
My NOD32 is infected!


jemmajam
April 15th, 2005, 07:22 PM
As I write this, my good computer is out cold. It was attacked around 5pm yesterday (Friday). I had the latest Windows updates on it, XP firewall and the latest NOD32. It comes up with "c:\windows\system32\sass.exe.status code-1073741819" which is exactly what the old sass virus said.

I should not have this! Anyone else encountered this? Any suggestions on how to fix it? My NOD32 has been infected and I can not reinstall it as the comp is offline because of the attack. The computer I am using to type this is much older but it is all I have until I can fix the other.

quexx88
April 15th, 2005, 07:52 PM
The NOD32 installer unpacks the files necessary to reinstall to C:\Program Files\ESET\Install so see if they are still there.

Given the name of the executable running, I have a feeling it should have a chance of picking it up.

BlueZannetti
April 15th, 2005, 08:06 PM
Since you have access on your old computer, head over to Eset (http://www.eset.com/home/home.htm). On the homepage, there are free downloadable cleaners, including one for Sasser.A-F.worm. It's a zipfile less than 300 kb in size. If this is sasser, it should deal with it.

Blue

The Point
April 15th, 2005, 08:37 PM
The point is! He shouldn't have it! How did it get by!

ronjor
April 15th, 2005, 08:44 PM
jemmajam

Do you have all the security updates provided by Microsoft for your operating system?

Security Freak
April 15th, 2005, 09:01 PM
Remember, Microsoft released only one patch for the Sasser worms, so you may not be up to date, orrrr you or someone in your family opened something dangerous, who knows.

Blackspear
April 15th, 2005, 09:10 PM
Quote: "The point is! He shouldn't have it! How did it get by!"

The point is the poster may not have their system up to date, and we are yet to learn what security if any they are using.

Cheers ;D

BlueZannetti
April 15th, 2005, 09:12 PM
Quote: "The point is! He shouldn't have it! How did it get by!"

On a fully patched system, with Windows ICF, it won't get in natively. If it got in, and NOD was working, it should have been flagged. Let's see what a cleaner can do. If it does not work, maybe this is something altogether different.

It's a bit early to make assumptions on either side of the fence. Too little firm information. For example, is the behavior classical Sasser? There's another PC available. Is the location NAT'ed? If so, what's the vector? We could spend a lot of effort developing a lot of extraneous information. If it's Sasser, the best course would seem to be to deal with it and spend some quality effort on the event post mortem.

Blue

Blackspear
April 15th, 2005, 09:13 PM
Hi Jemmajam, welcome to Wilders.

Are you able to boot into Safe Mode and run Nod32 that way?

Further instructions on booting into Safe Mode can be found in post number 2 HERE. (http://www.wilderssecurity.com/showthread.php?t=47830)

Hope this helps...

Let us know how you go.

Cheers ;D

jemmajam
April 16th, 2005, 01:44 AM
Quote: "jemmajam, do you have all the security updates provided by Microsoft for your operating system?"

As I stated in my original post, yes, Windows XP was the latest with all live updates installed. NOD32 was also the latest with all live updates (hourly).

I have tried scanning in safe mode. I tried this before I made my first post. It cannot open NOD32. I have also tried using shutdown -a in Run, but the comp still shuts down before I can do too much.

edit: ok I got NOD32 to work and do a full scan before the computer crashed. It says there are no viruses but it could not open about 20 files. All of these files were in a folder called $NtUninstallKB835732$
I tried to find this file to delete it with BCWipe, but it is not showing. It is in the windows file.

Blackspear
April 16th, 2005, 03:14 AM
My suggestion at this point would be to slave the infected drive off a clean machine and have Nod32 run a scan on the infected drive.

Cheers ;D

Marcos
April 16th, 2005, 04:08 AM
Hi jemmajam,

I wonder if you could clarify why you think your pc is infected with Sasser. It's a quite old worm so no doubt it must be detected by NOD32 (unfortunately, I can't confirm now whether it was detected by AH or not as I'm writing from home).

If you encounter reboots with a prior pop-up window referring to lsass.exe it may not be (and most likely is not) caused by Sasser. A reboot takes place if the Remote Procedure Call (RPC) service encounters an error while the action to take upon a failure is to reboot the machine (default setting).

Have you got the beta installed? If not, I wonder if you could install it, just in case (http://www.eset.com/download/downbeta.htm). NB: a newer beta version (probably Release Candidate) is going to be released shortly.

PlexShaw
April 16th, 2005, 06:18 AM
Quote: "NB: a newer beta version (probably Release Candidate) is going to be released shortly."

Great to hear. :)