Author Topic: WIN32:sasser..HELP!  (Read 5082 times)


justFil

  • Guest
WIN32:sasser..HELP!
« on: December 23, 2006, 10:36:34 AM »
Since I got this trojan I restored the full system but it's still there, or at least that's what it says on avast.com. I even tried the AVAST CLEANER but it doesn't detect anything, same thing with the regular Avast antivirus... what should I do???

thanks

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89207
  • No support PMs thanks
Re: WIN32:sasser..HELP!
« Reply #1 on: December 23, 2006, 01:46:28 PM »
What Operating System are you using? Is it up to date?
I doubt that it is up to date because the sasser worm exploits a vulnerability, long since patched by MS. http://www.avast.com/eng/win32sasser.html
What is the infected file name, where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
What actions have you taken to try and resolve the problem?

What is your firewall?

avast! and the avast! cleaner should both be able to detect and remove sasser, but if your operating system is out of date and/or you don't have a firewall then it will be back very quickly.

Have you done a google search for sasser removal tool (?) there are tens of thousands of hits http://www.google.com/search?q=sasser+removal+tool
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

justFil

  • Guest
Re: WIN32:sasser..HELP!
« Reply #2 on: December 23, 2006, 02:03:28 PM »
I am using Windows XP but it's updated. Anyway, I've already tried the Avast! cleaner and the updated antivirus but they didn't detect anything. Then I restored my PC but still if I go to avast.com it says the sasser is still there... I'm trying some removal tools now, let's see what happens...

Online DavidR

Re: WIN32:sasser..HELP!
« Reply #3 on: December 23, 2006, 02:10:03 PM »
What version of XP, SP2 with full updates?

What told you you were infected with sasser? avast.com doesn't do system scans.
If avast detected it, it should be able to deal with it, and if not you would have got an error message (?). The more details you can provide, the easier it may be to offer detailed help.

What about the other questions I asked: file name and location, firewall, actions you have taken, etc.?

justFil

  • Guest
Re: WIN32:sasser..HELP!
« Reply #4 on: December 23, 2006, 02:40:36 PM »
In the meantime I've tried 3 different removal tools but none of them detected anything!!! I do have XP SP2 fully updated, don't know if it was fully updated at the time I got the sasser but it's a PC 2 months old! In fact the only place that says I have it is when I open Avast!.com, on the top page it says INFECTED Win32:sasser......


Online DavidR

Re: WIN32:sasser..HELP!
« Reply #5 on: December 23, 2006, 03:24:48 PM »
That is why I asked the questions about file name and location, as this doesn't appear to be on your system. I trust you now see why we ask questions to get at the full facts. This is basically confirmed by avast 4.7, the avast cleaner and these other tools not finding anything.

I have visited the avast.com home page and there is nothing at the top of the page, Infected or otherwise, see image.

Try this link, http://67.18.159.242/index.html, it is a different way of saying avast.com/index.html. If you don't see the Infected, then your DNS or possibly HOSTS file might be compromised.

justFil

  • Guest
Re: WIN32:sasser..HELP!
« Reply #6 on: December 24, 2006, 12:47:17 AM »
Even with that link it still says I'm infected... I've tried a few removal tools... but nothing happened

Online DavidR

Re: WIN32:sasser..HELP!
« Reply #7 on: December 24, 2006, 01:27:27 AM »
Because, as I've said, I don't think it is on your system, and it would appear something seems to be trying to make it look like the avast page is Infected or Hacked, neither of which would seem correct or my image would also show the Infected that you talk of. Can you post a screenshot of the page? Shrink it to a similar size as I have.

Check the c:\windows\HOSTS file, there is no file type after it and you can open it with a text editor like notepad. What are the contents, anything with avast.com or the IP address I gave in the link?

You don't happen to mean this (see image), which relates to the avast cleaner and isn't an indication you are infected?
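The HOSTS check suggested in the reply above, as an added example that is not part of the original thread: it parses HOSTS-file text and reports every entry that pins a watched domain, or one of its subdomains, to an address. The function names, the sample file content and the 203.0.113.50 documentation-range address are constructed for illustration; 67.18.159.242 is the address quoted in the thread.

```python
import ipaddress

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each mapping line of HOSTS-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(entry) < 2:
            continue                              # blank or comment-only line
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        yield line_no, ip, [h.lower().rstrip(".") for h in entry[1:]]

def find_overrides(text, watched, known_good=None):
    """Return (line_no, hostname, ip, verdict) for entries naming a watched domain.

    known_good is an optional {domain: ip} map of addresses the analyst expects.
    """
    known_good = known_good or {}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            domain = next((d for d in watched
                           if name == d or name.endswith("." + d)), None)
            if domain is None:
                continue
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"               # site made unreachable locally
            elif str(ip) == known_good.get(domain):
                verdict = "pinned-expected"       # override, but to the expected host
            else:
                verdict = "redirected"            # name resolves somewhere unexpected
            findings.append((line_no, name, str(ip), verdict))
    return findings

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
67.18.159.242   avast.com                   # address quoted in the thread
203.0.113.50    www.avast.com  AVAST.com.   # documentation-range address
0.0.0.0         download.avast.com
10.0.0.5        notavast.com.example
"""

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS, ["avast.com"],
                                  {"avast.com": "67.18.159.242"}):
        print(finding)
```

To check a real machine, pass in the text of its HOSTS file; on NT-based Windows that file is normally %SystemRoot%\System32\drivers\etc\hosts.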

justFil

  • Guest
Re: WIN32:sasser..HELP!
« Reply #8 on: December 24, 2006, 01:35:47 AM »


I think u r trying to say that what I see on the Avast page is not what I have and I keep seeing it because it didn't refresh the page, is that correct???




Online DavidR

Re: WIN32:sasser..HELP!
« Reply #9 on: December 24, 2006, 02:41:40 AM »
That was, to a degree, what I was saying was a possibility, and/or the HOSTS file or DNS cache was the issue.

However, now that you have posted a screenshot, it is basically the same as mine, and that isn't an indication that you are infected.

It is effectively marketing blurb (excuse the technical terms). If you were infected you would hear an alert and see a clear visual alert, not like this. Try this harmless test - Web Shield Test - http://www.eicar.org/download/eicar.com and you will see what an avast alert is like.
« Last Edit: December 24, 2006, 02:45:14 AM by DavidR »

justFil

  • Guest
Re: WIN32:sasser..HELP!
« Reply #10 on: December 24, 2006, 02:54:35 AM »
hmm so I guess u r right since I've tried already 5 or 6 removal tools and none of them detected the virus, plus I've seen it's like a 2 years old virus so it should be easy to detect. Here is a question: with the total restore of the system do u always get rid of viruses???

Well, when I got the virus I didn't have Avast! but McAfee and it did say I had a virus Win32 sasser. Then I tried to get rid of it with Spybot and Ad-Aware and then with the Avast removal tool. After all that didn't work I restored the full system, but after the first McAfee alarm the only place where it said I had it was avast.com

Online DavidR

Re: WIN32:sasser..HELP!
« Reply #11 on: December 24, 2006, 02:31:08 PM »
Using system restore (I assume this is what you used and not a format) and going back to a date where you were infected could reintroduce the virus. System Restore tries to help by giving you a second chance if you delete files in the system folders; unfortunately malware often installs itself in the system folders, and when you delete it, it could end up as a restore point waiting to bite you in the rear. So depending on the location of the infection it is often recommended you disable system restore and reboot.

You say various programs didn't work in getting rid of it. Now, without any information on why they didn't get rid of it (avast is good in giving an error message like file in use, etc.) I can't hazard a guess as to why, but it is usually location (and at no time have you mentioned that) or in use. In which case you can use the avast boot-time scan that runs before windows starts.

It is better to stop malware getting into the system folders and creating registry entries, etc.

You might also consider proactive protection; in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

justFil

  • Guest
Re: WIN32:sasser..HELP!
« Reply #12 on: December 26, 2006, 07:01:12 AM »
Maybe I explained myself wrong, what I did is a total reboot, like reinstalled Windows XP etc etc...