bgmims All American 5895 Posts
My gf has an email virus that keeps trying to send emails constantly. She can't figure out what virus it is though. How can she tell? I'm running through all the system processes right now to see if anything unusual shows up.
Any ideas? 10/3/2006 9:18:56 PM |
brianj320 All American 9166 Posts
run antivirus maybe? 10/3/2006 9:23:07 PM |
plusdelta All American 1034 Posts
I'd suggest a thorough anti-virus scan in safe mode. That probably won't catch it, so you should also do an anti-spyware scan in safe mode as well.
If you're comfortable with checking over Windows processes, you may also want to see what things are automatically set to run upon startup/login. Use a tool like Autoruns to see what's set to launch automatically: http://www.sysinternals.com/Utilities/Autoruns.html
If you can't find it easily with those tools, you're going to have to dig deep to find it. The amount of time necessary to do that may not outweigh a reformat in the end, so I'd start with the automated scanning stuff first. 10/3/2006 9:29:29 PM |
kinetix All American 3122 Posts
google: combofix, aimfix, vundofix
if she lives on campus 515-help 10/3/2006 9:35:20 PM |
bgmims All American 5895 Posts
thanks guys. I think I tracked it down. it's the lsass.exe process that looks like it's part of the sasser virus. I'm sending her to the removal tool, and I hope that works. It wouldn't let her delete it directly, even in safemode. 10/3/2006 9:42:13 PM |
kinetix All American 3122 Posts
Quote : | "It wouldn't let her delete it directly, even in safemode." |
probably because the original lsass.exe is...
Quote : | "a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated." |
don't delete the one in system32
[Edited on October 3, 2006 at 9:58 PM. Reason : ]10/3/2006 9:57:19 PM |
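The check behind the advice above (the real lsass.exe lives in system32), written out as an added example that is not part of any post in this thread. It goes beyond lsass.exe to a few other core Windows processes that also run from System32; the `SYSTEM32` path, the `PROTECTED` name set and the sample process list are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: default install location; adjust if %SystemRoot% differs.
SYSTEM32 = r"C:\Windows\System32"
# Core processes whose genuine image lives directly in System32.
PROTECTED = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

# Characters commonly swapped to imitate a system name (e.g. "Isass.exe").
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})


def _skeleton(name):
    """Fold look-alike characters so 'Isass.exe' and 'lsass.exe' compare equal."""
    return name.lower().translate(_CONFUSABLE)


_PROTECTED_SKELETONS = {_skeleton(n) for n in PROTECTED}


def classify(name, path):
    """Return 'ok', 'wrong-path', 'lookalike-name', 'path-unknown' or 'other'."""
    if name.lower() in PROTECTED:
        if not path:
            # Without admin rights the image path of lsass.exe is often unreadable.
            return "path-unknown"
        folder = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
        expected = ntpath.normcase(ntpath.normpath(SYSTEM32))
        return "ok" if folder == expected else "wrong-path"
    if _skeleton(name) in _PROTECTED_SKELETONS:
        return "lookalike-name"
    return "other"


# Constructed sample process list: (image name, full image path).
SAMPLE = [
    ("lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("LSASS.EXE", r"c:\windows\system32\lsass.exe"),
    ("lsass.exe", r"C:\Users\demo\AppData\Local\Temp\lsass.exe"),
    ("Isass.exe", r"C:\Windows\System32\Isass.exe"),
    ("lsass.exe", ""),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


def suspicious(processes):
    """Keep only entries that deserve a closer look before anything is deleted."""
    flagged = [(n, p, classify(n, p)) for n, p in processes]
    return [f for f in flagged if f[2] in ("wrong-path", "lookalike-name")]


if __name__ == "__main__":
    for name, path, verdict in suspicious(SAMPLE):
        print(f"{verdict:15} {name:12} {path}")
```

An entry classified `ok` is the system process and should be left alone; `path-unknown` means the listing has to be re-collected with administrator rights before drawing any conclusion.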
nuitari All American 709 Posts
be careful deleting things like that, I suggest backing up the really important stuff on your comp so that you can reformat if you fuck up. 10/3/2006 11:58:29 PM |
Perlith All American 7620 Posts
1) Run Antivirus 2) Run Windows Updates 3) Run Anti-Spyware
Usually allowing 1+2 to happen automatically helps prevent the need for #3. I'd recommend calling the helpdesk ... this will take a while to clean out. 10/4/2006 7:24:33 AM |