lsasser.exe Virus no-boot

mjcandlec

Hi,

My desktop Dell was infected with the sasser virus. I am not able to start
it because it doesn't make it to the Windows log-on before it says
lsasser.exe Application error (0xc0000005). Click on OK to terminate this
application.

I tried downloading the "make 6 startup discs" from MS site onto my laptop.
I made the discs and tried them in the infected computer. It rejects the
third startup disc and only says "error 4". Now I'm not able to do anything.
Can someone please help. Thanks
 
Daave

mjcandlec said:
Hi,

My desktop Dell was infected with the sasser virus. I am not able to
start it because it doesn't make it to the Windows log-on before it
says lsasser.exe Application error (0xc0000005). Click on OK to
terminate this application.

I tried downloading the "make 6 startup discs" from MS site onto my
laptop. I made the discs and tried them in the infected computer. It
rejects the third startup disc and only says "error 4". Now I'm not
able to do anything. Can someone please help. Thanks

What is it you want to do? Get rid of the virus? Or perform a Clean
Install of XP?
 
mjcandlec

Daave said:
What is it you want to do? Get rid of the virus? Or perform a Clean
Install of XP?

I would like to be able to boot the OS so I can perform a clean install of XP and then attack the virus. I want to do both as soon as I can run it.
 
mjcandlec

The 6 boot discs made from support/ms fail on the third disc with the
message "File setupdd.sys could not be loaded", "error code 4 - setup cannot
continue".
 
Paul

mjcandlec said:
Hi,

My desktop Dell was infected with the sasser virus. I am not able to start
it because it doesn't make it to the Windows log-on before it says
lsasser.exe Application error (0xc0000005). Click on OK to terminate this
application.

I tried downloading the "make 6 startup discs" from MS site onto my laptop.
I made the discs and tried them in the infected computer. It rejects the
third startup disc and only says "error 4". Now I'm not able to do anything.
Can someone please help. Thanks

You have plenty of options.

*******

This one is something I use from time to time. Products like this,
have their own OS, so that the user doesn't need any tricks to
run the software. The price to be paid for this approach, is
a relatively large download. This one is ~100MB in size. The
biggest minus of this package as it currently stands, is it
doesn't have a web browser on board. A web browser would be
convenient for the user, to keep them occupied while the
scan is running :) To add your own web browser to this
environment, you'd need a browser that was statically compiled,
as there aren't the usual libraries on this CD, to run
ordinary software.

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

What that is, is a self-booting product that is offered for free.
It uses Gentoo (a Linux distro) to build an AV scanning disc.

To use it, you need a second computer that has a CD burner.
And a CD burning program, that knows how to convert an ISO9660
file, into a bootable CD. I use Nero for that, but there
are other free programs for doing that.

http://en.wikipedia.org/wiki/Comparison_of_disc_authoring_software

http://en.wikipedia.org/wiki/List_of_optical_disc_authoring_software

You boot that 100MB CD, and it becomes your OS. Initially, the
virus database on the CD will be out of date. (They don't attempt
to keep the file updated on a daily basis.) Another little trick
the CD uses, is it uses the Windows pagefile for Linux swapspace,
so that the OS won't crash if it temporarily runs out of memory.

To reach the outside world, the CD will attempt to use DHCP, to get
an IP address for the computer. Your networking should already be
set up, for that to work. For example, I manually start my Internet
connection on my router, by using a web browser. In order for me
to use that CD, the router has to be started and running already.
If my connection is "down", then the Kaspersky disc can't fix that.
My router runs its own DHCP server, and the connected computers
can ask the DHCP server, for a (private) IP address. As in 192.168.1.2 .

As long as the Kaspersky CD can talk to some DHCP server, it
should be able to set up networking. It needs the networking,
so it can contact the Kaspersky Labs server and download
fresh virus definitions. The virus definitions on the CD
will already be out of date.

The download will take maybe five minutes. Once it is finished, you can
return to the "Scan" tab. There, you select partitions to be
scanned.

The Kaspersky disk is imaginative, in the labels it uses.
It shows

X Disk boot sectors
X C:
D:
E:
F:

Now, if I had a single disk, with four partitions on it,
Kaspersky may call them C,D,E,F. But in the "real world",
I may refer to them as C,K,R,W, or some other assignments.
Kaspersky tends to just enumerate them and give them drive
letters. It is up to you, to figure out what those
letters correspond to.

As an example, I have two Windows OSes on the computer. I was
able to figure out, that the one I wanted to scan, was actually
F:. So this is how I would set up the Scan window. My first bootable
OS is actually C:, while the second one is F:. If you're unsure,
you can tick *all* the boxes, but this scanner isn't the
speediest one in the world. Here, I'm scanning F:, as well
as the disk boot sectors on the hard drive.

X Disk boot sectors
C:
D:
E:
X F:

To test that the tool really works, you'd need to install
a virus file on the partition. There is a special file used
for the purpose, called EICAR (it is not a real virus). Its
main benefit, is to see the response of the AV program, to
a standardized fake virus. Either it will want to quarantine
the file in question, or even delete it. But at least you'll
see a notification on the window, when that file is detected.
(You won't really be able to use that now, but you can keep a
copy of this on your computer at some later date, as a way of
seeing whether the AV tool is working or not.) In my case,
what I found was, Kaspersky could find Eicar stored in a
System Restore point, but didn't appear to see it contained
in a ZIP file on C:. Maybe I just missed the notification prompt
or something. I doubt it really missed it.

http://en.wikipedia.org/wiki/Eicar

Now, you can start the Kaspersky scanner. The Linux environment
can mount FAT32 or NTFS partitions, and make changes if necessary
to them. I'm hoping in this case, that the tool will be able to
take care of Sasser for you, and anything else it runs into.

The lower left of the desktop window, has a menu. From it, you
can launch a "Terminal" window. This is similar to the
Command window in WinXP. In there, you can use text commands to
do various things.

For example, I can do this to see all the mounted partitions.

# df

/dev/hda1 1233456 2345 1002345 21% /discs/C:

That tells me that what Kaspersky calls C: is /dev/hda1 or the
first partition of disk "hda".

Next, I change directory, to have a look in there.

# cd /discs/C:

Now, I can list the contents of the so-called C: drive.

# ls -al

rwxr-xr-x 1 root root 1207959552 2009-10-26 17:14 pagefile.sys

In that case, I'm seeing the pagefile at the top level of
one of my operating system disks. By looking at some of the
other files I have stored on C: at the top level (which
I placed on there on purpose as a fingerprint), I'm able
to tell which partition /discs/C: actually corresponds to.

When you click the "Start Scan" triangle, the AV scan will begin.

In the terminal window, I can use the following command, to watch
the resources used by the scanning program.

# top

To quit that "top" program, you can type the letter "q". It
displays memory usage and CPU usage, and is how I keep track
of what's up.

Another useful command to use in the Terminal window, is this.
This is how I figured out what file the virus scanner uses.

# ps aguwwwx | grep kav

/bin/sh /usr/bin/kav.exe

The reason I'm curious about that, has to do with scanning speed,
and the performance of the scanner. The scanner starts off quick
enough, so fast in fact, that you'll hear a bit of rattling of
the hard drive. But as time passes, the scan slows down. Eventually,
it is only scanning a couple of files per second.

To fix the performance issue, you can stop the scan. Kaspersky
seems to remember where it left off. If you stop the scan, then
click the "X" in the upper right corner, the scanner will exit.

Now, go back to the Terminal window. You can use this command to
start the scanner again. The "&" forks the executable and frees
the Terminal window to accept another command.

# /usr/bin/kav.exe &

That will "fork" a copy of kav.exe, and the scanner window will
reappear. Click the "Start Scan" triangle. A prompt will appear,
something like "do you want to resume the current scan". Answer
yes. After a pause, where the tool figures out what files it has
scanned, it will start scanning again. The scanning speed will
be much faster than it was, just before you exited the previous
scan window. I use that trick, if I'm sick of waiting for it
to finish. I might let the first scan run for an hour, before
stopping and starting it again.

On a long scan, the sound of the constantly rotating CD can be
annoying. There is a fix for that.

When the CD first starts to boot, a "boot prompt" will appear.
You have to press at least one letter on the keyboard quickly
(within a couple of seconds), so that the CD will not race
onwards and finish booting. At the boot prompt, type

rescue docache

That will store the entire CD into system memory. As long as
the computer has perhaps 512MB or more of memory, you should be
able to manage that. Once done, the Linux operating system
will no longer have a dependency on the CD remaining in
the optical drive.

Then, once the scan window is present on the desktop, open
a Terminal window and unmount the CD. (The "#" character, is
the prompt in the Terminal window.)

# umount /mnt/cdrom

Then, when you press the button on your CD drive tray, the
media should eject. Normally, it would not eject if the Linux
OS is using it. I use that trick, so I don't wear out my
CD drive.

When the tray opens, you have very little time to extract the
CD. The stupid Linux OS seems to check the status of the
drive after some number of seconds, and will attempt to close
the tray. You may just want to observe it the first time,
to see how much time elapses between pressing the button, and
the tray closing on its own again. Since you have a laptop, it is
possible your tray is a "manual operation" type, in which case
there is little risk of you crushing the CD in the process of
pulling it from the tray. Some other Linux operating systems
don't have this quirky behavior, and will allow you to finish
removing the CD without crushing the CD or your fingers.

For an orderly shutdown of the special environment when the
scan is finished, the lower-left menu has a "logout" option.
Eventually, it will say something like "press control-D".
Once you do that, the computer may shut off. If you don't want
that CD to boot again, then you need to arrange for its
removal, before you can boot back into Windows.

HTH,
Paul
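An added example, not code from Paul's post or from the Kaspersky disc: a small POSIX shell script that automates the partition-identification step described above, parsing `df` output for the rescue disc's /discs/X: mount points and checking each for the top-level fingerprint files (WINDOWS\system32, boot.ini, pagefile.sys) that mark a bootable Windows XP volume. The `df` output, device names and scratch directory tree are constructed so the script runs offline; on the live disc you would pipe real `df` output into `map_discs` and pass an empty ROOT.

```shell
#!/bin/sh
# Constructed df output in the shape the rescue disc prints (sample values, not from a real scan).
DF_SAMPLE='Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/hda1        1233456    2345   1002345  21% /discs/C:
/dev/hda2       20971520 9876543  11094977  48% /discs/D:
/dev/hdb1       10485760 1234567   9251193  12% /discs/E:
/dev/sr0          102400  102400         0 100% /mnt/cdrom'

# map_discs: read df output on stdin, print "LETTER DEVICE MOUNTPOINT" for each /discs/X: entry.
map_discs() {
    awk '$NF ~ /^\/discs\/[A-Z]:$/ { print substr($NF, 8, 1), $1, $NF }'
}

# has_windows_fingerprint DIR: succeed if DIR looks like a bootable Windows XP system volume:
# a WINDOWS\system32 tree plus at least one of boot.ini / pagefile.sys at the top level.
has_windows_fingerprint() {
    dir=$1
    { [ -d "$dir/WINDOWS/system32" ] || [ -d "$dir/Windows/System32" ]; } || return 1
    [ -f "$dir/boot.ini" ] || [ -f "$dir/pagefile.sys" ]
}

# find_windows_volumes ROOT: for each letter in DF_SAMPLE, test ROOT/discs/X: and print
# "LETTER DEVICE" for the volumes that carry a Windows installation. ROOT is "" on the live
# disc; a scratch directory is passed here so the check can be exercised offline.
find_windows_volumes() {
    root=$1
    printf '%s\n' "$DF_SAMPLE" | map_discs | while read -r letter dev mnt; do
        if has_windows_fingerprint "$root$mnt"; then
            printf '%s %s\n' "$letter" "$dev"
        fi
    done
}

# Constructed scratch tree mirroring the mount points above: C: and E: carry Windows, D: is data.
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/discs/C:/WINDOWS/system32" "$SCRATCH/discs/D:/photos" \
         "$SCRATCH/discs/E:/WINDOWS/system32"
: > "$SCRATCH/discs/C:/pagefile.sys"
: > "$SCRATCH/discs/E:/boot.ini"
find_windows_volumes "$SCRATCH"
```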
 
Malke

mjcandlec said:
The 6 boot discs made from support/ms fail on the third disc with the
message "File setupdd.sys could not be loaded", "error code 4 - setup cannot
continue".

You don't "boot the operating system" to do a clean install. And if you do a
clean install there won't be anything left so no need to "attack the virus".

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand

Since you have a Dell, put the Dell operating system disc in the drive and
restart the computer. Press F12 as the computer is starting and choose to
boot from your optical drive. Make sure you have backed up your data
*before* you do this.

Malke
 
PA Bear [MS MVP]

There are two primary ways your computer got infected:

1. You don't have a valid, fully-updated anti-virus application installed;
and/or

2. The computer isn't fully patched at Windows Update.

The fix is fairly painless but can be tedious:

Back-up any personal data (none of which should be considered 100%
trustworthy at this point) then do a format & clean install of Windows.
Please note that a Repair Install (AKA in-place upgrade) will NOT fix this!

cf. http://michaelstevenstech.com/cleanxpinstall.html#steps

After the clean install, you'll have the equivalent of a "new computer" so
take care of everything on the following page before otherwise connecting
the machine to the internet or a network and before using a USB key that
isn't brand-new or hasn't been freshly formatted:

5 steps to help protect your new computer before you go online
http://www.microsoft.com/protect/computer/advanced/xppc.mspx

HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
(after a clean install)
http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
clean install)
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Also see:

Steps To Help Prevent Spyware
http://www.microsoft.com/security/spyware/prevent.aspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/security/worms/prevent.aspx

Avoid Rogue Security Software!
http://www.microsoft.com/security/antivirus/rogue.aspx
 