Need help with a virus
04/30/04 08:06 PM
04/30/04 08:06 PM
Joined: Nov 2000
Posts: 8,657 Canada
BAAG Specialist
BAAG Specialist
Joined: Nov 2000
Posts: 8,657
I obviously have a virus on my computer, which is shutting me down like the blaster worm a few months ago.
My Norton seems to have been disabled - the icon is no longer on my desktop header, Liveupdate won't work, and automatic scanning has been disabled and I can't turn it back on. In fact, any time I try to do anything with Norton it just shuts off (Norton, I mean). Live update starts to run and then stops, and when I try to start it up again, I get a message saying it's already running, which it's not.
I have no idea what to do here. I have a link to the SYmantec website, but I get a page error when I try to connect to it. Anyone have any suggestions?
the shutdown message says system32\lass.exe
I think I'm quite ready for another adventure.
Re: Need help with a virus
04/30/04 08:49 PM
04/30/04 08:49 PM
Joined: Nov 2000
Posts: 8,657 Canada
BAAG Specialist
BAAG Specialist
Joined: Nov 2000
Posts: 8,657
Here's the kicker - my system restore point is gone. The only one in there is today.
I anyone can help me with this I would really appreciate it because I have no idea what to do. I don't even know where to start.
I think I'm quite ready for another adventure.
Re: Need help with a virus
04/30/04 10:12 PM
04/30/04 10:12 PM
Joined: Oct 2000
Posts: 40,644 southeast USA
GB Reviewer Glitches Moderator
GB Reviewer Glitches Moderator
Sonic Boomer
Joined: Oct 2000
Posts: 40,644
southeast USA
Re: Need help with a virus
05/01/04 12:54 AM
05/01/04 12:54 AM
Joined: Nov 2000
Posts: 8,657 Canada
BAAG Specialist
BAAG Specialist
Joined: Nov 2000
Posts: 8,657
Apparently not. My ability use the Internet is sporadic and the antivirus never loads so I guess I'm being blocked from doing that, too.
I think I'm quite ready for another adventure.
Re: Need help with a virus
05/01/04 01:52 AM
05/01/04 01:52 AM
Joined: Nov 2000
Posts: 8,657 Canada
BAAG Specialist
BAAG Specialist
Joined: Nov 2000
Posts: 8,657
I got the online antivirus working. It cleaned one file, and found two others, but it can't clean them and I cannot locate them to remove them. The virus shuts down the virus scan before it is completed, so I have not been able to use the "delete" function on these files. Also, unfortunately, the virus scan window shows you the general direction of the location of the viruses, but it's not wide enough to show the entire string showing the exact location, so I can't pinpoint them.
They are WORM NACHI.B ; somewhere in my system32 config files
DOS AGOBOT.HM; somewhere in my system32 drivers file.
The problem with my computer persists, so the cleaned file was not the answer.
Why can I not locate these files? I've done a thorough search of the system32 config and drivers folders, but there are no files by those names. I tried looking by date but nothing came up either.
I think I'm quite ready for another adventure.
Re: Need help with a virus
05/01/04 07:35 AM
05/01/04 07:35 AM
Joined: Sep 2002
Posts: 13,701 Virginia
Adept Boomer
Adept Boomer
Joined: Sep 2002
Posts: 13,701
hagatha, DOS AGOBOT.HM, or its relation WORM.AGOBOT.HM, is probably responsible for making Norton AntiVirus unusable, preventing you from connecting to any antiviral sites, deleting your System Restore files (with the exception of the one you mentioned which is more than likely infected), and possibly some other unpleasant things. First, you should do a search for the Hosts file (no extension, just Hosts). Open it in Notepad and look for entries like the following: localhost If they're there, delete all that begin except localhost - leave that one. Save the file and then close it. If you find more than one Hosts file, do the above for each one. Symantec recommends that System Restore be turned off until you've cleaned your system because any restore points that are created before then will be infected. I would think you should also delete the one you currently have. After cleaning out the Hosts file, you should be able to connect to the link Jenny100 gave and run a virus scan. Then follow the link kwbridge gave to TrendMicro's page about WORM NACHI.B. They also have a page for DOS AGOBOT.HM here with a link to their page on WORM AGOBOT.HM On either of TrendMicro's pages there's a cleanup tool you can download that to me reads like it will take care of both of these nasties, rather than having to do it manually. One other thing, on the page for WORM AGOBOT.HM, there's a link to a Microsoft program you can download to check whether or not all your services are protected. I'm assuming you're running Win2000, NT, or Xp because, from what I read, Agobot doesn't infect Win9X systems. Good luck.  Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
05/01/04 12:16 PM
05/01/04 12:16 PM
Joined: May 2001
Posts: 3,424 WA. USA
Addicted Boomer
Addicted Boomer
Joined: May 2001
Posts: 3,424
Once you did all the above and your system is clean and running and if it is XP you have check to make sure that your system files are not damaged.
