How to remove the lssas virus

Most antivirus programs identify lssas.exe as malware—e.g. Kaspersky identifies it as Trojan.Win32.Buzus.dmok or Worm.Win32.VBNA.b, and Microsoft identifies it as Worm:Win32/Pushbot.gen!C or Trojan:Win32/Malagent.

The free file information forum can help you find out how to remove it. If you have additional information about this file, please leave a comment or a suggestion for other users.


Lssas.exe file information


The process known as 5WktcyYGQzKhA2mtD8qoJYoR3gdl17S6 or j`RJNo9ydJcYplG2nrGQ[b DakJzCS]7JQFhSftxro]LHdALAGjM9IE (version No0co[UZhVS68 QFiZ97:r[@Sb_0dE BhSoXYE7am5=...) or LSA Shell (Export Version) appears to belong to software AcroRdWin or tKRtskjZPmnvJvCuCHGh or Microsoft Windows Operating System by MS or Microsoft.

Description: Lssas.exe is not essential for Windows and will often cause problems. Lssas.exe is located in the C:\Windows\System32 folder—typically C:\Windows\ or C:\WINDOWS\system32\. Known file sizes on Windows 10/8/7/XP are 131,072 bytes (20% of all occurrences), 135,168 bytes, 60,416 bytes, 459,264 bytes or 424,960 bytes.
It is not a Windows system file. The program has no file description. The program has no visible window. The file is located in the Windows folder, but it is not a Windows core file. The process uses ports to connect to or from a LAN or the Internet. The software starts when Windows starts (see Registry key: MACHINE\Run, Run, win.ini, Userinit). Lssas.exe is able to monitor applications and hide itself. Therefore the technical security rating is 88% dangerous; however, you should also read the user reviews.


External information from Paul Collins:
There are different files with the same name:

Important: You should check the lssas.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.


User Comments

This file can be closed without damage
Windows NT4/2000/XP/2003 only. It verifies the validity of user logons to your PC/Server (in technical jargon : it generates the process that is responsible for authenticating users for the Winlogon service). An integral part of the operating system, leave alone provided that its full path as shown is either C:\WinNT\System32\LSASS.exe (Windows 2000) or C:\Windows\System32\LSASS.exe (Windows XP/2003). If the path is anything else then you may have a virus.
  Camilo Quemedigas Medaigual  
Possibly a virus as the real one is Lsass.exe
  Darren O'Brien  
I started to investigate what I have in the computer since I saw a non stop stream of information going out and coming in even when all progs were closed. No program I have could identify it (yet).
  Barak G.  
If you end task it, it auto restarts. LSSAS is malware, meant to be confused with the legitimate LSASS, pay attention!
On my system it (lssas.exe) locks up port 21 with a "Listening" status upon boot.
adds pop up ads related to the adware.easysearch browser hijacker which is a variant of the coolwebsearch and about:search hijacker. Very annoying and hard to get rid of!
  MagiDrum  
I can not get on internet when it is running. When I "kill" it I can access the internet.
Without closing lssas.exe I can't run a ftp-server. I think it uses the same port 21
W32.AGOBOT.RL Trojan. Disable/Delete.
I cloned a (failing) drive last week and everything on the transfer was good. After, my niece downloaded several free screensavers and my new system started working differently. The hidden file LSSAS.EXE isn't on the old drive. If I turn the computer off, it restarts on its own within a few minutes. Now, there are a few other files trying to get past my firewall and I get a few pop-ups during the day. Several times when the computer was supposed to be idle, the DSL modem showed activity. Each time I disconnected the modem the computer went into a (countdown) shutdown mode.
cause that reboot "blue said need upgrade ati driver or Bios upgrade "
  crashed to blue text  
Probably a virus / key logger. Do not confuse with lsass.exe. Check in windows/system32 for this file and a separate file of same name without extension.
to remove it from my computer
Only thing I know about, it is give me 50 sec after connect to net via Win2003, then closing PC, restart. After re-connect to net, the same countdown message appears...
  Abu Salem  
It has been flagged the "sober worm" by many websites. It duplicates itself into several other directories and uses FTP to upload data of your activities to a webserver, hence the port 21 lockup. I consider it dangerous as I logged it uploading all data I entered into forms and all the websites I visited. If you have Mozilla Firefox and you find that the process is always running, this is a sure sign you have the "sober" worm.
  Necrotising Fasciitis  
I once had a Trojan which ran shutdown -s -t 00 -c "something related to lssas.exe". All I needed to do is shutdown -a and then remove unknown startup registry key.
It's a worm: W32.Agobot.RL. Norton doesn't find it. AVG doesn't find it.
My Kaspersky detected it as trojan.dropper.payload and this file was hidden in my system 32; it looks like a picture
I tried to end the process and a thing popped up and said it was a critical process that the taskmanager can not end it.
This file is malware. I had this before and it prevented me from accessing the Internet. It can easily be confused with the Windows system file lsass.exe.
  David  
It's the sasser worm. Remove immediately!
lssas.exe is dangerous; there is a file Lsass.exe that is essential for Windows

Rating chart

Summary: Average user rating of lssas.exe: based on 27 votes with 23 user comments. 2 users think lssas.exe is essential for Windows or an installed application. 4 users think it's neither essential nor dangerous. 5 users suspect danger. 16 users think lssas.exe is dangerous and recommend removing it. 3 users don't grade lssas.exe ("not sure about it").


Best practices for resolving lssas issues

The following programs have also proven useful for a deeper analysis: Security Task Manager examines the active lssas process on your computer and clearly tells you what it is doing. Malwarebytes' well-known anti-malware tool tells you if the lssas.exe on your computer displays annoying ads, slowing it down. This type of unwanted adware program is not considered by some antivirus software to be a virus and is therefore not marked for cleanup.

A clean and tidy computer is the key requirement for avoiding PC trouble. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows' Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing your installation or, for Windows 8 and later versions, executing the DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.
