Jerome

How do you get into a laptop that has been hit by the Sasser virus which, upon logging on, immediately reboots?

When it first got hit the countdown was 5 minutes. The user (the sister of my boss) ignored each countdown and reboot until the up time was less than 30 seconds(!). By the time my boss got to look at it, it was too late - he didn't have enough time to fix it. Now the countdown time is zero seconds.

One of the support guys at work has looked at the machine and can't even get in via safe mode and/or via the admin account. Booting via a floppy or CD doesn't work either.

Other than wiping the hard drive, is there a way of fixing this machine?

The machine is running XP.

ChrisB

Remotely edit the registry to remove the keys from \Run?

suba

and the reg key to delete is...

HKLM\software\microsoft\windows\currentversion\run

on the right pane, there should be something "uncheck.... %..." sorry i cant remember the exact line but it's something like in the quote.

Jerome

How do you edit the registry if you can't get into the system?

Can you edit the registry from BIOS?

ChrisB

From another PC over the network (assuming you have a network and a second PC!)

That's presuming the shut down countdown starts when you log on, not as the system boots.

Jerome

The shutdown is immediate - the moment you hit return after typing your password in, it reboots.

Sounds like it needs to b e wiped.

bioforger

iTrader: (1)

y doesnt bootin from floppy or CD work?

Then u could use recovery console and ASR to restore a backup of your registry, u do have a backup right?

Boro

iTrader: (1)

I thought the Sasser worm only executed on starting windows?

Jerome

No backup of any sort. Glad it's not my PC.

bioforger

iTrader: (1)

You are SOL then. Reinstall required.

ChrisB

Hang on, you don't need to log onto the machine to remotely edit the registry.

Get the PC to the CTRL-ALT-DELT screen and leave.

Fire up RegEdit on another PC on the LAN.

On the Registry menu, choose "Connect Network Registry"

Find the infected PC or type in it's name.

Navigate to the key suba posted and delete it.

That should do the trick.

greasemonkey

Assuming of course the PC is networked.

If it's not, have you tried starting the PC in Safe Mode Jerome? (repeatedly hit F8 as the POST sequence ends, when the startup menu shows select Safe Mode).

Jerome

I should have mentioned the PC isn't networked.

In safe mode it still reboots.

I think it's fecked.

greasemonkey

Yep, you're in trouble there. Have a look at Microsoft.com and the antivirus provider sites to see if there's a patch you can apply via a command prompt.

If not you're probably going to have to run a reinstall/repair.

ChrisB

No network. ERD Commander will let you boot from a CD and access the registry to edit out the keys.

If the machine config isn't that valuable, slave the HD up to another PC or do a parallel install of Windows to copy the data off. Then blow it away and rebuild.

ajm

Is it definately the virus causing this then? Because the reg key HKLM\software\microsoft\windows\currentversion\run should not run in safe mode!