Re: XP rebooting

From: kmesse (kmesse_at_lycos.com)
Date: 05/25/04 

Date: 25 May 2004 05:34:38 -0700

Problem with both of these fixes obviously - I CAN'T GET INTO WINDOWS.
I thought I made that clear. Not even in safe mode.
I took the desktop drive out, scanned it with another machine, and NAV
quarrantined Blaster in DLLHOST.EXE and teekids.exe.
It sill won't boot but at least I can get to the data. The laptop is
corrupted. I hit f1 to get into the bios and I get random characters
and colors, but I can boot from a floppy fine. Who knows. I'll drop
that one off somewhere.

I found this
http://www.aumha.org/win5/a/blaster.php
So I guess I'll work thru it. thanks.

v-harig@online.microsoft.com (Harish.G [MSFT]) wrote in message news:<NXw4uQeQEHA.1516@cpmsftngxa10.phx.gbl>...
> Hi Kelvin,
>
> Looking at the symptoms it is difficult to tell weather you have blaster
> virus or sasser virus. I would recommend try following procedure for
> resolving your issue. I am attaching link for both msblaster virus and
> sasser virus as sasser is more prevalent these days.
>
> Procedure for removal of MS blaster:-
> http://www.microsoft.com/technet/security/alerts/msblaster.mspx
>
> Procedure for remocal of Sasser virus:-
> Windows XP Users: What to Do If Your Computer Has Been Infected by
> Sasser
> (Windows 2000 Instructions below)
> Published: May 5, 2004 Version 1.1
> If you are using Microsoft® Windows® XP or Windows XP Service Pack 1
> (SP1) and your computer has been infected by the Sasser worm, you can
> take these steps to update your software, remove the worm, and help
> protect against future infections.
> If your computer is infected with the Sasser worm, you may experience
> one or more of the following symptoms:
> · Your computer performance is decreased or your network
> connection is slow.
> · You may see a dialog box that contains text that refers to LSA
> Shell.
> · Your computer may restart every few minutes without user
> input.
> Step 1: Disconnect from the Internet
> To avoid further problems, disconnect from the Internet:
> Broadband connection users: Locate the cable that runs from your
> external DSL or cable modem and unplug that cable either from the modem or
> from the telephone jack.
> Dial-up connection users: Locate the cable that runs from the modem
> inside your computer to your telephone jack and unplug that cable either
> from the telephone jack or from your computer.
> Step 2: Stop the Shutdown Cycle
> This worm may cause LSASS.EXE to stop responding, which forces the
> operating system to shut down after 60 seconds. If your computer starts to
> shut down, follow these steps to abort any system shutdown that may be
> in progress.
> On the taskbar at the bottom of your screen, click Start, and then
> click Run.
> Type: cmd and then click OK.
> At the command prompt, type including spaces:
> shutdown.exe -a
> and then press ENTER.
> Step 3: Mitigate the Vulnerability
> You can temporarily remove the vulnerability that allows the worm to
> infect your computer by creating a log file.
> Create the log file
> On the taskbar at the bottom of your screen, click Start, and then
> click Run.
> Type: cmd and then click OK.
> At the command prompt, type including space:
> echo dcpromo >%systemroot%\debug\dcpromo.log
> and then press ENTER.
> Make the log file read-only
> At the command prompt, type, including spaces:
> attrib +R %systemroot%\debug\dcpromo.log
> and then press ENTER.
> Step 4: Improve System Performance
> If your computer is acting sluggish or if the Internet connection is
> slow, the worm may be flooding your local network connection. This may
> make it impossible for you to download and install the required software
> update. To improve system performance:
> On the taskbar at the bottom of your screen, click Start, and then
> click Run.
> Type taskmgr, then click OK
> Select the Process tab
> For each of the following tasks that may be listed, click the task to
> select it, and then click the End Task button to end it.
> Any task ending with _up.exe (for example, 12345_up.exe).
> Any task starting with avserve (for example, avserve.exe).
