Summary: LSASS is a Windows component shown in error messages, often due to a virus infection such as Sasser. Learn about LSASS, LSASS.EXE and how to stay safe.

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

The Sasser worm is the most recent and one of the most virulent viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't need you to use email or even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE. Yep, it's a nasty one, and an example of the sophisticated virus attempts yet to come. Even if you're not infected, this is an opportunity to review and implement the steps to keep your computer safe.

First, how do you know you have it? Unfortunately, Sasser shares several behaviors with other recent viruses. The most common sign is that your machine will indicate that there is a problem and will reboot in 60 seconds. The message caused by Sasser should indicate that the problem is in LSASS.EXE. You should be able to abort the shutdown within those first 60 seconds by doing the following:
This doesn't fix anything; it just lets you get on with the business of disinfecting your computer. Then, take the following steps:
The bottom line is that it's a practical reality that we all need to be vigilant about keeping our computers safe. The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus. Sasser doesn't appear to be destructive... but the next one certainly could be.

Update: Apparently the Sasser worm also modifies a configuration file that renders many anti-virus sites and the Microsoft Update site unreachable. So if you can get to this site (Ask Leo!), but not your anti-virus vendor, then this might be the problem. It's easy to check. Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click on Run, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of anti-virus sites such as Symantec, McAfee, and more, then the worm has struck. I would take the following steps:
Now you should be able to get to your anti-virus sites until you reboot; apparently the Sasser worm will recreate these bogus hosts file entries each time you reboot. So download your updates and scan to clean up the virus right away.

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B and Bobax, both of which have removal instructions up on the Symantec Anti-Virus site.
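To make the hosts-file check described above repeatable, here is an added example (not code from the article) that parses a hosts file the way the text describes and flags every mapping other than the stock localhost line; the file contents below are a constructed sample, and the Windows path is an assumption.

```python
from pathlib import Path

# Assumed location of the live hosts file on a modern Windows install.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample: the normal localhost line plus the kind of bogus
# entries the article describes, which sink vendor sites to your own machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       update.microsoft.com
127.0.0.1       www.mcafee.com
"""

LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]       # one IP may list several names
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return every mapping that is not the stock localhost entry.

    A clean file yields an empty list. Any other name pointing at loopback is
    the symptom the article describes: the vendor site resolves to your own
    PC, so the update download silently fails.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if name not in LOCALHOST_NAMES]


def check_hosts_file(path=HOSTS_PATH):
    """Read the live hosts file and return its suspicious entries."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return suspicious_entries(text)


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Because the worm re-creates the entries on reboot, run the check again after each restart until a full scan comes back clean.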
Related: Ask Leo! - What's a firewall and how do I set one up?

Article 194 | Posted May 8, 2004
How can I do this if my Windows would not load anymore? After boot up, the screen just displays an error message that lsass.exe is restricted, then my PC restarts. This happens again and again.
Posted by: mike at May 9, 2008 8:40 PM

If Windows won't load, you'll need to perform a repair install of Windows. More here:
http://ask-leo.com/how_should_i_reinstall_windows.html

Thanks,
Leo

Posted by: Leo at May 10, 2008 4:10 PM
Thanks for the above article:
Posted by: Rod at May 12, 2008 1:25 PM

When starting up my laptop I get the Windows loading screen and then I get a message prior to the Windows login screen. The message box sits on a blue background and the header reads "lsass.exe - Application Error", and the text in the message box reads "The Application Failed to Initialize Properly (0Xc0000006) Click on OK to Terminate the Application". When I click "OK" my laptop sits there with a blue screen and nothing happens, but I can see and move the cursor. I know this isn't a great deal different to the other issues posted, but it seems like Windows is loading and I am hoping not to have to re-install Windows. Thanks.

Good article. Is it that isass.exe replaced lsass.exe? How will I remove that virus from my system manually? Please write something.

Posted by: chinthaka at June 10, 2008 1:32 AM

I am getting the message as Leo's. Can anyone help?

Posted by: Saritha at August 22, 2008 11:33 AM

I am experiencing a problem with cursors.lsass.exe. The warning appears after start up when the trojan remover program runs. I have updated my anti-virus software and ad/malware programs and none of those programs find anything wrong. Should I just ignore the message each time the trojan remover runs?

Posted by: Gary at August 27, 2008 3:21 AM

RE. cursors.lsass.exe.

Posted by: Gary at August 28, 2008 12:15 PM

I uninstalled NERO and the problem has gone away. Must've been something in the program...

Same problem I have; it appears every time I reboot my computer, but when I rename lsass.exe to lsass.txt it is never shown again. Why?

Posted by: Angel at September 17, 2008 6:06 PM

If you still get the "C:\WINDOWS\Cursors\lsass.exe is not found" error after removing the infection, it is because the file has been placed in the registry. If you run regedit (and back it up before changing anything!), navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Within this key you will see "Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe". Delete the C:\\WINDOWS\\Cursors\\lsass.exe portion and exit the registry. That will stop the popup error on startup.

Posted by: activenets dot com at October 25, 2008 4:51 PM

I have a serious PC issue: every time I start it up the desktop is missing with the start bar, or it's there and I can't go on the internet; it's like I never even clicked the icon. Like right now, for me to be on it has to be in SAFE MODE WITH NETWORKING and the page is black when I log in, with no icons, just safe mode wording in every corner. I open Task Manager, go to File, click New Task and open Firefox since explorer is down. Remember the screen is stupidly pixelated in safe mode. And that error is in Task Manager (lsass.exe) -----SOS----- I ALREADY PREVIOUSLY HAD TO RESTORE ALL MY DRIVERS BECAUSE THEY WENT MIA. NEED MAJOR ASSISTANCE ASAP
Posted by: rowl at December 3, 2008 3:28 PM
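Following up on the registry fix described in the comment by activenets dot com above, here is an added example (not from the page or any commenter) that splits the Winlogon Shell value and reports any program other than Explorer, which is what Winlogon keeps launching at logon and why the error returns after the file itself is gone; the sample values are constructed, and the live-registry reader assumes Windows with Python's winreg module.

```python
import sys

# Same key the commenter points at, relative to the HKCU or HKLM hive.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample: the tampered value quoted in the comment above.
SAMPLE_TAMPERED = r"Explorer.exe C:\WINDOWS\Cursors\lsass.exe"


def extra_shell_programs(shell_value):
    """Return every program in a Shell value other than Explorer.

    Winlogon accepts a comma-separated list, and the commenter's worm used a
    space-separated one, so both separators are handled. A clean value such as
    "Explorer.exe" yields an empty list. Quoted paths containing spaces are
    not handled (assumption: the value looks like the sample above).
    """
    extras = []
    for token in shell_value.replace(",", " ").split():
        basename = token.strip('"').lower().rsplit("\\", 1)[-1]
        if basename != EXPECTED_SHELL:
            extras.append(token)
    return extras


def read_winlogon_shell(hive_name="HKCU"):
    """Read the live Shell value (Windows only); None if the value is absent."""
    if sys.platform != "win32":
        raise RuntimeError("registry access needs Windows")
    import winreg  # standard library on Windows builds of Python
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(hive, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Report only; removing the extra entry is the manual regedit step above.
    for program in extra_shell_programs(SAMPLE_TAMPERED):
        print(f"unexpected shell program: {program}")
```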