Infected with Sasser worm, Mitigation steps don't work

Guest

My computer is infected with the Sasser worm. I tried to follow the mitigation steps to clean up my computer, but my computer does not have the *_up.exe OR the avserve.exe file, nor are these files listed under system processes in the Task Manager! What should I do? Should I go ahead and install the patch, even though the worm may still be on my computer? I know that I have the worm, as I was getting the error message and my computer was shutting down every few minutes. Thanks.
 
Carey Frisch [MVP]

Check for viruses:

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Virus Removal Tools
http://securityresponse.symantec.com/avcenter/tools.list.html

Online Virus Removal Tutorials
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

And check for the presence of spyware:

Bazooka Adware and Spyware Scanner 1.12
http://download.com.com/3000-2144-10247783.html

3 Steps to Help Ensure your PC is Protected
http://www.microsoft.com/security/protect/

Frequently Asked Questions About Antivirus Software
http://www.microsoft.com/security/protect/antivirus.asp


--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 
Trafton

Hi Luv,

First of all, it is not a good idea to post to these groups with a valid
email address, as a worm called W32/Swen gets addresses from here.

Secondly, how do you know you are infected? Did you receive a notification
of infection from some antivirus program? As Carey suggested, try scanning
your machine to verify you do or do not have the virus. Then go to Windows
Update (http://windowsupdate.microsoft.com/) and download the patch to
prevent further infection.

If you just have the symptom of it (LSASS.EXE shutdown notification), it is
possible that you are infected by one of the other worms that uses this
vulnerability.

Finally, please run this program:

http://www.spychecker.com/program/hijackthis.html

Generate a log by going to Options>Misc. Tools>Generate StartUpLog and then
post it here. We can isolate what worm is running on startup and then get
you disinfected from there.

Sincerely,
Benjamin "Trafton" Johnstone-Anderson
Microsoft MVP - Windows Security
Remove "SPAM" from email address to reply!
Security Manifest: www.msmvps.com/trafton/
 
