-
Stop Sasser or Similar by killing the source (Resolved)
Hello, I hadn't been here for a long time... But please let me explain what I am trying to do.
The problem is that there is an old computer with Windows 2000. The computer's hard disk has problems and it was divided into two partitions; the one that has the operating system is not damaged and has 100 MB of free space, the other one is damaged and won't allow itself to be formatted or the OS to be installed on it.
This old computer doesn't have space for installing the second service pack and needs to be on the net. Whenever it comes online it crashes because of a behavior that is similar to the Sasser virus: it generates a random IP and if the IP is valid it tries to connect using FTP. The computer has Antivir and ZoneAlarm to keep viruses from stepping in and taking control.
I was wondering if there is a way to find the process that is generating the random IPs and stop it before it makes the computer crash (it makes lsass.exe come up with an error message, no internet activity can be performed after this, and then it forces the computer to restart by shutting down the system)... Something like using the API to find a process and then force it to be closed.
Could you please help me with some suggestions? I was thinking of having a background program that would detect when cmd.exe is running and then force it to be closed... But I don't want the program to slow the computer down to the point that nothing can be done with it.
Thanks for taking your time to read my problem and to all of you who would go further and try to help me.
-
Re: Stop Sasser or Similar by killing the source
It could be spyware rather than a virus. But what I would do is this. OK, first of all, do you have access to any programs that detect and control what programs autorun on your computer?
-
Re: Stop Sasser or Similar by killing the source
No, I don't have any. I have SpywareBlaster and SpyBot. I have checked the registry and there are some programs there in "Run"... WinSys32Firewall looks suspicious to me but I haven't been able to find it.
(Oh, and thank you for taking your time to try to help me. I am right now using the computer I told you about. So if it takes me 15 minutes or more to answer, it is because I had to restart.)
-
Re: Stop Sasser or Similar by killing the source
Then you do if you have Spybot Search & Destroy. Open the program. Click on the Tools button located in the bottom left hand side. Next click on System Startup. Those are your programs that autorun when you boot up Windows. Depending on the program you click on, you will get an info window on that program that tells you if it's suspicious or whether you need it or not. Then you can enable/disable whatever programs you want to autorun, or even delete them.
The only program you need to autorun is Explorer.exe ;)
-
Re: Stop Sasser or Similar by killing the source
You forgot to tell me it needed to be in advanced mode. :p
Anyway, that's the same as messing with the registry, isn't it?
Do I need to click on "Export"?
-
Re: Stop Sasser or Similar by killing the source
Nope. Just enable or disable what you want to autorun. Don't worry. This worked for me last time my computer was messed up ;)
-
Re: Stop Sasser or Similar by killing the source
Very good.. But I don't know if it will work or not until I spend more time on-line.
Thank you for your help and I hope this is the solution, because I am getting tired of restarting this computer.
-
Re: Stop Sasser or Similar by killing the source
Try NETSTAT /?. It will list PIDs of apps that are using ports. Try the -b option to show .exe names. The -an option is also good. XP SP2 has -o also.
Also, I have W2K Workstation, and think I'm up to SP6.
-
Re: Stop Sasser or Similar by killing the source
Anytime. If there's still a problem, let me know. I may have some ideas up my sleeve. :)
-
Re: Stop Sasser or Similar by killing the source
Once you're online, go to www.trendmicro.com and use their Online Virus Checker.
-
Re: Stop Sasser or Similar by killing the source
Thank you, Jacob and David. I will try to see which exes are running and find out if I have a virus, but I did what Jacob told me and I haven't had any problems so far.
But I can't say this problem has been solved yet...
-
Re: Stop Sasser or Similar by killing the source
It might be time to invest in another hard drive. If one partition failed, that could mean that the other is close to dying. Load W2K onto the new one, and then add the old drive to copy your data. Make sure that you have a few extra accounts with admin privileges so that you can get back into it.
-
Re: Stop Sasser or Similar by killing the source
Hard drives are pretty cheap these days. I think I saw a 250 Gig one for $80 over on www.tigerdirect.com
-
Re: Stop Sasser or Similar by killing the source
David, it seems I don't have the -b option:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
  -a          Displays all connections and listening ports.
  -e          Displays Ethernet statistics. This may be combined with the -s option.
  -n          Displays addresses and port numbers in numerical form.
  -p proto    Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
  -r          Displays the routing table.
  -s          Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval    Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
-
Re: Stop Sasser or Similar by killing the source
Thank you, guys... But I can't get a new hard drive for this computer because it is a laptop. I am thinking about buying a new one but that would have to be until next month when I get paid, so I need to deal with this right now until then.
-
Re: Stop Sasser or Similar by killing the source
The -a option should show what you need. Try them out. It may take a second or two, but none will cause harm.
NETSTAT is Network Statistics
-
Re: Stop Sasser or Similar by killing the source
Thank you... but sadly I still have the same problem. :( What can I do?
-
Re: Stop Sasser or Similar by killing the source
What does NETSTAT tell you? Something is using the port.
-
Re: Stop Sasser or Similar by killing the source
This is what it tells me:
D:\>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP lonewolf:ftp lonewolf:0 LISTENING
TCP lonewolf:http lonewolf:0 LISTENING
TCP lonewolf:epmap lonewolf:0 LISTENING
TCP lonewolf:https lonewolf:0 LISTENING
TCP lonewolf:microsoft-ds lonewolf:0 LISTENING
TCP lonewolf:1025 lonewolf:0 LISTENING
TCP lonewolf:1026 lonewolf:0 LISTENING
TCP lonewolf:1028 lonewolf:0 LISTENING
TCP lonewolf:1031 lonewolf:0 LISTENING
TCP lonewolf:1032 lonewolf:0 LISTENING
TCP lonewolf:1801 lonewolf:0 LISTENING
TCP lonewolf:3372 lonewolf:0 LISTENING
TCP lonewolf:18350 lonewolf:0 LISTENING
TCP lonewolf:1028 lonewolf:18350 ESTABLISHED
TCP lonewolf:1030 lonewolf:0 LISTENING
TCP lonewolf:2103 lonewolf:0 LISTENING
TCP lonewolf:2105 lonewolf:0 LISTENING
TCP lonewolf:2107 lonewolf:0 LISTENING
TCP lonewolf:18350 lonewolf:1028 ESTABLISHED
TCP lonewolf:netbios-ssn lonewolf:0 LISTENING
UDP lonewolf:epmap *:*
UDP lonewolf:snmp *:*
UDP lonewolf:microsoft-ds *:*
UDP lonewolf:1027 *:*
UDP lonewolf:1029 *:*
UDP lonewolf:3456 *:*
UDP lonewolf:3527 *:*
UDP lonewolf:netbios-ns *:*
UDP lonewolf:netbios-dgm *:*
UDP lonewolf:isakmp *:*
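The listing above shows only listeners and one loopback pair, so the Sasser-like behaviour from the first post (random IPs, FTP connects) would have to be caught while it is happening. As an added example, not code from the thread: a small Python parser for Windows netstat -a output that flags the fan-out pattern (many half-open TCP connections to many distinct foreign hosts on one destination port). Windows 2000's netstat has no -o, so this identifies the pattern, not the process; the sample output is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -a` output from a Windows 2000 host (not the
# thread's real output). The LISTENING and hairpin rows mirror the thread; the
# SYN_SENT rows model one process spraying FTP connects at random addresses.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    lonewolf:ftp           lonewolf:0             LISTENING
  TCP    lonewolf:http          lonewolf:0             LISTENING
  TCP    lonewolf:microsoft-ds  lonewolf:0             LISTENING
  TCP    lonewolf:1028          lonewolf:18350         ESTABLISHED
  TCP    lonewolf:18350         lonewolf:1028          ESTABLISHED
  TCP    lonewolf:1040          203.0.113.7:ftp        SYN_SENT
  TCP    lonewolf:1041          198.51.100.23:ftp      SYN_SENT
  TCP    lonewolf:1042          192.0.2.200:ftp        SYN_SENT
  TCP    lonewolf:1043          203.0.113.99:ftp       SYN_SENT
  TCP    lonewolf:1044          198.51.100.4:ftp       SYN_SENT
  UDP    lonewolf:netbios-ns    *:*
"""

# One netstat row: proto, local host:port, foreign host:port, optional state.
# Ports may be names (ftp) or numbers (1028), so they are kept as strings.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, lhost, lport, fhost, fport, state) tuples, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, lh, lp, fh, fp, state = m.groups()
            rows.append((proto, lh, lp, fh, fp, state or ""))
    return rows


def scan_indicators(rows, threshold=4):
    """Map each foreign port to the sorted distinct foreign hosts that are in
    SYN_SENT towards it, keeping only ports with >= threshold hosts. Hosts that
    also appear as a local address are ignored, so loopback pairs such as the
    1028<->18350 hairpin in the thread never trigger the rule."""
    local_hosts = {row[1] for row in rows}
    fanout = defaultdict(set)
    for proto, _lh, _lp, fh, fp, state in rows:
        if proto == "TCP" and state == "SYN_SENT" and fh not in local_hosts:
            fanout[fp].add(fh)
    return {port: sorted(hosts) for port, hosts in fanout.items()
            if len(hosts) >= threshold}
```

Run it against repeated snapshots of netstat -a (or netstat -an) taken right after going online; a non-empty result is the moment to look for the offending process in Task Manager before lsass.exe fails.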
-
Re: Stop Sasser or Similar by killing the source
Here is my system for netstat -a:
Active Connections
Proto Local Address Foreign Address State
TCP piii550:epmap piii550:0 LISTENING
TCP piii550:microsoft-ds piii550:0 LISTENING
TCP piii550:1025 piii550:0 LISTENING
TCP piii550:1026 piii550:0 LISTENING
TCP piii550:netbios-ssn piii550:0 LISTENING
UDP piii550:microsoft-ds *:*
UDP piii550:netbios-ns *:*
UDP piii550:netbios-dgm *:*
UDP piii550:isakmp *:*
UDP piii550:4500 *:*
It is a clean system with NAV running, and it is connected to my laptop as a wireless print server.
-
Re: Stop Sasser or Similar by killing the source
Then what do you suggest I do?
-
Re: Stop Sasser or Similar by killing the source
Did you try the online virus checker at trendmicro.com? It is pretty good.
-
Re: Stop Sasser or Similar by killing the source
Yes, but it told me I couldn't do it if my IE wasn't 5.5 (and sadly, it isn't, ever since I had to restore)... I tried to update to 6.0 but last time I did it told me the program was too big to fit in memory.
-
Re: Stop Sasser or Similar by killing the source
I think I would attempt a repair, and if that didn't work, a reinstall of Windows.
-
Re: Stop Sasser or Similar by killing the source
I have tried that 6 times this month. Also, I downloaded a tool that is supposed to get rid of Sasser and it says I don't have it. I also checked what the symptoms were and which program is the root of it. However, the problem is that there might be a virus that acts in a similar way...
-
Re: Stop Sasser or Similar by killing the source
I don't know. I have a W2K machine that is getting pretty full. Only 1/4 left on the only drive. Going to have to do something pretty soon.
Try Avast! virus protection. I use it on my laptop. It is much quicker than NAV.
-
Re: Stop Sasser or Similar by killing the source
Thank you, David... I have been trying to download avast! but I haven't had good luck so far.
-
Re: Stop Sasser or Similar by killing the source
I had a similar problem a few months ago. It wasn't Sasser, but another common one whose name I can't remember.
It was a program that kept redirecting my links, wouldn't let me update NAV, or let me view any virus protection web page. Whether or not I was searching the Internet, Explorer would pop up at random times on different web pages. Running NAV and spyware removal programs didn't detect it. Looking for running processes showed nothing suspicious.
It ended up being several malicious programs, one of whose job was to hide all the malicious files from view, from the process list and from being seen in the registry editor. It included a backdoor trojan that installed new malware and added it to the hidden process/file list.
This one program hider was effective in stopping NAV from finding and removing the malware. This could be what is going on with your computer.
Sasser may indeed be there; if another program is hiding it then nothing you run will detect it.
I had to use the Ultimate Boot CD (google UBCD).
Run the registry editor from the CD and load the registry hives from the Windows 2000 root partition on C:. I then found a few entries in the Run key that were not there while the OS was running from C:. Once these were removed, NAV was able to detect and remove most of the malware.
Not sure that this is going to help you much unless you have an XP CD, a requirement to build the UBCD. Maybe a friend that has XP can make one and come over to help you out?
packetvb
-
Re: Stop Sasser or Similar by killing the source
So it was a stealth virus. I've heard of these.
-
Re: Stop Sasser or Similar by killing the source
Jacob Roman,
Yes. I've run across this one other time since then, but it was not as effective as the one incident I described. I've sent both to NAV.
The problem is that these things are installed without the user knowing because of security holes in software. Most of the ones I have seen are via exploits in IExplorer.
NAV and spyware removal programs can't catch them all because they rely on updated definitions, and once malware that there is no definition for has launched, it's too late.
So I decided to create my own software to stop this kinda crap. I have created software that will alert the user any time a new executable tries to start up and lets the user decide whether to allow it to continue.
Later I will have it look at the executables and notify the user if it looks like a malicious program, based on what APIs the program wants to call. Like an executable that has only 2 or 3 APIs, with one being GetProcAddress, is a dead giveaway that it's malicious.
Wow, I'm rambling.
:)
-
Re: Stop Sasser or Similar by killing the source
Thank you for your help Jacob, packetVB and David. I still have problems and I can't get Windows XP installed on this computer due to the restrictions of the OS... Do you have any version of the program you are talking about, packetVB?
I use AntiVir and not NAV.
-
Re: Stop Sasser or Similar by killing the source
Tec-Nico,
It does seem odd that the computer acts like Sasser is on it but can't remove it. I bet that it's being hidden.
You're not installing XP on the computer. You're using UBCD, which is a bootable XP CD with tools on it, then running from there. To burn the UBCD you need the XP CD so the software can copy files from the XP CD to create the bootable UBCD.
Or, do you have the option of putting the hard disk in a second machine that already has a clean OS? If so you can run regedt32 and load the hive from the infected disk.
Let me think more about it.
-
Re: Stop Sasser or Similar by killing the source
Thank you for your help, guys. PacketVB, I am sorry but I don't have anyone who could lend me that CD... And I can't place my hard-drive in a second machine with a clean OS.
However, I found a way to prevent this behavior until I get a new machine. I developed a little program that would not let the computer deal with that kind of problem... If anyone is interested, I will post the code.
I appreciate the time all of you took to try to help me... Thank you VERY much :)