
May 5th, 2004 03:00

Problems after (I think) substantially clearing Sasser

I am certain that I had one of the Sasser variations because I had the spontaneous count-down shut-down and reboot problem.  Also, I manually went in and found avserve2.exe and several windows/system32/#s_up.exe and deleted them.  That stopped my shut-down/reboot problem.  However, I have something reloading every time I reboot located at C:\Windows\System32\Drivers\etc\hosts.  If I try to access Symantec or McAfee webpages directly or by linking to them otherwise, I cannot do so.  But if I then go in and delete the aforementioned HOSTS, I am able to access those webpages.  However, this recurs every time after I shut down and then log back in, and requires deleting each time.

I have now installed the Microsoft updates.  Also, I have run the downloads for getting rid of Sasser put out by Microsoft, Symantec, and McAfee (Stinger), and they all say I'm clear.  But this remnant of a problem still exists.  Also, I showed clear on a DOS scan.  I have read a lot about Sasser over the past 76 hours, but I have not come across any mention of my problem.

I will greatly appreciate your guidance!

360 Posts

May 5th, 2004 08:00

Did you disable System Restore prior to removal? If not, do so, and then run the removal tool again.

May 5th, 2004 13:00

breaker, I am having precisely the same problem as you describe.  It involves a neighbor's computer.  I've run the Sasser fixes, but cannot access the McAfee and Symantec web sites.  Please advise if the stated solution works for you.  Thanks, Stuart

3.9K Posts

May 5th, 2004 13:00

If the AV fixes are not working, please post a HijackThis log following the instructions below. We can help remove it manually. BUT please only the original poster in this thread; any others, please start new messages with this link
http://forums.us.dell.com/supportforums/board/post?board.id=si_virus
==========================
How to post a HijackThis log for the experts to advise on.
Get HijackThis from here
or one of these other links:
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary. Then run it, scan, save the log, then open the log in Notepad and copy the FULL log by copy and paste as a reply to this post, and an expert with HijackThis knowledge will have a go at giving advice. Please note the list of experts' names below; very few forum regulars here have had this training.

DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE; most of what it finds you need for normal MS Windows tasks.

Known spyware/HijackThis fighters in DellTalk. If you are one and are not on the list, please PM me.

TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
tashi (Helper at Spywareinfo, in training at TomCoyotes)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)
Texruss (In Training at TomCoyotes and Spywareinfo)
PGPhantom (In Training at Spywareinfo)

You could also go to one of the more specialist forums where more experts will be able to help.
http://tomcoyote.com/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
Do read the site's FAQ before posting, and describe your problem and what steps you have already taken to try to cure it.

I, and the other HijackThis experts mentioned above, are on all those sites (and more) with the same login names. You might get one of us at those sites to answer your log as well, but other experts will also be available.

3.9K Posts

May 5th, 2004 15:00

Deleting the hosts file is something that we often advise if it is badly infected, and it will do no harm if the file is not being used as a redirection for legitimate domains; that is mostly the case on work systems in internal intranets.
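Before deleting the hosts file outright, it is worth seeing exactly which entries are doing the blocking, since a legitimate redirect for an internal name can then be preserved. The following is an added example, not code from the thread or from any vendor tool: a small Python checker that parses a Windows-format hosts file and flags every entry that pins an antivirus vendor or update domain to an address, the trick the thread attributes to a QHosts-style hijack. The watchlist of vendor domains, the default file path and the sample hosts lines are assumptions constructed for the example; the sample uses documentation-range addresses rather than real sites.

```python
"""Flag hosts-file entries that redirect antivirus/update domains.

Added example (not from the thread). A hosts hijack of the kind
discussed above maps vendor hostnames to 127.0.0.1 or to an attacker
address so that updates and removal tools cannot reach the vendor.
This script parses a hosts file and reports those entries, leaving
the legitimate "localhost" line and any unrelated intranet redirects
alone.
"""
import ipaddress
from pathlib import Path

# Assumed watchlist: domains an AV-disabling hijack typically targets.
# Only symantec.com and mcafee.com come from the thread itself.
WATCHLIST = (
    "symantec.com",
    "mcafee.com",
    "nai.com",
    "windowsupdate.com",
    "liveupdate.symantecliveupdate.com",
)

# Entries that legitimately belong in hosts and must never be flagged.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample imitating a hijacked file; 192.0.2.0/24 is the
# documentation range, so these addresses point at nothing real.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed hijack lines follow; the address is what the attacker
# wants the vendor names to resolve to
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
192.0.2.10 liveupdate.symantecliveupdate.com
192.0.2.10 download.mcafee.com
10.0.0.5   intranet.example   # legitimate internal redirect, not flagged
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (#) and blank lines are skipped, one address may carry
    several names, and lines that do not start with a valid IP address
    are ignored, which is how the system resolver treats them too.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def on_watchlist(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text):
    """Return (line_no, ip, hostname) for every watched name that is pinned.

    Any address at all counts: pinning a vendor name to 127.0.0.1 blocks
    the vendor just as effectively as pointing it at an attacker host.
    """
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in BENIGN:
            continue
        if on_watchlist(name):
            hits.append((line_no, ip, name))
    return hits


def scan_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Scan a real hosts file (default path is the usual XP location)."""
    return find_hijacks(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for line_no, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Run against the constructed sample it reports the four vendor entries and nothing else; to check a live machine call `scan_file()` (or pass another path). Because the thread reports the file being rewritten on every reboot, a clean result immediately after deletion says nothing about persistence: rerun the check after a restart.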

15 Posts

May 5th, 2004 15:00

I disabled System Restore before doing the fixes and did so again upon Jake's suggestion.  This time I ran Stinger before deleting the HOSTS; Stinger caught the problem, called it a QHOSTS Trojan, and purported to have fixed it.  However, the problem still recurs upon reboot.  It now appears to me that Stuart and I have a separate problem for which Symantec has a removal tool.  Again, I am able to access the Symantec and McAfee webpages after manually deleting C:\Windows\System32\Drivers\Etc\Hosts.  I have done this several times with no noticeable side-effects.  However, CAUTION:  I am a mere struggler learning from the school of hard knocks as I proceed.  You may want to check with a real expert before you try the same to see if it's advisable or if there are potential harmful side-effects.

If you are able to access Symantec, find the removal tool at http://securityresonse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

I am going to try this when I get home this afternoon.  If Stuart has an opportunity to try it sooner, please let me know how it goes.  Jake's suggestion did not fix me, but I credit him with ultimately getting me on the right track.  Many thanks!  Also, if this doesn't work, I will try Chris' suggestion.  This has been my first experience with both viruses and forums.  Thanks all for your patience and assistance!  The forum is a wonderful concept!

157 Posts

May 5th, 2004 18:00

breaker35-

I know I am not supposed to answer in the same message string, but I have the same problem on one of my computers.  Ran the updates early on after MS posted them, and KB835732 would never install.  I got hit first thing April 30th at 9:16 AM with Sasser.

I noticed it when I booted into Windows and my Norton Antivirus Auto-Protect was GONE from sys tray.  In NAV, my email status was showing Error and could not be changed.

Every reboot undid my Auto-Protect in Norton.  Monday, I was able to get the KB835732 installed and also ran the Microsoft tool to get rid of Sasser.

I still show avserve2.exe in my msconfig files, but it stays unchecked.  I am unable to update my virus definitions and cannot access Symantec's site.

I have the same file, C:\Windows\System32\Drivers\etc\hosts, on my system.  It is only a 2 KB file.  I have not deleted it as yet.  Kind of waiting to hear of your outcome.  (My file says date modified 4/30/2004 9:16 AM.  Guess that is when Sasser took control of MY system.)

I have since uninstalled NAV and installed a brand new copy of NAV PRO 2004.  Same thing happens.  Although, NOW my virus definitions only go as far as 8/2003 (right out of the box), since I cannot do the live update.

So, I will be anxiously waiting to hear how you fare on this, and hope that you post your success and what to do.

Edit:  I am not accessing the internet on that same computer since Sasser took it over and I have no updated virus definitions.  I am typing here on an old WIN98 computer, but at least it is free of Sasser!

Sorry, I had to edit this again- where I posted "My file says date modified..." s/b 4/30 instead of 4/20, as I originally typed incorrectly

Message Edited by Wrenda on 05-05-2004 02:40 PM

Message Edited by Wrenda on 05-05-2004 02:42 PM

Message Edited by Wrenda on 05-05-2004 11:15 PM

15 Posts

May 6th, 2004 02:00

I tried Symantec's QHOSTS Trojan removal tool and it does not even recognize that I have a problem.  I plan to try Chris' HijackThis suggestion as soon as I get anti-virus protection reinstalled.  I uninstalled Norton earlier because an error message kept recurring upon rebooting regarding Symantec.  Now I am considering whether to keep the same AV product.  As for Wrenda's concern about live updates, I was able to get live updates after removing Sasser and deleting the HOSTS.  But I have not found a Symantec scan that recognizes my problem, including the full system scan with my AV program.

At \Drivers\etc, in addition to HOSTS, I also find these four other things:  LMHOSTS, PROTOCOL, NETWORKS, and SERVICES.  Is this significant?  Could I delete some or all of these without bringing even greater chaos into my life?  I saw at www.trendmicro.com that this SERVICES file may also be associated with the QHOSTS Trojan problem.  That's what the Stinger Sasser removal tool says I have, but who knows.  I definitely started out with Sasser symptoms and files associated with Sasser.  But I essentially had to manually rid myself of the problem before downloading the fixes.

Just a thought, but is it possible that I got rid of enough of Sasser that the removal tools no longer recognize it, but I'm left with remnants of the problem?

I appreciate everyone's participation in helping me sort through this.

Edit:  The Sasser Worm is what started the Symantec error message.  I did not uninstall until after I had acquired Sasser and thought that I had pretty much cleared it.

Message Edited by breaker35 on 05-05-2004 11:01 PM

May 6th, 2004 12:00

breaker, sorry to hear that this did not fix it, although I have to admit it didn't sound likely that it would.  I am not a Windows guru, but I doubt those other files you mention have any bearing on the problem. 

This would seem a particularly unique category of problem for McAfee and Norton, as it appears to be a virus specifically designed to disable their virus protection programs.  I find I am unable to communicate with either of these companies about this without paying them for the privilege. 

526 Posts

May 7th, 2004 15:00

Run Stinger, which would detect both QHosts and Sasser if they are present:

http://vil.nai.com/vil/stinger/

Also try another antivirus, like

NOD32 Antivirus System, which has been the only product in the world that has not missed a single "In the Wild" virus in the rigorous testing conducted by the antivirus industry 'bible', the Virus Bulletin ( www.virusbulletin.com )
http://www.nod32.com/download/trial.htm

or

Vexira

http://www.centralcommand.com/downloads.html

 
