Is this blaster or sasser


antonyliu2002

I noticed that hardly any web page loads, so I launched task manager
and viewed the processes.

I saw a bunch of processes svchost.exe, so I thought that I better end
them. The time I tried to end some of these svchost.exe, a window
pops up as shown in the image below.

http://farm1.static.flickr.com/148/417110866_b842e37e28_o.jpg

I had to do shutdown -a to abort the shutdown process.

I saw this before, it was from W32.Blaster.Worm or W32.Sasser.Worm,
or some names like these.

But, note that this window does not pop up itself, it pops up only if
I try to end some of these svchost.exe processes.

I googled out the Symantec FixBlaster and FixSasser removal tool, ran
them, but neither found anything. I ran these tools in safe mode,
still they reported nothing was found.

The problem remains, though. So, I backed up my C drive files and
put them on another partition of the hard drive and then clean-
installed XP SP2.

Guess what, the problem remains!

Hey, how do I get rid of this problem? Thanks.

BTW, I was using McAfee before the clean install, now I have Norton
Antivirus, AVG and McAfee.
 

David H. Lipman


The Sasser worm exploits the LSASS module not the RPC/RPCSS DCOM module so that's not it.

The Lovsan/Blaster worm generates a "Remote Procedure Call (RPC)" type message, not DCOM so
that's not it.

I want to point out that the Sasser and Lovsan/Blaster worms are pretty much dead. They
have been replaced by *numerous* other Internet worms that have added the RPC/RPCSS DCOM
and LSASS buffer overflow vulnerabilities in the arsenal of applicable infection vectors.

The problem is your IMPROPERLY shutting down the processes of SVCHOST.EXE. You caused
a DCOM error and thus the shutdown.

It is NOT the number of SVCHOST.EXE processes that count. It is where SVCHOST.EXE is
executed from.

SVCHOST.EXE should only run from: %windir%\system32
Anywhere else it may be deemed malware.


In short -- Stop playing with the OS or you will corrupt it !
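
The path check described in the reply above, as an added example that is not part of the original thread: it lists every svchost.exe instance with its image path and the services it hosts, and flags any instance not running from %windir%\system32. It assumes a Windows system with PowerShell 3.0 or later (for Get-CimInstance); the function name Test-SvchostPath and the verdict labels are made up for this example.

```powershell
# Added example: judge svchost.exe instances by where they run from, not by how many there are.
# Assumption: PowerShell 3.0+ (Get-CimInstance). Run elevated so image paths are readable.

# The only location the reply above treats as legitimate.
$expected = Join-Path $env:windir 'System32\svchost.exe'

# Hypothetical helper: classify one image path against the expected location.
function Test-SvchostPath {
    param(
        [string]$Path,
        [string]$Expected
    )
    # An empty path means the process could not be inspected (usually a
    # non-elevated session); report that instead of calling it malware.
    if ([string]::IsNullOrEmpty($Path)) { return 'Unknown' }
    # Windows paths are case-insensitive, so compare with -ieq.
    if ($Path -ieq $Expected) { return 'Expected' }
    return 'Review'
}

# Index running services by host process ID, so each svchost.exe instance
# can be shown with the services it carries.
$servicesByPid = Get-CimInstance Win32_Service |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $hosted = $servicesByPid["$($_.ProcessId)"]
        [pscustomobject]@{
            PID      = $_.ProcessId
            Verdict  = Test-SvchostPath -Path $_.ExecutablePath -Expected $expected
            Path     = $_.ExecutablePath
            Services = ($hosted.Name -join ', ')
        }
    } |
    Sort-Object Verdict, PID |
    Format-Table -AutoSize -Wrap
```

Many rows with the verdict `Expected` are normal; only a `Review` row, an svchost.exe running from somewhere other than %windir%\system32, calls for a closer look.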
 

antonyliu2002


Thanks, Dave.

I didn't play with XP OS, like moving OS files around, nope.

So, looks like my computers are fine according to what you said. I
thought that whenever I see that scary shutdown popup window, then my
system is infected with some kind of worm.

Gosh, it took me a few hours to re-clean-install the entire system.
 
