Thread ID: 79853 2007-06-03 08:04:00 XP Home Registry seems to be fragile. john r (782) Press F1
Post ID Timestamp Content User
555661 2007-06-03 08:04:00 I have been working on a friend's HP ZE4315 laptop after it failed to boot with an error message (lsass.exe system error) saying file not found; this stops any sort of startup till fixed.
I have searched the net and it points to an error with C:\windows\system32\config\security being at fault.
I have managed to restore it to normal by booting up with UBCD and restoring the registry to the last saved one.
The problem is that this laptop has done this same thing 3 times now over 18 months, so I now need to find the cause of it before returning it to its owner.
I have previously replaced the hard drive in case it was the problem.
This time I have run virus and Adaware scans, and run Windows scan disc.
After running Memtest86 it also failed to boot. It was different, with no error message; it just would not reach the desktop. It stalled on the second Windows screen, the mouse was still working, even the screen saver kicked in, but it still didn't finish. I powered down and restored the registry backup again and it is now working perfectly.
Is it possible the registry is fragile and easily upset on this laptop? It's a shame, as it runs really well when it's behaving.

Any ideas appreciated,
Thanks,
John.
john r (782)
555662 2007-06-03 18:51:00 That is usually evidence of the Sasser worm...and you won't fix it by changing harddrives...etc...however, if you REALLY DO have a corrupted file, then you should try this first....

I wrote up some instructions that are based on others' instructions that I found online, and that are similar to Microsoft's instructions.

Basically you need to do a manual system recovery, and restore five configuration files from the System Volume Information hidden folder.

I think that your SAM file is corrupted, and you might get the same results as I couldn't get into the manual recovery because it wouldn't accept my administrator password. Fortunately there are many tools available to get around this problem.

See nordicgroup.us for detailed instructions.
SurferJoe46 (51)
...some more info...and it isn't good...you MIGHT just have to format and re-install if you cannot accomplish the repairs...but here goes some of the info I have gathered over time:

Sasser will jump the bones of an unprotected computer in a matter of seconds...it's because of sloppy firewalls and/or security that has lapsed in updates or scans. Sasser is "out there" and waiting to get ahold of your system over and over.

It will hide in System Restore, which I HEARTILY RECOMMEND TURNING OFF!

Leave it off.

You should not need it.

Just how do you know you have Sasser?

Unfortunately, Sasser shares several behaviors common with other recent viruses. The most common sign is that your machine will indicate that there is a problem and will reboot in 60 seconds...or NOT...depending on the particular strain of the virus.

The message caused by Sasser should indicate that the problem is in LSASS.EXE.

If you are getting constant reboots, you should be able to abort the shutdown within those first 60 seconds by doing the following:

Press the Start button and then the Run menu item.

Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".

Press OK.


This doesn't fix anything; it just lets you get on with the business of disinfecting your computer.

Then, take the following steps:

Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, or purchasing and installing hardware devices such as a NAT router. NAT routers ARE firewalls!

Either of these solutions will likely protect you from Sasser and many other types of non e-mail based threats.

Install the patch from M$ just for the Sasser problem. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.

Remove the virus using the M$ instructions from their site. There are several other Sasser removal tools floating around. Microsoft's What You Should Know About the Sasser Worm and Its Variants has one.

Update and run your Anti-Virus software. Make sure that both of those steps happen automatically in the future as well. For example, my virus scanner is configured to check for updates and run a scan every morning.

Stay up-to-date. There are several options but I am running Windows Automatic Update for Windows XP.

I prefer to have it download and notify me of changes that are ready to install. In addition...or, if you prefer, instead...you should also visit Windows Update on a regular basis for additional updates to your system. I visit once a month.


The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus.

Watch out for this though!...

Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable. So if you can get to sites, but not your anti-virus vendor, then this might be the problem. It's easy to check.

Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click on Run, type Notepad \windows\system32\drivers\etc\hosts, and press OK.)

Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee, and more, then the worm has struck.

I would then take the following steps:

Close Notepad.

Open Windows Explorer on the directory containing the file "hosts" (A quick way to do this is to press the Start button, click on Run, type \windows\system32\drivers\etc, and press OK.)

Right Click on the file hosts and select Rename. Give it a new name, like "oldhosts".

Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.)


You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.

Now you should be able to get to your anti-virus sites until you reboot...apparently the Sasser worm will recreate these bogus hosts file entries each time you reboot. So download your updates and scan to clean up the virus right away.

Update:

As I figured/predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are showing up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms.

I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis.

Two current examples of similar viruses include Kibuv-B and Bobax, both of which have removal instructions up on various sites.

I DO NOT trust McAfee, Norton or Symantec to protect anything I own...I find them all clumsy and generally RAM-suckers that make things S L O W on your system..
SurferJoe46 (51)
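The hosts-file check described in the post above, written out as an added example that is not part of the original thread: a small Python script that parses hosts-file text and flags every name other than the normal loopback entries, classifying a real hostname sent to a loopback or 0.0.0.0 address as the vendor-site lockout pattern the post describes. The sample hosts content is constructed for the example.

```python
import ipaddress

# Constructed sample hosts-file content for this example (not from the thread).
# The localhost lines are normal; the rest mimic the vendor-site hijack pattern.
SAMPLE_HOSTS = """# Hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com        # blackholed vendor site
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
127.0.0.1       windowsupdate.microsoft.com
"""

# Names that legitimately map to a loopback address in a clean hosts file.
NORMAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Parse hosts-file text into (ip, [names]) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def suspicious_entries(text):
    """Return (name, ip, reason) for every mapping other than the normal loopback names.

    'blackholed': a real hostname pointed at a loopback/unspecified address
    (the lockout pattern that makes update and vendor sites unreachable).
    'redirected': the hostname points somewhere else entirely.
    """
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
            blackhole = addr.is_loopback or addr.is_unspecified
        except ValueError:
            blackhole = False  # unparsable address: still reported, as 'redirected'
        for name in names:
            if name.lower() in NORMAL_NAMES:
                continue
            flagged.append((name, ip, "blackholed" if blackhole else "redirected"))
    return flagged


if __name__ == "__main__":
    for name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason:11} {name} -> {ip}")
```

On a real machine, read the text from the hosts file path the post gives and feed it to `suspicious_entries`; an empty result is the expected state.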
555664 2007-06-04 11:14:00 Thank you for going to so much trouble SurferJoe,
I will work through your ideas. I am sure it's not a worm but will confirm this with a scan,
Cheers,
John.
john r (782)
555665 2007-06-04 16:16:00 Thank you for going to so much trouble SurferJoe,
I will work through your ideas. I am sure it's not a worm but will confirm this with a scan,
Cheers,
John.

Awww..shucks, 'twaren't nothing!

I am retired (forcefully..and ENFORCED!) so I have a lot of time to do these things.

I guess this is my "Great American Novel" that I have to write one chapter/verse/answer at a time.

I get verbose..just ask any F1-er...and sometimes I get to devote too much time to typing (no thanks to Mavis!...I still use one finger on the right hand, and two on the left). I can get off 300wpm, but only I can read them.

I keep on tripping the "Kitten-on-the-keys" program...nyuck, nyuck. :blush:
SurferJoe46 (51)
555666 2007-06-04 22:19:00 Maybe it's faulty RAM? Agent_24 (57)
555667 2007-06-05 01:22:00 Maybe it's faulty RAM?

I thought about that too..but this is the worry:


an error message (lsass.exe system error) saying file not found, this stops any sort of startup till fixed.

...that ALMOST always points to infectious activity..but this might be the one time it's an exception.....

I think the RAM has already passed muster by that time in the boot-up.
SurferJoe46 (51)
555668 2007-06-05 01:41:00 On second thoughts I think you're probably right, looks much like virus activity indeed ... Agent_24 (57)
555669 2007-06-05 02:37:00 I'd like the original poster to get back to us and let us all know what he found and what repaired it..we all gotta learn here. SurferJoe46 (51)
555670 2007-06-05 10:14:00 Thank you all,
I have done a Sasser scan with nothing found, also have done 2x different anti-virus and 2x different Adaware scans, nothing was found. I have run 10 hours of memtest86 twice with no errors.
I have run SFC after rolling the registry back to an earlier saved one.
The PC is now working ok.
Is it possible the recovery discs I used have given me a bad install?
The PC had operated fine for a couple of years with no problems with its first owner till I did a fresh install with the recovery discs that came from HP.
Since then it has played up with this error 3 times now; the PC has always been fully patched and up to date with anti-virus.
cheers,
John.
john r (782)