F7C2CE720E6043E9A9C7BC633223D508&c=us&l=en&s=gen

Has anyone else experienced the endpoint-format version of this error? If so, did you have any luck repairing it?

Schnazola
June 26, 2006 9:22 AM

All my attempts to fix the "LSASS.exe System Error -- The endpoint format is invalid" error have failed spectacularly.

A bit of good news, tho: I booted from the CD drive using a Knoppix CD. I was able to copy all the important data to a portable hard drive. I then formatted and re-installed.

Nothing like a format & re-install to clear your PC of problems. So, I guess not ALL my attempts to fix the problem failed.

Miguel
June 26, 2006 11:07 PM

Hey Schnazola! I read your comment about using Knoppix. I am pretty new to the whole Linux system, so I will try it and also hope to save my data from my desktop. I got the "An invalid parameter was passed to a service or function" for the lsass.exe and it is extremely frustrating to not find a quick solution for it. Oh well.

Barry
June 30, 2006 4:45 PM

Hi Leo:

I am wondering if you know what my computer might be infected with - the symptoms are that my desktop icons simply go out of control every now and then. They open and close as if possessed and the mouse pointer goes out of my control too. It is as if someone is remote controlling my desktop and has made my control ineffectual. After about 15-20 seconds my desktop goes back to normal. But in the process some programs or webpages I was on get shut down.

Any ideas what could be going on??

Thanks in advance for any help you can give,

Barry

Leo
June 30, 2006 4:49 PM

Sounds like this problem: http://ask-leo.com/why_does_my_computer_go_nuts_sometimes.html

tom turner
July 1, 2006 9:14 AM

W2K - I deleted the entries for lsass from the registry, don't ask. I did not delete the file from c:\winnt\system32. I replaced all, I believe, of the entries, but I am getting RPC errors, there are no icons in Network Places, and it says I have no admin rights to do anything. MC>manage> user & groups won't run because RPC is not available, and net start rpcss does not fix the issue. HELP!!! Where can I get a list of entries that I deleted? How do I get RPC back up?

Hans
July 1, 2006 9:18 AM

Given that we don't know everything that's now happened to your registry, the only thing I can suggest is a reinstall of Windows.

Schnazola
July 4, 2006 9:42 AM

>>>Hey Schnazola! I read your comment about using Knoppix. I am pretty new on the whole Linux system....

zertndo
July 26, 2006 10:28 AM

Leo,
About the LSASS.EXE article. This can be a trojan, but it is also a very necessary Windows component file. No one should delete it without knowing the location as this has a lot to do with whether it is a virus or not. Spyware uses this file, also. Microsoft claims that WinTasks 5.0 can help with this problem.

Morgii
July 26, 2006 10:12 PM

OK, so this is in regard to the lsass.exe error "endpoint format is invalid"...
It seems as though I have fixed the problem, though it took quite some time (I use SP2 Win XP Pro).
1) Boot your comp w/ the Win XP CD in and repair Windows.
2) Once there I did a chkdsk /r, which took about an hour but found several errors on the disk and fixed them.
3) I rebooted by typing exit and found no error msg, but it STILL rebooted by itself.
4) Tried to reboot into safe mode by pressing F8 but decided to go into debugger mode, which is like safe mode I guess..?
5) Installed Registry Mechanic full ver. on the comp and ran a full deep scan -- found over 900 bloody errors on the registry!!!!!!!!!!
6) Rebooted, and it works impeccably.
I hope this helps anyone with this problem. It was not fun and I thought I was gonna lose everything, but I found a workaround.
Have fun,
Morgii

Jon
October 18, 2006 10:35 AM

I found a possible remedy at the HP site for the black screen effect. The website is
http://h10025.www1.hp.com/ewfrf/wc/document?lc=en&cc=us&product=89876&dlc=&docname=c00254484

Ali
March 1, 2007 7:40 PM

My son's PC was infected by LSASS.EXE. I removed it from my system by accessing the registry (regedit). I used the "Find" option under the Edit menu, located all of the key values that contained lsass.exe, and deleted them. It solved my problem. Good luck.

Archangel
March 20, 2007 1:45 AM

Windows is complete garbage, but unfortunately we are almost required to use it nowadays. What the other people say is true; you will end up having to format your HD and install Windows XP again. I had that error before, as well. What none of the Microsoft Techs, or most other advocates of this horrible OS, will tell you is that there is a way to get the data off that you need.

You use something called a LiveCD / LiveDVD. It is a version of Linux that is booted from the disc itself. You can use it anytime that you would like. Hell, my Windows works fine and I use it on my computer occasionally just for kicks. By booting the computer while this disc is in the drive, you can boot into Linux before Windows. This will allow you to use a CD/DVD burner (internal or external) or a flash drive to get all of your data off and onto discs or another computer temporarily. Just be sure that all peripheral devices (including removable media) are plugged in prior to booting into Linux, otherwise Linux may not recognize them.

Gordon
May 16, 2007 7:31 AM

I clicked on a link in some search results and was immediately notified that a program was trying to access the internet. I blocked it. Still, a program called "lsass.exe" was loaded into my start-up programs. My anti-spyware allowed me to disable them right away. I then ran scans that said my computer is not infected. Still, what a scare. Never click on links and I recommend SpySweeper!

Stormie
May 21, 2007 9:10 AM

Just don't use "spyware stormer"... That is how I ended up with the System Error "The endpoint format is invalid"...It deleted registry values, and now my puter is FUBAR.

Ralph
July 22, 2007 10:42 AM

Leo, when I searched through and opened the hosts file in Notepad, I saw so many web addresses there, many of which are links to porn sites. Does this mean I can't access those sites? I mean, what are the links doing there?

stuctoo
July 29, 2007 12:14 PM

Ralph, those sites you see in Notepad mean you are infected, from what I've read online already. I'm stuck with a similar problem, just don't have that variant!

rpk
August 24, 2007 10:44 AM

I had the same virus but my antivirus software disinfected it... all of it. I've done all the checks and nothing seems to be left of the Sasser worm. I use Panda Titanium antivirus software. Hope this helps; otherwise the instructions given are accurate for disinfecting your computer.

Jaymes
August 29, 2007 7:04 PM

If your computer keeps booting after you get the lsass.exe error, your security registry hive could be corrupt.

****Do This To Fix It****
You can use your XP disk to boot into recovery mode (recovery mode is just a DOS prompt, there's no reinstallation), or if you don't have an XP CD (and you can't borrow one)

Next

rename "c:\windows\system32\config\security" to security.bak

then copy c:\windows\repair\security to the location above.

This should get you back into your Windows installation. Update your antivirus program and start a virus scan to make sure the virus has been cleaned. You might have to re-activate your copy of Windows. I did.

christian
September 16, 2007 7:07 PM

I had the same problem a couple of weeks ago with the message that appears after Windows starts. Here's what I did (by the way, I'm using WinXP SP2 on a PC). I simply copied lsass.exe from the system32 folder and pasted it into the Windows folder, and the error message disappeared. I don't know what lsass.exe does, but until now I haven't encountered any side effects whatsoever, so I guess it works. Hope this helps.

Wayne
February 25, 2008 5:09 AM

Everyone should be aware that Lsass is a virus, lsass is a Windows system file that has something to do with logging on. Don't delete it.

mike
May 9, 2008 8:40 PM

How can I do this if my Windows will not load anymore? After boot up, the screen just displays an error message about lsass.exe being restricted, then my PC restarts. This happens again and again.

Leo
May 10, 2008 4:10 PM

If Windows won't load, you'll need to perform a repair install of Windows. More here:
http://ask-leo.com/how_should_i_reinstall_windows.html

Thanks,

Leo

Rod
May 12, 2008 1:25 PM

Thanks for the above article.
When starting up my laptop I get the Windows loading screen and then I get a message prior to the Windows login screen. The message box sits on a blue background and the header reads "lsass.exe - Application Error", and the text in the message box reads "The Application Failed to Initialize Properly (0Xc0000006) Click on OK to Terminate the Application". When I click "OK" my laptop sits there with a blue screen and nothing happens, but I can see and move the cursor. I know this isn't a great deal different from the other issues posted, but it seems like Windows is loading and I am hoping not to have to re-install Windows. Thanks.

Gary
August 28, 2008 12:15 PM

RE. cursors.lsass.exe.
I uninstalled NERO and the problem has gone away. Must've been something in the program...

activenets dot com
October 25, 2008 4:51 PM

If you still get the "C:\WINDOWS\Cursors\lsass.exe is not found" error after removing the infection, it is because the file has been placed in the registry. Run regedit (and back it up before changing anything!) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Within this key you will see "Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe". Delete the C:\\WINDOWS\\Cursors\\lsass.exe portion and exit the registry. That will stop the popup error on startup.
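
The Winlogon Shell check described in the comment above, together with the file-location test an earlier comment mentions, as an added PowerShell example that is not part of any commenter's post. The function name Get-ShellExtra and the output wording are illustrative, and the script assumes PowerShell 3.0 or later (for Get-CimInstance).

```powershell
# Added example, read-only: it reports findings and changes nothing.
$WinlogonKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-ShellExtra {
    param([string]$ShellValue)
    # Return whatever follows a leading explorer.exe; '' means nothing extra.
    # A value that does not start with explorer.exe is returned whole for review.
    $v = $ShellValue.Trim()
    if ($v -match '^"?explorer\.exe"?[\s,]*(.*)$') { return $Matches[1].Trim() }
    return $v
}

# Constructed sample: the Shell value quoted in the comment above.
$sample = 'Explorer.exe C:\WINDOWS\Cursors\lsass.exe'
"sample: extra entry '{0}'" -f (Get-ShellExtra $sample)

# Live check 1: the Shell value under the per-user and per-machine Winlogon keys.
foreach ($key in $WinlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        "{0}: no Shell value set" -f $key
        continue
    }
    $extra = Get-ShellExtra $shell
    if ($extra) {
        "{0}: REVIEW, also launches '{1}'" -f $key, $extra
    } else {
        "{0}: OK ({1})" -f $key, $shell
    }
}

# Live check 2: every running lsass.exe should be the copy in System32.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | ForEach-Object {
    $procId = $_.ProcessId
    $path = $_.ExecutablePath
    if (-not $path) {
        "PID {0}: path not readable from this session" -f $procId
    } elseif ($path -ine $expected) {
        "PID {0}: REVIEW, runs from {1}" -f $procId, $path
    } else {
        "PID {0}: OK ({1})" -f $procId, $path
    }
}
```

A machine whose Shell value uses a full path to explorer.exe will be reported for review rather than as OK; confirm such a value by hand.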

Comments on this entry are closed.
