#1
I have a virus on my computer called the W32spybot.worm.
I cannot seem to get the virus out. I have done everything I know to do, could someone pleaseeeeeeeeeeeeeeeeeeeeeeeeeee help me. I'm at my wits' end with this thing. Thank you so much, Robin Phillips
#2
Hi punkin!
Can you give us a bit more info, such as what program/means did you use to determine that you were infected? (I am assuming here the clean/delete feature for the product wasn't sufficient to remove it.) What OS are you running?

Can you please download and run DCS's AutostartViewer from http://www.diamondcs.com.au/downloads/asviewer.zip
Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

Also, if you are running NT/2K/XP, can you please download DCS's OpenPorts program from http://www.diamondcs.com.au/downloads/openports.zip
Unzip openports.exe in your Windows directory, and open up your Command Prompt and type:
openports > openports.txt
and then press the Enter key. Then type:
openports.txt
and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review.

Thanks!
Dan
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#3
Hello Punkin!
Here is a link for Trend Micro's Virus Encyclopedia: http://www.trendmicro.com/vinfo/viru...=WORM_SPYBOT.A
It will give you some more info and instructions on what to do about it. Bookmark it for the next time you need to find what you have got.
(Note to Dan: I would have got here sooner but seems there are some network problems (mine) so I had to reboot. LOL.)
Best regards from Larry
__________________
Author: Rootkits For Dummies 2007: Reviews My Website: Windows Security Checklist MVP - Windows Security - 2006 & 2007
#4
Lol, Thanks Larry!
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#5
There is more than one spybot worm, and it could be this one:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN
#6
I got this stupid worm also. Is there a download available like the msblast.exe created by Microsoft? Please help, this thing is driving me crazy.
Thanks, any help welcome, mike
#7
Reiteration for clarification:
W32.Spybot.Worm removal instructions: http://securityresponse.symantec.com...alinstructions
W32.Blaster.Worm removal tool: http://securityresponse.symantec.com...oval.tool.html
__________________
AplusWebMaster ~ www.apluswebmaster.net Are you up to date or vulnerable to Hackers?
#8
I also have the w32.spybot.worm in my iexplore.exe file. I have followed the Symantec instructions up to the point of starting the computer in safe mode, but then stopped because the next step is to delete the iexplore.exe file. If I do this, doesn't this disable my Internet Explorer? Please help. Thank you
#9
In the steps online I don't see the iexplorer.exe mentioned to be deleted?
Or is it infected too? Can you in the find/search locate another clean copy of that file?
__________________
Jooske "o_o"
#10
Hi Jooske,
Thanks for the reply. When I said that the next step was to delete the iexplore.exe file, I guess I did not state that my Norton program told me that the infected file was the iexplore.exe file. Can I just find another file of this name from somewhere else and copy it to the same directory after deleting the infected one? Thanks
#11
Thinking......... First of all, try to locate if there are others on your system anyway.
What you can do, as a way of not losing the file altogether if it doesn't work: in Windows Explorer, go to that infected file and rename it, for instance to iexplorer.exe.bak, so this disables it from functioning. You have System Restore still disabled?
Now first close all the av/at and other unnecessary stuff at this moment. Then go to the Control Panel > Software > Add/Remove, find the Microsoft Internet Explorer (your version) and click it one time; you should get a popup with an option for a repair install. After that you'll have to reboot. All security can be up again now. Then try if the IE functions fine on internet, which I hope it does. If so, enable System Restore and manually make a new restore point now! If IE keeps running fine, please delete the infected iexplorer.exe.bak file. Fingers crossed!
If the file was a 0 bytes copy of the original you can safely delete it without all this extra trouble, btw!
__________________
Jooske "o_o"
#12
I have that dang thang too! Emmm, here's my report?
c:\windows\system32\autoexec.nt C:\WINDOWS\system32\mscdexnt.exe C:\WINDOWS\system32\redir.exe C:\WINDOWS\system32\dosx.exe c:\windows\system32\config.nt C:\WINDOWS\system32\himem.sys c:\windows\wininit.ini [rename] NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~ROKEN~1.GIF NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~ORE_D~1.GIF NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~H-MEM~1.GIF NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~YSIRE~1.GIF NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~LEIGH~1.MID NUL=C:\Program Files\earthlinkim\uninstll.exe NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~edad.jpg NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~edad3.jpg NUL=C:\WINDOWS\downlo~1\ymsgrins.exe c:\windows\system.ini [drivers] timer=timer.drv c:\windows\system.ini [boot]\shell C:\WINDOWS\Explorer.exe c:\windows\system.ini [boot]\scrnsave.exe C:\WINDOWS\System32\logon.scr HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\WINDOWS\Explorer.exe HKCU\Control Panel\Desktop\scrnsave.exe C:\WINDOWS\System32\logon.scr HKCR\vbsfile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %* HKCR\vbefile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %* HKCR\jsfile\shell\open\command\ C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1 HKCR\jsefile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %* HKCR\wshfile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %* HKCR\wsffile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray C:\WINDOWS\System32\igfxtray.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds C:\WINDOWS\System32\hkcmd.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LimeShop wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mIRC32 C:\WINDOWS\shostt.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FullAudio C:\PROGRA~1\EARTHL~4\WMPImporter.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\zzzHPSETUP D:\Setup.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task C:\Program Files\QuickTime\qttask.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\mIRC32 C:\WINDOWS\shostt.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IM C:\Program Files\earthlinkim\aim.exe -cnetwait.odl HKCU\Software\Microsoft\Windows\CurrentVersion\Run\E6TaskPanel C:\Program Files\EarthLink TotalAccess\TaskPanl.exe HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ C:\WINDOWS\system32\SHELL32.dll C:\WINDOWS\system32\SHELL32.dll C:\WINDOWS\System32\webcheck.dll C:\WINDOWS\System32\stobject.dll C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job C:\PROGRA~1\NORTON~1\NAVW32.exe C:\WINDOWS\Tasks\Symantec NetDetect.job C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute autocheck autochk * HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINDOWS\system32\userinit.exe HKLM\System\CurrentControlSet\Control\WOW\cmdline C:\WINDOWS\system32\ntvdm.exe HKLM\System\CurrentControlSet\Control\WOW\wowcmdline C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ C:\WINDOWS\system32\mswsock.dll C:\WINDOWS\system32\rsvpsp.dll HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ C:\WINDOWS\inf\unregmp2.exe /ShowWMP HKLM\Software\Microsoft\Active Setup\Installed 
Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\ RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\ %ProgramFiles%\Outlook Express\setup50.exe HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\ %ProgramFiles%\Outlook Express\setup50.exe HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\ regsvr32.exe /s /n /i:U shell32.dll HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\ C:\WINDOWS\System32\ie4uinit.exe HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\ C:\WINDOWS\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl HKLM\Software\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\ rundll32 iesetup.dll,IEAccessUserInst HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\ C:\WINDOWS\system32\JAVASUP.VXD HKLM\System\CurrentControlSet\Services\AFD\ C:\WINDOWS\System32\drivers\afd.sys HKLM\System\CurrentControlSet\Services\AudioSrv\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Browser\ 
C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\C-DillaSrv\ C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE HKLM\System\CurrentControlSet\Services\CryptSvc\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Dhcp\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Dnscache\ C:\WINDOWS\System32\svchost.exe -k NetworkService HKLM\System\CurrentControlSet\Services\ERSvc\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Eventlog\ C:\WINDOWS\system32\services.exe HKLM\System\CurrentControlSet\Services\helpsvc\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\lanmanserver\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\lanmanworkstation\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\LmHosts\ C:\WINDOWS\System32\svchost.exe -k LocalService HKLM\System\CurrentControlSet\Services\Messenger\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\navapsvc\ C:\Program Files\Norton AntiVirus\navapsvc.exe HKLM\System\CurrentControlSet\Services\PlugPlay\ C:\WINDOWS\system32\services.exe HKLM\System\CurrentControlSet\Services\PolicyAgent\ C:\WINDOWS\System32\lsass.exe HKLM\System\CurrentControlSet\Services\ProtectedStorage\ C:\WINDOWS\system32\lsass.exe HKLM\System\CurrentControlSet\Services\RpcSs\ C:\WINDOWS\system32\svchost -k rpcss HKLM\System\CurrentControlSet\Services\SamSs\ C:\WINDOWS\system32\lsass.exe HKLM\System\CurrentControlSet\Services\SBService\ C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe HKLM\System\CurrentControlSet\Services\Schedule\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\seclogon\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\SENS\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\ShellHWDetection\ 
C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Spooler\ C:\WINDOWS\system32\spoolsv.exe HKLM\System\CurrentControlSet\Services\srservice\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\stisvc\ C:\WINDOWS\System32\svchost.exe -k imgsvc HKLM\System\CurrentControlSet\Services\SYMTDI\ \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS HKLM\System\CurrentControlSet\Services\Themes\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\TrkWks\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\uploadmgr\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\W32Time\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\WebClient\ C:\WINDOWS\System32\svchost.exe -k LocalService HKLM\System\CurrentControlSet\Services\winmgmt\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\wuauserv\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\WZCSVC\ C:\WINDOWS\System32\svchost.exe -k netsvcs |
#13
Hi Kendall,
Did you have a look at the sites APlusWebMaster posted? Also, I'm by no means an expert in these logs, but these look suspicious to me:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mIRC32 C:\WINDOWS\shostt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\mIRC32 C:\WINDOWS\shostt.exe
Wait for the real experts to jump in.
Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#14
Quote:
But you are: these are the same items as the "O4 - HKLM\..\Run" entries you'll find in a Hijack This log, and you're absolutely right to tag them as suspect. The fact that this shostt.exe file has not one, but two startup entries (one in Run, and the other in RunServices) only reinforces the suspicion it's up to no good at all. Kendall, would you please do the following: Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents. Most of what it lists will be harmless or even required, so do NOT fix anything yet. Someone here will be happy to help you analyze the results.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
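
An added illustration of the point made in the post above, not part of the thread and not code from HijackThis or AutostartViewer: it normalizes Run-type autostart entries from both log styles and lists any executable that is started from more than one key, which is a triage signal only. The function names and the one-line "key, space, command" layout (as the report appears pasted in this thread) are assumptions; the sample lines are constructed from entries quoted in the thread.

```python
import re
from collections import defaultdict

# HijackThis form:  O4 - HKLM\..\Run: [name] command
# (O4 "Startup:" shortcut lines are not registry Run entries and are skipped.)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Full-path form as pasted in the thread:  HKLM\...\CurrentVersion\Run\name command
FULL_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run\w*)\\(?P<name>.+?)\s+(?P<cmd>\"?[A-Za-z]:\\.+)$",
    re.IGNORECASE)
# Program part of an unquoted command: everything up to the first executable
# extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)", re.IGNORECASE)


def executable(cmd):
    """Return the program part of an autostart command, lower-cased
    (Windows paths are case-insensitive)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        m = EXE_RE.match(cmd)
        path = m.group(1) if m else cmd.split()[0]
    return path.lower()


def parse(lines):
    """Yield (location, value_name, executable) for each recognised entry."""
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line) or FULL_RE.match(line)
        if m:
            location = f"{m['hive'].upper()}\\{m['key']}"
            yield location, m["name"], executable(m["cmd"])


def multiply_registered(lines):
    """Map executable -> sorted autostart locations, for files that are
    started from two or more different keys."""
    seen = defaultdict(set)
    for location, _name, exe in parse(lines):
        seen[exe].add(location)
    return {exe: sorted(locs) for exe, locs in seen.items() if len(locs) > 1}


# Constructed sample: entries copied from the two logs quoted in this thread.
SAMPLE = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mIRC32 C:\WINDOWS\shostt.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\mIRC32 C:\WINDOWS\shostt.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IM C:\Program Files\earthlinkim\aim.exe -cnetwait.odl",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
    r"O4 - HKCU\..\Run: [5-2-101-4] c:\windows\5-2-101-4.exe -m",
]

if __name__ == "__main__":
    for exe, locations in multiply_registered(SAMPLE).items():
        print(f"{exe} is started from: {', '.join(locations)}")
```

An entry listed here still needs the manual review the helpers describe; legitimate software can also register itself in more than one place.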
#15
Is this the same problem http://www.dslreports.com/fo...ty,1~mode=flat
http://www.wilderssecurity.com/showthread.php?t=13104 Added URL tags
#16
I need help, I have the spy bot worm. And I can't seem to work the problem out. I have done all that I know to do and I downloaded spywareblaster. I just don't know what to do and I don't know much about computers. If you can help me pleaaaaaaaaaaaaaassssssssssssssssssssseeeeeeeeeeeeeeee. Thank you, naomi
#17
Hi,
Please do the following: Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents. Most of what it lists will be harmless or even required, so do NOT fix anything yet. Someone here will be happy to help you analyze the results.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#18
Thank you for your help. Here are the logs you needed to help me to fix my problem.
Logfile of HijackThis v1.97.2 Scan saved at 1:15:27 PM, on 9/18/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\HP\KBD\KBD.EXE C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe C:\Program Files\Internet Optimizer\optimize.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Yahoo!\browser\ybrwicon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\Program Files\SBC\Connection Manager\CManager.exe C:\Program Files\Webshots\WebshotsTray.exe C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE C:\Program Files\Yahoo!\browser\ybrowser.exe C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalwebsearch.com/ie_search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalwebsearch.com/ie_search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalwebsearch.com/ie_search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globalwebsearch.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file) R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O1 - Hosts: 217.116.231.7 aimtoday.aol.com O1 - Hosts: 217.116.231.7 aimtoday.aol.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem214.dll O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll O3 - Toolbar: &Yahoo! 
Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [Yahoo! 
Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [5-2-101-4] c:\windows\5-2-101-4.exe -m O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - HKCU\..\Run: [Washer] c:\\Program Files\Washer\washer.exe /0 O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{7871D814-1F46-4E06-AEEB-0847B9EFB9C2}: NameServer = 151.164.1.8 151.164.11.201 |
#19
Hi naomi,
Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked: R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalwebsearch.com/ie_search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalwebsearch.com/ie_search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalwebsearch.com/ie_search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globalwebsearch.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file) R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem214.dll O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll O4 - HKCU\..\Run: [5-2-101-4] c:\windows\5-2-101-4.exe -m O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe Reboot after doing so, preferably into safe mode and delete: C:\windows\5-2-101-4.exe Then download Spybot - Search & Destroy After installing, first press Online, and 
search for, put a check mark at, and install all updates. Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red. Or, download Ad-Aware at lavasoft.usa.com After installing AAW, and before running the program, update by using the Globe icon. Shut down and restart Ad-Aware. Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives. It will find a number of "bad" files and registry keys. Click 'Next' again. Rightclick in that pane and choose "select all" and click 'next'. It will ask you whether you'd like to remove all checked items. Click OK. Finally, close Ad-Aware, and reboot. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#20
Thank you very much, that helped me out a lot. And fixed my problem. I couldn't have done it without you. Thank you again.
#21
My pleasure.
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#22
I purchased and ran McAfee. I scanned my system for viruses, it detected the same worm that you have in three separate files, and automatically cleaned them (a verification message displayed at the end of the process.)