Re: Virus?

From: kim (anonymous_at_discussions.microsoft.com)
Date: 10/06/04


Date: Tue, 5 Oct 2004 18:25:48 -0700

Bruce,

Thanks for the reply, I rebuilt this system myself and
applied all patches defs etc to the system, it sits in a
school behind a firewall, so I am confused on how Sasser
got to this system if all was on the up and up.

The problem now is that I can not get to windows to stop
the shutdown sequence. I am aware of how to do that, but
can not get past the logon screen, (why it has that as it
was not set with a domain logon, and no admin password),
and has no "choice" to select any logon, it is like the
BSOD but instead states choose a logon, with the right
side all blue screen.......

I tried safe mode with command prompt thinking I might
bypass this to effectively disable the shutdown, but no
go.....

So how do I get past all this in order to repair it?

I have slaved it to another HD and ran fixsasser, but it
found nothing and I do not believe this is truthful and
wondered if the tool was indicative of the actual running
OS and not as a data disk?

Thanks for all your help,
Kim

>-----Original Message-----
>kim wrote:
>> I rebuilt a system for a staff member last week, XP Pro,
>> all win updates (except SP2) Norton corp, all dat files,
>> Office 2003 and all updates, ad aware and updates, and
>> ran scans for virus and spy/adware. Returned the system
>> and it ran fine for a week.
>>
>> Today the teacher called me back, said she updated new
>> windows updates, and the system now reboots with a
>> typical sasser message on start up. "The system is
>> shutting down,......." gives me 60 seconds countdown and
>> the system process is C:\WINDOWS\system32\lsass.exe.
>>
>> I can not get past this to stop the timeout as the system
>> gets to select the log on name to continue (with the
>> lsass.exe box in front of it) and there is no name in
>> which to choose to continue the log on. I have to power
>> off to do anything except reboot when the system times
>> out.
>>
>> I tried safe mode, same thing, I tried safe mode with
>> command prompt, and can not get past that log on screen
>> with nothing to choose! I was hoping to get to the cmd
>> prompt to stop the timeout and then repair the system.
>>
>> I slaved the HD to another system and ran a sasser fix
>> tool, it found nothing.
>>
>> I am not really wanting to rebuild this system again, it
>> is for a special needs teacher and she has tons of
>> programs for kids with special handicaps and needs.
>> Takes days to get it working.
>>
>> Any ideas or help greatly appreciated.
>>
>> Thank you in advance,
>> Kim
>
>
> You've apparently contracted the latest worm, W32.Sasser.Worm,
>specifically designed to attack people who do not update their
>computers promptly and who do not practice "safe hex." In other
>words, like Blaster, this worm was developed and distributed after a
>patch for the vulnerability was announced and made publicly available.
>Further, and also like Blaster, this worm could not affect any
>computer whose user had taken the basic precaution of using a properly
>configured firewall.
>
> To stay on-line long enough to get the necessary updates, patches,
>and removal tools, click Start > Run, and enter "shutdown -a" when the
>next Shutdown countdown begins. This will abort the shut down. Also,
>make sure you've enabled a firewall before starting, to preclude any
>more intrusions while getting the updates/patches/tools.
>
>What You should Know about the Sasser Worm and its Variants
>http://www.microsoft.com/security/incident/sasser.asp
>
>Microsoft Security Bulletin MS04-011
>http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
>
>W32.Sasser.Worm
>http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
>
>A tool is available to remove the Sasser worm variants
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720
>
>W32.Sasser.Worm Removal Tool
>http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
>
>McAfee AVert Stinger Virus Removal Tool
>http://vil.nai.com/vil/stinger/
>
>--
>
>Bruce Chambers
>
>Help us help you:
>http://dts-l.org/goodpost.htm
>http://www.catb.org/~esr/faqs/smart-questions.html
>
>You can have peace. Or you can have freedom. Don't ever count on
>having both at once. - RAH
>
>
>
>.
>


