Topic: U.exe and Sasser-like behaviour

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #30 on: April 10, 2007, 11:46:54 PM »
So many computers ... So little time ...

I think deleting from safe mode might have worked as they wouldn't have loaded into memory but I understand the constraints you're under.  I will miss the challenge :)

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #31 on: April 10, 2007, 11:58:56 PM »
> So many computers ... So little time ...
>
> I think deleting from safe mode might have worked as they wouldn't have loaded into memory but I understand the constraints you're under.  I will miss the challenge :)

Mmmmhhhh.... You'd better bet on a good horse.
I'll try, but if the Windows update doesn't work, I'm afraid the worm will come back at the first boot on the LAN.
I shall come back.

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #32 on: April 11, 2007, 12:00:25 AM »
Keep the computers isolated - all turned off except the one you are working on.

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #33 on: April 17, 2007, 11:37:45 PM »
For all those who are still interested in this topic...
We found that the
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
subdirectories of the infected computers contain plenty of copies of the mpn.exe file. We just Shift+Deleted them.

We have been working a day and a half with a professional tech to cure about 30 computers. For some of them, it was rather difficult to eliminate the mpn.exe file. It kept coming back again and again and again.
Mauserme's advice works (For he's a jolly good fellow).  :)

At the present moment, the mpn.exe doesn't seem to come back after:
- kill mpn.exe in the task manager
- shift+delete mpn.exe in the system32 directory
- when present, shift+delete U.exe file in the c:\ directory
- eliminate mpn.exe in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key of the registry
- shift+delete the subdirectories of C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
- reboot
- update Windows

Still superinfection problems (DriveCleaner or other commercial popups) on some computers. But I think this will be rather easy to eliminate.
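
The file and registry leftovers named in the checklist above can be re-checked on each machine, or on a disk mounted from a clean one, with a read-only script. This is an added example, not part of the original posts; the WINDOWS\system32 location, the mpn*.exe cache pattern and the function names are assumptions.

```python
import fnmatch
import os
import sys

# Artifacts named in the post; paths are relative to the system drive.
# Assumption: the system32 directory sits under WINDOWS.
FIXED_FILES = [os.path.join("WINDOWS", "system32", "mpn.exe"), "U.exe"]
CACHE_DIR = os.path.join("Documents and Settings", "Default User",
                         "Local Settings", "Temporary Internet Files",
                         "Content.IE5")
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def read_run_key():
    """Return {value name: command} from the HKLM Run key (Windows only)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            entries[name] = str(data)
    return entries


def audit(root, run_entries):
    """List leftovers under drive `root` and in the given Run-key entries."""
    findings = []
    for rel in FIXED_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            findings.append(("file", path))
    # Assumption: cached copies may carry a suffix such as mpn[1].exe.
    # os.walk yields nothing if the cache directory does not exist.
    for dirpath, _dirs, files in os.walk(os.path.join(root, CACHE_DIR)):
        for name in files:
            if fnmatch.fnmatchcase(name.lower(), "mpn*.exe"):
                findings.append(("cache", os.path.join(dirpath, name)))
    for name, command in run_entries.items():
        if "mpn.exe" in (name + " " + command).lower():
            findings.append(("run", name))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    results = audit(root, read_run_key())
    for kind, item in results:
        print(kind, item)
    sys.exit(1 if results else 0)  # non-zero exit means leftovers remain
```

It deletes nothing and does not look at running processes, so the Task Manager step still has to be checked by hand.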

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #34 on: April 18, 2007, 02:19:20 AM »
Thanks for the update ymai.  I wish I was able to be there helping  :)

When you have things well under control you may want to try running Rogue Remover against your Drive Cleaner problem.  It may help.

http://www.malwarebytes.org/rogueremover.php