A friend of mine has a box running XP that he is certain is infected with the Sasser virus. He claims that he saw something in task manager that indicates that the virus is present.
I know that the virus causes machines to shut down frequently and they need to be restarted. However, my friend's machine will not reboot. After going through most of the boot-up the screen goes blank and it locks up. I’ve tried to restart the machine in safe mode, but it always hangs as well, on a driver that ends with .agp. There may be an issue with this driver or his video card, but I can see things up to the Windows splash screen.
Any ideas? Should I try a more generic video card and see if that lets me get the machine running? Is there a bootable fix for the sasser virus?
I was also recently hit with the Sasser virus. I’m not sure, but when you say your friend’s computer locked up, it may just be taking an incredibly long time to load. For me, when I would reboot my computer, after I entered my password and hit enter to log in, the “loading personal settings” screen would just sit there. I waited for about 5 minutes then manually rebooted again. After a few cycles of this, I just let it sit there. And, lo and behold, after about 10 or so minutes, it logged in.
Also, it seems the Sasser virus comes with an .exe that takes up A LOT of CPU usage. With no applications running after a clean reboot, my CPU usage was up at around 95% (it is usually at <5% even with a number of applications running). After I ran the Sasser removal tool, the log file read “process: avserve2.exe (terminated)”. That little bastard was causing my computer, and your friend’s as well I think, to run at a terribly slow speed. Just tell him to have patience when trying to log in, then send him or have him download the removal tool and he should be fine.
This registry key should make it clear whether the system is actually infected. Even if you can’t get into Windows to check the registry, the worm creates a text file in C:\ called ‘win2.log’ that contains the number of computers it has successfully infected.
Last weekend I fixed someone else’s computer with this problem. I diagnosed it by noting that avserve.exe was chewing up 50% of the CPU. Killing it and renaming it allowed me to download virus updates. Many of the antivirus vendors have a removal tool.
This person had dial-up, and for some reason the win2.log file was not created. Looking to see what process is chewing up all the time is a good way of identifying the problem - there are so many variants that the bad executable is hard to keep track of.
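An added triage check (my own code, not something any poster or vendor supplied) for the indicators described in this and the earlier posts: the avserve.exe / avserve2.exe process names, an unexplained CPU hog, and the C:\win2.log counter file. The 50% CPU threshold and the allowlist of normal XP processes are assumptions; the Task Manager sample at the bottom is constructed.

```python
"""Triage checks for the Sasser indicators the posters describe: a process
named avserve.exe / avserve2.exe, an unexplained CPU hog, and C:\\win2.log."""
from pathlib import Path
from typing import Iterable, List, NamedTuple, Optional, Union

# Image names quoted in the thread; other variants may use other names.
KNOWN_SASSER_NAMES = {"avserve.exe", "avserve2.exe"}
# Assumption: a threshold between the 50% and 95% figures the posters reported.
CPU_HOG_PERCENT = 50.0
# Assumption: XP processes that legitimately show high CPU in Task Manager.
# "System Idle Process" must be here or an idle box would always be flagged.
KNOWN_GOOD = {"system idle process", "system", "csrss.exe", "explorer.exe"}


class Proc(NamedTuple):
    name: str           # image name as Task Manager shows it
    cpu_percent: float  # CPU column at the moment of sampling


def suspicious_processes(procs: Iterable[Proc]) -> List[str]:
    """Flag known worm names first, then any unexplained CPU hog, since the
    thread notes there are too many variants to rely on the name alone."""
    findings = []
    for p in procs:
        name = p.name.lower()
        if name in KNOWN_SASSER_NAMES:
            findings.append(f"{p.name}: known Sasser image name")
        elif p.cpu_percent >= CPU_HOG_PERCENT and name not in KNOWN_GOOD:
            findings.append(f"{p.name}: {p.cpu_percent:.0f}% CPU, not a known system process")
    return findings


def parse_counter(text: str) -> Optional[int]:
    """win2.log holds only the number of hosts infected; anything else is not it."""
    text = text.strip()
    return int(text) if text.isdecimal() else None


def infection_counter(log_path: Union[str, Path] = r"C:\win2.log") -> Optional[int]:
    """None means the file is absent or unreadable. Absence does not clear the
    machine: one poster's dial-up victim never had the file created."""
    path = Path(log_path)
    if not path.is_file():
        return None
    return parse_counter(path.read_text(errors="replace"))


if __name__ == "__main__":
    # Constructed sample resembling the posters' Task Manager observations.
    sample = [Proc("System Idle Process", 4.0), Proc("avserve2.exe", 95.0),
              Proc("svchost.exe", 1.0)]
    print(suspicious_processes(sample))  # ['avserve2.exe: known Sasser image name']
    print(infection_counter())
```

On a live box the `Proc` records would come from Task Manager or `tasklist`; the name and threshold checks are deliberately separate so a renamed variant still shows up as a CPU hog.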
I just came back from my friend's place. His machine will not boot up. At the Windows XP splash screen that blue thing goes across a few times and then the screen goes black. Left it that way for about an hour. The machine never completed the boot-up and it didn’t shut itself back down. Granted, I am going on the basis that my friend did in fact see a Sasser process in the task manager, when the machine was still running.
Try booting in safe mode. Hold down the F8 key during startup and you should get a startup menu with the safe mode option. That should start Windows with a minimum of devices running. I’m guessing Sasser won’t be started in safe mode. Worth a shot, anyway.
BTW, I removed Sasser from my neighbor’s computer last weekend. I discovered the program “avserve.exe” was taking up an increasing portion of system resources (until it crashed) and first disabled it by running “msconfig” immediately after startup and unchecking it under the startup tab. Then I was able to reboot normally and delete it for good.
I tried that the first time (I did mention it in the OP). Given the fact that the screen goes black after the splash screen and the location where it hangs on booting in safe mode, I wonder if the problem is, at least partially, a faulty video card?
Tell your friend, and you should know this too, that he should always keep his computer updated with the latest critical updates as they become available. Don’t ever put one of these off until a later date. DO IT NOW!
Good advice, but it is no guarantee you won’t get hit. Updates only happen when the new virus has been identified, which means people have gotten hit already. The best things to do are not to use Outlook, not to use IE, and, if you can, not to use Windows at all. (This last is too hard for most, the first two are easy.)
Untrue. Critical updates are issued when Microsoft is made aware of security issues. They are always announced in advance of any virus that might exploit them (though the time between the announcement and the development of the virus is shrinking).
Further, the Sasser virus has nothing to do with Outlook or Internet Explorer; you’d still get it even if you don’t use them.
Funny how the rabid Windows haters always pull out this “advice” even when it has nothing to do with the situation at hand. :rolleyes:
I keep getting these popups (purportedly from Microsoft) saying “Sasser Virus detected!!! Do you want to SCAN?” or some such, and I just X it out. Has anyone gotten these popups, and do they bear any legitimacy?