> Any task starting with avserve2 (for example, avserve2.exe).
> Any task starting with skynetave (for example, skynetave.exe).
> hkey.exe
> msiwin84.exe
> wmiprvsw.exe
> ***Note Do not end the wmiprvse.exe task; it is a legitimate system
> task.
> Step 5: Enable a Firewall
> A firewall is a piece of software or hardware that creates a protective
> barrier between your computer and the Internet. If your computer has
> been infected, a firewall will help limit the effects of the worm.
> Windows XP includes the Internet Connection Firewall (ICF). To turn on ICF:
> On the taskbar at the bottom of your screen, click Start, and then
> click Run.
> Type ncpa.cpl, then click OK
> Right-click the Dial-up, LAN, or High-Speed Internet connection that
> you use to connect to the Internet, and then click Properties from the
> shortcut menu.
> On the Advanced tab, under Internet Connection Firewall, select Protect
> my computer and network, and then click OK. The Windows XP firewall is
> now enabled.
> Step 6: Reconnect to the Internet
> Plug the cable (referred to in Step 1) back into your computer,
> telephone jack, or modem.
> Step 7: Install the Required Update
> To help protect your computer against this worm in the future, you must
> download and install security update 835732, which was released with
> Microsoft Security Bulletin MS04-011. To download security update 835732,
> go to http://go.microsoft.com/?LinkID=526067
> Step 8: Check For and Remove Sasser
> After you have installed the 835732 (MS04-011) security update and
> restarted your computer, the computer may continue to generate network
> traffic and try to spread the worm infection to other vulnerable computers.
> To check for and remove Sasser from your computer, go to the Web page
> "What You Should Know About the Sasser Worm and Its Variants" at
> http://www.microsoft.com/security/incident/sasser.asp. Use the Sasser
> Worm Removal Tool to search your hard disk for and remove Sasser.A,
> Sasser.B, Sasser.C, and Sasser.D.
> About Internet Connection Firewall
> The Windows XP Internet Connection Firewall can block useful tasks such
> as sharing files or printers through a network, transferring files in
> applications, or hosting multiplayer games. Nonetheless, Microsoft
> recommends that you use a firewall to help protect your computer.
> If you turn on the Internet Connection Firewall and find that you can't
> perform some tasks you want to, read "How to Open Ports in the Windows
> XP Internet Connection Firewall" at
> http://www.microsoft.com/security/protect/ports.asp.
> If you have more than one computer, want more technical information, or
> want to learn more about firewalls, read "Frequently Asked Questions
> About Firewalls" at
> http://www.microsoft.com/security/protect/firewall.asp.
> ===============================================================
>
> Windows 2000 Users: What to Do If Your Computer Has Been Infected by
> Sasser
> Published: May 4, 2004
> If you are using Microsoft® Windows 2000 Service Pack 2 (SP2), Windows
> 2000 SP3, or Windows 2000 SP4 and your computer has been infected by
> the Sasser worm, you can take these steps to update your software, remove
> the worm, and help protect against future infections.
> If your computer is infected with the Sasser worm, you may experience
> one or more of the following symptoms:
> · Your computer performance is decreased or your network
> connection is slow.
> · You may see a dialog box that contains text that refers to LSA
> Shell.
> · Your computer may restart every few minutes without user
> input.
> Step 1: Disconnect from the Internet
> To avoid further problems, disconnect from the Internet:
> Broadband connection users: Locate the cable that runs from your
> external DSL or cable modem and unplug that cable either from the modem or
> from the telephone jack.
> Dial-up connection users: Locate the cable that runs from the modem
> inside your computer to your telephone jack and unplug that cable either
> from the telephone jack or from your computer.
> Step 2: Mitigate the Vulnerability