You do this the following way:
Start>Run> on the command line type sfc /scannow(exactly) > Ok
Follow instructions, you will be asked for your install disk put it in the drive, exit the menu and wait thill the computer does all the scanning and repair.
Update your virus protection and if it is not on turn on your built in firewall too.
Start>Network places> Local area connections> Properties >Advanced> Put a check-mark in the box for firewall.
"I am not young enough to know everything."
Oscar Wilde
Re: Need help with a virus
05/01/04 04:30 PM
05/01/04 04:30 PM
Joined: Sep 2002
Posts: 13,701 Virginia
Adept Boomer
Adept Boomer
Joined: Sep 2002
Posts: 13,701
Good advice, lasanidine. hagatha, I just checked the TrendMicro pages again and I couldn't find the link to the MS program I mentioned in my previous post, so I must have seen it somewhere else. Anyhow, here's the link: Security Check You can read about and download it there.  Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
05/01/04 04:36 PM
05/01/04 04:36 PM
Joined: Jun 2000
Posts: 3,171 an Illinois cornfield
Jen in Chgo
Addicted Boomer
Addicted Boomer
Joined: Jun 2000
Posts: 3,171
an Illinois cornfield
I'm having similar issues. I keep getting shut-down with the same error message as Hagatha (lsass.exe). I was able (after a gazillion failed attempts) to use the on-line anti-virus Jenny suggested. It found 2 files (nachi.b). I deleted them just as the evil timer wound down & booted me. I did what lasanidine suggested afterward, although nothing scanned & then just went away, never asking me for a disc.  I went back on-line & ran the virus-scan again & it said I was clean but soon after I was booted yet again. I'm clueless what to do. So far I'm okay, I've been online for awhile & no boot but I'm not entirely sure it's gone. Also, I disabled my system restore. Is it save to reactivate it or is it corrupt? If it's yucky, how do I clean it...or get a virus free restore? ARGH!!!  Love, Jen 
It's a hard-knock life. Wear wooden underwear.
Re: Need help with a virus
05/01/04 06:21 PM
05/01/04 06:21 PM
Joined: Sep 2002
Posts: 13,701 Virginia
Adept Boomer
Adept Boomer
Joined: Sep 2002
Posts: 13,701
Jen in Chgo, Since TrendMicro describes Worm Nachi.B as a memory-resident worm, if all you did was delete some files, I think it's safe to say you did not get rid of it. Every time you reboot Windows, the worm will reactivate. Click on the link that kwbridge posted and either download and use the cleanup tool or follow the instructions to manually get rid of it. Also check out the links there to some MS Security Patches - sounds like to me you need to apply one or more of those. I don't know whether or not this worm messes with the Hosts file but, if it were me, I'd check that file or files (per my earlier post). Better safe than sorry. After doing all of that, follow all of lasanidine's good advice. As for System Restore, if it were my system and since I couldn't be sure when it became infected, I'd delete all restore points. Then once my system was clean, patched, and updated, and after following lasanidine's advice, I'd reactivate System Restore and create a fresh restore point.  Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
05/01/04 08:07 PM
05/01/04 08:07 PM
Joined: Nov 2000
Posts: 8,657 Canada
BAAG Specialist
BAAG Specialist
Joined: Nov 2000
Posts: 8,657
The Security Check link doesn't work. I get a timeout error.
