Lsass.exe - operation failed

hi guys, its been a while but all's been sweet in the land of the saiyan! no tinkering, no problem!!

until now..!!:suspiciou

used the laptop last night, no probs. tried to start it this morning - "lsass.exe - operation failed" or something like that.

i've had a quick look through a few forums & stuff, some reckon its a virus, some not.

some recommend a full format, others suggest simply replacing the 'system' file in sys32 with the one from the recovery folder, have a look.

http://www.computing.net/security/wwwboard/forum/16358.html

i'm pretty much backed up so losing anything on my hard drive is not an issue.. i'd just rather not start pissing about with drivers and email settings, you know?

the above fix is a cinch, but it seems to me that the file size in "windows\system32\config\system" is around 6MB but the one in "windows\repair\system" seems to only be around 1.5MB.

so i suppose i'm asking if this is a legit fix or not.

you could be infected by the sasser worm if your registry is not corrupted in a normal way.

so...?? where to from here?

are you there~ kimsland..?

Go to the Virus & Malware removal forum and read the second and third sticky by Julio.

thanx Route44.

i'm pretty good with the virus & malware removal steps.

only problem here is that the OS doesnt even start, so those steps wont do me any good until the computer actually boots up.

i run SAS & MBAM fairly regularly and i'm not even sure this is a virus issue, but this is what i get..

http://i32.tinypic.com/2ik6scp.jpg

i had seen a relatively simple fix on the web and was really just wondering if its a worthwhile fix..

http://www.computing.net/security/wwwboard/forum/16358.html

it basically involves replacing the file named 'system' in sys32 with the one from the recovery folder.

but since there is a discrepancy in file size, i wonder... hmmm

I posted about a similar (not exactly similar, but it will help) issue here: http://www.techspot.com/vb/showpost.php?p=694541&postcount=4

I would suggest you do all recommendations (to replace your present one)
Let me know if this helps :grinthumb

thanx Kimsland. another great post as usual. but i just couldnt get the command to work. i put it in as this:

extract d:\i386\lsass.ex_ c:\windows\system32\lsass.exe

but i was a little worried about the underscore after the first lsass.ex_

and then a space before the c: ~but thats how you wrote it so thats how i typed it.

but it came back with and unrecognised command, seemingly the 'extract' part.

i then tried it without the word extract but that didnt work either. basically i tried a few things with the command line but it wouldnt work.

so i'm gonna get the lsass.exe of my xp pro disk. put it on a usb and then boot into ubuntu and replace the apparently broken lsass.exe that way. thats how i fixed my partition magic calamity last time!!

i'll post back and let you know how it goes.

just for clarity, the purpose of this is to replace the original lsass.exe in system32 with a new one, isnt it?

OK. so replacing the lsass.exe file hasnt worked and the problem is still the same. (the way i replaced it anyway ~ access via ubuntu, removed original file and replaced with lsass.exe from another xp pro machine).

so, before i go getting too involved with the further steps outlined in:

http://www.techspot.com/vb/showpost.php?p=694541&postcount=4

i just wonder if a repair install is worth a crack..

http://www.techspot.com/vb/topic8356.html

what thinketh you?

Yes Repair is an excellent idea

Microsoft's Windows XP Professional Repair Install step by step
http://www.windowsxpprofessional.windowsreinstall.com/sp2sp3installxpcdrepair/indexfullpage.htm

Microsoft's Windows XP Home Repair Install step by step
http://www.windowsxphome.windowsreinstall.com/sp2sp3installxpcdrepair/indexfullpage.htm

-------------------------

Microsoft's Windows XP Professional Repair Install step by step (* Including Delete Partition)
http://www.windowsxpprofessional.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

Microsoft's Windows XP Home Repair Install step by step (* Including Delete Partition)
http://www.windowsxphome.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

* Warning deleting the Partition will remove all User data and Windows system files

-------------------------

Vista Repair:
http://www.windowsreinstall.com/winvista/index.htm (index page)
http://vistahomepremium.windowsreinstall.com/repairstartup/repairstartup.htm (guide)

ok, tried the repair install. no change.

still getting the same message after the splash screen, "lsass.exe - operation failed" (http://i32.tinypic.com/2ik6scp.jpg).

i will give the more complicated steps a try before i give up but if theres some way i can retrieve my email settings (*.iaf), emails (dbx) and address books (wab) then i'll be happy to just burn the mofo to the ground.

any ideas?

all my files are on an external drive but in my rookie-ness i didnt back up emails and email settings, D'ooH!!

Here's the next step (um steps)
http://support.microsoft.com/default.aspx?scid=kb;en-us;307545&sd=tech
Which is basically this: http://www.techspot.com/vb/post694541-4.html

Actually it may be best to backup with UBCD and then either do a full Virus\Malware scan, or just re-install clean

thanx kim. i've printed out those instructions so i cant get em wrong!

just in the meantime. if i were running xp pro on another computer and connected this [affected] drive to it as an external drive (via usb), would i be able to run outlook express from there?

No Outlook Express is not portable, meaning you cannot run it from another computer
Although you can certainly backup your DBX files (ie Inbox.dbx) just do a search for all files and folders (including hidden and system files) for *.DBX

The backed up DBX files can then be used to overwrite (ie remove) the present DBX files in the other computer, which will then allow you to open Outlook Express on the other cmputer, seeing your old Inbox.DBX file, as an example

I hope that's clear
Normally you use the Export function in a working Outlook Express computer to do all this manual work, automatically

CRIKEY!! how many times can i say thanx!??

actually i had a little win this afternoon.

since i dont have another pc, i was using UBUNTU (live CD) to browse my broken windows. but for some reason ubuntu wouldnt find the dbx files.

so i hopped on this afternoon with BackTrack3 and found the dbx files fine. also found the wab files too!! so i'm stoked to say the least. couldnt get the iaf files but i've got a workaround for that.

once they are copied off safely somewhere else i'm just gonna open up a can of whup-*** on the unsuspecting lsass.exe!

the weird thing was that on the day preceeding this failure i hadnt really gone to any dark places and the missus was the last to use it, and she only ever uses msn.jp... its got me well weirded-out!

It's just Windows normal corruption
Not sure if you ever had a chance of running a full malware scan (possibly not) but that could have been it too

I suspect you're now trying to backup, and re-install all fresh again, if so, this is possibly the best option.

the way you wrote 'normal' is really scary. without backup, ppl could simply lose it all, and probably do, every day.

i didnt have the chance to do the malware scan because even safe-mode wouldnt boot up. but i was still doing regular scans with SAS & MBAM.

this is starting to get a bit old now (SORRY!) since i have a way of fixing it now..

but actually, could i do the scans with the drive connected externally to a pc with SAS & MBAM? would it fix the rego?

It's worth a go :grinthumb I'd do it

By the way it's not that scary, 99% of faults are fixable.
Really the only one that's bad is Harddrive fail.

i also read something about a stand-alone utility from mcafee called 'stinger.'

i'll give that a try too.. do you know anything about it?

http://vil.nai.com/vil/stinger/

Yes I've used Stinger before, it is good
This one is better (as standalone malware removal program) http://www.techspot.com/downloads/4210-norman-malware-cleaner.html

Are you sure it's not Lssass with 4 s's? Lsass is a Nvidia display driver related file if I remember correctly. Lssass.exe is a worm file.