sasser issue
Pc Fixed Right
06-04-2009, 05:55 PM
I have a machine with Sasser on it. I have the removal tool but that requires me to be logged into the computer to run the file. I am unable to log into the computer because this Sasser/variant shows up immediately as the login screen appears and I am not able to log in in time in normal or safe mode. I have scanned the drive via slaving it but the scanners came up with nada. Anyone have a DOS-based tool that is missing from my toolbox?
14049752
06-04-2009, 06:01 PM
How do you know it's sasser if the scans came up with nothing?
Pc Fixed Right
06-04-2009, 06:23 PM
lsass.exe error upon bootup. Error code 1073741819, NT Authority\system, then the time counts down from 60 seconds to zero and reboots the machine.
I am running the Sasser tool using UBCD; hopefully it finds something, or I am misdiagnosing it.
Bah, the Sasser tool found nothing...
CentiZen
06-04-2009, 06:49 PM
Can you get as far as looking into msconfig and check the startup items? Also, if it's XP, check the startup folder in the start menu / all programs.
Maybe enable safeboot ?
Sasser bypasses safe mode restrictions, so a safe mode boot will do nothing...
Hmm, you're really in a pickle here. Perhaps load Linux or slave the drive and try to remove key parts of the virus; that might buy you enough time to remove it.
Otherwise, back up all the data and drivers, a reformat might be your only option.
angry_geek
06-04-2009, 06:58 PM
Before you do a nuke, do you have a recent system state backup?
Pc Fixed Right
06-04-2009, 06:59 PM
Boot and nuke is my last option and only reserved for some ridiculous thing that I can't fix or find a fix for, or when I have exhausted every option.
Googled the heck out of the error code and everyone thinks it's Sasser, but the Sasser tool says there is no Sasser found. Back to square one.
seedubya
06-04-2009, 08:09 PM
I haven't seen this Sasser variant, but all the other ones could be prevented from shutting down the system by running the command "shutdown -h". Perhaps when you log on, while it's counting down, you can run this command from Task Manager (if it'll come up, that is).
If that doesn't work, boot to a PE disk of some kind, load the registry and run Autoruns against it, disabling the relevant entries.
PatrickB
06-04-2009, 09:14 PM
Hi Seedubya,
Was that an undocumented switch or a typo? Isn't it: shutdown -a
:)
-- Patrick B.
purple_minion
06-04-2009, 09:56 PM
Hi Seedubya,
Was that an undocumented switch or a typo? Isn't it: shutdown -a
:)
-- Patrick B.
He's obviously a Linux user, as the -h is for a HALT command. If he would have slipped up more and typed "shutdown -h now" I would have lost it while I rolled around on the floor!
seedubya
06-04-2009, 11:35 PM
@PatrickB
You are entirely correct, of course. Grey matter is not what it once was.
....drops walking stick, bends over to pick up, glasses fall off, now can't stand up ;(
Pc Fixed Right
06-05-2009, 10:54 PM
Solved after some research.
The problem 104xxxx mentioned was in fact not Sasser... it turned out to be an MS issue. The client had XP Pro SP2 on the machine and he never did the updates, so this KB835732 patch was never installed to prevent the issue from happening in the first place. I simply took his XP Pro SP2 install disc, slipstreamed SP3 into it and did a repair install, which installed the needed patch, and the problem is solved.
Thanks again, guys.
My first XP machine had this same bug. I used to love reinstalling the OS to deal with this.