Eject! Eject! Eject!
Sorry...I don't know how to fix your problem but it sounds bad. I have read that Sasser is a beast.
Okay, remove the data drive, giving the system only one drive to install the OS on. After installing the OS, reinstall the data drive, make sure you've got the drive with the OS on it set as "master" and the data drive set as "slave."
I know there are some pros here who know their bidness. They will come riding to the rescue.
Here is the process for all versions of Sasser from A through F as outlined by Symantec; bear in mind that you will only have about 20 seconds to complete the steps:
- Disconnect from the Internet.
- Restart.
- As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
- At the DOS prompt enter shutdown -i.
- This opens the control panel for remote administration of other systems on the network but now you need to enter the name of your computer. Click Add, enter the name, and then click OK.
- Now modify the warning message delay setting from the standard 20 (seconds) to a large number such as 9999. After patching you can reset the warning message delay if you wish.
- That should temporarily disable the shutdown sequence long enough for you to log onto the Internet and download the patch.
It may come as a surprise to many users who aren't connected to a network that their system has a name, either assigned by someone with Administrator privileges or automatically generated. To find your computer's name, open the Control Panel and click on the System icon. Since you must complete all those bulleted steps within 20 seconds or less, you will need to locate your system's name before beginning this process.
Microsoft's instructions for stopping the reboot cycle on XP systems tell you to simply enter shutdown.exe -a at the command prompt. That aborts the shutdown process and is obviously much faster if and when it works.
The above steps aren't necessary if you can download and install the patch; they aren't technically part of the Sasser removal process, which is described next.
You can download a removal tool from Symantec, F-Secure, and other antivirus vendors. Microsoft also has detailed instructions and there is an automated test tool on that page that can show if you have a Sasser infection and remove it. The automated removal tools stop the process, remove the worm files, and clean the Registry—if at all possible you should obtain one of these tools and remove Sasser with it because the manual process is cumbersome, to say the least.
Some of the following manual removal steps (terminating the malicious processes) may be necessary even if you intend to use a removal tool because some systems will be so tied up with Sasser processes that you can't use the computer.
You can improve performance by opening the Task Manager and locating avserve2.exe, avserve.exe, skynetave, and any process having a name beginning with a short string of digits followed by _up.exe (for example, XXXXX_up.exe), and then clicking on those process names and clicking End Process to stop them.
XP comes with an automatic system restore feature that should also be disabled before removing any worm or virus because this is a backup tool that may save a copy of the infection if left running. Symantec has a complete description of the steps required but the basic steps are to go to the Control Panel, System dialog and check the box by Turn Off System Restore.
Manual removal requires that you delete all files identified as part of Sasser by an antivirus program.
The Registry is altered by Sasser, which means you will want to remove: "avserve2.exe"="%Windir%\avserve2.exe" from:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Variants continue
Newsfactor.com has reported that a new infection, Dabber (package.exe), attacks computers through Sasser, removing the Sasser worm and turning the PC into a server and planting a backdoor. Removal instructions for Dabber are found at Symantec, TrendMicro, Panda, and other AV vendor sites.
E Variant
Symantec reports that the E version of Sasser differs from the W32.Sasser.Worm in part as follows:
The process name is SkynetNotice, the file is lsasss.exe, and that name is used in the Registry line instead of avserve. You also need to block ports 1023 and 1022 at the firewall. And instead of XXXXX_up.exe, look for XXXXX_update.exe.
F Variant
The F version of Sasser also differs slightly from previous versions. The process name is billgate, the Sasser file name is napatch.exe, and that name is used in the Registry.
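
The process, file and Run-key names listed in this thread can be checked in one pass. The following is an added example, not part of the original posts or of any vendor tool: it scans `tasklist /fo csv` output and `reg query` output for the Run key against those names. The sample input, the "Updater" value name and the function names are constructed for illustration.

```python
import csv
import io
import re

# Names as listed in the thread (original worm, E and F variants). The pattern is
# anchored so the legitimate lsass.exe never matches the look-alike lsasss.exe.
SASSER_NAME = re.compile(
    r"^((avserve2?|lsasss|napatch|\d+_up(date)?)\.exe"
    r"|(skynetave|skynetnotice|billgate)(\.exe)?)$", re.IGNORECASE)
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s+(?P<data>.*)$")

def suspicious_processes(tasklist_csv):
    """Return (image, pid) for matching rows of `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [(r["Image Name"], int(r["PID"])) for r in rows
            if SASSER_NAME.match(r["Image Name"].strip())]

def suspicious_run_values(reg_query_text):
    """Return Run-key value names whose name or target file name matches."""
    hits = []
    for line in reg_query_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        # Reduce the data to a bare file name: drop the directory and arguments.
        target = m["data"].strip('"').rsplit("\\", 1)[-1].split(" ")[0].strip('"')
        if SASSER_NAME.match(m["name"]) or SASSER_NAME.match(target):
            hits.append(m["name"])
    return hits

# Constructed sample input, not captured from a real machine.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"lsass.exe","688","Console","0","1,204 K"
"avserve2.exe","1432","Console","0","3,100 K"
"12345_up.exe","1560","Console","0","2,048 K"
"lsasss.exe","1604","Console","0","2,900 K"
"explorer.exe","1720","Console","0","18,432 K"
'''
SAMPLE_RUN_KEY = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    avserve2.exe\tREG_SZ\tC:\\WINDOWS\\avserve2.exe\n"
    "    Updater\tREG_SZ\tC:\\WINDOWS\\napatch.exe\n"   # hypothetical renamed value
    "    SoundMan\tREG_SZ\tSOUNDMAN.EXE\n")

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_TASKLIST))
    print(suspicious_run_values(SAMPLE_RUN_KEY))
```

A name match is only a pointer to where to look; the files themselves still need to be confirmed by an antivirus scan or removal tool before anything is deleted.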