From: "Rick "Nutcase" Rogers" <rick@mvps.org>
| Hi,
|
| It's a worm. When the message appears, click start/run and type
| "shutdown -a" (without the quotes) to halt it and then download some up to
| date Antivirus scanning software.
|
| Free virus removal tools:
|
|
| http://vil.nai.com/vil/stinger/
|
| http://www.emsisoft.com/en/
|
| http://free.grisoft.com/doc/8/lng/us.../nid/3001#3001
|
| http://www.f-secure.com/download-purchase/tools.shtml
|
| Also, you may use this free on-line scanner:
|
| http://housecall.trendmicro.com/
|
| Symantec also distributes many free removal tools that are virus-specific:
|
| http://securityresponse.symantec.com...ools.list.html
|
| Many are best run in Safe mode to minimize interference. Most will resist
| removal in normal mode where they are active.
|
| How to start in Safe mode:
|
| http://www.rickrogers.org/fixes.htm#Safe%20mode
|
| Emergency system tools:
|
| http://www.dougknox.com/xp/utils/xp_emerutils.htm
|
Rick:
You have listed various AV software which may find such worms as W32/Radebot.worm,
W32/Plexus, W32/Gaobot.worm and W32/Reatle that exploit the LSASS Buffer Overflow
Vulnerability via TCP port 445, but you left out the most important part: exploitation
mitigation.
The patch associated with KB835732 is not mentioned. Nor is using either a software
FireWall or a NAT Router. If these are NOT used the user will just get re-infected or just
keep on getting the message...
NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
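
Added example, not part of the original posts: a Python helper that decodes the status code in the shutdown notice quoted above. -1073741819 is the signed 32-bit form of NTSTATUS 0xC0000005 (access violation), so the helper flags an lsass.exe crash with a memory-fault status as a prompt to check the patch and the exposure of TCP port 445. The function names and every sample line other than the quoted notice are constructed for illustration.

```python
import re

# Small subset of well-known NTSTATUS values that indicate a memory fault.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Matches the wording of the shutdown notice quoted in the post.
NOTICE_RE = re.compile(
    r"'(?P<image>[^']+)'\s+terminated unexpectedly with status code\s+(?P<code>-?\d+)",
    re.IGNORECASE,
)

def to_ntstatus(signed_code):
    """Reinterpret a signed 32-bit decimal exit status as an unsigned NTSTATUS."""
    return signed_code & 0xFFFFFFFF

def triage(lines):
    """Return one finding per line that reports an unexpected process termination."""
    findings = []
    for line in lines:
        m = NOTICE_RE.search(line)
        if not m:
            continue
        status = to_ntstatus(int(m.group("code")))
        # Keep only the file name, whatever path separator the log used.
        image = m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append({
            "image": image,
            "ntstatus": f"0x{status:08X}",
            "name": NTSTATUS_NAMES.get(status, "unknown"),
            # lsass.exe dying with a memory-fault status is the symptom the
            # post describes: verify the patch and filter inbound TCP 445.
            "check_patch_and_firewall": image == "lsass.exe" and status in NTSTATUS_NAMES,
        })
    return findings

# Constructed sample input: the first line is the notice from the post,
# the other two are made up for contrast.
SAMPLE = [
    r"'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819",
    r"'c:\windows\system32\spoolsv.exe' terminated unexpectedly with status code 1",
    "The system is shutting down. Please save all work in progress.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```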