Re: lsass/dcom problem - possible virus?
From: Jason Hall [MSFT] (v-jashal_at_online.microsoft.com)
Date: 05/03/04
- Next message: S.J.Haribabu: "RE: Domain Controller/Active Directory"
- Previous message: Doug: "Event logs not viewable (or, what is a "Hard Error"?)"
- In reply to: John: "Re: lsass/dcom problem - possible virus?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 03 May 2004 18:14:55 GMT
--------------------
>Content-Class: urn:content-classes:message
>From: "John" <anonymous@discussions.microsoft.com>
>Sender: "John" <anonymous@discussions.microsoft.com>
>References: <709f01c42fa4$3c676e90$a101280a@phx.gbl> <#MWUsf6LEHA.2456@TK2MSFTNGP12.phx.gbl>
>Subject: Re: lsass/dcom problem - possible virus?
>Date: Sat, 1 May 2004 13:14:13 -0700
>
>Windows patch seems to do the trick, but Stinger did not
>identify any virus - nor could I find any of the
>suspicious looking files on my PC. Given the number of
>complaints of this nature on this board, it seems it isn't a
>simple error on my machine - Interesting - perhaps
>this is a novel form of attack.
>
>
Sasser info:
====================
http://sarc.com/avcenter/venc/data/w32.sasser.worm.html
Sasser removal tool:
====================
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
Manual Sasser removal:
=====================
Use the Task manager to kill the following processes:
*_up.exe
avserv*.exe
hkey.exe
msiwin84.exe
wmiprvsw.exe
Use Regedit from the command line to look for and remove any of the
following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"avserve.exe" = C:\WINDOWS\avserve.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"windows"="hkey.exe"
"Microsoft Update"="msiwin84.exe"
"System Updater Service"="wmiprvsw.exe"
"avserve2.exe" = %WINDIR%\avserve2.exe
Search for & delete the following files from the harddrive:
C:\WINDOWS\avserv*.exe
c:\WINDOWS\system32\*_up.exe
avserve*.exe
hkey.exe
msiwin84.exe
wmiprvsw.exe
--
~~ JASON HALL ~~
~ Performance Support Specialist, Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no rights.
~ Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
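An added read-only check (not part of Jason's post or any Microsoft/Symantec tool) that looks for the Sasser indicators listed in the manual removal steps above: the process names, the Run-key values and the dropped files. It only reports what it finds and deletes nothing; the bare file names from the post are assumed to live under %WINDIR%, and an elevated PowerShell session is assumed.

```powershell
# Added example: report Sasser indicators from the post above without changing anything.
# Process names are matched without the .exe suffix, as Get-Process reports them.
$procPatterns = @('*_up', 'avserv*', 'hkey', 'msiwin84', 'wmiprvsw')
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues    = @('avserve.exe', 'avserve2.exe', 'windows', 'Microsoft Update', 'System Updater Service')
# Assumption: the unpathed file names in the post are checked under %WINDIR%.
$fileGlobs    = @("$env:WINDIR\avserv*.exe", "$env:WINDIR\system32\*_up.exe",
                  "$env:WINDIR\hkey.exe", "$env:WINDIR\msiwin84.exe", "$env:WINDIR\wmiprvsw.exe")

$findings = @()

# 1. Running processes whose image name matches one of the listed patterns
foreach ($p in Get-Process) {
    foreach ($pat in $procPatterns) {
        if ($p.ProcessName -like $pat) {
            $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id))" }
        }
    }
}

# 2. Run-key values the worm uses for persistence (value name and its data)
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($v in $runValues) {
        if ($null -ne $run.PSObject.Properties[$v]) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$v = $($run.$v)" }
        }
    }
}

# 3. Dropped executables on disk
foreach ($g in $fileGlobs) {
    Get-ChildItem -Path $g -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $_.FullName }
    }
}

if ($findings.Count -eq 0) { 'No Sasser indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on any line is a reason to run the Symantec removal tool linked above and to confirm the LSASS patch is installed, since the worm re-infects an unpatched host.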