Thread ID: 45232 2004-05-15 00:02:00 Page cannot be displayed after Sasser infection noel251 (5640) Press F1
Post ID Timestamp Content User
236680 2004-05-15 00:02:00 I have recently had the Sasser Worm infect my computer. I followed the steps and got rid of it.
My laptop is running XP, and I now cannot get the browser to open any of the antivirus pages (so that I can update NAV). I keep getting the Page Cannot be displayed message. It doesn't affect other sites.
In addition, when I now try to open either AVG or NAV the programme is immediately shut off. It doesn't appear to affect any other programmes.
Have I still got some latent Sasser infection?
Any advice would be welcome
noel251 (5640)
236681 2004-05-15 00:27:00 Are you using IE? If so try another web browser - Mozilla, Firebird or Opera - to access the sites. mark.p (383)
236682 2004-05-15 00:36:00 See if you can load this page (http://housecall.trendmicro.com/) and try the free online scanner to confirm you are virus free at the moment. Otherwise, depending on how recent your last NAV or AVG updates are, boot into safe mode and try running the AV program there. You shouldn't have both NAV and AVG running at the same time as they can cause conflicts with each other. Jen C (20)
236683 2004-05-15 00:49:00 Download and scan your computer with HijackThis (www.majorgeeks.com/download.php?det=3155).

After it has scanned your PC save the logfile and post the results here for help with analysis. Do not fix anything without advice as your computer may stop working.

Reboot your computer in safe mode.

In safe mode ensure that hidden files and folders are visible (in Windows Explorer go to Tools > Folder Options > View, tick "Show hidden files and folders") and also untick "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete:

The C:\WINDOWS\System32\scvhost.exe file

Note: Be careful to watch the spelling - there is a legitimate Windows file in the C:\Windows\System32 folder called svchost.exe. DO NOT delete that one. ONLY DELETE scvhost.exe.

Also in safe mode go to the C:\Windows\Temp folder. Open the Temp folder and go to Edit>Select All then Edit>Delete to delete the entire contents of the Temp folder (not the folder itself).

Empty the Recycle Bin


Now navigate to the C:\Windows\System32\drivers\etc folder. Locate the HOSTS file. Open the HOSTS file in Notepad by clicking on it to open it then tick "Select the program from a list" > choose Notepad.

Look for entries like this:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

Delete all those lines leaving only this one:

127.0.0.1 localhost

Now close the file and answer Yes to save the changes.


Turn off System Restore:

Right-click My Computer on the Desktop>Properties>System Restore tab.
Tick Turn off System Restore.
Restart your computer.


Go here and do an online virus scan:

http://housecall.trendmicro.com/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

When you are sure you are clean you can go back and turn System Restore back on and create a restore point.


IMPORTANT!: It is highly recommended that you go to Windows Update and install all "Critical Updates and Service Packs". This will patch numerous security holes in IE and Windows. This worm got on your machine by taking advantage of one of those vulnerabilities.
tommy (2826)
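Added example, not part of tommy's post: a Python version of the HOSTS check described above, which lists every non-local name mapped to a loopback or unspecified address and produces a cleaned copy. The sample file (including its 0.0.0.0 line) and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1   liveupdate.symantecliveupdate.com   # trailing comment
0.0.0.0 download.mcafee.com
127.0.0.1 housecall.trendmicro.com trendmicro.com
192.168.1.10 fileserver
not-an-ip example.test
"""
LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # expected to be local

def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address field
    return ip.is_loopback or ip.is_unspecified

def parse(raw):
    """Split one HOSTS line into (address, [lowercased names]); comments ignored."""
    fields = raw.split("#", 1)[0].lower().split()
    return (fields[0], fields[1:]) if len(fields) >= 2 else (None, [])

def audit_hosts(text):
    """Return (line_no, address, name) for each non-local name sent to a sinkhole."""
    return [(n, addr, name)
            for n, raw in enumerate(text.splitlines(), start=1)
            for addr, names in [parse(raw)] if addr and is_sinkhole(addr)
            for name in names if name not in LOCAL_NAMES]

def remediate(text):
    """Drop sinkholed non-local names; keep comments, local names, other mappings."""
    out = []
    for raw in text.splitlines():
        addr, names = parse(raw)
        if addr and is_sinkhole(addr):
            keep = [name for name in names if name in LOCAL_NAMES]
            if not keep:
                continue
            raw = addr + "\t" + " ".join(keep)
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Ad-blocking HOSTS lists also map names to these addresses, so each finding still needs a look before the line is removed.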
236684 2004-05-15 00:52:00 Back up important data.

Have you run Spybot and Adaware (Spybot can fix basic registry left-overs)?

Clean out your temp files, cache and history from IE. Right click your hard drives in My Computer > Properties > Disk Cleanup button and choose to delete temp files, empty recycle bin, etc (make sure there is nothing in the recycle bin you want to keep).

Make sure no strange ActiveX controls are left in > C:\WINNT\Downloaded Program Files. Right click the objects in there and select properties. They should only have info in the General tab, Dependencies, etc, relating to Sun Java, Windows Update, etc. Anything that totally hides its properties or has unfamiliar names, just numbers, is probably unwelcome. Post back here if in doubt before deleting anything.

If you have a registry cleaner, give it a run too. Back up your registry first and/or make sure System restore is set.

Uninstall your anti-virus programmes. Choose only one to reinstall as anti-virus apps don't usually reside happily together on the same system.

Get a firewall, if you don't already have one. XP's only stops inbound traffic; turn it off when the new one is installed.

Try a different browser, as per Mark's advice.

Come back with any queries.

Cheers Murray P
Murray P (44)
236685 2004-05-21 23:32:00 Thanks for all your help. Trend-Micro found, amongst other things, sdbot.kw worm and I have been able to remove it manually using their advice. Now with all updates and firewall in place. noel251 (5640)