|
|
 | | From: | peter | | Subject: | lsass | | Date: | Sun, 23 Jan 2005 18:22:44 +1300 |
|
|
 | A mate was visiting sites he shouldn't have and probably downloaded some software without knowing it. So now when he boots, the BIOS runs fine, Windows XP start page loads, then an error window opens regarding lsass passwords, window closes after about 5 secs, then PC reboots. I got into safe mode but when it restarts in safe mode the same error msg comes up and then reboots. He has no hard copy of Win XP, as it's on the hard disc, and I can't seem to get into DOS to check out the dir. Any clues? Thanks. Peter.
|
|
 | | From: | Mr Scebe | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 19:16:14 +1300 |
|
|
 | "peter" wrote in message news:_vGId.10614$mo2.807386@news.xtra.co.nz...
>A mate was visiting sites he shouldn't have and probably downloaded some
> software without knowing it. So now when he boots, the BIOS runs fine,
> Windows XP start page loads then an error window opens regarding lsass
> passwords, window closes after about 5 secs then PC reboots.
> I got into safe mode but when it restarts in safe mode the same error msg
> comes up and then reboots.
> He has no hard copy of Win XP, as it's on the hard disc, and I can't seem to
> get into DOS to check out the dir.
> Any clues,
Sounds like a variant of the Sasser worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Should be able to find a cure easily enough.
> Thanks.
No worries
--
Mr Scebe
"Losersh always whine about their 'besht'. Winnersh go home and fuck the prom queen". ~Sean Connery in "The Rock"
|
|
 | | From: | Adder | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 20:52:51 +1300 |
|
|
 | In article <_vGId.10614$mo2.807386@news.xtra.co.nz> in nz.comp on Sun, 23 Jan 2005 18:22:44 +1300, peter says...
> A mate was visiting sites he shouldn't have and probably downloaded some
> software without knowing it. So now when he boots, the BIOS runs fine,
> Windows XP start page loads then an error window opens regarding lsass
> passwords, window closes after about 5 secs then PC reboots.
> I got into safe mode but when it restarts in safe mode the same error msg
> comes up and then reboots.
> He has no hard copy of Win XP, as it's on the hard disc, and I can't seem to
> get into DOS to check out the dir.
Windows XP does not use DOS.
Boot from a setup CD - any XP CD, and then choose recovery console - this should get you to a command prompt if you need one.
You could also try repairing the installation.
Another option is to make a BartsPE CD and then boot the system off that, then run one of the supported virus scanners or Ad-Aware etc. to check the system out, and then run XP setup repair.
|
|
 | | From: | Gurble | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 19:32:54 +1300 |
|
|
 | On Sun, 23 Jan 2005 18:22:44 +1300, "peter" had this to say:
>A mate was visiting sites he shouldn't have and probably downloaded some
>software without knowing it. So now when he boots, the BIOS runs fine,
>Windows XP start page loads then an error window opens regarding lsass
>passwords, window closes after about 5 secs then PC reboots.
>I got into safe mode but when it restarts in safe mode the same error msg
>comes up and then reboots.
>He has no hard copy of Win XP, as it's on the hard disc, and I can't seem to
>get into DOS to check out the dir.
>Any clues,
>Thanks.
>Peter.
>
Hi, Peter.
Firstly, this is NOT the SASSER worm as per Mr Scebe's reply - that is a red herring (the SASSER worm affects LSASS, but with different symptoms).
The problem you are having is usually caused by a corrupted password file.
Firstly, have you tried "Last Known Good Configuration"? This might replace the corrupt password file, and resolve your problem.
Secondly, when you logged in to Safe Mode, which user did you use? If it was the standard user account, try using "Administrator" (try with no password if you are unsure what the password is).
Post again with a reply to the above, and I'll try to get it sorted for you.
|
|
 | | From: | Gurble | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 19:34:51 +1300 |
|
|
 | On Sun, 23 Jan 2005 19:32:54 +1300, Gurble had this to say:
>On Sun, 23 Jan 2005 18:22:44 +1300, "peter"
>had this to say:
>
>>A mate was visiting sites he shouldn't have and probably downloaded some
>>software without knowing it. So now when he boots, the BIOS runs fine,
>>Windows XP start page loads then an error window opens regarding lsass
>>passwords, window closes after about 5 secs then PC reboots.
>>I got into safe mode but when it restarts in safe mode the same error msg
>>comes up and then reboots.
>>He has no hard copy of Win XP, as it's on the hard disc, and I can't seem to
>>get into DOS to check out the dir.
>>Any clues,
>>Thanks.
>>Peter.
>>
>Hi, Peter.
>
>Firstly, this is NOT the SASSER worm as per Mr Scebe's reply - that is
>a red herring (the SASSER worm affects LSASS, but with different
>symptoms).
>
>The problem you are having is usually caused by a corrupted password
>file.
>
>Firstly, have you tried "Last Known Good Configuration"? This might
>replace the corrupt password file, and resolve your problem.
>
>Secondly, when you logged in to Safe Mode, which user did you use? If
>it was the standard user account, try using "Administrator" (try with
>no password if you are unsure what the password is).
>
>Post again with a reply to the above, and I'll try to get it sorted
>for you.
Oh, and the other thing is to try simply doing a system restore from the command line.
Details --> http://support.microsoft.com/kb/304449
|
|
 | | From: | peter | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 21:34:32 +1300 |
|
|
 | Thanks, my problem is that I can't get to a start page. I only get the screen to turn blue (the start of the normal desktop), but then the error msg appears and then it reboots. I tried "last known good config" but to no avail, and the same as the sys restore.
|
|
 | | From: | Gurble | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 22:11:48 +1300 |
|
|
 | On Sun, 23 Jan 2005 21:34:32 +1300, "peter" had this to say:
>thanks,
>my problem is that I can't get to a start page, I only get the screen to
>turn blue,(the start of the normal desktop) but then the error msg appears
>and then it reboots
>I tried "last known good config" but to no avail, and the same as the sys
>restore
>
Ok, what is the exact error message?
Is it "When trying to update a password the return status indicates that the value provided as the current password is not correct."?
Are you using XP Home or XP Pro?
Also, have you tried FIXBOOT and FIXMBR from the recovery console?
|
|
 | | From: | peter | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 22:19:08 +1300 |
|
|
 | That looks like it, it only stays for about a second. He's using XP Home and I can't get to the recovery console yet, but will try again tomorrow with a Blaster worm removal disc and then that link you gave to the MS sys restore site. Thanks for your help, will keep informed tomorrow. Peter.
|
|
 | | From: | Gurble | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 22:34:03 +1300 |
|
|
 | On Sun, 23 Jan 2005 22:19:08 +1300, "peter" had this to say:
>that looks like it, it only stays for about a second , he's using xphome and
>I can't get to the recovery console yet, but will try again 2morow with a
>blaster worm removal disc and then that link you gave to the ms sys restore
>site.
>Thanks for your help will keep informed 2morow
>Peter.
>
No worries.
It is not the Blaster worm (the symptoms are similar, but different).
Other thing to try is to remove the hard drive, pop it in a different computer, back up the files in x:/Windows/System32/config, then overwrite them with those in x:/Windows/repair (x being their drive).
You'll need to do it from another machine, as the security files will not be able to be overwritten whilst the machine is running. (Alternatively, you could use a BartsPE or Knoppix CD).
Let us know how you get on.
|
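The backup-then-overwrite step from the post above, as an added shell example that is not part of the thread, for the live-CD (Knoppix) route. It assumes the XP volume is already mounted read-write; the function names are hypothetical, and the five hive file names are the standard XP ones, which the thread does not list.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the XP volume is mounted
# read-write and the Windows directory path is passed as $1.

HIVES="DEFAULT SAM SECURITY SOFTWARE SYSTEM"   # standard XP registry hive files

# Look up an entry by name, ignoring case (on-disk names vary in case).
find_ci() {  # $1 = directory, $2 = name
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" 2>/dev/null | head -n 1
}

restore_hives() {  # $1 = Windows directory, $2 = backup directory
    win=$1; backup=$2
    sys32=$(find_ci "$win" system32)
    config=$(find_ci "${sys32:-/nonexistent}" config)
    repair=$(find_ci "$win" repair)
    [ -d "$config" ] && [ -d "$repair" ] || {
        echo "config or repair directory not found" >&2; return 1; }

    # Pass 1: change nothing unless every repair copy exists and is non-empty.
    for h in $HIVES; do
        src=$(find_ci "$repair" "$h")
        [ -s "$src" ] || { echo "repair copy of $h missing" >&2; return 2; }
    done

    # Pass 2: back up the current (possibly corrupt) hives first.
    mkdir -p "$backup" || return 3
    for h in $HIVES; do
        cur=$(find_ci "$config" "$h")
        [ -z "$cur" ] || cp -p "$cur" "$backup/" || return 3
    done

    # Pass 3: overwrite each hive, then verify the copy byte for byte.
    for h in $HIVES; do
        src=$(find_ci "$repair" "$h")
        dst=$(find_ci "$config" "$h")
        [ -n "$dst" ] || dst="$config/$h"
        cp "$src" "$dst" && cmp -s "$src" "$dst" || return 4
    done
    return 0
}
```

The hives in the repair folder date from the original Windows setup, so accounts, passwords and installed-software settings created since then are not in them; keep the backup directory so the originals can be put back.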
|
 | | From: | Steve Marshall | | Subject: | Re: lsass | | Date: | Sun, 23 Jan 2005 19:50:44 +1300 |
|
|
 | Sounds like Sasser:
http://www.microsoft.com/security/incident/sasser.mspx
|
|
|