Re: Is this blaster or sasser
- From: "antonyliu2002@xxxxxxxxx" <antonyliu2002@xxxxxxxxx>
- Date: 11 Mar 2007 13:32:22 -0700
On Mar 11, 9:03 am, "David H. Lipman" <DLipman~nosp...@xxxxxxxxxxx>
wrote:
From: <antonyliu2...@xxxxxxxxx>
| I noticed that hardly any web page loads, so I launched task manager
| and viewed the processes.
|
| I saw a bunch of processes svchost.exe, so I thought that I better end
| them. The time I tried to end some of these svchost.exe, a window
| pops up as shown in the image below.
|
|http://farm1.static.flickr.com/148/417110866_b842e37e28_o.jpg
|
| I had to do shutdown -a to abort the shutdown process.
|
| I saw this before, it was from W32.Blaster.Worm or W32.Sasser.Worm,
| or some names like these.
|
| But, note that this window does not pop up itself, it pops up only if
| I try to end some of these svchost.exe processes.
|
| I googled out the Symantec FixBlaster and FixSasser removal tool, ran
| them, but neither find anything. I ran these tools in safe mode,
| still they reported nothing was found.
|
| The problem remains, though. So, I backed up my C drive files and
| put them on another partition of the hard drive and then clean-installed
| XP SP2.
|
| Guess what, the problem remains!
|
| Hey, how do I get rid of this problem? Thanks.
|
| BTW, I was using McAfee before the clean install, now I have Norton
| Antivirus, AVG and McAfee.
The Sasser worm exploits the LSASS module, not the RPC/RPCSS DCOM module, so that's not it.
The Lovsan/Blaster worm generates a "Remote Procedure Call (RPC)" type message, not DCOM, so
that's not it.
I want to point out that the Sasser and Lovsan/Blaster worms are pretty much dead. They
have been replaced by *numerous* other Internet worms that have added the RPC/RPCSS DCOM
and LSASS buffer overflow vulnerabilities to the arsenal of applicable infection vectors.
The problem is you're IMPROPERLY shutting down the processes of SVCHOST.EXE. You caused
a DCOM error and thus the shutdown.
It is NOT the number of SVCHOST.EXE processes that counts. It is where SVCHOST.EXE is
executed from.
SVCHOST.EXE should only run from: %windir%\system32
Anywhere else it may be deemed malware.
In short -- Stop playing with the OS or you will corrupt it!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Thanks, Dave.
I didn't play with XP OS, like moving OS files around, nope.
So, looks like my computers are fine according to what you said. I
thought that whenever I see that scary shutdown popup window, then my
system is infected with some kind of worm.
Gosh, it took me a few hours to re-clean-install the entire system.
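Dave's advice above boils down to two checks a practitioner would script rather than eyeball in Task Manager: does each svchost.exe instance run from %windir%\System32, and which services does it host (so the one carrying RpcSs/DcomLaunch, whose termination triggers the DCOM-initiated shutdown the original poster saw, is never killed by hand). The script below is an added example written for this page, not code from the thread or from either poster. It assumes Windows PowerShell 3+ or PowerShell 7 on Windows, run in an elevated session so WMI/CIM can read the executable path of SYSTEM-owned processes; the column names and the "SUSPECT" wording are my own.

```powershell
# Added example (not part of the original thread): audit svchost.exe instances
# instead of terminating them. Assumes Windows PowerShell 3+ / PowerShell 7 on
# Windows, run elevated so ExecutablePath is readable for SYSTEM processes.

$expectedDir = Join-Path $env:windir 'System32'   # the only legitimate home of svchost.exe

# Build PID -> hosted service names (same information as `tasklist /svc`).
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    if (-not $servicesByPid.ContainsKey($svc.ProcessId)) {
        $servicesByPid[$svc.ProcessId] = @()
    }
    $servicesByPid[$svc.ProcessId] += $svc.Name
}

# Services whose host process must never be killed by hand: RpcSs/DcomLaunch going
# away is what produces the "system is shutting down" dialog (hence `shutdown -a`).
$critical = @('RpcSs', 'DcomLaunch')

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $path   = $p.ExecutablePath
    $hosted = $servicesByPid[$p.ProcessId]

    if (-not $path) {
        $verdict = 'path unreadable (run elevated)'
    } elseif ((Split-Path $path -Parent) -ieq $expectedDir) {
        $verdict = 'expected location'
    } else {
        $verdict = 'SUSPECT: not in System32'
    }

    # Authenticode/catalog signature check as a second opinion on the binary itself.
    $sigStatus = 'n/a'
    if ($path -and (Test-Path $path)) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $path
        Verdict   = $verdict
        Signature = $sigStatus
        Critical  = [bool]($hosted | Where-Object { $critical -contains $_ })
        Services  = ($hosted -join ', ')
    }
}

# Suspects first; then the ones you must not touch; then everything else.
$report | Sort-Object @{Expression='Verdict'; Descending=$true}, Critical | Format-Table -AutoSize
```

A large count of svchost.exe rows is normal and, on recent Windows builds that split services into separate host processes, expected; only a row whose Verdict is not "expected location" or whose Signature is not "Valid" is worth investigating, and a row marked Critical should be left alone regardless.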