Dave Taylor answers free tech support questions about a wide variety of business and technical topics, including blogging, iphone help, ipod help, AdSense, MySpace, Sony PSP help, Mp3 players, Windows XP, Windows Vista, Linux, SEO, Mac OS X, Facebook, Twitter and LinkedIn.

Deleted Lsass.exe from System32: Is this a problem?

Dave, I have deleted the file lsass.exe from System32. My Windows is XP Home Edition. Is there something I need to do now to fix my computer, or can I run in blissful ignorance?


Dave's Answer:

Well, the file you're talking about is lsass.exe and it turns out that this is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server and generates the process responsible for authenticating users for the Winlogon service.

This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token so that you don't have to keep logging in every time you launch a program.

The lsass.exe file is properly located in the c:\windows\System32 folder: if you find it anywhere else on your system, it's actually a virus, trojan, worm or even spyware, and should be deleted!

There are three viruses I found evidence of that use either this exact filename or a darn similar one:

  • W32.Nimos.Worm
  • W32.Sasser.E.Worm (Lsasss.exe)
  • W32.HLLW.Lovgate.C@mm

Microsoft does offer a Windows patch that's worth downloading if you haven't already. You can also double-check to see if you've been infected with any of your standard anti-virus or anti-spyware tools.

Enough dire warnings. Back to your situation!

Since the file was in the correct directory, it is probably the legitimate lsass.exe and you need to replace it. You can copy the Lsass.exe file from your backup media into the C:\Windows\System32\ folder.

The backup copy of Lsass.exe can be found on your original Windows install disk in the folder F:\i386\lsass.ex_ (I'm guessing that "F:" is the identification of your CDROM drive. If not, use "E:" or similar as required).

Because the backup copy is compressed, you need to copy the .ex_ file into your System32 folder, then rename it from ".ex_" to ".exe".

You might end up needing to go into the Recovery Console to do this: Wown.com has some very useful details on using Recovery Console as needed.

Oh, if the COPY command doesn't do the trick, try using EXTRACT instead.

I hope this helps you restore your system without having to reinstall Windows.

Thanks to Tommy Martin for his help
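The location check and the near-miss filenames (such as Lsasss.exe) described in the answer can be turned into a small triage routine. This is an added example, not code from the original article: the C:\WINDOWS install root, the verdict names and the one-character edit threshold are assumptions, and the backup folders are the ones named in the comments on this page.

```python
import ntpath

SYSTEM_DIR = r"c:\windows\system32"  # assumed install root (C:\WINDOWS)
# Folders the page's commenters report as holding on-disk copies of the file.
BACKUP_DIRS = {
    r"c:\windows\system32\dllcache",
    r"c:\windows\$ntservicepackuninstall$",
    r"c:\windows\servicepackfiles\i386",
}
TARGET = "lsass.exe"

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Label one image path relative to the genuine System32 lsass.exe."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    if name == TARGET:
        if folder == SYSTEM_DIR:
            return "expected"
        if folder in BACKUP_DIRS:
            return "backup-copy"  # normal as a file, not as a running process
        return "wrong-location"
    # One added, dropped or swapped character, e.g. lsasss.exe or isass.exe.
    if edit_distance(name, TARGET) <= 1:
        return "lookalike"
    return "unrelated"

# Constructed sample listing, not taken from a real machine.
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\lsass.exe",
    r"C:\WINDOWS\Temp\lsass.exe",
    r"C:\WINDOWS\system32\Lsasss.exe",
    r"C:\WINDOWS\system32\csrss.exe",
]

def scan(paths):
    """Return (path, verdict) pairs for entries that need a closer look."""
    verdicts = [(p, classify(p)) for p in paths]
    return [(p, v) for p, v in verdicts if v in ("wrong-location", "lookalike")]

if __name__ == "__main__":
    for p, v in scan(SAMPLE):
        print(f"{v:15} {p}")
```

The threshold of one edit is deliberate: at two edits, legitimate system files such as csrss.exe would be flagged as look-alikes.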



Comments

I suppose I'm just curious to know why the file was deleted? Was it causing problems or errors? More information would probably find more solutions.

Posted by: mpoer at May 23, 2005 12:09 PM

1. Just rename inf en *.ex_ is not enough. You should decompress it with Winzip.

2. I believe (not sure) you can recover this file from windows/system32/dllcache

3. Is it possible to recover file with SFC /Scannow in command line? If you do this what's about all Windows Update files?

Posted by: Andres Sanchez at May 29, 2005 4:18 AM

"Since the file was in correct directory, it is probably the legitimate lsass.exe and you need to replace it. You can copy the Lsass.exe file from your back up media into the C:\Windows\System32\ folder. "

Or...

He could open a Command window and run sfc.exe, no?

It would seem like the least complicated solution.

Posted by: Jeff Partridge at May 29, 2005 4:19 AM

I continuously get an error that scripting is disabled on my browser whenever I try browsing secured sites... have tried running some scripting commands and deleting cache and cookies... still no go!!!

Posted by: Scott at June 3, 2005 11:18 PM

Help Me!!!!!!!!!!!!!!!
In November got a worm, virus; it ate my taskbar and all of my icons on my desktop. All I have is my wallpaper. This is the one that I have: Sasser.E.Worm (Lsasss.exe). It also does the 60 second countdown to shutdown and restart. I tried to install fixes but all I get is: there was an error and Windows needs to shut down, if you continue to have this problem please contact Windows about the problem. Do I need to crash it, can I take the battery out of the computer to wipe everything out....
Denise.
I'm using my mother's computer, I need my computer back>>>>

Posted by: D.M.Childs at January 18, 2006 8:43 PM

DM, I'm sorry to say this, but it sounds like your computer is completely trashed, even to the point that I wouldn't trust any files at all (even word documents or spreadsheets). I hate to say it, but you need to do a complete system reformat and reinstall of the operating system, and you're probably going to lose everything currently on the computer (actually, you already HAVE lost everything on the system).

Then, first thing before you even go onto the Internet the first time, buy and install both a good antivirus and antispyware program. I recommend Norton Antivirus and Webroot's Spy Sweeper: both are available at retail stores like Target and CompUSA. Install them both BEFORE you go to any Web sites or even get your email.

Good luck!

Posted by: Dave Taylor at January 19, 2006 8:53 AM

D.M.Childs

Have no fear, there is hope.
Start your comp in safe mode. Go to Start-->Run-->enter "msconfig"-->shut down all non-essential apps running.
Get antivir from http://www.majorgeeks.com/AntiVir_Personal_Edition_d955.html
Get spysweeper from http://www.majorgeeks.com/Spy_Sweeper_d3263.html

Scan with both to get rid of all that. All is well :)

Posted by: fredski at January 25, 2006 1:04 PM

Every time I try to log on to my PC it logs me out and takes me back to the login screen. I have tried logging in in safe mode but it does the same thing. I have even tried copying the usrinit.exe file to the wsaupdate.exe file, but that didn't work from the command line. Reinstalling the OS (Windows XP) is not an option at this point. I have also contacted Microsoft but they refuse to help me, saying call the OEM, and the OEM refuses to assist me saying that it is not a hardware issue and that I should call Microsoft. At this point I think they are both full of it. Can someone please help me?

Posted by: Smitty at February 14, 2006 7:13 AM

Sounds like some sort of spyware problem, Smitty. That's where I'd check first...

Posted by: Dave Taylor at February 14, 2006 9:29 AM

Why would the lsass.exe program be trying to open a server connection to a Mexico IP address (189.155.117.25)??? Trying to receive data.

If it's so harmless, and supposed to be part of Windows XP Pro (SP2), why is it trying to server connect to a Mexico IP address?

My Firewall (ZoneAlarm) showed me this, and I stopped it from allowing to connect there.

I traced the IP# using NeoTrace

Is it possible there's some other virus using this program in a stealth way? ... and the AntiVirus Program I have, Symantec AV version 9, isn't seeing it?

Symantec people don't know what to tell me.

I have the latest update DEF's from Symantec and the program shows me nothing infected in my system, but this is strange, as I also see many hits to my firewall of blocked attempts of access from many IP addresses showing in the Alerts & Logs of ZoneAlarm... every two seconds a new one shows in the log, with me just idle, watching the log fill up.

Should I be concerned? ... or just let ZoneAlarm continue to block everything nasty, and not worry?

Posted by: william at November 14, 2006 3:01 AM

OH ... By the way ... I also have Ad-Aware SE Pro build v1.06r1 with the latest DEF file too, and this also shows me no infection... or spyware.

Posted by: william at November 14, 2006 3:08 AM

I also want to give you a bit more info ...

I did a search of the lsass.exe file on my "C" drive and it's in three locations ...

it's in the expected location of
C:\WINDOWS\system32
as a 13 KB sized file
but also in two other places ...
C:\WINDOWS\$NtServicePackUninstall$
as a 12KB sized file, and at ...
C:\WINDOWS\ServicePackFiles\i386
as a 13 KB sized file.

Shouldn't they all be the same size?
or does that not matter?

Thanks for any "light" you can shine on this. :-)

Posted by: william at November 14, 2006 3:20 AM

well- I'm sure it's something strange, or some trojan using the lsass.exe, if the lsass.exe isn't the trojan itself, 'cause that same program, several days later, is now trying to get to some EDU IP in Africa (213.181.230.31) on port 447

The last time it was trying to connect to Port 500, trying to go to that Mexico IP#

Posted by: william at November 17, 2006 11:01 PM

Well, the IP addresses you've tracked down certainly make it hard to imagine that it's anything benign. And your anti-virus app isn't even reporting a problem? I'd call them up and ask them what's up, personally.

Posted by: Dave Taylor at November 17, 2006 11:26 PM

:-)
I thought you were no longer monitoring this site, sorry, I guess you've also got a life away from this website. :-)

anyway, as for Symantec, they're just giving me blank looks, and stupid grins, regarding this, and can't tell me anything.

Their anti-virus software didn't see two Trojans, in two files I had on my file storage hard drive partition, (unrelated to this problem, I think) that LavaSoft Ad-Aware (latest Version) did see and removed, so, I guess Symantec is waiting for others to find them first... :-/ ... , and report it to them, before THEY "notice" it.

I'm wondering though, the three places I mentioned I found the lsass.exe (shown above) with one of them 1kB smaller than the other two, is this normal?

If not, please let me know if I should delete the 13KB ones and replace them with the 12KB one, or the other way around.

Thanks, and this time I'll wait a bit longer before I think you're not answering... :-)

Until then, I guess I'll just have to rely on my Firewall to stop this whatever it is from going out.

Posted by: william at November 18, 2006 10:10 PM

William, I honestly can't advise you any further. All I can think is that if you can find a clean, uninfected computer, you could compare configurations...

Posted by: Dave Taylor at November 18, 2006 10:26 PM

O.K. but I was hoping at least you could compare the three locations it shows in mine, and the size stated, to the ones in yours...

it's in the expected location of
C:\WINDOWS\system32
as a 13 KB sized file
but also in two other places ...
C:\WINDOWS\$NtServicePackUninstall$
as a 12KB sized file, and at ...
C:\WINDOWS\ServicePackFiles\i386
as a 13 KB sized file.

and the "search" command in the start button location is automated... but,

I understand if you'd rather not.
thanks for your replies,
I really didn't expect even that much.
:-)
Thanks for your help thus far.

Posted by: william at November 19, 2006 2:40 AM

An update for anyone viewing this with the same issue as me.

I was able to solve this problem by just letting WinXP installation CD do a repair to my OS on the drive... it's not the repair console, but rather the CD checks for an already installed XP on the "C" drive and asks you if you want to repair it when you attempt to re-install the OS to the hard drive.

You'll have to make sure you have any special drivers (hard drive controller... etc) on your floppy to insert at the prompt, or you may not see all the Hard Drives or partitions if you use the default one on the XP CD, so be prepared. Don't worry ... it only looks like it's re-writing the entire OS, but it's in fact keeping all your original settings and programs as it was, just fixing any files that may have gotten corrupt.

This not only fixed the LSASS.EXE problem for me, but I also noticed some USB fixes with my network adapter, and other little OS "bugs" that are now fixed too.

YOU WILL have to re-download all the XP updates again with the auto-update in the browser, but for what it fixed, it's a small price to pay, time wise, to fix the OS back to "normal".

Thanks for trying to help Dave, I understand why you couldn't tell me anything, this was an ODD problem, not seen before... so I hope now others with this same issue have something to try, to fix it.

BYE! :-)

Posted by: william at December 6, 2006 9:23 AM

Wondering about lsass on one of the laptops. Noticed it was hitting the disk a lot, so I brought up taskmanager to see which process was offending - shows lsass doing several disk reads/writes per second. (after 48 hours, it was the top I/O process on the machine). This doesn't sound normal. Poking around looking for strings, etc, it showed "Export edition", and one of the verification tools said it was MS signed... My AV software (up-to-date norton) doesn't complain, etc... XP, current patches.

Posted by: Random Nerd at May 12, 2007 6:31 PM

When I start my computer a dialog box appears which says "lsass.exe object not found". It has an OK button. After clicking on the OK button my computer reboots itself. It won't let me use my computer. How can I solve this problem?

Posted by: daniel at June 2, 2007 10:18 PM

I have the same problem: An anti virus deleted the lsass.exe file. What's bothering me the most is that, I don't have the installation CD anymore. This laptop was just given to me, and haven't even thought of including the necessary CDs.

I'm wondering if I could get the lsass.exe file from other people's installation CD

Posted by: Lei at September 2, 2007 6:15 AM

iass.exe & soundmix.exe are infected. NOD 32 can't clean them and can only delete them, which is harmful. What can I do?

Posted by: Ali at October 8, 2007 10:17 AM

I have the same Isass.exe system error problem. It automatically restarts my laptop. I tried the different repairs from my XP CD and it still comes on after the login screen. Help Please..

Posted by: Raymond O at October 10, 2007 2:13 PM

Hi,
I am Ranjan from India, Hyderabad, seeking your help.
I suddenly found my system not accessing my drives (such as local drives D / drive E);
while trying to double click, a send and don't send option is coming.

Hope you are kind enough to resolve it.
Supports will be appreciated.

Posted by: Ranjan at November 2, 2007 5:36 AM

I have a worm in my computer, I guess it's nooh, and it has disabled Task Manager. What should I do?

Posted by: syed at December 29, 2007 2:23 AM

I clicked on SYSTEM RESTORE, as usual, after a day of browsing and something odd happened. When I turned the PC back on, there was a suggested hard drive check, so I let it go ahead. I saw lots of "truncating" messages, then the PC started to initiate usual start-up, got to the point where it is about to start windows, and the now well known error message lsass.exe system error window appeared. Clicking on either OK or X closed that window and the PC shuts down. I could not enter safe mode, or any of the other failsafe options, so I could not type shutdown -a in a prompt box, I could not enter windows to re-set anything, I could not even use my Spotmau Power Suite Pro 2008! Oh it started-up fine, after I had re-ordered BIOS but after that none of its applications functioned from its so-called safe-boot! Talk about disappointing. I had spent 50 Dollars on this download, a disc and insurance cover for a 2nd download. After 3 days of hell, and little sleep, I gave up and the PC is now in 'hospital'. I have finished with windows. Linux is a mystery to me at this moment but after the last week I would rather learn Linux and move on stress-free than have that happen again. I had Avast and McAfee installed and updated. Neither stopped the problem. (Xp sp2 with patches ... useless. Useless!)

Posted by: carl at April 17, 2008 5:14 AM

The info that RANDOM NERD posted is the solution.
I had two problems: (1) I had two OS on my system, XP Pro and XP Home. The XP Pro error was "iertutil was missing", which caused Explorer not to open. (2) This error with lsass is the one I got when I tried to open XP Home. So note: repairing with the original XP CD removes the errors without the loss of data.

Posted by: kirk lewin at November 29, 2008 4:53 PM


© 2002 - 2008 by Dave Taylor. All Rights Reserved.