> You can temporarily remove the vulnerability that allows the worm to
> infect your computer by creating a log file.
> Create the log file
> On the taskbar at the bottom of your screen, click Start, and then
> click Run.
> Type: cmd and then click OK.
> At the command prompt, type including space:
> echo dcpromo >%systemroot%\debug\dcpromo.log
> and then press ENTER.
> Make the log file read-only
> At the command prompt, type, including spaces:
> attrib +R %systemroot%\debug\dcpromo.log
> and then press ENTER.
> Step 3: Improve System Performance
> If your computer is acting sluggish or if the Internet connection is
> slow, the worm may be flooding your local network connection. This may
> make it impossible for you to download and install the required software
> update. To improve system performance:
> On the taskbar at the bottom of your screen, click Start, and then
> click Run.
> Type taskmgr, then click OK
> Select the Process tab
> For each of the following tasks that may be listed, click the task to
> select it, and then click the End Task button to end it.
> Any task ending with _up.exe (for example, 12345_up.exe).
> Any task starting with avserve (for example, avserve.exe).
> Any task starting with avserve2 (for example, avserve2.exe).
> Any task starting with skynetave (for example, skynetave.exe).
> hkey.exe
> msiwin84.exe
> wmiprvsw.exe
> ***Note Do not end the wmiprvse.exe task; it is a legitimate system
> task.
> Step 4: Enable a Firewall
> A firewall is a piece of software or hardware that creates a protective
> barrier between your computer and the Internet. Microsoft does not
> manufacture stand-alone software firewalls. The following resources provide
> more information about some firewall options.
> Hardware Firewalls
> Hardware firewalls are a good choice for versions of the Windows
> operating system prior to Windows XP. Some home-networking hardware, such
> as
> wireless access points and broadband routers, comes with built-in
> hardware firewalls. These help protect most home networks.
> Software Firewalls
> Microsoft strongly recommends that all users obtain and install a
> firewall before connecting to the Internet. However, we realize that some
> users may find downloading software to be their only option. If you
> choose to reconnect to the Internet to obtain a software firewall, here are
> some options:
> BlackICE PC Protection-Save 25% (http://blackice.iss.net/microsoft.php)
> Computer Associates-12-month free trial
> (http://www.my-etrust.com/microsoft/)
> F-secure-6-months free trial (http://www.f-secure.com/protectyourpc/)
> McAfee Security-save up to 35%
> (http://us.mcafee.com/root/campaign.asp?cid=8437)
> Panda Software-90-day free trial
> (http://www.pandasoftware.com/microsoft/)
> Symantec/Norton-90-day free trial
> (http://www.symantecstore.com/dr/v2/ec_dynamic.main?sp=1&pn=46&sid=27674)
> Tiny Software: Tiny Personal Firewall (http://www.tinysoftware.com)
> ZoneAlarm-save $20
> (http://download.zonelabs.com/bin/promotions/microsoftsecurity/)
> Step 5: Reconnect to the Internet
> Plug the cable (referred to in Step 1) back into your computer,
> telephone jack, or modem.
> Step 6: Install the Required Update
> To help protect your computer against this worm in the future, you must
> download and install security update 835732, which was released with
> Microsoft Security Bulletin MS04-011. To download security update 835732,
> go to http://go.microsoft.com/?LinkID=526386
> Step 7: Check For and Remove Sasser
> After you have installed the 835732 (MS04-011) security update and
> restarted your computer, the computer may continue to generate network
> traffic and try to spread the worm infection to other vulnerable computers.
> To check for and remove Sasser from your computer, go to the Web page
> "What You Should Know About the Sasser Worm and Its Variants" at
> http://www.microsoft.com/security/incident/sasser.asp. Use the Sasser
> Worm Removal Tool to search your hard disk for and remove Sasser.A,
> Sasser.B, Sasser.C, and Sasser.D.
>
>
> Harish.G
>
> This posting is provided "AS IS" with no warranties, and confers no rights.