TechSpot

Sasser problem

By KnightRiderX
Feb 22, 2007
  1. Hi,

    I seem to have acquired the Win32/Sasser worm. Getting rid of it while in Windows is no problem for me. The problem I have is that the countdown to shutdown comes even before I have the opportunity to log in. The problem comes off the heels of just updating my Windows with the February version of the Microsoft Malicious Tool. As of right now, I am posting on a fresh install of Windows on a different partition with an expired product key and I will prefer to keep my other Windows install intact. I hope there is someone here that can help shed some light into what it is that I have to do to resolve this. Thanks in advance.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Take a look HERE for instructions.

    Regards Howard :)
     
  3. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    it doesn't help.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, try HERE instead.

    Regards Howard :)
     
  5. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    That also requires that I log in on the problematic Windows installation. For more clarity, it gives an error code: 1073741819 while counting down.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    What happens if you try and boot into safe mode?

    Regards Howard :)
     
  7. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    same thing.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try this. Boot your computer and go into your bios. Change the system date to 22/02/06, which is obviously a year ago and save and exit bios. This might let you login to windows and run the sasser fix.

    Regards Howard :)
     
  9. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    nope. tried it in normal and safe mode. grrr this is so frustrating.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    What antivirus programme do you use? Could you not tell your antivirus programme to scan the partition that has the virus?

    Regards Howard :)
     
  11. jobeard

    jobeard TS Ambassador Posts: 9,351   +622

    fyi: origin of Sasser worm

    Distribution
    * Distribution Level: Medium
    * Ports: TCP 445, 5554, 9996
    * Target of Infection: Unpatched systems vulnerable to LSASS exploit - MS04-011.

    Port 445 is MS Filesharing port :(
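
An added example, not part of any post in this thread: a triage check for the ports listed above, run over saved `netstat -ano` output from a machine that can still be reached. The sample output is constructed, and treating several outbound connections to TCP 445 on distinct hosts as a sign of spreading is an assumed heuristic with an assumed threshold.

```python
import re

# Ports from the post above (TCP 445, 5554, 9996). 445 is the normal Windows
# file-sharing port, so a listener there is reported as exposure to MS04-011
# on an unpatched system, not as a sign of infection.
WORM_PORTS = {5554, 9996}
EXPOSED_PORTS = {445}

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1684
  TCP    192.168.1.20:1045      192.168.1.77:445       SYN_SENT        1684
  TCP    192.168.1.20:1046      192.168.1.78:445       SYN_SENT        1684
  TCP    192.168.1.20:1047      192.168.1.79:445       SYN_SENT        1684
  TCP    192.168.1.20:3389      192.168.1.5:50211      ESTABLISHED     1020
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def triage(netstat_text, scan_threshold=3):
    """Return listeners on the listed ports and PIDs fanning out to TCP 445."""
    findings = {"worm_listeners": [], "exposed": [], "scanning_pids": []}
    outbound = {}  # pid -> set of distinct remote hosts contacted on 445
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING":
            if lport in WORM_PORTS:
                findings["worm_listeners"].append((lport, pid))
            elif lport in EXPOSED_PORTS:
                findings["exposed"].append((lport, pid))
        elif rport == 445:
            outbound.setdefault(pid, set()).add(raddr)
    # Assumed heuristic: one PID contacting many distinct hosts on 445.
    findings["scanning_pids"] = sorted(
        pid for pid, hosts in outbound.items() if len(hosts) >= scan_threshold)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
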
     
  12. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    I use AVG. Wouldn't that require me being able to log into Windows first? Is there a way for me to tell the problematic installation, while I'm in this fresh installation, to bypass the password entry stage and just log in? Cause if I'm able to do that, then I believe I will have enough time to take out the worm by typing "shutdown -a" in cmd.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Maybe I'm missing something, so to be clear. You're using another Windows installation on a different partition on your hard drive?

    Do you have AVG antivirus installed on the partition you're using at the moment?

    If so, you should be able to tell AVG to scan the drive letter that corresponds to the partition that has the virus and hopefully, AVG will kill it.

    Regards Howard :)
     
  14. cfitzarl

    cfitzarl TechSpot Chancellor Posts: 1,975   +9

    For clarification purposes, if anyone here is from the United States, it would be 2/22/06 for them :) .
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's quite funny. However, I actually prefer the date syntax I used.

    Regards Howard :)
     
  16. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    oh i see what u mean. I've already done a complete scan of the computer and nothing popped up.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Avert Stinger programme from HERE. Tell the programme to scan your infected partition.

    Regards Howard :)
     
  18. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    ok I used the Stinger program and this is the result I received.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, Stinger hasn't found anything.

    It's time to try a Windows repair as per this thread HERE. Let me know how it works out.

    Regards Howard :)
     
  20. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    but isn't that what i'm trying to prevent. I do not want to lose all of my windows configuration and installations.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I know you don't want to lose your configurations etc, but what other choice do you have? Since you can't log on to windows in any mode, you're going to have to try something. The scans you have run haven't found anything, so we have to assume it's not a sasser problem.

    A Windows repair shouldn't cause you to lose any data, other than Windows updates/configurations etc, unlike a format would. However, if a repair doesn't work, then maybe you're going to have to contemplate backing up your important data and doing just that.

    Sadly, I don't have any other ideas I'm afraid.

    Regards Howard :(
     
  22. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    ok BIG problem. every time I try to repair the problematic installation, it does not show up on the list of installations to repair. only the one that I'm on right now. I tried booting into the problematic installation and it was still there.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Damn and bugger, that's definitely not good.

    It looks like you're going to have to backup your data and reformat. I just don't have any other ideas and unless someone else can think of something, I think you're screwed. :(

    I'm real sorry I couldn't fix it for you.

    Regards Howard :(
     
Topic Status:
Not open for further replies.
