Help me!

Posted: 2005-02-23 04:57pm
by Captain tycho
I cannot get rid of these viruses/spyware! I've run Spybot, AVG, posted the HJT log and deleted the obvious ones (see the thread up top), ended the processes I *know* are worms/spyware, but nothing is working! What the fuck is going on here? :x :x :x All the while my internet has slowed to a crawl. :banghead: :banghead: :banghead: :finger:

[/rant off]

Posted: 2005-02-23 06:24pm
by Gerard_Paloma
According to your HJT log file, you've got the Sasser worm. Hit this link for advice and removal instructions. You need to apply a patch, remove the virus (I recommend Stinger for this), and then run HJT again. If it doesn't find "lsass.exe" you're clean.

Posted: 2005-02-23 07:11pm
by Captain tycho
Thank you! :D

Posted: 2005-02-23 07:33pm
by Praxis
Gerard_Paloma wrote:According to your HJT log file, you've got the Sasser worm. Hit this link for advice and removal instructions. You need to apply a patch, remove the virus (I recommend Stinger for this), and then run HJT again. If it doesn't find "lsass.exe" you're clean.
:shock:
Is lsass.exe the sasser virus? Because I have it running in my processes.

Posted: 2005-02-23 07:34pm
by Captain tycho
Well, I'm pretty sure I got it, no longer dling things at 2.5kb/s. :twisted:

Posted: 2005-02-23 07:53pm
by Gerard_Paloma
Praxis wrote:
Gerard_Paloma wrote:According to your HJT log file, you've got the Sasser worm. Hit this link for advice and removal instructions. You need to apply a patch, remove the virus (I recommend Stinger for this), and then run HJT again. If it doesn't find "lsass.exe" you're clean.
:shock:
Is lsass.exe the sasser virus? Because I have it running in my processes.
Indeed it is. Get rid of it.

Posted: 2005-02-23 08:13pm
by Praxis
Gerard_Paloma wrote:
Praxis wrote:
Gerard_Paloma wrote:According to your HJT log file, you've got the Sasser worm. Hit this link for advice and removal instructions. You need to apply a patch, remove the virus (I recommend Stinger for this), and then run HJT again. If it doesn't find "lsass.exe" you're clean.
:shock:
Is lsass.exe the sasser virus? Because I have it running in my processes.
Indeed it is. Get rid of it.
Gah, I can't end task it. It claims it is a critical system process and will not die...

Posted: 2005-02-23 08:34pm
by Captain tycho
OK, I installed some Windows updates, etc., rebooted the comp, and... internet is moving like molasses. I have no clue what's going on, and I'm at my wit's end after working all day to get this damn thing working. :x If push comes to shove, I'm reformatting AGAIN on the morrow. :banghead:
To top it off for the night, here is El Finale Logo:

Logfile of HijackThis v1.99.1
Scan saved at 5:31:00 PM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\cmutil44.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [nkv] C:\WINDOWS\nkv.exe
O4 - HKLM\..\Run: [Microsoft Updates] wuamgrd.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [316c6ca13891] C:\WINDOWS\System32\cmutil44.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wuamgrd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NAV Auto Updates] csrssp.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9244F37-7012-446F-8E9F-21E659DD95D1}: NameServer = 209.143.0.10 209.143.22.182
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Night all, I'm going to bed....

Posted: 2005-02-23 08:38pm
by entfern
Gerard_Paloma wrote:
Praxis wrote:
Gerard_Paloma wrote:According to your HJT log file, you've got the Sasser worm. Hit this link for advice and removal instructions. You need to apply a patch, remove the virus (I recommend Stinger for this), and then run HJT again. If it doesn't find "lsass.exe" you're clean.
:shock:
Is lsass.exe the sasser virus? Because I have it running in my processes.
Indeed it is. Get rid of it.
Stinger is not finding it on my computer... yet it's sitting there mocking me... what the heck am I doing wrong? I don't think the version of Stinger I have has it on there.

Posted: 2005-02-23 09:17pm
by Praxis
entfern wrote:
Gerard_Paloma wrote:
Praxis wrote: :shock:
Is lsass.exe the sasser virus? Because I have it running in my processes.
Indeed it is. Get rid of it.
Stinger is not finding it on my computer... yet it's sitting there mocking me... what the heck am I doing wrong? I don't think the version of Stinger I have has it on there.
Same here, nothing found.

Posted: 2005-02-23 10:06pm
by Xon
If the "lsass.exe" file is located in "c:\windows\System32", then it is a core system file; getting rid of it will nuke your computer.

The sasser virus infects the legitimate lsass.exe file due to a security flaw in it.

Posted: 2005-02-23 10:13pm
by entfern
ggs wrote:If the "lsass.exe" file is located in "c:\windows\System32", then it is a core system file; getting rid of it will nuke your computer.
Meaning if it shows up in task manager it is ok and I should not freak out? Better yet, I should freak out when I see _______?
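Xon's point above (the real lsass.exe lives in C:\Windows\System32 and must not be killed) and entfern's question (so when should I worry?) both come down to checking the log rather than the process name. The script below is an added example, not code from this thread, from HijackThis or from Stinger. It parses the "Running processes:" block and the O4 autostart lines of a HijackThis-style log and produces review cues: a core Windows process running from somewhere other than its expected directory, a process name one character away from a core process name (a look-alike), and an autostart entry that gives a bare filename with no directory. The expected directories are an assumption for a Windows XP-era layout, and the sample log is a trimmed copy of the one posted above plus one constructed line (C:\WINDOWS\lsass.exe) to exercise the wrong-path check. Everything flagged is a cue to go look at the file, not a verdict that it is malicious.

```python
"""Triage helper for a HijackThis-style log (added example, not code from the
thread, from HijackThis or from Stinger). Every finding is a review cue, not a verdict."""
import re

# Core processes and the directory each is expected to run from.
# Windows XP-era layout; this table is an assumption of the example.
CORE_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: trimmed from the log posted in the thread, plus one
# constructed line (C:\WINDOWS\lsass.exe) to demonstrate the wrong-path check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [nkv] C:\WINDOWS\nkv.exe
O4 - HKLM\..\Run: [Microsoft Updates] wuamgrd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

O4_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Core process name that `name` is exactly one edit away from, else None."""
    name = name.lower()
    if name in CORE_PROCESSES:
        return None
    for core in CORE_PROCESSES:
        if edit_distance(name, core) == 1:
            return core
    return None


def parse_running_processes(log_text: str):
    """Full paths listed under 'Running processes:' up to the next blank line."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            collecting = True
        elif collecting and s:
            paths.append(s)
        elif collecting and paths:
            break
    return paths


def parse_run_entries(log_text: str):
    """(hive/key, entry name, command) for every O4 autostart line."""
    return [m.groups() for m in (O4_RE.match(l.strip()) for l in log_text.splitlines()) if m]


def triage_log(log_text: str):
    """Return (category, detail) review cues for the log."""
    findings = []
    for path in parse_running_processes(log_text):
        directory, _, name = path.lower().rpartition("\\")
        expected = CORE_PROCESSES.get(name)
        twin = lookalike_of(name)
        if expected is not None and directory != expected:
            findings.append(("core-process-wrong-path", path))
        elif twin:
            findings.append(("lookalike-name", f"{path} (resembles {twin})"))
    for hive, entry, cmd in parse_run_entries(log_text):
        if "\\" in cmd:
            continue  # a directory is given, so the file can be located directly
        detail = f"{hive} [{entry}] {cmd}"
        exe = cmd.split()[0] if cmd.split() else cmd
        category = "lookalike-autostart" if lookalike_of(exe) else "bare-filename-autostart"
        findings.append((category, detail))
    return findings


if __name__ == "__main__":
    for category, detail in triage_log(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run against the sample, the legitimate C:\WINDOWS\system32\lsass.exe produces nothing, which is the answer to "should I freak out?" for that line; the constructed C:\WINDOWS\lsass.exe is flagged for its path, csrssp.exe is flagged as a look-alike both as a running process and as an autostart entry, and nwiz.exe and wuamgrd.exe are listed only because their O4 entries give no directory, so the reviewer still has to find the file on disk before deciding anything.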