Also, I'm really confused...I found the Hosts file and deleted the files, but ow I don't know what to do.
The links get me to pages that don't explicitly say that they take care of these specific problems...not sure what to look for partly because I have to rush before I get shut down. So I can't find a trendmicro page about AGOBOT B. The trendmicro cleanup tool I used only deletes the files but the problem is still there.
There is a way to manaully delete the AGOBOT files but Task Manager doesn't show any of those files running and anyway I don;t know what the instuctions mean when they say "kill" the files with Task Manager. And then I am supposed to delete them
So to recap - I have removed the Hosts files but don't know what to do next. The security check link does not work. I will try the link to pest patrol again but it only has an automatic removal for AGOBOT A, not B, as far as I can tell.
I think I'm quite ready for another adventure.
Re: Need help with a virus
05/01/04 08:35 PM
05/01/04 08:35 PM
Joined: Nov 2000
Posts: 8,657 Canada
BAAG Specialist
BAAG Specialist
Joined: Nov 2000
Posts: 8,657
Ok. I've gone to the trendmicro place where there is a dowload for AGoBOT but I cannot use it unless I also download something called a pattern file.
It gives a location to get the pattern file from, but I still can't do it:
1. The pattern file is called lpt$ and I am to save it as a zip file as
a)I have no idea what those xxx's mean.
b)Also, there IS no file by the above name on the pattern page, so I don't know which one to download.
2. Assuming that I can work out which pattern file to download, where do I download it to on my computer?
3. How do I save it as a zip file?
I think I'm quite ready for another adventure.
Re: Need help with a virus
05/02/04 12:30 AM
05/02/04 12:30 AM
Joined: Sep 2002
Posts: 13,701 Virginia
Adept Boomer
Adept Boomer
Joined: Sep 2002
Posts: 13,701
hagatha, First, the Security Check link works fine for me, so you may be getting the timeout error because your system is infected. Second, if you've rebooted your system after cleaning out the Hosts file, since your system is infected, those files may be back in there and you'll have to delete them again so you can stay connected to TrendMicro's site long enough to download the files you need for the cleanup. Make sure you save the Hosts file after you delete the files so the changes take effect. Now, for some explanations. Norton calls their virus updates "definitions". Apparently, TrendMicro calls theirs "patterns". The xxx in stands for whatever the number is of their latest pattern download. At the moment, that number is 881, so the file you want to download is The actual pattern file, lpt$vpn.881, is within the .zip file. Following the instructions in the readme file at TrendMicro, this is how to use the cleanup tool. 1. Create a new folder on your hard disk. You can call it anything you want; for this, I'm going to call it Sysclean. 2. Download the cleanup tool, which consists of one file,, and save it to the Sysclean folder. 3. Download and save it to your desktop or any folder of your choice. Unzip its contents into the Sysclean folder. Note: To do this, use whatever zip/unzip utility you have installed. 4. Now, you should have these three files in the Sysclean folder:, lpt$vpn.881, and whatsnew.txt. 5. Close all applications running on your system, INCLUDING any antivirus software. 6. Double click on to do the cleanup. 7. After does its thing, enable your antivirus software and perform a manual scan of your system. 8. You should now have a fourth file in the Sysclean folder: Sysclean.log. Hope this answers your questions.  Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
05/02/04 09:02 AM
05/02/04 09:02 AM
Joined: Jun 2000
Posts: 3,171 an Illinois cornfield
Jen in Chgo
Addicted Boomer
Addicted Boomer
Joined: Jun 2000
Posts: 3,171
an Illinois cornfield
Jema, I did download the tool to "get rid of it". It was a zip file & I unzipped it & ran it. The log came out bad files.  I also updated my MS security patches. Like I said, I tried to do what lasanidine suggested but I'm not certain it worked....never asked me to insert a disc, just ran for a few seconds & then back to desktop. I'll check those HOST files per your suggestion. I seem to be okay & am not being shut down anymore. I'm not technically proficient so could you (or anyone) please give me step-by-step instructions on how to clean/fix my system restore?  Love, Jen 
It's a hard-knock life. Wear wooden underwear.
