Poor Guy

got these files on my PC. seems to have happened to friends in area on btbroadband too.

delete files in title and they some back and keep closing my computer


now ive got a NT/AUTHORITY/SYSTEM shutdown im being shutdown



help

mark_h

W32.Sasser.Worm
There's removal instructions, and a link to a removal tool there.

Poor Guy

page expired

Poor Guy

help. Before im shut down again

milo

like most good(!) viruses, they'll have modified a registry setting to re-establish themselves at start-up.

look in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run in your registry and REMOVE any reference to these, and indeed anything that you DONT want to run at start-up.

it's good practice to back-up your registry just incase of course

specifically for said virus, look on anti-virus software websites as they'll say how to remove this one exactly.

and do the following:
* get anti-virus software
* get a decent firewall
* look on microsoft's site for security updates as often as possible - REGULARLY check windowsupdate.

mark_h

Still works for me

Poor Guy

http://msn.mcafee.com/virusInfo/defa...virus_k=125007

This is the Stinger and has detected and deleted the worm.
http://vil.nai.com/vil/stinger/

must say im impressed with it.

CHEERS GUYS!!!!

PS. have BLACKICE firewall

Poor Guy

its bloody back

Poor Guy

System Idle Process is taking 85+% CPU usage which looks very shifty

whats happening?!

dba

sounds like your firewall is letting another one in everytime you go online? get another firewall,on cd,load it,and run a full virus scan,assuming you have an antivirus programme? if you have port open,they will find it everytime i think

mark_h

And run Windows Update and get all the critical patches.

ajm

Reboot in safe mode (hold down F8 as the computer starts to boot). This will make sure the virus won't run at startup. If it is running then it will just undo any changes you make.

Next either do what milo suggested, or run "msconfig" and under the "Startup" tab untick any suspicous looking files. E.g. anything to do with avserve*.exe

Reboot

Then, as Mark suggested, update windows.

dowser

Stinger is the best tool to completely remove the worm. But unless you've patched against MS04-011, or have updated your virus definition files, you'll quickly get re-infected.....very quickly

Imagine a world where everyone patched against latest vulnerabilities and ran auto-update on their AV software. Interent access would be much faster for everyone

Richard

Poor Guy

for gods sake. Its like putting on riot gear to go to the shops!

dowser

Correct, but most of it can (indeed, should) be automated.

Richard

R1916v

I'm afraid I find blackice useless, get something like outpost firewall.

And gods sake get some AV software (!) and make sure windows is update ok.

giblet

just a small part of the problem is the autoreboot caused by the LSASS crashing. On XP at least you can give yourself time - when you get notification of an impending reboot got to Start-Run and enter "shutdown /a" and hit return. This will at least abort the scheduled reboot and give you a chance...

Muffleman

I spent most of yesterday afternoon pi**ing around with this little virus, it's a right pain !

Does wind me up that some people have the time, inclination and ability to create such viruses.

Matt