VIRUS--please help!


I have a virus/worm on my laptop (Dell Inspiron 3800, Windows 2000 Pro, Celeron, 296MB RAM). It came from a spam email, from a ZIP attachment that had an exe inside. Stupid, I know. It was from ...@cia.gov, and it went something like this: "Your IP address has been linked to 30 illegal websites" and said a questionnaire was attached. Of course most of you here would delete this as spam instantly, but just to let you know.

So here's what it's done: a folder was created inside WINNT called WinSecurity. Inside this folder are copies of 3 services: services.exe, lsass.exe, csrss.exe, maybe another one, and some other files like .dli or something. 2 registry keys have been created, one in Local Machine/Software/Microsoft/Current Version/Run, the other in Current User and same path. They are: run WINNT/WinSecurity/services.exe. If I delete these keys, they return immediately. Tiny Personal Firewall keeps popping up saying: "...Noticed that the file lsass.exe has been replaced. Do you accept this?" Over and over. And a window saying "Windows could not open the file LSASS.exe". I can operate the computer otherwise; I have to move these. In the task manager, I see "lsass.exe" and "LSASS.exe" and the same for the others. Which one is the fake one? One of them tried to connect to something in the UK but Tiny stopped it.

So, as Windows thinks these executables are services, I can't stop them via Task Manager and I can't delete them.

Antivirus: I have the Avast! free home version, latest virus updates 20.11 (Nov. 20th) and apparently this virus isn't in it, as it didn't pick it up in a scan.

I could wait until Avast updates next, which could be a few days, or somehow remove these **** things manually, but I don't know how. Any advice would be greatly appreciated.


1. Boot into Safe Mode (F8).

2. Run... -> sfc /scannow (repairs the original system files);

3. Run -> msconfig.exe (or another autorun utility; I recommend Starter). Cut off all suspicious objects (especially those from WinSecurity);

4. Check all services and turn off everything that is left (non-system ones). Which are system and which are not? Look at this.

5. Now try to delete the "WinSecurity" folder.

6* If that does not help, act hard: sfc /scannow, reboot into DOS (do not load the system!) and delete "WinSecurity".

Edited by Dr.God
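
On the question "Which one is the fake one?": the genuine services.exe, lsass.exe and csrss.exe run only from the System32 directory under the Windows folder, so a copy running from WINNT\WinSecurity is the impostor. The following is an added example, not part of either post, that applies that check to a process listing and to Run-key commands. It assumes the listing includes full image paths (Task Manager on Windows 2000 does not show them, so it would come from another tool) and a system root of `C:\WINNT`; the PIDs, Run value names and the `audit`/`is_masquerading` helpers are constructed for illustration.

```python
import ntpath

# Core system process names from the post; genuine images live only in
# %SystemRoot%\System32.
SYSTEM_NAMES = {"services.exe", "lsass.exe", "csrss.exe"}

def image_of(command):
    """Extract the executable path from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx != -1 else cmd

def is_masquerading(command, system_root=r"C:\WINNT"):
    """True if a core system process name is used from outside System32."""
    path = ntpath.normcase(ntpath.normpath(image_of(command)))
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    directory = ntpath.dirname(path)
    # A bare name with no directory cannot be judged, so it is not flagged.
    return (ntpath.basename(path) in SYSTEM_NAMES
            and directory != "" and directory != expected)

def audit(processes, run_entries, system_root=r"C:\WINNT"):
    """Return (kind, identifier, path) for every masquerading entry."""
    findings = [("process", pid, path) for pid, path in processes
                if is_masquerading(path, system_root)]
    findings += [("run-key", hive + "\\" + name, cmd)
                 for hive, name, cmd in run_entries
                 if is_masquerading(cmd, system_root)]
    return findings

# Constructed sample data modelled on the description in the first post.
SAMPLE_PROCESSES = [
    (172, r"C:\WINNT\system32\csrss.exe"),
    (224, r"C:\WINNT\system32\services.exe"),
    (236, r"C:\WINNT\system32\lsass.exe"),
    (1040, r"C:\WINNT\WinSecurity\LSASS.exe"),
    (1052, r"C:\WINNT\WinSecurity\services.exe"),
]
SAMPLE_RUN = [
    ("HKLM", "WinSecurity", r'"C:\WINNT\WinSecurity\services.exe"'),
    ("HKCU", "WinSecurity", r"C:\WINNT\WinSecurity\services.exe -s"),
    ("HKLM", "Synchronization Manager", r"mobsync.exe /logon"),
]

if __name__ == "__main__":
    for kind, ident, path in audit(SAMPLE_PROCESSES, SAMPLE_RUN):
        print(kind, ident, path)
```

The name comparison is case-insensitive, so "lsass.exe" and "LSASS.exe" are treated as the same name and only the directory distinguishes them.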