Re: Need help with a virus
05/02/04 10:31 AM
05/02/04 10:31 AM
Joined: Dec 2000
Posts: 4,516 North aurora IL
Addicted Boomer
Addicted Boomer
Joined: Dec 2000
Posts: 4,516
North aurora IL
I'm ready to cry after reading this post. I just got back from a week's vacation and checked my email and visited my 3 favorite sites. While responding to an email I got the NT authority system [url=C://windows/system32/lsass.exe][url=C://windows/system32/lsass.exe][url=C://windows/system32/lsass.exe]C://windows/system32/lsass.exe[/url][/url][/url] shutdown message. I can't be on the internet long enough to fix anything. Right now I'm on my old W98. I've have visted this Symantec site: I don't know if this is the same thing. QUESTION: how do I get into the Host file area? Is doing that so that the virus checker will work? Would I need to do that if my McAfee is working ok?
Re: Need help with a virus
05/02/04 10:45 AM
05/02/04 10:45 AM
Joined: Mar 2002
Posts: 3,004 USA
Addicted Boomer
Addicted Boomer
Joined: Mar 2002
Posts: 3,004
If you know which files to delete, try booting XP in safe mode by pressing the f8 key when windows first starts to load. It may not load the virus in memory in this mode.
Banana phone!
Re: Need help with a virus
05/02/04 05:05 PM
05/02/04 05:05 PM
Joined: Sep 2002
Posts: 13,701 Virginia
Adept Boomer
Adept Boomer
Joined: Sep 2002
Posts: 13,701
Jen in Chgo, Click Here to read about how to disable/enable System Restore in XP. Disabling it will purge all your restore points. Then, when you enable it, it begins monitoring your system again. If scannow didn't ask you to insert your install disk, I would think that means it didn't find any files that needed to be repaired/replaced. I'm not familiar with scannow, so maybe lasanidine can tell you if that's true.  Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
05/02/04 05:40 PM
05/02/04 05:40 PM
Joined: Sep 2002
Posts: 13,701 Virginia
Adept Boomer
Adept Boomer
Joined: Sep 2002
Posts: 13,701
burpee, The Hosts file can be used to list sites the user doesn't want to connect to. Unfortunately, it is also used by certain viruses/worms to prevent the user from connecting to any site of its choice - including all or most of the sites that have anything to do with virus protection. looney's suggestion to reboot into Safe Mode is a good one. I've never tried it but it may be that if your computer is infected and your antivirus software won't work in Standard Mode, it will in Safe Mode. To find the Hosts file, click on Start, go to Find and click on Files and Folders. In the Named field type Hosts, make sure Look in has your primary drive and that Include subfolders is checked, and then click on Find now. Open the Hosts file in Notepad (making sure always use this program is unchecked). Once you delete the offending entries, save the file and close Notepad. If theres's more than one Hosts file, do the same thing for each of them.  Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
05/02/04 07:17 PM
05/02/04 07:17 PM
Joined: Jun 2002
Posts: 5,766 FT. Worth ....Where the West b...
The Radiant Moderator Staff Reviewer
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
is Hagatha and Hagathaone the same Boomer?
Watching: Dark Shadows Reading: Angelique's Descent Playing: WoW and living in Kil' Jaeden
Re: Need help with a virus
05/02/04 08:11 PM
05/02/04 08:11 PM
Joined: Jun 2002
Posts: 5,766 FT. Worth ....Where the West b...
The Radiant Moderator Staff Reviewer
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
|! Don't give up... I'm working on it. Hagatha... Take a break... Mix up a pitcher up Margaritas and drink one for me while your at it. (I'm not allowed to take alcohol because of the "Grave's" but you can drink one for me, I'm only allowed to write about it.)
Give me about an hour and then check back here. Do nothing to your XP just yet. There's got to be a way to fix it... we'll find it. Check back here for updates. I know your upset but remember this if nothing else; I'm here for you and so are all the other Boomies reading and watching this thread as well as your other one. We're all holding your hand.
We'll get through this.......together.
Watching: Dark Shadows Reading: Angelique's Descent Playing: WoW and living in Kil' Jaeden