<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tech Support Me &#187; virus</title>
	<atom:link href="http://www.techsupport.me.uk/tag/virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techsupport.me.uk</link>
	<description>Your one stop resource for free pc technical support</description>
	<lastBuildDate>Sun, 12 Jul 2009 21:27:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>lsass.exe Process &#8211; What is lsass.exe?</title>
		<link>http://www.techsupport.me.uk/2009/07/12/lsass-exe-process-what-is-lsass-exe/</link>
		<comments>http://www.techsupport.me.uk/2009/07/12/lsass-exe-process-what-is-lsass-exe/#comments</comments>
		<pubDate>Sun, 12 Jul 2009 21:27:56 +0000</pubDate>
		<dc:creator>robbrad</dc:creator>
				<category><![CDATA[Tech Support]]></category>
		<category><![CDATA[lsass exe]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[sasser worm]]></category>
		<category><![CDATA[shutdown]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.techsupport.me.uk/?p=298</guid>
		<description><![CDATA[Some of you have requested we post an article on the Lsass.exe process &#8211; hope this helps!
What is lsass.exe?
&#8220;lsass.exe&#8221; is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication [...]]]></description>
			<content:encoded><![CDATA[<p>Some of you have requested we post an article on the Lsass.exe process &#8211; hope this helps!</p>
<h3><strong>What is lsass.exe?</strong></h3>
<p>&#8220;lsass.exe&#8221; is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, Lsass generates the user&#8217;s access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.</p>
<h3><strong>Lsass.exe has been infected in the past</strong></h3>
<p>The Sasser worm exploited a vulnerability in LSASS to spread via a remote buffer overflow in computers running Microsoft Windows XP and Windows 2000. The worm is particularly potent in that it can spread without any interaction with humans, nor does it &#8216;travel by email&#8217; like many other worms.</p>
<p>Should the lsass.exe program end, for example, by the Sasser worm&#8217;s effects, then a countdown timer will appear on the screen, advising the user to save his work and close all programs before Windows shuts down.<span id="more-298"></span></p>
<h3>When Is Lsass.exe dangerous?</h3>
<p>The legitimate lsass.exe file is located in the folder C:\Windows\System32. An lsass.exe found in any other location is a virus, spyware, trojan or worm!</p>
<h3>What can I do to check Lsass.exe and stop my computer automatically rebooting?</h3>
<p>Forcible termination of lsass.exe will result in the Welcome screen losing its accounts and you will be prompted to restart your computer.</p>
<p><img class="aligncenter size-full wp-image-299" title="lsass.exe shutdown" src="http://www.techsupport.me.uk/wp-content/uploads/2009/07/sasser-shutdown.jpg" alt="lsass.exe shutdown" width="283" height="252" /><br />
In most cases, lsass.exe system errors and lsass.exe application errors make the computer unusable, because the user authentication token cannot be obtained from the server. In some cases, the error may be caused by a trojan that camouflages itself as the lsass process. If the system is not infected, the error is caused by missing or corrupt configuration files and Registry entries. You can fix the Registry using the free Auslogics Registry Cleaner.</p>
<p>Malware often pretends to be lsass.exe. For example, the Sasser worm found a vulnerability in LSASS and spread via a remote buffer overflow in Windows XP and Windows 2000 computers. This worm can spread without any interaction with humans, nor does it &#8216;travel by email&#8217; like many other worms.</p>
<p>If your computer enters a reboot loop because of an lsass.exe error, you get an lsass.exe error when trying to change your password, or the errors are caused by an infection, do the following:</p>
<p>1. After booting into Windows, quickly click Start and then Run<br />
2. Type in shutdown -a and press Enter.</p>
<p>This will prevent your computer from restarting continuously.</p>
<p>Now try scanning your PC with an up-to-date anti-virus program in Safe Mode (tap F8 repeatedly during startup). Also make sure that you have all Windows updates installed. If this doesn&#8217;t help, you might need to do a Windows repair or a clean Windows install.</p>
<p>Note: The lsass.exe file should be in the C:\Windows\System32 folder. If you find it anywhere else, then lsass.exe is a virus, trojan, worm, or spyware!</p>
<h3>Viruses with the same name:</h3>
<p>W32.Nimos.Worm &#8211; Symantec Corporation<br />
W32.Sasser.E.Worm (Lsasss.exe) &#8211; McAfee<br />
W32.HLLW.Lovgate.C@mm &#8211; Symantec Corporation</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techsupport.me.uk/2009/07/12/lsass-exe-process-what-is-lsass-exe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker &#8211; April 1st Virus &#8211; April Fools Virus 2009 &#8211; W32.Downadup Worm &#124; The Conficker C Worm</title>
		<link>http://www.techsupport.me.uk/2009/04/01/conficker-april-1st-virus-april-fools-virus-2009-w32downadup-worm-the-conficker-c-worm/</link>
		<comments>http://www.techsupport.me.uk/2009/04/01/conficker-april-1st-virus-april-fools-virus-2009-w32downadup-worm-the-conficker-c-worm/#comments</comments>
		<pubDate>Wed, 01 Apr 2009 08:13:12 +0000</pubDate>
		<dc:creator>robbrad</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech Support]]></category>
		<category><![CDATA[antivirus software]]></category>
		<category><![CDATA[april 1st]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[kido]]></category>
		<category><![CDATA[removal tool]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.techsupport.me.uk/?p=186</guid>
		<description><![CDATA[Do you have the April 1st Conficker worm?
