PASS ME THAT JOINT! WHAT ARE YOU SMOKING?
c:/windows/system32/lsass.exe
All that is the Windows Local Security Authority Server Process, son! It handles Windows security mechanisms and verifies the validity of user logons to your computer. WHICH means all it does is generate the process that is responsible for authenticating users for the Winlogon service. It's not a virus, not spyware, adware, it's PART OF THE SYSTEM!
OK, WHAT HAPPENED WAS YOU HAVE ONE OF THE MOST VIRULENT/Violent VIRUSES ON THE INTERNET! THE NEW SASSER WORM HAS INFECTED YOUR lsass.exe file! MAN THAT'S NOT COOL AT ALL.. THIS VIRUS IS LIKE THE LANCE ARMSTRONG OF 2004 VIRUSES! CUZ LIKE YOUR PC LIKES TO REBOOT EVERY 260 SECONDS WHEN IT HAS BEEN AFFECTED WITH THE SASSER WORM!
IF YOU HAVE THE SASSER WORM YOU WILL NEED TO GET ON ANOTHER COMPUTER TO READ THIS BUT ONCE YOUR COMPUTER HAS BEEN TURNED ON YOU HAVE A LITTLE OVER 260 SECONDS TO
Press the Start button, and then the Run menu item.
Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".
Press OK.
SO WHAT DOES THAT DO? IT STOPS YOUR PC FROM SHUTTIN DOWN ALMOST EVERY 260 SECONDS... BUT DUDE THE VIRUS IS STILL THERE.. AND MAN.. IT'S NOT A VIRUS TO BE RECKONED WITH.
THIS VIRUS IS SO SERIOUS YOU WOULDN'T KNOW! A F'KIN GENIUS VIRUS! This worm scans RANDOM, JUST RANDOM IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system, by overflowing a buffer in LSASS.EXE. It creates a REMOTE SHELL on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554. THEN THE worm TAKES ENDLESS VACATIONS on multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets (SOOOO GENIUS). The destination port is TCP 445.
IT'S DELETING/ADDING SPACE/....(basically it's like you have a gurlfriend AND YOU LOVE HER A LOT and THIS VIRUS IS A GUY that's having sex with her and you can't do shit about it CUZ HE'S LOADED WITH 12 GAUGES, AK 47's, GRENADES AND HE AIN'T AFRAID TO USE IT)
IF YOU WANT 2 DELETE IT TAKE THESE FOLLOWIN STEPS
Then Remove AS MUCH OF IT AS YOU CAN
1. TURN OFF SYSTEM RESTORE
2. RESTART IN SAFE MODE
3. Delete the file AVSERVE2.EXE from your WINDOWS directory FROM EITHER c:\windows or c:\winnt
4. THEN, HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
5. Delete the "avserve2" value
6. DELETE \windows\system32\*_up.exe
Reboot the system into Default Mode
EDIT :
stay up man, this virus is fatal. Stay Up.
Post Edited (SClyde) : 7/28/2004 11:04:30 PM GMT
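An added example, not part of SClyde's post: a small triage script that checks captured `netstat -an` output, `reg query` output for the Run key, and a directory listing against the indicators the post names (TCP 5554 and 9996 listeners, the "avserve2" Run value, AVSERVE2.EXE, *_up.exe, cmd.ftp). The function names and all sample data are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Indicators named in the post above; nothing here comes from another source.
WORM_PORTS = {5554: "worm FTP server", 9996: "remote shell"}
RUN_VALUE = "avserve2"
FILE_PATTERNS = ("avserve2.exe", "*_up.exe", "cmd.ftp")

# Constructed sample inputs (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1051        198.51.100.7:445       SYN_SENT
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    avserve2    REG_SZ    C:\WINDOWS\avserve2.exe
"""
SAMPLE_FILES = ["notepad.exe", "avserve2.exe", "12345_up.exe", "lsass.exe"]

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, parsed from `netstat -an` output."""
    pat = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING")
    return {int(m.group(1)) for m in map(pat.match, netstat_text.splitlines()) if m}

def run_value_names(reg_text):
    """Value names parsed from `reg query` output for the Run key."""
    pat = re.compile(r"\s+(.+?)\s+REG_\w+\b")
    return [m.group(1) for m in map(pat.match, reg_text.splitlines()) if m]

def triage(netstat_text, reg_text, filenames):
    """Return findings that match the post's indicators, in a fixed order."""
    findings = []
    for port in sorted(listening_ports(netstat_text) & set(WORM_PORTS)):
        findings.append(f"listening on TCP {port} ({WORM_PORTS[port]})")
    for name in run_value_names(reg_text):
        if name.lower() == RUN_VALUE:
            findings.append(f"Run key value '{name}'")
    for fn in filenames:
        # lsass.exe itself is a system file and matches no pattern.
        if any(fnmatchcase(fn.lower(), p) for p in FILE_PATTERNS):
            findings.append(f"file {fn}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_NETSTAT, SAMPLE_REG, SAMPLE_FILES)) or "no indicators")
```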