sasser_repair.asp

Quick Links:

Offices | Organizations | Information Technology | Directory | Search

Home : information technology : qucik fix : sasser

« GO BACK

Sasser Worm Repair

The latest computer infection to hit the campus has been identified as a Sasser worm variation.

To repair and remove the worm from your system

How to get rid of Sasser Worm:

If computer keeps shutting itself down:

To STOP the shutdown process in normal mode:

After restarting your PC, go to Start | Run and type cmd
Select OK button
In the cmd window (black window) type shutdown –a
only press the Enter key if the shutdown countdown begins. This command aborts the shutdown process.

If unable to work in normal mode, restart the PC in Safe mode:

Go into safe mode with networking

by restarting the computer and pressing the F8 key repeatedly

This will bring up a black menu with white letters

Select, using the arrow keys, Safe Mode With Networking

Press Enter

Select your operating system (usually only one choice), press Enter

Click yes, when it asks you if you want to run in Safe Mode.

In either mode:

Update your Window Operating System:

Install latest security patch

Open Internet Explorer to this website: http://lakernet.mercyhurst.edu

Click on “Virus Prevention and Removal” image

Depending on your operating system:

Download and install

Windows XP Sasser security patch

WindowsXP-KB835732-x86-ENU.EXE

Windows 2000 Sasser security patch

Windows2000-KB835732-x86-ENU.EXE

Do all windows updates, go to Tools on the top of Internet Explorer

Select Windows Updates (Instructions)

Remove the infected file:

Open Internet Explorer to: http://lakernet.mercyhurst.edu

Click on “Virus Prevention and Removal.”

Download and run one or all of the fix tools:

sassgui by Sophos Anti-Virus

stinger by McAfee

FxSasser by Symantec

Manual Removal option:

In Safe Mode (hitting the F8 key repeatedly when you start your computer - Choose Safemode from menu)

In either the C:\Windows folder or the C:\WINNT folder

Delete the file AVSERVE2.EXE

Edit the registry:

Start | Run and type regedit

Select the OK button

In the regedit window, select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the key “avserve2” by right clicking on it, and selecting delete from the menu.

Keeping Your System Safe

Make sure all of your Windows Updates are current - (Instructions)
Update and run your Virus software regularly

For more information from Sophos on the removal and disinfection of computer worms:

http://www.sophos.com/support/disinfection/worms.html