Posted on 10/04/2005 4:57:39 PM PDT by don-o
Here is where I am. Running XP Home.
Was surfing a sports board. Got a BSOD. And since then cannot boot at all.
lsass.exe system error invalid parameter
Did enough searching to convince me I got the Sasser worm or some variation thereof.
Booted from CD; tried repair console. No success. So I am ready to hopefully reinstall. I want to save my programs. Data I need is backed up on a second hard drive.
So when I get to the point of selecting which drive to install on, I get the message that I will lose data, apps, etc. My OS is on an unpartitioned 156 gig HD.
The message says hit C to partition. Nothing happens.
My second HD is a 76 gig:
Partition 1: FAT 39 MB
Partition 2: NTFS 76 MB
Unpartitioned: 8 MB
Questions:
1. Can I partition my primary drive without reformatting it?
2. If I do the install on the secondary, will my apps on the primary work, so maybe I can get rid of the worm I think I have?
Sucks, cause I have AVG running, set for auto updates. Cannot imagine how I caught it.
Spent too much time at work looking for solutions. I'm pretty sure a reinstall is my only one. But hoping for some direction to make it as painless as possible.
Thanks in advance.
Eject! Eject! Eject!
Sorry...I don't know how to fix your problem but it sounds bad. I have read that Sasser is a beast.
Okay, remove the data drive, giving the system only one drive to install the OS on. After installing the OS, reinstall the data drive, make sure you've got the drive with the OS on it set as "master" and the data drive set as "slave."
Yes, you can install on the second one, but before I did that I would boot from a CD-ROM and see if you can fix it before doing something that drastic.
Start the operating system with network support and go to www.avast.com; they have a free anti-virus.
I know there are some pros here who know their bidness. They will come riding to the rescue.
Repair console did not work. Have booted from CD. I do not understand how to get net support booting from CD.
Yeah, but you can't make the partition larger than the total amount of used filespace currently on the drive. For example, if you have 10 gigs of data on a 80 gig hard drive, you cannot make the second partition larger than 70 gigs.
Here is the process for all versions of Sasser from A through F as outlined by Symantec; bear in mind that you will only have about 20 seconds to complete the steps:
Disconnect from the Internet.
Restart.
As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
At the DOS prompt enter shutdown -i.
This opens the control panel for remote administration of other systems on the network but now you need to enter the name of your computer. Click Add, enter the name, and then click OK.
Now modify the warning message delay setting from the standard 20 (seconds) to a large number such as 9999. After patching you can reset the warning message delay if you wish.
That should temporarily disable the shutdown sequence long enough for you to log onto the Internet and download the patch.
It may come as a surprise to many users who aren't connected to a network that their system has a name, either assigned by someone with Administrator privileges or automatically generated. To find your computer's name, open the Control Panel and click on the System icon. Since you must complete all those bulleted steps within 20 seconds or less, you will need to locate your system's name before beginning this process.
Microsoft's instructions for stopping the reboot cycle on XP systems tell you to simply enter shutdown.exe -a at the command prompt. That aborts the shutdown process and is obviously much faster if and when it works.
The above steps aren't necessary if you can download and install the patch; they aren't technically part of the Sasser removal process, which is described next.
You can download a removal tool from Symantec, F-Secure, and other antivirus vendors. Microsoft also has detailed instructions and there is an automated test tool on that page that can show if you have a Sasser infection and remove it. The automated removal tools stop the process, remove the worm files, and clean the Registry—if at all possible you should obtain one of these tools and remove Sasser with it because the manual process is cumbersome, to say the least.
Some of the following manual removal steps (terminating the malicious processes) may be necessary even if you intend to use a removal tool because some systems will be so tied up with Sasser processes that you can't use the computer.
You can improve performance by opening the Task Manager and locating avserve2.exe, avserve.exe, skynetave, and any process having a name beginning with a short string of digits followed by _up.exe (for example, XXXXX_up.exe), and then clicking on those process names and clicking End Process to stop them.
XP comes with an automatic system restore feature that should also be disabled before removing any worm or virus because this is a backup tool that may save a copy of the infection if left running. Symantec has a complete description of the steps required but the basic steps are to go to the Control Panel, System dialog and check the box by Turn Off System Restore.
Manual removal requires that you delete all files identified as part of Sasser by an antivirus program.
The Registry is altered by Sasser, which means you will want to remove the value "avserve2.exe"="%Windir%\avserve2.exe" from:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Variants continue
Newsfactor.com has reported that a new infection, Dabber (package.exe), attacks computers through Sasser, removing the Sasser worm and turning the PC into a server and planting a backdoor. Removal instructions for Dabber are found at Symantec, TrendMicro, Panda, and other AV vendor sites.
E Variant
Symantec reports that the E version of Sasser differs from the W32.Sasser.Worm in part as follows:
The process name is SkynetNotice, the file is lsasss.exe, and that name is used in the Registry line instead of avserve. You also need to block ports 1023 and 1022 at the firewall. And instead of XXXXX_up.exe, look for XXXXX_update.exe.
F Variant
The F version of Sasser also differs slightly from previous versions. The process name is billgate, the Sasser file name is napatch.exe, and that name is used in the Registry.
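As an added example (not from the thread, Symantec, or any AV vendor), the indicators listed in the post above turned into a small Python check: it flags the process names for the A through F variants and the _up.exe / _update.exe helper processes, and it matches the Run-key entry the post says to remove. The process list and Run-key contents are assumed to be collected separately; the sample host data here is constructed, not taken from a real machine.

```python
import re

# Indicator table built only from the names quoted in the thread above.
PROCESS_INDICATORS = {
    "avserve.exe": "Sasser A-D",
    "avserve2.exe": "Sasser A-D",
    "skynetave": "Sasser A-D",
    "skynetave.exe": "Sasser A-D",
    "lsasss.exe": "Sasser.E",       # three s's; legitimate lsass.exe must NOT match
    "skynetnotice": "Sasser.E",
    "napatch.exe": "Sasser.F",
    "billgate": "Sasser.F",
}
# "A short string of digits followed by _up.exe" (E variant uses _update.exe).
HELPER_RE = re.compile(r"^\d{1,6}_up(date)?\.exe$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def classify_process(name):
    """Return a variant label for a process or image name, or None if benign."""
    n = name.strip().lower()
    if n in PROCESS_INDICATORS:
        return PROCESS_INDICATORS[n]
    m = HELPER_RE.match(n)
    if m:
        return "Sasser.E helper" if m.group(1) else "Sasser A-D helper"
    return None


def check_host(processes, run_values):
    """processes: list of image names; run_values: {value name: data} read from
    the Run key. Returns a list of (where, item, label) findings."""
    findings = []
    for proc in processes:
        label = classify_process(proc)
        if label:
            findings.append(("process", proc, label))
    for value_name, data in run_values.items():
        # Sasser keys its Run entry on the executable name and points at %Windir%,
        # so check both the value name and the file the data points to.
        target = data.strip('"').split("\\")[-1]
        label = classify_process(value_name) or classify_process(target)
        if label:
            findings.append((RUN_KEY, f'"{value_name}"="{data}"', label))
    return findings


# Constructed sample host state (made up for this example).
SAMPLE_PROCESSES = ["explorer.exe", "lsass.exe", "avserve2.exe", "14723_up.exe"]
SAMPLE_RUN = {"avserve2.exe": r"%Windir%\avserve2.exe",
              "AVG": r"C:\Program Files\AVG\avgcc.exe"}

if __name__ == "__main__":
    for where, item, label in check_host(SAMPLE_PROCESSES, SAMPLE_RUN):
        print(f"{label}: {item} ({where})")
```

Note that the real lsass.exe (the process whose error message started the thread) is deliberately not flagged; only the three-s lsasss.exe of the E variant is.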
When you do the set up, XP should ask you how large you want the partition. Normally, the default is the maximum partition size the drive will take.
I can do that. Will I lose my apps when I do that? What diff does it make, removing the secondary? I can select the primary for the install where I am now.
Thanks for ALL suggestions. I want to make my best move and not take it to the shop.
That's for pros. If you have to ask don't even think about partitioning an active primary.
2. If I do the install on the secondary, will my apps on the primary work, so maybe I can get rid of the worm I think I have?
Not without reinstalling them.
_________________
Download this into a folder: Sysclean.com
Then this, to the same folder: Virus Definitions
Go to the folder and unzip the virus definitions you downloaded.
Reboot the computer in safe mode and run Sysclean.com
This is a free virus removal tool that Trend Micro makes for Network Administrators. It won't install anything on your drive, it just scans and repairs.
If your second hard drive has Windows installed, I'd use that one alone to go online and find a fix for Sasser or make sure that you have all virus updates. I'd then scan that drive and make sure everything is clean. Next, I'd make your original drive the slave to the clean one and then scan all files. If problems are found and fixed, I'd then make the original drive the master again and try rebooting. It's a pain, but I've rescued several drives which others have given up on by using this method without any loss of data other than the infected files.
This is tricky, and involves the Windows Registry (which stores valuable information on Windows settings and related programs installed on the machine). Windows requires most DLLs to be installed in a specific place (usually x:\WINDOWS\SYSTEM or x:\WINDOWS\SYSTEM32 [x = the drive letter of the hard drive Windows is installed on; assuming Windows is on C:, then substitute x: for c:]).
But it is possible to run Windows in one partition and installed applications in another. Most often, savvy and advanced users use a second or third partition for the Windows swap file (virtual memory), because the swap file will grow and shrink depending on the number of applications you run at any given time. The swap file is used by Windows when the total amount of RAM (Random Access Memory) is exceeded.
I never get to a start / run screen.
I gotta go get my boys, but will check back later.
You probably already did this, but also Google search for "how to remove sasser worm" which will bring up several links to specific instructions on how to remove this worm.
Can you reboot into Safe Mode? Press F8 repeatedly during the early boot sequence, two or three times a second, and it should come up with an archaic-looking text menu offering such choices as Safe Mode. I haven't looked, but the removal instructions seem to assume you can boot the system, and perhaps if you can't boot to a normal Windows, booting to Safe Mode would be sufficient for the cleanup.
I would have thought you could reinstall Windows on the C drive without erasing it. But I am not sure of this, and always get confused on these sorts of points.
Yes, you can modify your disk partitions, if you have a tool such as Partition Magic, or my preferred Partition Manager (downloadable from 7tools.com). I always keep a bootable CD with Partition Manager on hand, just for such fun and games.
I would imagine that reinstalling on the secondary would confuse some apps, if they have drive specific settings in the Windows Registry. Simpler apps will work just fine.
I believe you can press and hold "F4" during boot, right after the "beep"
You click the start button, then click "Run". In that box you type cmd to enter command line mode.
Good suggestion. Partition Magic is a Godsend, and easy to use for just about any skill level. I use the old DOS standby "FDISK", but then again, I've used computers for ages. LMAO