RE: XP rebooting
From: Harish.G [MSFT] (v-harig_at_online.microsoft.com)
Date: 05/25/04
- Next message: Br0wnbear: "Re: How do I get rid of Downloader.QDown.C?"
- Previous message: Binya Brown: "Recomendation on downloadable virus scanners"
- In reply to: kmesse: "XP rebooting"
- Next in thread: kmesse: "Re: XP rebooting"
- Reply: kmesse: "Re: XP rebooting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 May 2004 23:09:11 GMT
Hi Kelvin,
Looking at the symptoms, it is difficult to tell whether you have the Blaster
virus or the Sasser virus. I would recommend trying the following procedure to
resolve your issue. I am attaching links for both the msblaster virus and the
Sasser virus, as Sasser is more prevalent these days.
Procedure for removal of MS blaster:-
http://www.microsoft.com/technet/security/alerts/msblaster.mspx
Procedure for removal of Sasser virus:-
Windows XP Users: What to Do If Your Computer Has Been Infected by
Sasser
(Windows 2000 Instructions below)
Published: May 5, 2004 Version 1.1
If you are using Microsoft® Windows® XP or Windows XP Service Pack 1
(SP1) and your computer has been infected by the Sasser worm, you can
take these steps to update your software, remove the worm, and help
protect against future infections.
If your computer is infected with the Sasser worm, you may experience
one or more of the following symptoms:
· Your computer performance is decreased or your network
connection is slow.
· You may see a dialog box that contains text that refers to LSA
Shell.
· Your computer may restart every few minutes without user
input.
Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet:
Broadband connection users: Locate the cable that runs from your
external DSL or cable modem and unplug that cable either from the modem or
from the telephone jack.
Dial-up connection users: Locate the cable that runs from the modem
inside your computer to your telephone jack and unplug that cable either
from the telephone jack or from your computer.
Step 2: Stop the Shutdown Cycle
This worm may cause LSASS.EXE to stop responding, which forces the
operating system to shut down after 60 seconds. If your computer starts to
shut down, follow these steps to abort any system shutdown that may be
in progress.
On the taskbar at the bottom of your screen, click Start, and then
click Run.
Type: cmd and then click OK.
At the command prompt, type including spaces:
shutdown.exe -a
and then press ENTER.
Step 3: Mitigate the Vulnerability
You can temporarily remove the vulnerability that allows the worm to
infect your computer by creating a log file.
Create the log file
On the taskbar at the bottom of your screen, click Start, and then
click Run.
Type: cmd and then click OK.
At the command prompt, type including space:
echo dcpromo >%systemroot%\debug\dcpromo.log
and then press ENTER.
Make the log file read-only
At the command prompt, type, including spaces:
attrib +R %systemroot%\debug\dcpromo.log
and then press ENTER.
Step 4: Improve System Performance
If your computer is acting sluggish or if the Internet connection is
slow, the worm may be flooding your local network connection. This may
make it impossible for you to download and install the required software
update. To improve system performance:
On the taskbar at the bottom of your screen, click Start, and then
click Run.
Type taskmgr, then click OK
Select the Process tab
For each of the following tasks that may be listed, click the task to
select it, and then click the End Task button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
hkey.exe
msiwin84.exe
wmiprvsw.exe
***Note Do not end the wmiprvse.exe task; it is a legitimate system
task.
Step 5: Enable a Firewall
A firewall is a piece of software or hardware that creates a protective
barrier between your computer and the Internet. If your computer has
been infected, a firewall will help limit the effects of the worm.
Windows XP includes the Internet Connection Firewall (ICF). To turn on ICF:
On the taskbar at the bottom of your screen, click Start, and then
click Run.
Type ncpa.cpl, then click OK
Right-click the Dial-up, LAN, or High-Speed Internet connection that
you use to connect to the Internet, and then click Properties from the
shortcut menu.
On the Advanced tab, under Internet Connection Firewall, select Protect
my computer and network, and then click OK. The Windows XP firewall is
now enabled.
Step 6: Reconnect to the Internet
Plug the cable (referred to in Step 1) back into your computer,
telephone jack, or modem.
Step 7: Install the Required Update
To help protect your computer against this worm in the future, you must
download and install security update 835732, which was released with
Microsoft Security Bulletin MS04-011. To download security update 835732,
go to http://go.microsoft.com/?LinkID=526067
Step 8: Check For and Remove Sasser
After you have installed the 835732 (MS04-011) security update and
restarted your computer, the computer may continue to generate network
traffic and try to spread the worm infection to other vulnerable computers.
To check for and remove Sasser from your computer, go to the Web page
"What You Should Know About the Sasser Worm and Its Variants" at
http://www.microsoft.com/security/incident/sasser.asp. Use the Sasser
Worm Removal Tool to search your hard disk for and remove Sasser.A,
Sasser.B, Sasser.C, and Sasser.D.
About Internet Connection Firewall
The Windows XP Internet Connection Firewall can block useful tasks such
as sharing files or printers through a network, transferring files in
applications, or hosting multiplayer games. Nonetheless, Microsoft
recommends that you use a firewall to help protect your computer.
If you turn on the Internet Connection Firewall and find that you can't
perform some tasks you want to, read "How to Open Ports in the Windows
XP Internet Connection Firewall" at
http://www.microsoft.com/security/protect/ports.asp.
If you have more than one computer, want more technical information, or
want to learn more about firewalls, read "Frequently Asked Questions
About Firewalls" at
http://www.microsoft.com/security/protect/firewall.asp.
===============================================================
Windows 2000 Users: What to Do If Your Computer Has Been Infected by
Sasser
Published: May 4, 2004
If you are using Microsoft® Windows 2000 Service Pack 2 (SP2), Windows
2000 SP3, or Windows 2000 SP4 and your computer has been infected by
the Sasser worm, you can take these steps to update your software, remove
the worm, and help protect against future infections.
If your computer is infected with the Sasser worm, you may experience
one or more of the following symptoms:
· Your computer performance is decreased or your network
connection is slow.
· You may see a dialog box that contains text that refers to LSA
Shell.
· Your computer may restart every few minutes without user
input.
Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet:
Broadband connection users: Locate the cable that runs from your
external DSL or cable modem and unplug that cable either from the modem or
from the telephone jack.
Dial-up connection users: Locate the cable that runs from the modem
inside your computer to your telephone jack and unplug that cable either
from the telephone jack or from your computer.
Step 2: Mitigate the Vulnerability
You can temporarily remove the vulnerability that allows the worm to
infect your computer by creating a log file.
Create the log file
On the taskbar at the bottom of your screen, click Start, and then
click Run.
Type: cmd and then click OK.
At the command prompt, type including space:
echo dcpromo >%systemroot%\debug\dcpromo.log
and then press ENTER.
Make the log file read-only
At the command prompt, type, including spaces:
attrib +R %systemroot%\debug\dcpromo.log
and then press ENTER.
Step 3: Improve System Performance
If your computer is acting sluggish or if the Internet connection is
slow, the worm may be flooding your local network connection. This may
make it impossible for you to download and install the required software
update. To improve system performance:
On the taskbar at the bottom of your screen, click Start, and then
click Run.
Type taskmgr, then click OK
Select the Process tab
For each of the following tasks that may be listed, click the task to
select it, and then click the End Task button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
hkey.exe
msiwin84.exe
wmiprvsw.exe
***Note Do not end the wmiprvse.exe task; it is a legitimate system
task.
Step 4: Enable a Firewall
A firewall is a piece of software or hardware that creates a protective
barrier between your computer and the Internet. Microsoft does not
manufacture stand-alone software firewalls. The following resources provide
more information about some firewall options.
Hardware Firewalls
Hardware firewalls are a good choice for versions of the Windows
operating system prior to Windows XP. Some home-networking hardware, such as
wireless access points and broadband routers, comes with built-in
hardware firewalls. These help protect most home networks.
Software Firewalls
Microsoft strongly recommends that all users obtain and install a
firewall before connecting to the Internet. However, we realize that some
users may find downloading software to be their only option. If you
choose to reconnect to the Internet to obtain a software firewall, here are
some options:
BlackICE PC Protection-Save 25% (http://blackice.iss.net/microsoft.php)
Computer Associates-12-month free trial
(http://www.my-etrust.com/microsoft/)
F-secure-6-months free trial (http://www.f-secure.com/protectyourpc/)
McAfee Security-save up to 35%
(http://us.mcafee.com/root/campaign.asp?cid=8437)
Panda Software-90-day free trial
(http://www.pandasoftware.com/microsoft/)
Symantec/Norton-90-day free trial
(http://www.symantecstore.com/dr/v2/ec_dynamic.main?sp=1&pn=46&sid=27674)
Tiny Software: Tiny Personal Firewall (http://www.tinysoftware.com)
ZoneAlarm-save $20
(http://download.zonelabs.com/bin/promotions/microsoftsecurity/)
Step 5: Reconnect to the Internet
Plug the cable (referred to in Step 1) back into your computer,
telephone jack, or modem.
Step 6: Install the Required Update
To help protect your computer against this worm in the future, you must
download and install security update 835732, which was released with
Microsoft Security Bulletin MS04-011. To download security update 835732,
go to http://go.microsoft.com/?LinkID=526386
Step 7: Check For and Remove Sasser
After you have installed the 835732 (MS04-011) security update and
restarted your computer, the computer may continue to generate network
traffic and try to spread the worm infection to other vulnerable computers.
To check for and remove Sasser from your computer, go to the Web page
"What You Should Know About the Sasser Worm and Its Variants" at
http://www.microsoft.com/security/incident/sasser.asp. Use the Sasser
Worm Removal Tool to search your hard disk for and remove Sasser.A,
Sasser.B, Sasser.C, and Sasser.D.
Harish.G
This posting is provided "AS IS" with no warranties, and confers no rights.
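
The two manual checks in the procedure above (the task list under "Improve System Performance" and the read-only dcpromo.log workaround) can be scripted. The following is an added example, not part of the original post or of Microsoft's advisory; the function names are hypothetical and the sample tasklist output is constructed.

```python
import csv
import io
import os
import stat

# Task names listed under "Improve System Performance" in the advisory.
EXACT = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
PREFIXES = ("avserve", "skynetave")  # "avserve" also covers avserve2
SUFFIX = "_up.exe"
# Legitimate look-alike that the advisory says not to end.
LEGITIMATE = {"wmiprvse.exe"}

def is_sasser_task(image_name):
    """Return True if an image name matches the advisory's task list."""
    name = image_name.strip().lower()
    if name in LEGITIMATE:
        return False
    return (name in EXACT or name.endswith(SUFFIX)
            or (name.startswith(PREFIXES) and name.endswith(".exe")))

def flag_tasks(tasklist_csv):
    """Parse `tasklist /FO CSV /NH` output; return (image, pid) matches."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return [(r[0], int(r[1])) for r in rows
            if len(r) >= 2 and is_sasser_task(r[0])]

def mitigation_in_place(path):
    """True if the dcpromo.log workaround file exists and is read-only."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False  # missing file: workaround not applied
    return stat.S_ISREG(mode) and not (mode & stat.S_IWRITE)

# Constructed sample output, not captured from a real machine.
SAMPLE = '''"lsass.exe","512","Console","0","1,204 K"
"wmiprvse.exe","1480","Console","0","4,312 K"
"wmiprvsw.exe","1532","Console","0","2,048 K"
"avserve2.exe","1764","Console","0","1,900 K"
"12345_up.exe","1820","Console","0","1,712 K"
'''

if __name__ == "__main__":
    for image, pid in flag_tasks(SAMPLE):
        print(f"suspect: {image} (PID {pid})")
    log = os.path.expandvars(r"%systemroot%\debug\dcpromo.log")
    print("dcpromo.log read-only:", mitigation_in_place(log))
```

The one-letter difference between wmiprvsw.exe and wmiprvse.exe is why the match is on the exact name and not on a prefix.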