I obviously have a virus on my computer, which is shutting me down like the blaster worm a few months ago.

My Norton seems to have been disabled - the icon is no longer on my desktop header, Liveupdate won't work, and automatic scanning has been disabled and I can't turn it back on. In fact, any time I try to do anything with Norton it just shuts off (Norton, I mean). Live update starts to run and then stops, and when I try to start it up again, I get a message saying it's already running, which it's not.

I have no idea what to do here. I have a link to the SYmantec website, but I get a page error when I try to connect to it. Anyone have any suggestions?

the shutdown message says system32\lass.exe

Here's the kicker - my system restore point is gone. The only one in there is today.

I anyone can help me with this I would really appreciate it because I have no idea what to do. I don't even know where to start.

Are you able to use the online antivirus here
http://housecall.antivirus.com/housecall/start_frame.asp

Apparently not. My ability use the Internet is sporadic and the antivirus never loads so I guess I'm being blocked from doing that, too.

I got the online antivirus working. It cleaned one file, and found two others, but it can't clean them and I cannot locate them to remove them. The virus shuts down the virus scan before it is completed, so I have not been able to use the "delete" function on these files. Also, unfortunately, the virus scan window shows you the general direction of the location of the viruses, but it's not wide enough to show the entire string showing the exact location, so I can't pinpoint them.

They are WORM NACHI.B ; somewhere in my system32 config files

and

DOS AGOBOT.HM; somewhere in my system32 drivers file.

The problem with my computer persists, so the cleaned file was not the answer.

Why can I not locate these files? I've done a thorough search of the system32 config and drivers folders, but there are no files by those names. I tried looking by date but nothing came up either.

Here asre instuctions on how to get rid of each of these problems manually.

Worm Nachi.B is a virus
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.B

Agobot.HM - is spyware and I think is a bigger problem than the virus
http://www.pestpatrol.com/pestinfo/b/backdoor_agobot.asp

Hope this helps.

hagatha,

DOS AGOBOT.HM, or its relation WORM.AGOBOT.HM, is probably responsible for making Norton AntiVirus unusable, preventing you from connecting to any antiviral sites, deleting your System Restore files (with the exception of the one you mentioned which is more than likely infected), and possibly some other unpleasant things.

First, you should do a search for the Hosts file (no extension, just Hosts). Open it in Notepad and look for entries like the following:

127.0.0.1 localhost

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com

If they're there, delete all that begin 127.0.0.1 except 127.0.0.1 localhost - leave that one. Save the file and then close it.

If you find more than one Hosts file, do the above for each one.

Symantec recommends that System Restore be turned off until you've cleaned your system because any restore points that are created before then will be infected. I would think you should also delete the one you currently have.

After cleaning out the Hosts file, you should be able to connect to the link Jenny100 gave and run a virus scan.

Then follow the link kwbridge gave to TrendMicro's page about WORM NACHI.B. They also have a page for DOS AGOBOT.HM here with a link to their page on WORM AGOBOT.HM

On either of TrendMicro's pages there's a cleanup tool you can download that to me reads like it will take care of both of these nasties, rather than having to do it manually.

One other thing, on the page for WORM AGOBOT.HM, there's a link to a Microsoft program you can download to check whether or not all your services are protected. I'm assuming you're running Win2000, NT, or Xp because, from what I read, Agobot doesn't infect Win9X systems.

Good luck.

Jema

Once you did all the above and your system is clean and running and if it is XP you have check to make sure that your system files are not damaged.

You do this the following way:

Start>Run> on the command line type sfc /scannow(exactly)
> Ok

Follow instructions, you will be asked for your install disk put it in the drive, exit the menu and wait thill the computer does all the scanning and repair.

Update your virus protection and if it is not on turn on your built in firewall too.

Start>Network places> Local area connections> Properties >Advanced> Put a check-mark in the box for firewall.

Good advice, lasanidine.

hagatha, I just checked the TrendMicro pages again and I couldn't find the link to the MS program I mentioned in my previous post, so I must have seen it somewhere else. Anyhow, here's the link: Security Check

You can read about and download it there.

Jema

I'm having similar issues. I keep getting shut-down with the same error message as Hagatha (lsass.exe). I was able (after a gazillion failed attempts) to use the on-line anti-virus Jenny suggested. It found 2 files (nachi.b). I deleted them just as the evil timer wound down & booted me.

I did what lasanidine suggested afterward, although nothing happened....it scanned & then just went away, never asking me for a disc. I went back on-line & ran the virus-scan again & it said I was clean but soon after I was booted yet again. I'm clueless what to do. So far I'm okay, I've been online for awhile & no boot but I'm not entirely sure it's gone.

Also, I disabled my system restore. Is it save to reactivate it or is it corrupt? If it's yucky, how do I clean it...or get a virus free restore?
ARGH!!!

Love, Jen

Jen in Chgo,

Since TrendMicro describes Worm Nachi.B as a memory-resident worm, if all you did was delete some files, I think it's safe to say you did not get rid of it. Every time you reboot Windows, the worm will reactivate.

Click on the link that kwbridge posted and either download and use the cleanup tool or follow the instructions to manually get rid of it.

Also check out the links there to some MS Security Patches - sounds like to me you need to apply one or more of those.

I don't know whether or not this worm messes with the Hosts file but, if it were me, I'd check that file or files (per my earlier post). Better safe than sorry.

After doing all of that, follow all of lasanidine's good advice.

As for System Restore, if it were my system and since I couldn't be sure when it became infected, I'd delete all restore points. Then once my system was clean, patched, and updated, and after following lasanidine's advice, I'd reactivate System Restore and create a fresh restore point.

Jema

The Security Check link doesn't work. I get a timeout error.

Also, I'm really confused...I found the Hosts file and deleted the files, but ow I don't know what to do.

The links get me to pages that don't explicitly say that they take care of these specific problems...not sure what to look for partly because I have to rush before I get shut down. So I can't find a trendmicro page about AGOBOT B. The trendmicro cleanup tool I used only deletes the files but the problem is still there.

There is a way to manaully delete the AGOBOT files but Task Manager doesn't show any of those files running and anyway I don;t know what the instuctions mean when they say "kill" the files with Task Manager. And then I am supposed to delete them

So to recap - I have removed the Hosts files but don't know what to do next. The security check link does not work. I will try the link to pest patrol again but it only has an automatic removal for AGOBOT A, not B, as far as I can tell.

Ok. I've gone to the trendmicro place where there is a dowload for AGoBOT but I cannot use it unless I also download something called a pattern file.

It gives a location to get the pattern file from, but I still can't do it:

1. The pattern file is called lpt$svpn.xxx and I am to save it as a zip file as lptxxx.zip

a)I have no idea what those xxx's mean.

b)Also, there IS no file by the above name on the pattern page, so I don't know which one to download.

2. Assuming that I can work out which pattern file to download, where do I download it to on my computer?

3. How do I save it as a zip file?

hagatha,

First, the Security Check link works fine for me, so you may be getting the timeout error because your system is infected.

Second, if you've rebooted your system after cleaning out the Hosts file, since your system is infected, those files may be back in there and you'll have to delete them again so you can stay connected to TrendMicro's site long enough to download the files you need for the cleanup. Make sure you save the Hosts file after you delete the files so the changes take effect.

Now, for some explanations. Norton calls their virus updates "definitions". Apparently, TrendMicro calls theirs "patterns". The xxx in lptxxx.zip stands for whatever the number is of their latest pattern download. At the moment, that number is 881, so the file you want to download is lpt881.zip. The actual pattern file, lpt$vpn.881, is within the .zip file.

Following the instructions in the readme file at TrendMicro, this is how to use the cleanup tool.

1. Create a new folder on your hard disk. You can call it anything you want; for this, I'm going to call it Sysclean.

2. Download the cleanup tool, which consists of one file, sysclean.com, and save it to the Sysclean folder.

3. Download lpt881.zip and save it to your desktop or any folder of your choice. Unzip its contents into the Sysclean folder. Note: To do this, use whatever zip/unzip utility you have installed.

4. Now, you should have these three files in the Sysclean folder: sysclean.com, lpt$vpn.881, and whatsnew.txt.

5. Close all applications running on your system, INCLUDING any antivirus software.

6. Double click on sysclean.com to do the cleanup.

7. After sysclean.com does its thing, enable your antivirus software and perform a manual scan of your system.

8. You should now have a fourth file in the Sysclean folder: Sysclean.log.

Hope this answers your questions.

Jema

Jema, I did download the tool to "get rid of it". It was a zip file & I unzipped it & ran it. The log came out clean....no bad files. I also updated my MS security patches. Like I said, I tried to do what lasanidine suggested but I'm not certain it worked....never asked me to insert a disc, just ran for a few seconds & then back to desktop. I'll check those HOST files per your suggestion.

I seem to be okay & am not being shut down anymore. I'm not technically proficient so could you (or anyone) please give me step-by-step instructions on how to clean/fix my system restore?

Love, Jen