The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. If you are unable to reach certain web sites, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Do you have the April 1st Conficker worm?</strong></p>
<p>The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. If you are unable to reach certain web sites, you may be infected. In that case you will need to get to a computer that is not infected, download the Conficker removal tool and run it on the infected machine before installing new antivirus software. Symantec has created a detailed technical analysis of the threat <a title="Conficker - April 1st Virus - April Fools Virus 2009 - W32.Downadup Worm | The Conficker C Worm" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf" target="_blank">here</a>.</p>
<p><strong>What does the Conficker worm do?</strong></p>
<p>The Conficker worm has created a secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send spam, steal IDs and direct users to online scams and phishing sites.</p>
<p>The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.</p>
<p><strong>How does the worm infect a computer?</strong></p>
<p>The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.<span id="more-186"></span></p>
<p><strong>Who is at risk?</strong></p>
<p>Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up-to-date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk, since pirated systems usually cannot get Microsoft updates and patches.</p>
<p>More information is available on <a title="Conficker - April 1st Virus - April Fools Virus 2009 - W32.Downadup Worm | The Conficker C Worm" href="http://en.wikipedia.org/wiki/Conficker" target="_blank">Wikipedia</a>.</p>
<p><strong>The Fix</strong></p>
<p>If you have a computer that is infected, you will need to <strong>use an uninfected computer </strong>to download a specialised Conficker removal tool from <a title="Conficker - April 1st Virus - April Fools Virus 2009 - W32.Downadup Worm | The Conficker C Worm" href="http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe" target="_blank">here</a>.</p>
<p><strong>FAQ<br />
</strong>Q: What should I do if my PC is infected?</p>
<p>A: If you have a computer that is infected, you will need to use an uninfected computer to download a specialised Conficker removal tool from <a title="Conficker - April 1st Virus - April Fools Virus 2009 - W32.Downadup Worm | The Conficker C Worm" href="http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe" target="_blank">here</a>.</p>
<p>Q: Am I safe if I don’t go to questionable web sites?</p>
<p>A: No. The Conficker worm seeks out computers on the same network. You can be in a coffee shop, an airport or in the office and the worm will quietly try to attach to your computer and run itself.</p>
<p>Q: How do I know if I am infected?</p>
<p>A: The best way to know if you are infected is to run a good antivirus product. One symptom that may indicate you are infected is finding that your computer is blocked from accessing the web sites of most security companies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techsupport.me.uk/2009/04/01/conficker-april-1st-virus-april-fools-virus-2009-w32downadup-worm-the-conficker-c-worm/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>How to remove Trojan.Zlob.G</title>
		<link>http://www.techsupport.me.uk/2009/02/25/how-to-remove-trojanzlobg/</link>
		<comments>http://www.techsupport.me.uk/2009/02/25/how-to-remove-trojanzlobg/#comments</comments>
		<pubDate>Wed, 25 Feb 2009 23:26:50 +0000</pubDate>
		<dc:creator>robbrad</dc:creator>
				<category><![CDATA[Tech Support]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://www.techsupport.me.uk/?p=84</guid>
		<description><![CDATA[A few have requested this be posted as a fix so here you go&#8230;
Trojan.Zlob.G is another invention of the Perfect Defender 2009 developers that helps them scare computer users and trick them into installing and purchasing the licensed version of Perfect Defender 2009. In fact, Trojan.Zlob.G is an imaginary application, the main purpose of which is to mislead computer [...]]]></description>
			<content:encoded><![CDATA[<p>A few have requested this be posted as a fix so here you go&#8230;</p>
<p>Trojan.Zlob.G is another invention of the Perfect Defender 2009 developers that helps them scare computer users and trick them into installing and purchasing the licensed version of Perfect Defender 2009. In fact, Trojan.Zlob.G is an imaginary application, the main purpose of which is to mislead computer users. Usually the Zlob or Vundo Trojan displays security alerts stating that your computer is seriously infected with Trojan.Zlob.G and that your data and privacy are in danger. If you click on that alert, you will be redirected to the Perfect Defender 2009 download page.</p>
<p>Download SUPERAntiSpyware from <a rel="nofollow" href="http://www.superantispyware.com/">http://www.superantispyware.com/</a> or AdAware from <a rel="nofollow" href="http://www.lavasoft.com/products/ad_aware_free.php">http://www.lavasoft.com/products/ad_awar&#8230;</a> both are best at removing these Trojans&#8230;</p>
<p>How to remove Trojan.Zlob.G manually:</p>
<p>It&#8217;s possible to remove Trojan.Zlob.G manually, but you have to be very experienced in dealing with registry entries, program files and .dll files.</p>
<p>The files to be deleted:</p>
<p>* pd.dll<br />
* pdfndr.exe<br />
* pdmonitor.exe<br />
* PDInstall2009[1].exe<br />
* %WINDOWS%\system32\drivers\svchost.exe<br />
* %UserProfile%\Application Data\Google\ijdkq13324484.exe</p>
<p>Remove registry entries:</p>
<p>* HKEY_LOCAL_MACHINE\Software\Microsoft\Wi&#8230; Defender 2009</p>
<p>Please be careful, because manual removal of Trojan.Zlob.G may seriously damage the operating system and sensitive data. There is also a big possibility of incomplete removal, because some files could be hidden and the program could re-install itself after you delete the files and registry entries. So I strongly recommend that you use an automatic removal tool.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techsupport.me.uk/2009/02/25/how-to-remove-trojanzlobg/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
