
I keep being clobbered by SASSER 1


gizmo1973

MIS
Aug 4, 2004
2,828
GB
But all removal tools say I'm not infected.
I have tried the SOPHOS removal tool, PANDA, AVG and Microsoft's patches.
Is this a new version or am I missing something?

Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
My personal preference in antivirus programs has always been Vet (or eTrust). They have an encyclopedia which helps you with specific viruses. Symantec have got one too. I'd always go to those sites to see what they have to say as the first step.

There is a very lengthy discussion on removing Sasser here:
Good luck.
 
Stupid question Phil, but how do you know you have the Sasser worm (being clobbered by it?) if nothing detects it?




Steve

Life is like a Grapefruit, sort of orangey-yellow and dimpled on the outside, wet and squidgy in the middle, it's got pips inside too. Oh and some people have half a one for breakfast. Ford Prefect.
 
Yeah. I'm curious as well. If you're running up to date AV, you should have no problems with this rather dated (at this point) virus. Please give more info.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
I keep seeing the "windows will be shut down" dialogue box; I believe this to be SASSER as we had this at work.
I have now also had a blue screen "windows has detected errors and will be shut down to avoid damage to this machine" malarkey!
WinXP Pro O.S. and XP Office.
Been fine till this last week!!!


Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
Sasser normally would only hit you while you are on the net. Get a firewall installed and do all your Windows updates. Doing Start, Run and trying shutdown -a will stop the shutdown; then open Task Manager and see if Sasser, or whatever else should not be there, is running.
 
This is the funny thing, I am firewalled (ZA and Windows) and on SP2 with full updates and patches.
Also ran the full advice in the FAQs here, i.e. Ad-aware, CW Shredder etc. etc., but I keep getting hit by this.
The Start, Run shutdown -a is new to me so I will try this next time.

Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
Look in your system and application event logs, see if there is anything there (Start -> right click My Computer -> left click Manage -> Event Viewer).
This may give some clues as to what is causing the problem.

John
 
None in the Security log, but loads in the Application and some in the System logs.
What should I be looking for?
I've got

Error - True vector
Error - application error
Error - Event system

the list goes on and on!!!!

Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
Looking for anything that has changed significantly since when the PC was working properly. Are there any new information, warning or error items in the application or system logs?

John
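
The comparison suggested above (which events are new since the PC last worked properly) can be automated once the log is saved out of Event Viewer. This is an added example, not part of the original thread; the three-column date,type,source layout, the sample rows and the cutoff date are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample, not taken from the poster's machine: date,type,source
# rows in the style of an Event Viewer log saved as CSV (layout assumed).
SAMPLE_LOG = """\
2005-01-03,Error,TrueVector
2005-01-05,Error,Application Error
2005-01-09,Warning,EventSystem
2005-01-12,Error,TrueVector
2005-01-20,Error,Microsoft Office 10
2005-01-20,Error,Application Error
2005-01-21,Error,Microsoft Office 10
2005-01-22,Information,Save Dump
"""

def new_since(log_text, first_bad_day):
    """Return [(type, source, count)] for event kinds first seen on or after
    first_bad_day, most frequent first. Kinds that were already being logged
    while the PC was healthy are treated as background noise and dropped."""
    first_seen = {}
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 3:
            continue  # skip blank or truncated lines
        day = date.fromisoformat(row[0].strip())
        kind = (row[1].strip(), row[2].strip())
        first_seen[kind] = min(day, first_seen.get(kind, day))
        if day >= first_bad_day:
            counts[kind] += 1
    fresh = [(t, s, counts[(t, s)]) for (t, s), d in first_seen.items()
             if d >= first_bad_day]
    return sorted(fresh, key=lambda item: (-item[2], item[1]))

if __name__ == "__main__":
    # Cutoff = the day the restarts began (constructed value).
    for etype, source, n in new_since(SAMPLE_LOG, date(2005, 1, 18)):
        print(f"{n:3d}  {etype:<12} {source}")
```

Errors that were already recurring before the cutoff drop out of the result, which leaves only the sources that started logging when the trouble did.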
 
OK, the main thing I am seeing after this problem started is an

Error - Microsoft Office 10

and property description of

Rejected safe mode action (also accepted safe mode action) Microsoft Outlook.

I have checked MS help and support but it is an unknown event.
I haven't had this event before so this could be it.
Now have I got a virus in my e-mails somewhere me thinks?
I'm gonna dump the majority of them now and we'll see how we go. Anyone got any more ideas about this?

Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
Ok now being driven completely round the bend.
The machine just goes into restart mode, no warnings at all, once restarting it will go to restart again, after 3 or 4 goes of this it will be stable (how long anyone’s guess, I'm typing rapidly here)
I am seriously thinking of taking it in to PC world for a virus health check, what’s anyone’s opinion of this? Or other PC shops?
I have tried the event viewer but all seems in order, also tried all the recommendations I can find on here and MS support.
I have tried everything and have also put on Norton Antivirus but no joy anywhere HELPPPPPPPPPPPPPP!!!!!


Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
Hit F8 at startup (when the coloured dots go across the screen), choose Safe Mode.
When in Safe mode, Start -> right click My Computer -> Properties -> Advanced Tab -> Startup and Recovery...

In the System Failure box, Untick "Automatically reboot".
Restart into normal mode, then when it bluescreens, post here what the error message is.

John
 
Phil,

Before I start I know the problem - you're a Man U supporter and it's a well documented fact that Sasser loves to infect Man U supporters' PCs - Just Kidding,

All I can suggest is:

Get ready with the [shutdown -a] command (Abort Shutdown)
This cancels the countdown. You could also create a notepad file with the following copied into it:
_______________
@echo off
shutdown -a
_______________

Change "Save As Type" from "Text Documents" to "All Files" then save this notepad file as "Cancel Shutdown.bat" onto your desktop - now when it starts to countdown just double click the icon to cancel shutdown.

Now go to:

Start>Programs>Accessories>System Tools and click on System Restore. Disable this - it stores loads of historical crap such as past viruses and spyware which can still be "live" even though it is archived in a restore file.

Download the following to a folder on your C: drive -

Microsoft Patches:
KB823980
KB824146
KB835732

McAfee AVERT Stinger from:


Spybot S&D
Lavasoft AdAware
Hijack This

After you have downloaded the above software, disconnect your internet connection (either disable the connection or simply unplug your cable) and run stinger.exe; this will scan your machine with an up-to-date removal tool to make sure there is no malicious software on your machine. Then run Spybot - just agree with all the options on startup - if you're not happy with any changes it makes you can uninstall it at a later date. Also install AdAware ready for use after.

When stinger has finished running (it may take a while depending on the size of your hard drive - also it will auto delete any malicious software found).
Now run Spybot and when the scan has finished click on "fix selected problems"; you may find it has at least one entry that it can't fix, which will be a "DSO Exploit"; this is just a Microsoft entry in the registry.

For safe measure run Lavasoft AdAware and see if it finds any other spyware.

Once you have cleared all the crap off your machine then go ahead and install the 3 patches I mentioned. Even if they are already there or you have auto updates on and you think they have downloaded still reinstall - I don't trust auto updates.

Say no to all requests for a reboot and then reboot when the last patch is installed.

Now in theory (oh what a good thing theory is!) this should have sorted your problems and you can reconnect your net connection and Bob's your Uncle and Fanny's your live-in Aunt, all is well again.

If not then run Hijack This - run a scan with a log and post the log on to the forum (copy n paste) and someone may be able to spot something...

Hope this helps mate,

Chris.

Man United are short sighted tra la la la laaa la laa laa laaaaaa ;o)
 
Chris,

Thanks for that. I have tried most of the above with the exception of Stinger, unplugging from the net and the patches as mentioned.
The only problem is that I don't actually get a countdown or a warning anymore.
I did at first get a SASSER type box, after that I started getting the Blue Screen of Death but now nothing, it just goes, no warnings, no change, no packdrill!!!!!
I am going to change the settings as per John's post and will report back after I have tried another load of everything!!!

P.S. Chelsea, Arsenal or Liverpool!!

Regards, Phil.

M.U.F.C. Show your true support here:
"Shares not Shirts
 
The North End matey

Yes a lowly crappy team like Preston

Can't really mock you ;)
 