I've read a lot of the threads about possible viruses and am now wondering if a new-ish variant of W32spybot isn't just getting started. I was hit with W32.Spybot.Worm after doing a very foolish thing. Three days ago I downloaded -but didn't install- a replacement Beta MicrosoftAntiSpy. This was after reformatting my laptop hard drive, reinstalling Win XP, setting the Norton firewall and AV configs, downloading updates, and installing other clean programs. In my haste to get my computer back up to speed I didn't go directly to MS for the antispy program... I know, shame on me... a first in 24 years of computing, and a big oops, as it turns out.
I unzipped and ran the setup for the program this AM and was immediately alerted to the presence of this worm. A NAV scan found 24 instances of it, 23 of them in the Microsoft Antispy program folder. I followed Symantec's recommendations for deleting the files and registry entries, got rid of the program, re-scanned and found only the one file still intact. It traces to WINDOWS/lsass.exe, and can't be fixed. My online research finds no references to the worm identified by this exact filename. I have found, on this site and others, several mentions of attacks tracked to lsasss.exe (an extra s), lsassz.exe (an added z), and saw both spellings with and without the capital L, but I find absolutely nothing about the worm masquerading as lsass.exe. Symantec's instructions for deleting registry entries for the lsasss and lsassz (and other w32spybot variants) don't jibe with my Service registry folders, so I stopped to research it more. I've already had to reboot from Safe once, and revert another time to an earlier config that was more stable.
Forgive my lengthy post but it seems from all I've read that this strain, whether it's new or not, is quite resistant, and the more information we share, the sooner a fix is possible. Unlike others posting on this site about a similar problem, I CAN access Task Manager (so far) but of course can't delete the lsass.exe processing. I've rebooted twice and won't do it again until I move intact zipped programs and files to an external hard drive for safekeeping. The lsass file size doubled almost right away after I highlighted it in TM and clicked delete; it's humming right along, gulping CPU and memory. I may have TM available whereas other people don't but I do experience two things that others aren't writing about. At startup, as fast as Windows opens I get a 'Network Connection' notice (definitely not a Norton alert) that 'you or a program has requested to connect to h.animeteam.net', and 'which connection do you want to use'. Action choices are 'connect' and 'cancel', along with a box I can check that says 'don't ask again until the next startup'. The second thing that happens immediately after startup is a Norton Firewall alert asking if I want to allow WINDOWS/lsass.exe to access the internet; the threat risk is LOW. Fortunately my firewall is set to block all outgoing and incoming on all ports until I temporarily unblock a program for use and plug in the modem. I was suspicious when an executable file that I'd twice set at 'always block' was somehow unblocking its setting and trying to connect again.
I'll continue reading your advice to other posters and try those solutions. But I do want to say that this doesn't seem like the good-old W32.spybot.Worm that we've heard about. Something is just too weird, considering it isn't recognized by AV programs yet. Any feedback is welcome!
-Biscuit-
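A defender-side check that the symptom in this post suggests, added here as an example and not part of the original post: the legitimate lsass.exe lives in %SystemRoot%\System32, so a process carrying that name (or the lsasss/lsassz misspellings mentioned above) that runs from anywhere else, or whose image is not validly signed, deserves a closer look. Assumes a current Windows PowerShell 5.1 session run as administrator; the function name Find-SuspiciousLsass is my own.

```powershell
# Added example (not from the post): report processes named lsass.exe or a
# near-lookalike whose image is not the signed %SystemRoot%\System32\lsass.exe.
# Assumes Windows PowerShell 5.1 run elevated so process paths can be read.
function Find-SuspiciousLsass {
    $legit = Join-Path (Join-Path $env:SystemRoot 'System32') 'lsass.exe'
    # Real name plus the misspellings the thread mentions (extra s, added z).
    # -match is case-insensitive, so "Lsass.exe" is covered as well.
    $lookalike = '^lsass[sz]?\.exe$'

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { "$($_.ProcessName).exe" -match $lookalike } |
        ForEach-Object {
            $name   = "$($_.ProcessName).exe"
            # Path can be unreadable for protected processes; treat that as a finding
            # to review rather than silently skipping it.
            $path   = try { $_.Path } catch { $null }
            $reason = @()

            if ($name -ne 'lsass.exe') { $reason += "lookalike name $name" }

            if (-not $path) {
                $reason += 'image path unreadable'
            } else {
                if ($path -ne $legit) { $reason += "image outside System32 ($path)" }
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $reason += "signature $($sig.Status)" }
            }

            if ($reason.Count -gt 0) {
                [pscustomobject]@{
                    PID    = $_.Id
                    Name   = $name
                    Path   = $path
                    Reason = ($reason -join '; ')
                }
            }
        }
}

Find-SuspiciousLsass | Format-Table -AutoSize
```

A healthy system prints nothing; the real lsass.exe in System32 with a valid Microsoft signature is excluded by construction, so any row is worth investigating before trusting the firewall prompt it generates.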