Snooker.com.hk 桌球論壇 - W32.Sasser.B.Worm

United Athle T-Shirt, Polo, Sweatshirt And Jacket

All Forums

Snooker.com.hk 《桌球論壇》

波友吹水區

W32.Sasser.B.Worm

New Topic

Reply to Topic

Printer Friendly

arsir
上校級會員

Hong Kong

Posts 3303

Posted - 03.05.2004 : 17:47:18

W32.Sasser.B.Worm

有關資料
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
http://www.hkcert.org/valert/vinfo/w32.sasser.worm.html

Microsoft update patch (中左未中都安裝左佢)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser Removal Tool (用黎check 你部機有無中,要入safe mode 入面先scan)
http://securityresponse.symantec.com/avcenter/FxSasser.exe

若果已經中左, 可以試下以下方法:

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting
Windows text is displayed, choose Safe Mode.
Delete the file AVSERVE2.EXE from your WINDOWS directory (typically
c:\windows or c:\winnt)
Edit the registry
Delete the "avserve2" value from
HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftWindows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Reboot the system into Default Mode

跟住睇下上唔上倒網,快手去update左個microsoft patch 同用symantec Removal Tool scan 一次.

Scott Y
中校級會員

Hong Kong

Posts 1626

Posted - 03.05.2004 : 17:59:30

好猛呀，今日已經幫兩個朋友醫病喇。

不過呢個病毒有度好(!?)，佢會幫你洗左MSBLAST呢個病毒。

Scott Y
中校級會員

Hong Kong

Posts 1626

Posted - 04.05.2004 : 10:24:56

發現symantec(即係亞sir上面post果個)提供o既"人手解毒"方法未必得。因為佢好似會自動修復架。

所以未update就快手喇，唔係都幾麻煩。

arsir
上校級會員

Hong Kong

Posts 3303

Posted - 04.05.2004 : 10:52:11

[updated:LAST EDITED ON May-04-04 AT 10:55 AM (GMT)]尋晚幫jc 攪左,ok哂喎~

不過要留意,其實重有另外一個問題, 就係果d antivirus 既網頁俾人block 哂.

睇下面有解決方法.

1. 先拔掉網路線

2. 啟動電腦

3. 進入c:\windows\system32\drivers\etc\host

4. 雙點'hosts'

5. 以notepad開啟'hosts'

6. 除了'127.0.0.1 localhost'外, 刪掉其餘地址
(這些地址就是被封鎖的如沒有localhost一項那就在全刪後自己加上)

7. 離開並儲存修改

8. 再到c:\windows\system32
9. 找出名為wmiprvsw.exe or msiwin84.exe or hkey.exe or win32.exe or windrv32.exe
將之delete

(我沒有找到不過在我做完其他步驟後重新掃毒就沒有找到病毒了)

10. 到c:
11. 有可能出現約70個exe檔,
(假如你在1/5/2003感染病毒, 該70多個exe檔的建立日期就是1/5/2003),
事實上, 那70多個不尋常的執行檔很易被認出.

12. delete那70多個exe檔

13. (開始/執行，輸)入regedit

14. (進入登錄編輯程式)
進hkey_local_machine\software\microsoft\windows\currentversion\run,
delete 出現 wmiprvsw.exe or msiwin84.exe or hkey.exe or win32.exe or windrv32.exe的指令

15. 進
hkey_local_machine\software\microsoft\windows\currentversion\runservices,
delete 出現 wmiprvsw.exe or msiwin84.exe or hkey.exe or win32.exe or windrv32.exe

16. 離開並儲存regedit

17. 最後重新開機 and 接上網路線

Handy
中校級會員

Posts 1310

Posted - 06.05.2004 : 03:42:33

Really Thank you very much Arsir !!

My desktop at home infected this virus too ..it blocks me from Smantec liveupdate ...I was so confused until today I saw your post !!

I followed the steps and it does worked !!

Thanks very much again !

FairMan
初青會員

Posts 402

Posted - 06.05.2004 : 09:21:53

How about if I am not able to install Windows XP Service Pack 1? I did try many times to install that but the installation just terminated at some point.

lovermjj
初青會員

Hong Kong

Posts 153

Posted - 07.05.2004 : 00:09:13

我用W32.Sasser Removal Tool check部腦
佢check完之後話中左, 同埋已經幫我remove左
咁係咪真係剷走左架?

New Topic

Reply to Topic

Printer Friendly