November 25, 2009 | Digital Travails, Windows

As I mentioned in a post a few days ago, I was hit pretty badly with a virus infection on my Windows XP installation. One of the symptoms was Windows shutting down almost immediately after logging in. Once I recognized the problem as virus-caused, I set out to root it out. Here’s a log of my travails.

Trying to prevent Windows from shutting down immediately

One of the methods that’s worked for other people trying to avoid the shutdown caused by Sasser is to quickly type shutdown -a in a command window:

shutdown -a

The -a means abort.

But I never had enough time to open a command prompt to enter the command. Part of the reason for that might be the inordinate amount of time that my installation of Windows (which is the original manufacturer’s installation) takes to fully load, including all autorun programs and services.

So I went back to the Linux Live USB and, from there, added a Windows batch file to the infected disk with the command already typed out, followed by the programs which would fix Sasser:

shutdown -a
c:\sassgui.com
c:\sasssfx.exe

So all I had to do was open up an Explorer window and type a.cmd in the location bar. (I kept the name intentionally short, “a.cmd” being easier to type than “stop-shutdown-fix-sasser.cmd”.)

The shutdown sequence was just too fast, though. So I had to find another way besides logging into the existing Windows installation.

Extracting Windows system files

That meant booting from Linux.

Complicating the situation was the fact that the computer with my CD/DVD burner was the infected one. Unfortunately, I didn’t have a Linux CD available, so plan B was booting off a USB flash device, of which I luckily had one with Linux installed (Ubuntu 8.10 Hardy Heron). This version of Ubuntu includes read/write drivers for the NTFS filesystem, which means that I can modify files on the Windows installation while in Linux.

My first line of attack was to replace the files (svchost.exe, rundll.exe, etc.) which are said to be affected by Sasser. I had a copy of the Windows XP installation files on the infected computer’s hard disk, so I wanted to copy those over to the Windows system directory (after making backups of the current system files).

It’s not quite that simple, though. The files on a Windows install disk (or directory) are saved in the so-called Microsoft cabinet format. Microsoft provides utilities for de-compressing such files, but, of course, they only run on Windows.

Thoughtfully, someone has created a program called cabextract to do just that on Linux systems. cabextract version 1.2-3 is included in the Ubuntu 9.10 (Karmic Koala) Universe repository.

After extracting the files, I saved them to the Windows directory and rebooted. It didn’t work, though: the Sasser infection was quite deep, and replacing a few files wasn’t enough.

Ultimate Boot CD

Next try: the Ultimate Boot CD, a huge collection of various and sundry programs for doing surgery on your computer. I burned a copy of the Ultimate Boot CD, but while it has a few anti-virus options, some are woefully outdated, and others simply didn’t run. Basically, the Ultimate Boot CD is geared toward fixing or diagnosing the many different problems that can’t be handled while booted into the main operating system: repartitioning, fixing the MBR, fixing the registry, resetting passwords, etc.

Ultimate BootCD: Initial Menu

As such it has a complicated interface and a long list of programs and options on startup. But it’s not very good or easy to use for virus removal. Download the Ultimate Boot CD here.

Kaspersky AntiVirus Rescue CD

Next, I tried the Kaspersky AntiVirus Rescue CD 2008 (kav_rescue_2008.iso). This is a lot easier to run than the Ultimate Boot CD. Kaspersky just loads automatically and you’re presented with a graphical Linux environment in which to run a scan. Kaspersky also provides a command shell in case you want to move files around or ssh into a remote computer. And there’s a file manager.

Kaspersky Rescue CD: Scanner, File Manager, and Shell

I started the scan, and let it run overnight, but it was still nowhere near finished the next morning. Kaspersky is too slow. It tells you how many files it’s processed, and the time it’s taken so far. Based on that, it was taking about a second per file, which would basically mean it would never finish.

So I cancelled out in favor of another option.

BitDefender Rescue CD 2009

After that, I tried Bit Defender Rescue CD 2009 (BitDefenderRescueCD_v2.0.0_3_08_2009.iso). This, like Kaspersky, also provides a graphical Linux environment and a command shell. But it also provides a lot more. You get Firefox, mail programs, network scanners, backup and partition imaging, text editors, a rootkit checker, even a picture viewer. So, if this is your only computer, at least you can surf the web and check e-mail while BitDefender works.

BitDefender Rescue CD: Initial Screen

Unlike Kaspersky, BitDefender works on many tens of files per second, which one would expect of a C-based program. I don’t know what was wrong with Kaspersky. Anyway, it finished scanning in less than a day. Instead of just deleting all infected files, I manually specified which ones to delete and which ones to leave alone.

Rebooting to Windows

After the BitDefender cleaning, I was at least able to boot to Windows. Since I had lost the Task Manager and Command Shell, I decompressed the following files from the Windows installation files to the Windows directory:

  • taskmgr.exe (the Task Manager)
  • taskmgrw.chm (help file for Task Manager)
  • cmd.exe (Command Shell)
  • command.com (old Command Shell)
  • msconfig.exe
  • msiexec.exe (installer runner)
  • appwiz.cpl (Add/Remove Applications Control Panel Wizard)
  • regedit.exe (Registry Editor)
  • rundll32.exe (DLL function executor)
  • taskkill.exe
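
The procedure used twice in this post (back up the live system file, then drop in the pristine copy extracted from the Windows install files with cabextract) as a script, added here as an example and not code from the original post. The mount points are assumptions; install_file_name() implements the standard MakeCab naming rule, in which the last character of the extension is replaced by an underscore (svchost.exe becomes SVCHOST.EX_, the upper-case form used in the I386 directory). Only the extraction step needs cabextract installed.

```python
"""Back up and replace Windows system files from a Linux rescue environment.

Added example (not from the original post). Mount points below are assumptions;
the cabinet inside each .EX_/.DL_/.CP_ file carries the real file name, which
is what cabextract writes out.
"""
from __future__ import annotations

import shutil
import subprocess
import time
from pathlib import Path

WINDIR = Path("/mnt/windows/WINDOWS")  # assumed: XP volume mounted read/write via ntfs-3g
I386 = Path("/mnt/windows/I386")       # assumed: copy of the XP install files
BACKUP_ROOT = Path("/mnt/windows/backup-before-repair")


def install_file_name(name: str) -> str:
    """Map a system file name to its compressed install-file name (svchost.exe -> SVCHOST.EX_)."""
    stem, _, ext = name.rpartition(".")
    if not stem or len(ext) < 2:
        raise ValueError(f"expected name.ext, got {name!r}")
    return f"{stem}.{ext[:-1]}_".upper()


def backup_file(target: Path, backup_root: Path, stamp: str | None = None) -> Path:
    """Copy target into a timestamped backup tree, preserving metadata; return the copy's path."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = backup_root / stamp / target.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(target, dest)
    return dest


def extract_install_file(cab: Path, outdir: Path) -> None:
    """Extract one compressed install file into outdir (cabextract -q: quiet, -d: target directory)."""
    if shutil.which("cabextract") is None:
        raise RuntimeError("cabextract is not installed (Ubuntu: apt-get install cabextract)")
    if not cab.is_file():
        raise FileNotFoundError(cab)
    subprocess.run(["cabextract", "-q", "-d", str(outdir), str(cab)], check=True)


def replace_system_files(names: list[str], windir: Path = WINDIR, i386: Path = I386,
                         backup_root: Path = BACKUP_ROOT) -> dict[str, Path | None]:
    """Back up each live file (if present), then put the pristine copy in its place.

    Returns file name -> backup path, or None when no live file existed to back up.
    """
    system32 = windir / "system32"
    backups: dict[str, Path | None] = {}
    for name in names:
        target = system32 / name
        backups[name] = backup_file(target, backup_root) if target.is_file() else None
        extract_install_file(i386 / install_file_name(name), system32)
    return backups


if __name__ == "__main__":
    # Files from the post's list that live in system32.
    for name, backup in replace_system_files(
            ["taskmgr.exe", "cmd.exe", "rundll32.exe", "taskkill.exe"]).items():
        print(f"{name}: backup at {backup}")
```

Keeping the backups on the same NTFS volume, as the post did, means they travel with the disk if the machine is later reimaged; the timestamped directory lets a second repair attempt run without overwriting the first set of originals.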

I still wasn’t quite confident that all remnants of all viruses had been removed. In fact, I still couldn’t reach microsoft.com, which indicated that a virus was still present.
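A quick triage check for the symptom just described (microsoft.com unreachable while the rest of the web works), added here as an example and not part of the original post. It resolves the names of the vendors that appear in this post alongside a control name and turns the pattern into a verdict; which names a given infection blocks is not something the post establishes, so the verdict is a lead to investigate (hosts file, DNS settings, a memory-resident process), not proof of infection.

```python
"""Reachability triage: do security-vendor names fail while a control name resolves?

Added example, not from the original post. The vendor list is taken from the
vendors the post mentions; example.com is the reserved example domain, used as
the control. evaluate_results() is pure and works on any name -> bool map.
"""
from __future__ import annotations

import socket

VENDOR_HOSTS = ("microsoft.com", "kaspersky.com", "bitdefender.com", "mcafee.com")
CONTROL_HOSTS = ("example.com",)


def resolves(host: str, timeout: float = 3.0) -> bool:
    """True if the name resolves within the timeout."""
    socket.setdefaulttimeout(timeout)
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def probe() -> dict[str, bool]:
    """Resolve every vendor and control name; the result feeds evaluate_results()."""
    return {h: resolves(h) for h in VENDOR_HOSTS + CONTROL_HOSTS}


def evaluate_results(results: dict[str, bool]) -> str:
    """Classify a name -> resolved map. A missing entry counts as a failure."""
    if not all(results.get(h, False) for h in CONTROL_HOSTS):
        return "network down"  # nothing resolves, so vendor failures prove nothing
    blocked = [h for h in VENDOR_HOSTS if not results.get(h, False)]
    if not blocked:
        return "clean"
    if len(blocked) == len(VENDOR_HOSTS):
        return "suspicious: all vendor names blocked"
    return "partial: " + ", ".join(blocked)


if __name__ == "__main__":
    results = probe()
    for host, ok in results.items():
        print(f"{host:20} {'ok' if ok else 'FAILED'}")
    print(evaluate_results(results))
```

The control name is what makes the result meaningful: with no network at all, every lookup fails and the check says so instead of reporting a false positive.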

McAfee Stinger

I downloaded a free tool that McAfee provides called Stinger. It doesn’t do constant scanning of files as they are downloaded, but it can scan existing files on a hard disk.

It found a Conficker file which it deleted:

C:\WINDOWS\system32\vkaxt.dll
Found the W32/Conficker.worm.gen.a virus !!!
C:\WINDOWS\system32\vkaxt.dll has been deleted.

But it also found a bad svchost.exe, which it couldn’t delete:

C:\WINDOWS\System32\svchost.exe
Found the W32/Conficker!mem trojan !!!
C:\WINDOWS\System32\svchost.exe could not be repaired.
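A small parser for report lines in the shape quoted above, added here as an example and not code from the original post or from McAfee. It groups each path, "Found the ..." and outcome line into one record and lists the hits that still need follow-up, which is exactly the svchost.exe case that drove the rest of this post. The line format is modelled only on the six lines shown here, so real Stinger output may differ; the sample report combines the post's two hits with one constructed, successfully repaired hit.

```python
"""Triage a McAfee Stinger-style text report.

Added example, not from the original post or from McAfee. Line format modelled
on the three-line pattern quoted in the post (path, "Found the ... !!!", outcome).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FOUND_RE = re.compile(r"^Found the (?P<name>\S+) (?P<kind>\w+) !!!$")
OUTCOME_RE = re.compile(
    r"^(?P<path>\S.*?) (?P<outcome>has been deleted|has been repaired|"
    r"could not be repaired|could not be deleted)\.$"
)


@dataclass
class Detection:
    path: str
    name: str
    kind: str
    outcome: str = "no action reported"

    @property
    def in_memory(self) -> bool:
        # Assumption: McAfee's "!mem" suffix marks a detection made in process memory,
        # which fits the post's packed-on-disk, unpacked-at-runtime description.
        return "!mem" in self.name

    @property
    def unresolved(self) -> bool:
        return self.outcome not in ("has been deleted", "has been repaired")


def parse_report(text: str) -> list[Detection]:
    """Group path / Found / outcome lines into Detection records."""
    detections: list[Detection] = []
    pending_path = "<unknown path>"
    current: Detection | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FOUND_RE.match(line):
            current = Detection(pending_path, m["name"], m["kind"])
            detections.append(current)
            continue
        m = OUTCOME_RE.match(line)
        if m and current is not None and m["path"].casefold() == current.path.casefold():
            current.outcome = m["outcome"]
            current = None
            continue
        pending_path = line  # a bare path line precedes each "Found the ..." line
    return detections


def unresolved(detections: list[Detection]) -> list[Detection]:
    """Hits that still need follow-up (repair or replacement of the file)."""
    return [d for d in detections if d.unresolved]


# Constructed sample: the post's two hits plus one made-up, repaired hit.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\vkaxt.dll
Found the W32/Conficker.worm.gen.a virus !!!
C:\WINDOWS\system32\vkaxt.dll has been deleted.
C:\WINDOWS\System32\svchost.exe
Found the W32/Conficker!mem trojan !!!
C:\WINDOWS\System32\svchost.exe could not be repaired.
C:\Documents and Settings\user\example.exe
Found the W32/Example.constructed virus !!!
C:\Documents and Settings\user\example.exe has been repaired.
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for d in hits:
        flag = " (in-memory detection)" if d.in_memory else ""
        print(f"{d.name}: {d.path} -> {d.outcome}{flag}")
    print(f"{len(unresolved(hits))} of {len(hits)} hit(s) need follow-up")
```

An unresolved hit on a core system binary is the cue to replace the file from known-good media rather than re-run the scanner, which is what the Service Pack reinstall in the next section amounts to.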

Windows XP Service Pack 2

So I re-installed Windows XP Service Pack 2. I also applied a Hot Fix (WindowsXP-KB958644-x86-ENU.exe) which is meant to prevent vulnerabilities leading to Conficker contamination. After a reboot, I could finally access microsoft.com. I thought I was OK, but after a while, I lost microsoft.com access again!

Conciller.exe

After some more research, I discovered that Conficker actually patches into system files in such a way as to re-emerge later even after a Service Pack install.

The files are packed and encrypted on the hard disk, and are only unpacked while running. The Communication Systems work group at the Institute of Computer Science at the University of Bonn has created a scanner called conciller.exe which scans every running process for Conficker and removes it without disturbing the original process. Direct download here.

When I ran it, I actually got a few hits, which means Conficker was still active. Only after disinfecting memory with conciller.exe, and then re-installing the Service Pack and the Hot Fix, was I finally able to rid the computer of the Conficker mess.

Postscript

While I was finally able to clean the computer, it cost many days of lost productivity and frustration. I decided I’d had enough of Windows, and didn’t particularly care to get on the buggy and non-compatible bandwagon called Windows Vista. So I resolved to start researching the suitability of Ubuntu as a replacement for my main operating environment. I’ll post updates on that in other blog posts.




24 Responses to “Removing Conficker and Sasser Viruses from Windows XP with Kaspersky and BitDefender”

  1. [...] Regarding #1, that, of course, is the reason I moved to Ubuntu (after cleaning a virus infection on Windows). [...]

  2. DavedKosibski says:

    Great site Very Informative. Thank you.

  3. Digitivity says:

    Thanks for visiting. Be sure to subscribe to the Digitivity RSS Feed for more articles like this.

  4. Rosenda Andzulis says:

    Thanks for this cool post. Anyway, I found your blog on Google and find it very useful. I’ll be sure to come back again for more!

  5. Digitivity says:

    @Rosenda

    Thanks. I wrote the post so that people who are struggling with Conficker and Sasser on Windows could have a chance of removing those viruses. I don’t think it’s possible to fully remove them without Conciller.exe.

    Be sure to subscribe to the Digitivity RSS feed.

  6. Great posting, I share the same views. I wonder why this amazing entire world genuinely does not believe just like us and also the internet page owner :-)

  7. Tyrell Corey says:

    Great post. I hope far more folks had straightforward and focused posts such as the ones you have. Cheers :)

  8. There is nothing that can be as stressful as the Trojan virus today to a computer end user. There are many tried and tested tools on how to remove a Trojan virus in the market today. With these tools how to remove a Trojan virus from your computer’ operating system is a do it yourself thing that calls for no particular expertise. Trojans are so painful and they can be very annoying. My guide can help you out.

  9. It’s really a nice and helpful piece of info. I am satisfied that you just shared this useful information with us. Please keep us up to date like this. Thank you for sharing.

  10. We’re a group of volunteers and opening a brand new scheme in our community. Your site offered us with valuable info to work on. You’ve done an impressive task and our whole neighborhood will likely be grateful to you.

  11. Skat says:

    fabuleusa entos mi artos te estara napodet istro. deira te ligunoibo ncespel nos esquerd o furga dotav cunco bien.

  12. I am not sure where you’re getting your info, but good topic. I need to spend some time learning more or understanding more. Thanks for the magnificent information; I was looking for this info for my mission.

  13. Hello.This post was really interesting, especially because I was browsing for thoughts on this matter last week.

  14. You completed a number of nice points there. I did a search on the topic and found the majority of persons will agree with your blog.

  15. Patria Luzzi says:

    I obviously like your website but you have to test the spelling on several of your posts. Many of them are rife with spelling issues and I find it very troublesome, to tell the truth; nevertheless I will certainly come again.

  16. I just could not depart your web site prior to suggesting that I really enjoyed the usual info a person supplies to your guests. I’m going to be back regularly to inspect new posts.

  17. Electronic says:

    Thanks for those words; I send my comment in my own tongue. So we will say that repairing and troubleshooting PC computers represents a fine, indisputable advantage; all desktop-PC technicians who are passionate about microcomputers will be able to obtain repairs for technical problems relating to Windows XP, to apps and to the router, as well as for the web and WiFi printers, the webcam, the USB key and most electronic hardware.

  18. Hmm it looks like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I submitted and say, I’m thoroughly enjoying your blog. I as well am an aspiring blog writer but I’m still new to the whole thing. Do you have any tips for beginner blog writers? I’d definitely appreciate it.

  19. Hello, I think that I saw you visited my web site so I got here to return the favor. I’m attempting to find things to enhance my web site! I suppose it’s adequate to use some of your ideas!!

  20. Referencement site-web provides natural search-engine optimization for your website, optimization of your web pages thanks to the SEO consultant, and management of your group on Twitter, Facebook and Scoop-it. To promote your business and your website we offer a range of advantageous packages.

  21. Galina says:

    Very neat blog post. Really thanks! Maintain composing.

  22. It’s like you read my thoughts! You seem to understand so much about this, as if you wrote the e-book on it or something. I think that you just could do with some pictures to drive the message home a bit, but other than that, this is a great blog. An excellent read. I’ll certainly be back.

  23. Simon says:

    I believe this does contribute to preventing Windows from shutting down immediately.
