Sasser question

sputkin

Member
Jul 23, 2003
69
0
0
Can the Sasser worm survive a HD reformat? One of my computers was having some Sasser-type symptoms (60sec restart, IE and Firefox unexpectedly ending quite regularly), and as the computer's just about a month old, I don't have that much stuff on there so I figured I'd just reformat and be done with it.

So I reformatted about a week ago, made sure to install ZA and AntiVir before ever connecting network cable, worked just fine for a couple days, but now I've gotten the same 60sec shutdown a couple times, IE and FF will run for about 10 minutes and then either right after clicking on a link or using the scroll wheel the "We're sorry FF has unexpectedly closed" error reporting message comes up. And just a little while ago after rebooting I got a message saying "LSA Shell (Export Version)" has unexpectedly shut down. I did a quick google and that's evidently a blatant sign of the Sasser.

BUT, the odd thing is I've done virus scans with AntiVir, online virus scans with Panda, even downloaded the Norton Sasser removal tool and it seems none of them detect a problem.

So.... Any suggestions? The symptoms I listed are the only ones I have, and the 60 sec restart doesn't happen very often at all, so it's like I'm not getting the full Sasser symptoms. So do I even have it since none of the tools pick it up? And like I asked, can it survive a reformat? I'm going out for a couple hours so won't be able to respond till about 6 or 7. And I'm typing this on a different computer btw. Thanks!!
 

Uncle Bob

Senior member
Oct 24, 2004
380
0
0
I wouldn't be so sure it's a worm.

Check the event log for the system and applications - see if anything strange is logged there.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Are you patching Windows to eliminate the actual vulnerability? Is 100% of your software legit? ZoneAlarm by itself should be enough to keep the worms at bay, so maybe it's not what it looks like.

Other question: are there any other computers sharing your network there? If so, raise ZoneAlarm's Trusted-Zone setting to High.
 

sputkin

Originally posted by: Uncle Bob
I wouldn't be so sure it's a worm.

Check the event log for the system and applications - see if anything strange is logged there.

I just now looked at it (I'm not sure I've ever looked in there before!) but I don't know what I should be looking for. Under system there's the occasional error (maybe 1 out of every 50 or so), mainly from NetBT, Browser, MrxSmb (which from a quick google seem to be kosher). Under Application there seem to be LOTS of errors, between 10-20% of the entries, and there are strings of 5 errors or more at a time. All of them seem to be from the "Application Error" source. Let me know if I can tell you anything else helpful...


Originally posted by: mechBgon
Are you patching Windows to eliminate the actual vulnerability? Is 100% of your software legit? ZoneAlarm by itself should be enough to keep the worms at bay, so maybe it's not what it looks like.

Other question: are there any other computers sharing your network there? If so, raise ZoneAlarm's Trusted-Zone setting to High.

Yes, yes, and yes. I updated it with all the Windows Update patches as soon as I first got it on the internet after this past reformat, and all the software is completely legit. I've got just a home network with 1 other desktop and 2 laptops (wireless router). I'll go ahead and set trusted zone to high.

So like you say I'm set for security as far as any new worms or viruses go. But I still have the problem with IE and FF shutting down. I have Pegasus on there and it has shut down once in the last week. And now that I think of it, before I formatted last week, I had all the same problems, PLUS ZA was shutting down periodically as well. That hasn't happened (w/ ZA) since this current format however. So I've had problems ONLY from programs related to internet usage, if that means anything...

Let me know what other info I can give that might help troubleshoot. (would posting my system or application log help?). Thanks again!!
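An added example, not part of any post in this thread: one way to see what a long run of "Application Error" entries has in common is to tally the faulting application and module named in each event description. The sample descriptions, the function names and the thresholds below are constructed assumptions; the regular expression follows the wording Windows XP uses for event ID 1000.

```python
import re
from collections import Counter

# Description text of event ID 1000 ("Application Error" source) on Windows XP.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[^,]+), "
    r"faulting module (?P<module>[^,]+), version (?P<mod_ver>[^,]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)"
)

# Constructed sample descriptions, not taken from the poster's machine.
SAMPLE_EVENTS = [
    "Faulting application firefox.exe, version 1.0.0.0, faulting module "
    "js3250.dll, version 4.0.0.0, fault address 0x0002a1f4.",
    "Faulting application iexplore.exe, version 6.0.2900.2180, faulting module "
    "mshtml.dll, version 6.0.2900.2180, fault address 0x0005a3c1.",
    "Faulting application lsass.exe, version 5.1.2600.2180, faulting module "
    "unknown, version 0.0.0.0, fault address 0x00000000.",
    "Faulting application firefox.exe, version 1.0.0.0, faulting module "
    "ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.",
    "Fault bucket 12345678.",  # constructed non-matching line, no module detail
]

def summarize(events):
    """Count crashes per faulting application and per faulting module."""
    apps, modules, unparsed = Counter(), Counter(), 0
    for text in events:
        m = FAULT_RE.search(text)
        if m is None:
            unparsed += 1
            continue
        apps[m["app"].lower()] += 1
        modules[m["module"].lower()] += 1
    return apps, modules, unparsed

def triage(events):
    """Return notes; the thresholds are illustrative assumptions."""
    apps, modules, _ = summarize(events)
    notes = []
    if apps["lsass.exe"]:
        notes.append("lsass.exe crashed: verify the LSASS patch is installed")
    total = sum(apps.values())
    if total >= 3 and modules.most_common(1)[0][1] * 2 <= total:
        notes.append("no single module dominates: also test RAM and disk")
    return notes

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("\n".join(triage(SAMPLE_EVENTS)))
```

A tally dominated by one module points at that program or plug-in; crashes scattered over unrelated programs and modules are a reason to look beyond any single piece of software.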

 

mechBgon

If it were me, I'd start from the top with the network cable unplugged. Format, install Windows, patch it with SP2 from a CD, install ZoneAlarm if you like it better than Windows Firewall, set the Trusted Zone security to High, install your antivirus software...

and can I also suggest right-clicking My Computer, choose "Manage", go down to Users & Groups > Users, right-click each of the Administrator-class accounts and give them a strong password such as sputkin@AT. And fully enable Data Execution Prevention for all programs, I have some infos on that under Ongoing Prevention on this page.

Furthermore, check your other computers for infections and get them firewalled too. ZoneAlarm will tip you off if stuff is trying to get out, as well as in.

edit: also, since your router is wireless, realize that a worm-infected wireless-equipped computer in your neighbor's dorm room/apartment/house can infect your computer if it can get onto your WAP. Do you have all the router's security goodies cranked up to keep unauthorized systems off? Because the router's firewall won't protect you against them, they'd be in the router's and ZoneAlarm's Trusted Zone since they're on your IP range.
 

sputkin

Originally posted by: mechBgon
If it were me, I'd start from the top with the network cable unplugged. Format, install Windows, patch it with SP2 from a CD, install ZoneAlarm if you like it better than Windows Firewall, set the Trusted Zone security to High, install your antivirus software...

and can I also suggest right-clicking My Computer, choose "Manage", go down to Users & Groups > Users, right-click each of the Administrator-class accounts and give them a strong password such as sputkin@AT. And fully enable Data Execution Prevention for all programs, I have some infos on that under Ongoing Prevention on this page.

Well, looks like that'll be my best bet. I'll probably do that either this weekend or the beginning of next week. I'll report back after that whether it cleared it up or not...


edit: also, since your router is wireless, realize that a worm-infected wireless-equipped computer in your neighbor's dorm room/apartment/house can infect your computer if it can get onto your WAP. Do you have all the router's security goodies cranked up to keep unauthorized systems off? Because the router's firewall won't protect you against them, they'd be in the router's and ZoneAlarm's Trusted Zone since they're on your IP range.

And yes, I believe I'm good to go with the router security. Oh, and add my name to the list of success stories using your guide, extremely helpful for builder-newbs like me!! This was my first build and it's gone flawlessly (apart from this problem :). One more question, does it sound like all this is completely software related? The only things I didn't buy new for this budget system were the vid card and a 20GB Maxtor HD I already had. Could the HD possibly be going bad and helping to cause some of these problems? I'm eventually going to get a new one anyway so would I do well to go ahead and do that now? Again, you guys are awesome!