Ladron De La Noche on 3/11/2008 at 12:50
I have a Hewlett Packard Pavilion laptop with an error at WinXP Home SP2 Windows load. Error is file "lssas.exe", once error displays it just reboots. Safe mode, debug mode and other modes result in same reboot. Possible virus or file corruption. Unknown procedure on how infection/corruption occurred since it was given to me to fix, I've not seen this type of problem before.
Various boot utilities online, not sure which to use. What are your experiences with them? Proper procedure to fix?
My first question in the tech forum. Hooray! :)
I'm usually helping people online to fix comps but now I'm a bit stumped. Shame on me. :p
TBE on 3/11/2008 at 16:03
Lsass.exe is a legitimate Windows program. It's the Local Security Authentication Server. There are some viruses that name themselves the same as that in alternate locations on your system or have variations on that name.
The legitimate one will be spelled lsass.exe and will be located in:
C:\WinNT\System32\LSASS.exe on Win2000
and
C:\Windows\System32\LSASS.exe on Win2003/WinXP
I had this one about 2 years ago, and it was a virus. I think I ended up just formatting. If you set up a Linux live CD to read NTFS partitions, you could see if this file was in the proper location. How about making a BartCD? It's kinda late in the game for that, but if you have your Windows install CD, you can make one on another computer.
In the future, I recommend Acronis True Image (http://www.acronis.com/homecomputing/products/trueimage/). It takes a snapshot of your PC, and you'll never have to reinstall your OS or programs again. Just make a backup file about once a week and boot up their CD whenever your computer isn't like the way you like it. It goes back to the previous state. It's like system restore, but it's WAY better. Want to install a bigger drive? Just install it, and boom, put your image on there. It's an awesome program, you just have to remember to make backups, or have it automatically make backups.
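The location and name check TBE describes can be run from a Linux live CD against the mounted Windows partition. The following Python sketch is an added example, not part of the original posts; the anagram/one-edit rule for near-miss names, the function names and the sample file tree are assumptions made here.

```python
import os
import tempfile
# Expected locations from the post above, relative to the volume root.
EXPECTED = {"windows/system32/lsass.exe", "winnt/system32/lsass.exe"}
TARGET = "lsass"

def edit_distance(a, b):  # plain Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(rel_path):
    """Return 'expected', 'wrong-location', 'lookalike-name' or None."""
    rel = rel_path.replace("\\", "/").lower()
    stem, ext = os.path.splitext(rel.rsplit("/", 1)[-1])
    if ext != ".exe":
        return None
    if stem == TARGET:
        return "expected" if rel in EXPECTED else "wrong-location"
    # Assumed heuristic: same letters reordered (lssas) or one edit away (isass).
    if sorted(stem) == sorted(TARGET) or edit_distance(stem, TARGET) <= 1:
        return "lookalike-name"
    return None

def scan(root):  # walk a mounted volume, return sorted (verdict, path) pairs
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if classify(rel):
                findings.append((classify(rel), rel))
    return sorted(findings)

def demo():  # constructed sample tree, built in a temp directory
    sample = ["WINDOWS/system32/lsass.exe", "WINDOWS/system32/smss.exe", "WINDOWS/lsass.exe",
              "WINDOWS/system32/lssas.exe", "Documents and Settings/user/isass.exe"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit is a prompt for closer inspection rather than a verdict: Windows may keep its own backup copy of lsass.exe outside System32 (for example under System32\dllcache on XP).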
TheOutrider on 3/11/2008 at 18:40
If the machine is connected directly to the internet (i.e. not behind a router or firewall), you might be running into Sasser (http://en.wikipedia.org/wiki/Sasser_worm) or a variant of it. Enable Windows Firewall, do a virus scan with a decent software (AVG (http://free.avg.com/) serves me well usually), then download and install SP3.
Ladron De La Noche on 3/11/2008 at 20:20
Thanx for the replies. I'm using "Ultimate Boot CD" atm. Used the torrent to grab it, sure came in fast. :D
http://www.ultimatebootcd.com/
I'll try a variety of tools, you all gave me a few ideas. Still can't seem to clean/fix it. I have a few Linux live CDs around, might try that as well. Not too familiar with the commands though. It belongs to a senior citizen, wonder how she got infected. :erg:
Lansing on 3/11/2008 at 22:12
I had exactly the same problem about a year ago or so. It's very likely that lsass has nothing to do with the boot problem - it's normally the last thing loaded before Windows starts up its GUI phase and so a problem at that stage looks like lsass - even though it may be innocent.
In my case I had a problem with the partition table being corrupted. I found other similar problems being reported at the time and it looks like XP has a rare bug which can cause the corruption and reboots. Even booting from an XP CD failed as it caused a crash as soon as it tried to mount the partition table. It's quite possible that they did nothing wrong.
Fortunately, I was able to retrieve my files by using a live Linux CD and a USB hard drive as others have suggested (Xandros in my case). Without wanting to sound patronising it's usually just a case of mounting the internal and hard drive partitions then copying what you can across.
TheOutrider on 4/11/2008 at 00:59
Does the machine BSOD on bootup, or does it throw up a Windows error message saying it's going to reboot because lsass has died? If the machine BSODs, the culprit is fairly likely to be some broken files. Viruses you can fix with a virus scanner, but if some files have just gotten broken this will likely only be fixed by running Windows' automated repair or reinstalling entirely.
For the repair, insert the XP CD and it should offer you to "repair" the existing installation. This leaves the users, files and settings on the computer intact, aside from the Windows system files. All of those are summarily overwritten with the ones on the CD. Once you've fixed it, install SP3 and all updates since and you should be good to go again.
If it's a virus, most Linux Live CDs should make it possible to "install" a virus scanner and run that. This will leave the computer unchanged (aside from any viruses you may find and remove); the virus scanner will only be installed into RAM.
Lansing on 4/11/2008 at 23:15
True - but the thread subject clearly says "lsass", not "lssas". Until this ambiguity is resolved by the thread starter then it's difficult to suggest the best course of action.
bikerdude on 5/11/2008 at 00:40
er but then the thread body as per below...
Quote Posted by Ladron De La Noche
Error is file "lssas.exe", once error displays it just reboots.
biker
jtr7 on 5/11/2008 at 00:58
I'll take no "sass" from either of you!:mad:
I'm kidding! Lame joke, I know.:tsktsk: :cheeky: