View Full Version : Virus - please help.


Capt. Picard
03-31-06, 01:59 PM
Please bear with me. I know I've got a virus of sorts. But what I can't understand is how this happened. I formatted my PC yesterday and haven't used my dialup until an hour ago (it is Friday night 21:45). Almost the instant I connected and made Google my homepage I got this message from my AV, PCCillin (see pic). I couldn't have contaminated my system because I haven't copied any of my backed-up stuff onto my PC yet. All that is on the PC is some stuff I installed - see pic. I've got another PC on a LAN that has Internet through ICS. So it must have gotten it from there, but I can't understand why the AV on that PC hasn't picked it up. It has basically the same stuff on it as my PC and the AV is updated.

Does anybody recognize these viruses and know what they do? I've followed up the links of the viruses but even though I know a little bit about computers I can't get to point where I understand exactly what the virus is.

I'm busy updating Windows but the yellow sign in my systray has been on 2% downloaded for the last hour and a half. My dialup is running at normal speed so it is the dialup. And I'm also updating my AV now. Do you think that this AV will be able to remove the virus?

evilghost
03-31-06, 02:43 PM
LSASS is a network-based exploit; unless you've patched the system that you're connecting to the Internet with, it's vulnerable. LSASS is an old exploit, I believe ~2005, which exploits TCP 445.

If you're connected to the Internet with an unpatched box without a firewall then:

1) Get a firewall.
2) Patch your box.

If your machine is already patched it's likely your firewall isn't functioning and Trend/Petercillin is reporting a block on the incoming network-based exploit.

I wouldn't freak out, you're not infected.
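
One way to see what evilghost describes, as an added example that is not code from this thread or from any product mentioned in it: the Windows XP SP2 firewall writes dropped inbound connections to a text log (pfirewall.log). The script below parses a few constructed lines in that log's assumed field order, counts dropped TCP connection attempts to port 445 on the local machine, and splits the sources into LAN (RFC 1918) addresses, which would point at the other ICS PC, and Internet addresses, which are the background worm scanning the firewall is meant to block. The IP addresses and timestamps are invented for the example.

```python
"""Count inbound TCP/445 connection attempts recorded in Windows Firewall log lines.

Added example, not code from the forum thread. The sample lines are constructed
in the W3C-style layout Windows XP SP2's pfirewall.log uses; the field order is
assumed from its '#Fields:' header line:
date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...
"""
import ipaddress
from collections import Counter

# Constructed sample log lines (documentation-range addresses, not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-03-31 21:45:02 DROP TCP 203.0.113.17 192.168.0.2 3821 445 48 S 1234567 0 65535 - - - RECEIVE
2006-03-31 21:45:03 DROP TCP 203.0.113.17 192.168.0.2 3822 445 48 S 1234568 0 65535 - - - RECEIVE
2006-03-31 21:45:09 DROP TCP 198.51.100.9 192.168.0.2 1044 445 48 S 7654321 0 16384 - - - RECEIVE
2006-03-31 21:45:11 OPEN TCP 192.168.0.2 192.168.0.1 1025 445 - - - - - - - - -
2006-03-31 21:45:20 DROP TCP 192.168.0.3 192.168.0.2 1180 445 48 S 1111111 0 65535 - - - RECEIVE
2006-03-31 21:46:01 DROP UDP 203.0.113.17 192.168.0.2 1040 137 78 - - - - - - - RECEIVE
"""

# Only the leading fields are needed; trailing fields vary by protocol.
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port"]

# RFC 1918 ranges: anything else is treated as coming from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lines(text):
    """Yield one dict per log record, skipping blank and '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue  # malformed or truncated record
        yield dict(zip(FIELDS, parts))


def inbound_445_attempts(text, local_ip):
    """Return {source_ip: count} of dropped TCP connections to local_ip:445.

    Only inbound DROP records count; an OPEN record is a connection the
    local host made itself (for example to a file share) and is ignored.
    """
    counts = Counter()
    for rec in parse_lines(text):
        if (rec["action"] == "DROP" and rec["protocol"] == "TCP"
                and rec["dst_ip"] == local_ip and rec["dst_port"] == "445"):
            counts[rec["src_ip"]] += 1
    return counts


def is_lan_address(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def split_by_origin(counts):
    """Split {ip: count} into (lan, internet) dicts by source address range."""
    lan, internet = {}, {}
    for ip, n in counts.items():
        (lan if is_lan_address(ip) else internet)[ip] = n
    return lan, internet


if __name__ == "__main__":
    attempts = inbound_445_attempts(SAMPLE_LOG, "192.168.0.2")
    lan, internet = split_by_origin(attempts)
    print("Dropped TCP/445 probes from the Internet:", internet)
    print("Dropped TCP/445 probes from the LAN (check that host):", lan)
```

Probes from Internet addresses with the firewall reporting DROP are the expected, harmless case the reply describes; a LAN source hitting port 445 repeatedly is the one worth investigating, since it would mean a machine on the shared connection is itself scanning.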

Q
03-31-06, 10:43 PM
LSASS is a network-based exploit; unless you've patched the system that you're connecting to the Internet with, it's vulnerable. LSASS is an old exploit, I believe ~2005, which exploits TCP 445.

If you're connected to the Internet with an unpatched box without a firewall then:

1) Get a firewall.
2) Patch your box.

If your machine is already patched it's likely your firewall isn't functioning and Trend/Petercillin is reporting a block on the incoming network-based exploit.

I wouldn't freak out, you're not infected.

I'm honestly surprised that you didn't bash MS ONCE in this reply.

I'm proud of you, evilghost!!! :D

evilghost
03-31-06, 11:22 PM
I'm honestly surprised that you didn't bash MS ONCE in this reply.

I'm proud of you, evilghost!!! :D

It was tough....I had a slurry of inflammatory statements to make but I opted for helping out instead.

I did flame PCillin calling it "Petercillin" because it's worthless software (much like all Microsoft products) :p

Pseudo-security; it makes you feel better.

Capt. Picard
04-01-06, 12:11 AM
It was tough....I had a slurry of inflammatory statements to make but I opted for helping out instead.

I did flame PCillin calling it "Petercillin" because it's worthless software (much like all Microsoft products) :p

Pseudo-security; it makes you feel better.

How is Norton 2005? What AV would you recommend?

I've updated everything and haven't seen the warnings since. I was just shocked at seeing those warnings so quickly after I formatted and then connected.

rewt
04-01-06, 04:23 AM
You should slipstream Service Pack 2 into your XP installation CD to avoid problems like this in the future. I'd also recommend integrating RyanVM's update pack as well.

Capt. Picard
04-01-06, 05:15 AM
You should slipstream Service Pack 2 into your XP installation CD to avoid problems like this in the future. I'd also recommend integrating RyanVM's update pack as well.

My CD does have SP2.

rewt
04-01-06, 05:37 AM
Does PCCillin have a built-in firewall?

Capt. Picard
04-01-06, 07:11 AM
Does PCCillin have a built-in firewall?

Yes

Belarnion
04-01-06, 08:38 AM
How is Norton 2005? What AV would you recommend?

I've updated everything and haven't seen the warnings since. I was just shocked at seeing those warnings so quickly after I formatted and then connected.

NOD32.

rewt
04-01-06, 08:56 AM
Yes

Ah, yes that confirms it then. It was merely blocking the LSASS worm, as evilghost suspected.

Capt. Picard
04-01-06, 09:06 AM
Ah, yes that confirms it then. It was merely blocking the LSASS worm, as evilghost suspected.

But the thing is, although I'm not 100% sure, I think I had the firewall off at that time because I was setting up Internet connection sharing between my two PCs, but I still got the warnings like in the pictures in my first post. I'm using Windows Firewall now because that, seemingly, doesn't block the network traffic. As is obvious I don't know enough to go and manually block or unblock certain ports, so I just have to make do with the standard configurations.

Everything is updated now (windows and AV) and I've run a scan and found nothing.

But if I were infected, what would the symptoms be?

NightFire
04-01-06, 09:31 AM
Forgive me if my knowledge about this isn't quite accurate, but I believe the LSASS exploit is a hole through which other viruses, like Sasser, can get through; just having the vulnerability by itself won't affect your computer.

Capt. Picard
04-01-06, 09:33 AM
Forgive me if my knowledge about this isn't quite accurate, but I believe the LSASS exploit is a hole through which other viruses, like Sasser, can get through; just having the vulnerability by itself won't affect your computer.

Okay. That's good news for me so far. :)

rewt
04-01-06, 09:35 AM
Well according to Microsoft, Service Pack 2 is not vulnerable.

See Microsoft Security Bulletin MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx).

I think that was the famous Sasser worm, or some variant of it. I remember when my pc got infected by this on my college network. It happened in the process of reinstalling Windows. Being that Windows XP Service Pack 1 had no firewall running by default, it got infected as soon as Windows was done installing and connected itself to the network.

As far as I remember, the symptom of the virus was the PC randomly rebooting itself. A message would pop up saying computer was about to reboot.

Smokey
04-01-06, 10:10 AM
How is Norton 2005? What AV would you recommend?

AVG Free is a good AV, and there isn't anything wrong with using the built-in FW in XP afaik. I use the integrated nv firewall on my mb.

grey_1
04-01-06, 11:51 AM
I use ZoneAlarm as it blocks both incoming and outgoing traffic, but is super easy to configure. Last I read some reviews, Norton's AV was considered very good, if not a little annoying. I usually dl the latest versions and burn 'em prior to a format, plus my boxes never even get plugged in to the hub til they're as protected as possible. Almost forgot, I think you can run Norton's AV right from the disk on boot to scan, not sure.