
LSASS VIRUS

Started by Darrell, May 01, 2004, 06:20:18 PM


Darrell

Seems like the MSBlast thing modified by cunts - it's a lot stronger this time. I've just caught it, please tell me the code to type into RUN to stop it from shutting down all the time. I can't delete the file (lsass.exe in System32) or stop it in Task Manager.

I HATE THE INTERNET.

El Unicornio, mang

I was watching a thing on TV the other week about how virus makers could easily make a virus that totally wipes your hard drive, but they don't because that's not what they're interested in. The main reason virus makers make their viruses is to see how they work, and what damage they do. That's why there are always new, different ones, about.
They're utter cunts though, obviously.


Darrell

Quote from "New World Order": Go here chap.

http://www.microsoft.com/security/incident/sasser.asp

This is of no use to me.

AND IT'S FUCKING SHUTTING DOWN AGAIN.

gazzyk1ns

This might work, I dunno anything about this new virus:

Start up your PC without connecting to the net and go start-run-sfc.exe (have yer Windows CD handy). This is the system file checker and it should replace the corrupted file - then obviously go to Windows Update immediately so you're immune to it.

lsass.exe should be there normally and will always be running in the background when you have an active net connection, incidentally, so don't panic when you think you've removed the virus but can still see it running. The virus just infects that file.

DuncanC

Quote from "The Unicorn": I was watching a thing on TV the other week about how virus makers could easily make a virus that totally wipes your hard drive, but they don't because that's not what they're interested in.

Surely a virus that does that would not be very successful, since it would totally incapacitate the computers, stopping them from propagating the virus?

gazzyk1ns

Yeah most Viruses are written by Linux-lovers... well, Windows-haters, I suppose. The message is usually meant to be "Why pay for Windows when this sort of thing happens? Linux is free and it's immune...".

I like Linux but the people who write viruses are just bored, l33t twats.

@ssmaster

Darrell, go here http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html and follow the steps to remove it. Symantec say it is easy to remove. Once you have done that, go to http://windowsupdate.microsoft.com/ and update your critical patches, as Microsoft released a fix for it on April the 13th; the specific patch is MS04-011 or KB835732.

There are advantages in working for a Microsoft Certified Partner after all.

weekender

That's not easy to do when your computer resets itself every 60 seconds. I think the initial key was to do the following:

Start -> Run
type "cmd"
type "shutdown -a"

This stops your computer shutting down and then you can follow the steps as outlined above.

Darrell

Right, hopefully fixed it with AVG now.

Fingers crossed.

Sorry for shouting and that, but viruses do that to people, y'know.

untitled_london

Quote: Right, hopefully fixed it with AVG now.

get that shit off your system to start with!

Darrell

Quote from "untitled_london":
Quote: Right, hopefully fixed it with AVG now.

get that shit off your system to start with!

Yeah, a free virus program that gets rid of viruses for me. What a piece of shit.

Quote from "Darrell": a free virus program that gets rid of viruses

Like good bacteria?

untitled_london

yada yada yada

AVG blah blah blah zonealarm blah blah.

i've never been hit with anything more than a crappy w32-handy from filesharing. (and that was over two years ago).

however, i do know a whole bunch of ppl from both the AVG & zonealarm camps who have been treated to a full range of tasty excerpts.

ymmv

for my part, i suggest symantec corporate v.9.xxxx, to be used in conjunction with outpost firewall v.2.xxx.

(outpost is open source and so updates very rapidly, and the corporate version of symantec is very very light on resources and allows network scanning from a single client)

weekender

Quote from "untitled_london": (outpost is open source and so updates very rapidly, and the corporate version of symantec is very very light on resources and allows network scanning from a single client)

I presume both cost money?  Please correct me if I'm wrong.

Let me introduce you to the cynical train of thought which suggests that viruses are part of a conspiracy designed to make money for the virus-protection companies.

untitled_london

Quote: I presume both cost money? Please correct me if I'm wrong

i appreciate the cynicism and 'get' that train of thought, furthermore, i wouldn't put it past them either.

in terms of cost, i paid the same for my two tools as darrell paid for his AVG.

Darrell

This virus has returned. The Windows Updates aren't working for me, they just fail when they try to install.

Fucking hell, anybody who writes a virus should be forced to eat their own skin, be bathed in salt and then drowned in a pond of piss.

EDIT: And AVG is claiming the virus isn't there anymore, when it obviously is.

I feel like smashing this fucking computer up, I've had nothing but problems with it and it's only a fucking year old.

untitled_london

i'll say it again - get rid of AVG.

it doesn't work.

.....

have you got a firewall?

Purple Tentacle

Darrell: is your copy of XP a, ahem, "less than genuine" copy?  If you can't install updates, service packs etc and it's that one with the "FCY..." key, then you need to change the serial number on XP to install patches.


Can't remember how to do this though, although someone else will know....

untitled_london

what did the removal tool say?

Darrell

Quote from "Purple Tentacle": Darrell: is your copy of XP a, ahem, "less than genuine" copy?  If you can't install updates, service packs etc and it's that one with the "FCY..." key, then you need to change the serial number on XP to install patches.


Can't remember how to do this though, although someone else will know....

That's the thing - it's a bona fide version of Windows that came pre-installed onto the machine. I can't think what's going wrong.

I'm going to spend today backing everything up onto CD, make sure I can recover everything that needs to be recovered, and format the podgy fucker. I've been meaning to do it for a while anyway and this is the perfect opportunity.

Oh, here's something - does anybody know how I can back up all my Outlook Express emails? I would like to keep lots of those, they're full of lists and addresses and stuff.

Darrell

Have backed up all my files, computer is going absolutely fucking insane still.

It won't let me speak to anyone on MSN now, lovely thing.

I'll be offline for a few days now.

Darrell

Oh - one more thing. My blueyonder email address is as of this moment now invalid. Please direct your correspondence to my sirkobble {at} themailthatishot account.

Detective John Kimble

I don't know if you've already gone off on the format, but have you tried running the Anti-Virus process without System Restore?  (That is if you have it.  Or perhaps it says in the removal guide.)  

Worth a try if not.

JesusAndYourBush

Quote from "Darrell": Oh, here's something - does anybody know how I can back up all my Outlook Express emails? I would like to keep lots of those, they're full of lists and addresses and stuff.

I can help with that, as I recently reinstalled everything (it took me 3 days).

Don't bother trying to export from Outlook's menus, as it doesn't work (or doesn't even let you do it).

Go to Tools > Accounts and export each of your email accounts.
Then you need to find the directory that OE is using for the mailbox:
go to Tools > Options > Maintenance and then
click on the Store Folder button.
Copy everything from \Microsoft\Outlook Express\ - everything in that folder.

Then reverse the process with a new copy of Outlook (do a Windows Update first to get all the patches and stuff).

weekender

Heh, I did a reformat in three hours yesterday.

I need to do it again though, because I forgot to burn off the patches for the virus, and got hit within one minute of starting up.  I am a fool.

untitled_london

Quote: and got hit within one minute of starting up. I am a fool

heh, been there done that.

as soon as you have it set up nice & tight, burn off a ghost image, then in future re-installs will only take 20 mins.

(of course i have never followed that advice myself - but the theory holds water)

Crazy Penis

I'm confused.
When untitled_london posted the link to symantec there wasn't a link for the removal tool on that day. The page showed only how to remove it with NAV or manually.
It was the day after that the page was changed to show instructions on how to delete it with the removal tool.
That could be why Darrell hasn't answered the "what did the removal tool say?" question because it wasn't there when he went to the page.
And so he has taken to reformatting his computer instead of using the removal tool which would have deleted the virus.
I hope I'm wrong because he might be awful pissed at me for not saying something sooner.
Someone tell me I'm right, or better still make me stand corrected like a man with an orthopedic shoe.

This tool.
http://securityresponse.symantec.com/avcenter/FxSasser.exe

gazzyk1ns

Nah you've clearly made him ruin his computer, you might as well kill yourself now.

JesusAndYourBush

Quote from "weekender": Heh, I did a reformat in three hours yesterday.

I need to do it again though, because I forgot to burn off the patches for the virus, and got hit within one minute of starting up.  I am a fool.

Quote from http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html: Attempts to connect to randomly-generated IP addresses on TCP port 445.

So after a reinstall, if you block port 445 with your firewall before connecting to the net, you shouldn't get hit by it again, right?
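The Symantec line quoted above ("attempts to connect to randomly-generated IP addresses on TCP port 445") is also the thing that makes an infected machine stand out on a network: it touches many distinct hosts on one port in a short window, whereas a normal client talks to a handful of file servers. The script below is an added example, not code from this thread or from Symantec. It runs simple worm-scan detection over constructed connection-log lines; the log format, the host addresses and the 20-hosts-per-60-seconds threshold are assumptions chosen for the example, not values from the page.

```python
"""Flag hosts whose outbound TCP/445 connection attempts look like worm scanning.

Added example, not from the forum thread. A Sasser-style host sprays TCP/445
at random addresses, so we count, per source, the number of distinct
destinations hit on that port inside a sliding time window and flag any
source whose peak reaches a threshold. Log format and sample data are
constructed for this example (assumption, not a real log layout).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<iso timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"].lower(),
    }


def find_scanners(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: peak distinct destinations on `port` within `window`}
    for every source whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["port"] == port:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()                 # sliding window needs time order
        in_window = Counter()         # dst -> attempts currently in window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict attempts older than `window` relative to the newest one.
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


# Constructed sample: a normal client (two file servers, SMB over 445 and 139)
# plus one host spraying 30 distinct addresses on 445 within 30 seconds.
BASE = datetime(2004, 5, 1, 18, 20, 0)
BENIGN = [
    "2004-05-01T18:20:01 192.168.1.20 -> 10.0.0.5:445 tcp",
    "2004-05-01T18:20:02 192.168.1.20 -> 10.0.0.5:139 tcp",
    "2004-05-01T18:20:05 192.168.1.20 -> 10.0.0.6:445 tcp",
    "2004-05-01T18:20:09 192.168.1.20 -> 10.0.0.5:445 tcp",
    "this line is deliberately malformed and must be skipped",
    "2004-05-01T18:20:12 192.168.1.20 -> 10.0.0.6:445 udp",
]
SCANNER = [
    # Deterministic pseudo-random targets; 37 is coprime with 256 so the
    # first 30 second octets are all distinct (no two lines share a dst).
    f"{(BASE + timedelta(seconds=i)).isoformat()} 192.168.1.77 -> "
    f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 254 + 1}:445 tcp"
    for i in range(30)
]
SAMPLE_LOG = BENIGN + SCANNER

if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct hosts on TCP/445 within 60s - worm-like")
```

The window and threshold are the knobs to tune: a file server or a vulnerability scanner legitimately touches many hosts on 445, so in practice you would whitelist those sources rather than lower the threshold. The same shape of check (many distinct destinations, one port, short window) applies to any self-propagating worm that scans random addresses, not just this one.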