double reboot, now i can't get antivirus update

Old 05-03-04, 11:19 PM Thread Starter   #1
zip22
Member
Join Date: Nov 2003

a very strange thing happened to me this evening. i was sitting watching tv, and my roommate's computer rebooted. i thought it was strange, but funny nonetheless.

then after about 5 min it did it again....

i thought a few things:
a) malicious worm
b) crappy computer
c) ghosts

then, about 30 min later, i sit down at my computer to do the usual forum browsing. i'm chillin, kinda working on some homework, and BAM! i get rebooted.

this caught me off guard. my temps are fine, i have a corporate symantec antivirus with the latest file from 4/30, i have windows sp2 with the latest updates and firewall running, i have adaware and spyware and run them regularly, i keep tabs on every running process. i told myself it's alright, but then it happened again!!!! after a few minutes back up it did it again!

now i'm confused, afraid, and kinda glad i have something to mess with instead of my homework.

so now that i'm back, i haven't restarted, everything seems to be running correctly, i checked the XP setting to not restart if there is an error, and i tried to update my symantec virus definitions, but i can't. i searched the forums for any recent worms, but only found old ones. my roommate's setup is way different from mine. he doesn't have sp2, and probably doesn't keep his computer so tidy.

my suspicions now are:
-i am on a university network, can someone maliciously go onto the network, and randomly reboot people's computers? is there any way through a lan to get my computer to restart?
-could this be a warning sign from the university that i suck up too much bandwidth
-could this be a power surge of some sort? none of the lights (which are plugged into the same surge protectors) flickered or anything.


i'm just really confused as to why something like this would happen. thanks for any help

Old 05-03-04, 11:44 PM Thread Starter   #2
zip22
Member
Join Date: Nov 2003

IT RESTARTED AGAIN!!!!!!!

i saw the thing on the Sasser worm, and ran the sasser scan from symantec website, but it found nothing. anyone? ? ?

the thing that scares me the most, is that i can't do the live update, that has to be something bad. it sounded something like a variation of the sasser worm, but is it possible that there are newer versions that wouldn't be detected by the symantec tool?

Old 05-04-04, 01:05 AM Thread Starter   #3
zip22
Member
Join Date: Nov 2003

alright, it must be a worm of some sort, all of my friends are having the same problem. some of them are getting the popup that says something about an error and then restarts in a minute. i still can't live update. would it be good to use a linux boot cd for a while? can the worm do anything to my files (namely my music collection)? also any info on this worm would be nice. it doesn't seem to be the sasser one, the symantec tool doesn't catch anything, could it be a variant?

Old 05-04-04, 01:16 AM   #4
Kendan
Senior Punk
Join Date: Aug 2001
Location: Dark side of hell

Run an online scanner like the one at www.sarc.com and turn on a firewall

__________________
Hello:sn:

Old 05-04-04, 01:31 AM Thread Starter   #5
zip22
Member
Join Date: Nov 2003

Quote:
Originally posted by zip22
i have a corporate symantec antivirus with the latest file from 4/30, i have windows sp2 with the latest updates and firewall running, i have adaware and spyware and run them regularly, i keep tabs on every running process.
the firewall has never been off
where is the online scanner?

Old 05-04-04, 02:00 AM   #6
CrazyP
Member
Join Date: Nov 2002

I got hit with a virus the other day that edited my hosts file and added all the websites for antivirus updates to it. needless to say, once a website is in your hosts file pointing to the loopback address you can't go to the site unless you delete the entries.

the hosts file is in the windows/system32/drivers/etc folder

now this virus caught me by surprise also because I had installed a clean install of winxp on my friend's computer, but because of problems I had to bring it to my house to fix. as soon as I hooked it up to my network it infected 3 of my computers, I noticed when norton freaked out. that's when I tried to update my virus definitions and it wouldn't work.
go and use the panda antivirus free online scanner, that should get rid of it. btw, I can remember the name of the virus, but the exe that it was running was called nwiz.exe.
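
The hosts-file symptom described in post #6, as an added example that is not part of the thread: a Python check that lists hosts entries sending security-vendor or update domains to a loopback or unspecified address. The domain list, the function names and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: sample list of vendor/update domains to watch; extend it with
# the hosts your own antivirus product contacts for updates.
WATCHED_SUFFIXES = ("symantec.com", "sarc.com", "mcafee.com",
                    "microsoft.com", "windowsupdate.com")

def is_local_sink(addr):
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def suspicious_hosts_entries(text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, address, hostname) for watched names sent to a local sink."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if not is_local_sink(addr):
            continue
        for name in names:
            host = name.lower().rstrip(".")
            # Match the domain itself or any subdomain, not look-alike names.
            if any(host == s or host.endswith("." + s) for s in suffixes):
                hits.append((line_no, addr, host))
    return hits

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com www.sarc.com   # not a default entry
0.0.0.0         download.mcafee.com
10.0.0.5        fileserver
#127.0.0.1      www.symantec.com
127.0.0.1       notsymantec.com.example
"""

if __name__ == "__main__":
    for line_no, addr, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On Windows XP the file to feed it is `hosts` in the windows/system32/drivers/etc folder named in the post.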

Old 05-04-04, 02:00 AM   #7
Kendan
Senior Punk
Join Date: Aug 2001
Location: Dark side of hell

Old 05-04-04, 06:26 AM   #8
jajmon
Member
Join Date: Apr 2002
Location: Burnsville, Minnesota

This sounds like the gaobot virus.

Old 05-04-04, 06:58 AM   #9
Rastion Signe
Member
Join Date: Mar 2004

probably the sasser virus, if a little message pops up with about a 1:00 min countdown, mine said lsass.exe crashed and the system had to be rebooted, something like that. When I was checking out my processes I noticed something new called avserve.exe, this is basically the worm I found out, I found all instances of it and deleted it, unfortunately I didn't disable system restore so I either got it again from myself or off the net. I know how to get rid of it, it's the permanent fix I'm lacking.

Old 05-04-04, 08:53 AM   #10
jajmon
Member
Join Date: Apr 2002
Location: Burnsville, Minnesota

Quote:
Originally posted by Rastion Signe
probably the sasser virus, if a little message pops up with about a 1:00 min countdown, mine said lsass.exe crashed and the system had to be rebooted, something like that. When I was checking out my processes I noticed something new called avserve.exe, this is basically the worm I found out, I found all instances of it and deleted it, unfortunately I didn't disable system restore so I either got it again from myself or off the net. I know how to get rid of it, it's the permanent fix I'm lacking.
You have to do the windows updates that address the vulnerability.
http://www.microsoft.com/technet/sec.../MS04-011.mspx

Old 05-04-04, 09:06 AM Thread Starter   #11
zip22
Member
Join Date: Nov 2003

alright, thanks for the replies. after thinking about it, i realised when i first suspected it, i had turned on the highest security setting in the firewall, thus blocking live update. i fixed that and now i have the latest virus definition from 5/3. the sasser scanner still finds nothing, and i've scanned for a virus twice and found nothing. i ran spybot, it picked up a few things, i didn't look that closely.

do you think i had it? everything seems fine now. i am almost sure my friends have it.

Old 05-04-04, 09:14 AM   #12
MRD
Senior Member
Join Date: Feb 2003
Location: CT

You might want to try:

http://securityresponse.symantec.com...oval.tool.html

Norton gives out these nice little freebie antivirus tools, IF you know which virus you want to remove.

Old 05-04-04, 10:17 AM   #13
Rastion Signe
Member
Join Date: Mar 2004

Try running a search and look for avserve; if you see any instances of it, might as well delete it. I suppose I should go update my version of windows, keep getting reinfected....

Old 05-04-04, 11:44 AM   #14
electromagnetic
Member
Join Date: Nov 2003
Location: Denver, CO

Quote:
Originally posted by zip22
alright, thanks for the replies. after thinking about it, i realised when i first suspected it, i had turned on the highest security setting in the firewall, thus blocking live update. i fixed that and now i have the latest virus definition from 5/3. the sasser scanner still finds nothing, and i've scanned for a virus twice and found nothing. i ran spybot, it picked up a few things, i didn't look that closely.

do you think i had it? everything seems fine now. i am almost sure my friends have it.
These are the instructions to remove it manually, I had it on a work computer after being connected w/o firewall for no more than 15 mins, nasty bug. Reminds me of the MSBlaster worm.

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode).
Delete the file AVSERVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
Edit the registry
Delete the "avserve" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reboot the system into Default Mode

Old 05-04-04, 06:02 PM   #15
diehrd
Senior SMP Gawd
Join Date: Jan 2001
Location: NY

Quote:
Originally posted by electromagnetic


These are the instructions to remove it manually, I had it on a work computer after being connected w/o firewall for no more than 15 mins, nasty bug. Reminds me of the MSBlaster worm.

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode).
Delete the file AVSERVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
Edit the registry
Delete the "avserve" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reboot the system into Default Mode
"Ditto" just be sure to turn off System restore before making those changes....

Old 05-04-04, 07:12 PM   #16
Kendan
Senior Punk
Join Date: Aug 2001
Location: Dark side of hell

There are at the minimum 4 versions of Sasser around right now. The removal tool does not recognize all of them by what I have read. Good luck.

Old 05-04-04, 07:57 PM Thread Starter   #17
zip22
Member
Join Date: Nov 2003

does spybot get rid of worms like sasser? that's the only thing i ran, and it got rid of about 30 things, but i was too aggravated to see what they were. i can't find any remnants of a worm. spybot was the only thing that i ran that caught anything.

Old 05-05-04, 01:20 AM   #18
Kendan
Senior Punk
Join Date: Aug 2001
Location: Dark side of hell

Quote:
Originally posted by zip22
does spybot get rid of worms like sasser? that's the only thing i ran, and it got rid of about 30 things, but i was too aggravated to see what they were. i can't find any remnants of a worm. spybot was the only thing that i ran that caught anything.
Not as far as I know.

Old 05-06-04, 12:25 AM Thread Starter   #19
zip22
Member
Join Date: Nov 2003

on a similar note:
http://www.newscientist.com/news/news.jsp?id=ns99994955

glad i could contribute to the success

Old 05-06-04, 12:58 PM   #20
belorsch
Folding Monk
Join Date: Nov 2001
Location: Maryland

I've seen and heard about this virus with a few users.
Also look for avserve2.exe and skynetave.exe. It seems like the rebooting starts whenever you have a network connection.
You can try McAfee's stinger tool here. It will fit on a floppy so you can dl off another pc if yours won't stay online long enough to dl it.
You may have a new variation though.
We had one person that has looked for the different files and ran scans with the latest dat files and it is still going undetected. Another thing might be to try and close off the ports using your firewall. Good Luck.

MS site link to dl sec patch. If it is sasser the patch should keep your pc from being re-infected.

Edit: Sorry about the disjointed thoughts but it's the way my head works.


Last edited by belorsch; 05-06-04 at 01:22 PM.
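
The registry check from the manual removal steps in post #14, extended with the file names from post #20, as an added example that is not part of the thread: a Python parser for saved `reg query` output of the Run key that flags entries matching the names reported here. The sample output is constructed and the function names are illustrative.

```python
import re

# File names reported in this thread (posts #9, #14 and #20).
THREAD_FILENAMES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
# Run value name from the manual removal steps in post #14.
THREAD_VALUE_NAMES = {"avserve"}

# One value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# First executable base name in the data, with or without quotes or a path.
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)

def parse_run_values(reg_output):
    """Parse `reg query` text into (value_name, data) pairs."""
    values = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("data").strip()))
    return values

def flag_run_values(reg_output):
    """Return (value_name, data, reason) for entries matching the thread's names."""
    findings = []
    for name, data in parse_run_values(reg_output):
        exe = EXE_NAME.search(data)
        base = exe.group(1).lower() if exe else ""
        if base in THREAD_FILENAMES:
            findings.append((name, data, "file name " + base))
        elif name.lower() in THREAD_VALUE_NAMES:
            findings.append((name, data, "value name " + name))
    return findings

# Constructed sample of:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    avserve    REG_SZ    avserve.exe
    NVIDIA Media Center    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    updater    REG_SZ    C:\WINDOWS\avserve2.exe
"""

if __name__ == "__main__":
    for name, data, reason in flag_run_values(SAMPLE_REG_OUTPUT):
        print(f"{name}: {data} ({reason})")
```

A clean result only covers the names listed in this thread; as post #16 notes, there are several versions around.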
