Is this blaster or sasser

I noticed that hardly any web page loads, so I launched task manager
and viewed the processes.

I saw a bunch of processes svchost.exe, so I thought that I better end
them.  The time I tried to end some of these svchost.exe, a window
pops up as shown in the image below.

http://farm1.static.flickr.com/148/417110866_b842e37e28_o.jpg

I had to do shutdown -a to abort the shutdown process.

I saw this before, it was from W32.Blaster.Worm or W32.Sasser.Worm,
or some names like these.

But, note that this window does not pop up itself, it pops up only if
I try to end some of these svchost.exe processes.

I googled out the Symantec FixBlaster and FixSasser removal tools, ran
them, but neither found anything.  I ran these tools in safe mode,
still they reported nothing was found.

The problem remains, though.  So, I backed up my C drive files and
put them on another partition of the hard drive and then clean-
installed XP SP2.

Guess what, the problem remains!

Hey, how do I get rid of this problem?  Thanks.

BTW, I was using McAfee before the clean install, now I have Norton
Antivirus, AVG and McAfee.


Re: Is this blaster or sasser


| I noticed that hardly any web page loads, so I launched task manager
| and viewed the processes.
|
| I saw a bunch of processes svchost.exe, so I thought that I better end
| them.  The time I tried to end some of these svchost.exe, a window
| pops up as shown in the image below.
|
| http://farm1.static.flickr.com/148/417110866_b842e37e28_o.jpg
|
| I had to do shutdown -a to abort the shutdown process.
|
| I saw this before, it was from W32.Blaster.Worm or W32.Sasser.Worm,
| or some names like these.
|
| But, note that this window does not pop up itself, it pops up only if
| I try to end some of these svchost.exe processes.
|
| I googled out the Symantec FixBlaster and FixSasser removal tools, ran
| them, but neither found anything.  I ran these tools in safe mode,
| still they reported nothing was found.
|
| The problem remains, though.  So, I backed up my C drive files and
| put them on another partition of the hard drive and then clean-
| installed XP SP2.
|
| Guess what, the problem remains!
|
| Hey, how do I get rid of this problem?  Thanks.
|
| BTW, I was using McAfee before the clean install, now I have Norton
| Antivirus, AVG and McAfee.

The Sasser worm exploits the LSASS module, not the RPC/RPCSS DCOM module,
so that's not it.

The Lovsan/Blaster worm generates a "Remote Procedure Call (RPC)" type
message, not DCOM, so that's not it.

I want to point out that the Sasser and Lovsan/Blaster worms are pretty
much dead.  They have been replaced by *numerous* other Internet worms
that have added the RPC/RPCSS DCOM and LSASS buffer overflow
vulnerabilities in the arsenal of applicable infection vectors.

The problem is you're IMPROPERLY shutting down the processes of
SVCHOST.EXE.  You caused a DCOM error and thus the shutdown.

It is NOT the number of SVCHOST.EXE processes that counts.  It is where
SVCHOST.EXE is executed from.

SVCHOST.EXE should only run from:  %windir%\system32
Anywhere else it may be deemed malware.


In short  --  Stop playing with the OS or you will corrupt it !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
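
The path check described in the reply above, as an added example that is not part of the original thread: it lists every running svchost.exe with its image path and the services it hosts, and flags any instance not started from %windir%\system32. It assumes PowerShell 3.0 or later (for Get-CimInstance), which is not present on a stock XP SP2 install; the variable names and status labels are illustrative.

```powershell
# Added example, not from the thread. Read-only: it inspects processes, it never ends them.
# Expected image path, per the reply above: %windir%\system32\svchost.exe
$expected = Join-Path $env:windir 'System32\svchost.exe'

# Build a map of PID -> names of the services hosted in that process.
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $servicesByPid[[int]$_.ProcessId] += @($_.Name)
    }

# Inspect every process whose image name is svchost.exe.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath

        # ExecutablePath is empty when the caller lacks rights to query the process.
        $status = if (-not $path) {
            'path unreadable (run elevated)'
        } elseif ($path -ieq $expected) {
            'ok'
        } else {
            'UNEXPECTED PATH'
        }

        [pscustomobject]@{
            PID      = $_.ProcessId
            Path     = $path
            Status   = $status
            Services = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        }
    } |
    Sort-Object Status, PID |
    Format-Table -AutoSize -Wrap
```

Many svchost.exe rows marked "ok" are normal; a row marked "UNEXPECTED PATH", or one hosting no services, is the one to investigate.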



Re: Is this blaster or sasser


Thanks, Dave.

I didn't play with XP OS, like moving OS files around, nope.

So, looks like my computers are fine according to what you said.  I
thought that whenever I see that scary shutdown popup window, then my
system is infected with some kind of worm.

Gosh, it took me a few hours to re-clean-install the entire system.

