Security Announcements
If your system is infected by MS Blaster worm, see as follows:
1.For running fixblast you should have atleast service pack 2.0 and above then only it will detect the worm/virus. If it runs without this then it won't show you the correct output.
2.If the machine is infected then we can make it out by seeing the network status and generally this virus is present in the c:/winnt/system32/wins. If you see DLLHOST.EXE and SVCHOST.EXE files in the above folder then this is worm/virus.
3.To get rid of the virus:
-
Disable the network
-
Rename the above two files.(as it won't allow you to remove)
-
Install service pack 2.0 or above
-
Run the patch for respective operating systems
-
Reboot the system
-
Then delete the above two files
-
Restart the network.
Note: after restarting the network you should not see these two files. generally svchost.exe is a system file which runs in the background so don't get confused
Patches for Sasser worm (Windows XP)
Sasser (A-D) Worm Removal Tool(KB841720)
This tool will help to remove the Sasser (A-D) worm from infected machines. Once the tool has run?after the End-User License Agreement (EULA) is accepted?it automatically checks for infection and removes any of the targeted worms that are found.
After running, the tool displays a message describing the outcome of the detection and removal process. The tool can be safely deleted after it has run. Also, the tool creates a log file named sasscln.log in the %WINDIR%\debug folder.
If your computer keeps shutting down see below:
Instructions for Windows 2000 Users: What to Do If Your Computer Has Been Infected by Sasser
If you are using Microsoft? Windows 2000 Service Pack 2 (SP2), Windows 2000 SP3, or Windows 2000 SP4 and your computer has been infected by the Sasser worm, you can take these steps to update your software, remove the worm, and help protect against future infections.
Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet.
Broadband connection users: Locate the cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack.
Dial-up connection users: Locate the cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer.
Step 2: Mitigate the Vulnerability
You can temporarily remove the vulnerability that allows the worm to infect your computer by creating a log file.Create the log file.
On the taskbar at the bottom of your screen, click Start, and then click Run.
Type: cmd and then click OK.
At the command prompt, type: echo dcpromo >%systemroot%\debug\dcpromo.log and then press ENTER.
Make the log file read-only.
At the command prompt, type: attrib +R %systemroot%\debug\dcpromo.log and then press ENTER.
Step 3: Improve System Performance
If your computer is acting sluggish or if the Internet connection is slow, the worm may be flooding your local network connection. This may make it impossible for you to download and install the required software update. To improve system performance:
Press CTRL+ALT+DELETE, and then click Task Manager.
For each of the following tasks that may be listed, click the task to select it, and then click the End Task button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
hkey.exe
msiwin84.exe
wmiprvsw.exe
Note Do not end the wmiprvse.exe task; it is a legitimate system task.
Step 4: Enable a Firewall
A firewall is a piece of software or hardware that creates a protective barrier between your computer and the Internet. Microsoft does not manufacture stand-alone software firewalls.
Instructions for Windows XP Users: What to Do If Your Computer Has Been Infected by Sasser
If you are using Microsoft Windows XP or Windows XP Service Pack 1 (SP1) and your computer has been infected by the Sasser worm, you can take these steps to update your software, remove the worm, and help protect against future infections.
Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet.
Broadband connection users: Locate the cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack.
Dial-up connection users: Locate the cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer.
Step 2: Stop the Shutdown Cycle
This worm may cause LSASS.EXE to stop responding, which forces the operating system to shut down after 60 seconds. If your computer starts to shut down, follow these steps to abort any system shutdown that may be in progress.
On the taskbar at the bottom of your screen, click Start, and then click Run.
Type: cmd and then click OK.
At the command prompt, type: shutdown.exe -a and then press ENTER.
Step 3: Mitigate the Vulnerability
You can temporarily remove the vulnerability that allows the worm to infect your computer by creating a log file.Create the log file.
On the taskbar at the bottom of your screen, click Start, and then click Run.
Type: cmd and then click OK.
At the command prompt, type: echo dcpromo >%systemroot%\debug\dcpromo.log and then press ENTER.
Make the log file read-only.
At the command prompt, type: attrib +R %systemroot%\debug\dcpromo.log and then press ENTER.
Step 4: Improve System Performance
If your computer is acting sluggish or if the Internet connection is slow, the worm may be flooding your local network connection. This may make it impossible for you to download and install the required software update. To improve system performance:
Press CTRL+ALT+DELETE, and then click Task Manager.
For each of the following tasks that may be listed, click the task to select it, and then click the End Task button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
hkey.exe
msiwin84.exe
wmiprvsw.exe
Note Do not end the wmiprvse.exe task; it is a legitimate system task.
Step 5: Enable a Firewall
A firewall is a piece of software or hardware that creates a protective barrier between your computer and the Internet. If your computer has been infected, a firewall will help limit the effects of the worm. Windows XP includes the Internet Connection Firewall (ICF). To turn on ICF:
On the taskbar at the bottom of your screen, click Start, and then click Control Panel.
Click the Network and Internet Connections category.(If the Network and Internet Connections is not visible, click Switch to Category View under Control Panel on the left side of the Control Panel window.)
Click Network Connections.
Right-click the Dial-up, LAN, or High-Speed Internet connection that you use to connect to the Internet, and then click Properties from the shortcut menu.On the Advanced tab, under Internet Connection Firewall, select Protect my computer and network, and then click OK. The Windows XP firewall is now enabled.
Step 6: Reconnect to the Internet
Plug the cable (referred to in Step 1) back into your computer, telephone jack, or modem.
Home