lsass2 virus/spyware ???

Discussion in 'malware problems & news' started by fire, Feb 1, 2005.

Thread Status:
Not open for further replies.
  1. fire

    fire Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    8
    Location:
    WA state
    Is there a fast solution (tool available) for removing the mentioned virus/spyware? o_O I'm not personally "infected"... I'm asking for someone in Europe that needs help... Thanks for any replies with any info...
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    There is a link here on removing Lsass2.exe

    Hope this helps...

    Cheers :D
     
  3. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, the process lsass2.exe is added by the Agobot/Gaobot worm. Unfortunately there are over 1000 variants of this worm; some examples exploited holes in Windows, so make sure that they have all the updates.

    I don't think there is a standalone removal tool.

    This is what I recommend:

    (Take care while editing the Windows registry; it is recommended to back it up before deleting anything.)

    1. Boot into safe mode.

    2. Run a scan with AV; take note of processes started by the worm and their location.

    3. Open Task Manager and kill the processes identified in step 2.
    Close Task Manager, re-open it, and make sure they have stopped.

    4. You may need to delete the auto start entries from the registry:

    A. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

    In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.

    B. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices

    In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.


    5. Restart in normal mode, scan again. If the problem is still there you may need to edit the hosts file to remove entries placed by the worm.


    I know this isn't a quick fix, and caution needs to be taken while editing the registry, but this has worked for me before. The main problem is that there are so many variants of this worm; they all have different reg entries, files etc.

    Good luck.
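
The registry and hosts-file checks from steps 4 and 5 above, as an added PowerShell example that is not part of the original thread. It only reports: it flags Run and RunServices values whose data references a file named in `$Detected` (a constructed sample list standing in for the AV results from step 2) and lists the active hosts-file entries for review.

```powershell
# Added example (not from the thread): report-only review of the two autostart
# keys named in step 4 and of the hosts file mentioned in step 5.
# $Detected is a constructed sample; replace it with the paths the AV scan reported.
$Detected = @('C:\WINDOWS\system32\lsass2.exe')

$Keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Properties PowerShell attaches to every registry item; they are not registry values.
$Meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$Findings = foreach ($Key in $Keys) {
    if (-not (Test-Path $Key)) { continue }        # the key may not exist on this system
    $Props = Get-ItemProperty -Path $Key
    if ($null -eq $Props) { continue }             # key exists but holds no values
    foreach ($P in $Props.PSObject.Properties) {
        if ($Meta -contains $P.Name) { continue }
        $Data = [string]$P.Value
        # Case-insensitive substring match, so quoted paths and trailing arguments still hit.
        $Hit = @($Detected | Where-Object {
            $Data.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        })
        [pscustomobject]@{
            Key     = $Key
            Name    = $P.Name
            Data    = $Data
            Flagged = ($Hit.Count -gt 0)
        }
    }
}

# Flagged rows first; every row is shown so unfamiliar entries can be reviewed too.
$Findings | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap

# Step 5: show hosts-file lines that are neither blank nor comments.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $HostsPath) {
    Get-Content $HostsPath | Where-Object { $_ -match '^\s*[^#\s]' }
}
```

Nothing is deleted by this script; removal of a flagged value is left to the operator after the registry backup the post recommends.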
     
  4. fire

    fire Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    8
    Location:
    WA state
    Thanks so much for your replies... I'll pass the info along... Many thanks, again!!!
     