SPY BOT WORM

Discussion in 'malware problems & news' started by Punkin_225, Aug 7, 2003.

Thread Status:
Not open for further replies.
  1. Punkin_225

    Punkin_225 Guest

    I have a virus on my computer called the W32spybot.worm.
    I cant not seem to get the virus out , I have done everything i know to do, could some one pleaseeeeeeeeeeeeeeeeeeeeeeeeeee, help me. Im at my wits end with this thing :mad: .

    Thank you so much,
    Robin Phillips
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi punkin!

    Can you give us a bit more info such as what program/means did you use to determine that you were infected? (I am assuming here the clean/delet feature for the product wasn't sufficient to remove it)

    What OS are you running?

    Can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    also if you are running NT/2K/XP,

    Can you please download DCS's OpenPorts program from

    http://www.diamondcs.com.au/downloads/openports.zip

    Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

    openports > openports.txt

    and then press the Enter key

    Then type;

    openports.txt

    and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review.

    Thanks!

    Dan
     
  3. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hello Punkin!

    Here is a link for Trend Micro's Virus Encyclopedia: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.A

    It will give you some more info and instructions on what to do about it. Bookmark it for the next time you need to find what you have got.

    (Note to Dan: I would have got here sooner but seems there are some network problems (mine) so I had to reboot. LOL.)

    Best regards from Larry :)
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Lol, Thanks Larry! ;)
     
  5. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    There is more than one spybot worm, and it could be this one:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN
     
  6. mictewall

    mictewall Guest

    i got this stupid worm also, is there a download available like the msblast.exe created by microsoft, please help, this thing is driving me crazy

    thanks, any help welcome
    mike
     
  7. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  8. Robert Kluck

    Robert Kluck Guest

    I also have the w32.spybot.worm in my iexplore.exe file. I have followed the Symantec instructions up to the point of starting the computer in safe mode, but then stopped because the next step is to delete the iexplore.exe file. If I do this, doesn't this disable my Internet Explorer? Please help. Thank you
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the steps online i don't see the iexplorer.exe mentioned to be deleted?
    Or is it infected too?
    Can you in the find/search locate another clean copy of that file?
     
  10. Robert Kluck

    Robert Kluck Guest

    Hi Jooske,
    Thanks for the reply. When I said that the next step was to delete the iexplore.exe file, I guess I did not state that my Norton program told me that the infected file was the iexplore.exe file. Can I just find another file of this name from somewhere else and copy it to the same directory after deleting the infected one? Thanks
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thinking......... first of all try to locate if there are others on your system anyway.
    what you can do, a way for not losing the file altogether if it doesn't work, in windows explorer, go to that infected file and rename it, for instance into iexplorer.exe.bak
    so this disables it from functioning.
    You have system restore still disabled?
    Now first close all the av/at and other unnecessary stuff at this moment.
    Then go to the control panel > software > add/remove, find the microsoft internet explorer (your version)
    and click it one time; you should get a popup with an option for a repair install.
    After that you'll have to reboot.
    All security can be up again now.
    Then try if the IE functions fine on internet which i hope it does.
    If so, enable system restore and make now manually a new restore point!
    If IE keeps running fine please delete the infected iexplorer.exe.bak file.
    Fingers crossed!

    If the file was a 0 bytes copy of the original you can safely delete it without all this extra trouble, btw!
     
  12. Kendall

    Kendall Guest

    i have that dang thang too! emmm heres my report?
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~ROKEN~1.GIF
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~ORE_D~1.GIF
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~H-MEM~1.GIF
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~YSIRE~1.GIF
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~LEIGH~1.MID
    NUL=C:\Program Files\earthlinkim\uninstll.exe
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~edad.jpg
    NUL=C:\DOCUME~1\Owner\LOCALS~1\Temp\~edad3.jpg
    NUL=C:\WINDOWS\downlo~1\ymsgrins.exe
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOWS\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LimeShop
    wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mIRC32
    C:\WINDOWS\shostt.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FullAudio
    C:\PROGRA~1\EARTHL~4\WMPImporter.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\zzzHPSETUP
    D:\Setup.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Share-to-Web Namespace Daemon
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\mIRC32
    C:\WINDOWS\shostt.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IM
    C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\E6TaskPanel
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\System32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINDOWS\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
    HKLM\Software\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\
    rundll32 iesetup.dll,IEAccessUserInst
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\C-DillaSrv\
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Kendall,

    Did you have a look at the sites APlusWebMaster posted?

    Also, I´m by no means an expert in these logs, but these look suspicious to me:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mIRC32
    C:\WINDOWS\shostt.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\mIRC32
    C:\WINDOWS\shostt.exe

    Wait for the real experts to jump in.

    Regards,

    Pieter
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    But you are: these are the same items as the "O4 - HKLM\..\Run" entries you'll find in a Hijack This log, and you're absolutely right to tag them as suspect.

    The fact that this shostt.exe file has not one, but two startup entries (one in Run, and the other in RunServices) only reinforces the suspicion it's up to no good at all.

    Kendall, would you please do the following:

    Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  15. happin  in

    happin in Guest

    Is this the same problem http://www.dslreports.c
    om/forum/remark,7770090~root=security,1~mode=flat
    http://www.wilderssecurity.com/showthread.php?t=13104





    Added URL tags
     
  16. naomi

    naomi Guest

    o_OI need help I have the spy bot worm. And I cant seem to work the problem out. I have done all that I know to do and I downloaded spywareblaster . I just dont know what to do and I dont know much about computers. If you can help me pleaaaaaaaaaaaaaassssssssssssssssssssseeeeeeeeeeeeeeee. thank you
    naomi
     
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi,

    Please do the following:

    Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  18. naomi

    naomi Guest

    Thank you for your help. Here is the logs you needed to help meto fix my problem.

    Logfile of HijackThis v1.97.2
    Scan saved at 1:15:27 PM, on 9/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalwebsearch.com/ie_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globalwebsearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem214.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [5-2-101-4] c:\windows\5-2-101-4.exe -m
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Washer] c:\\Program Files\Washer\washer.exe /0
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7871D814-1F46-4E06-AEEB-0847B9EFB9C2}: NameServer = 151.164.1.8 151.164.11.201
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi naomi,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalwebsearch.com/ie_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalwebsearch.com/ie_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globalwebsearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html

    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem214.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll

    O4 - HKCU\..\Run: [5-2-101-4] c:\windows\5-2-101-4.exe -m

    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe


    Reboot after doing so, preferably into safe mode and delete:
    C:\windows\5-2-101-4.exe

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Regards,

    Pieter
     
  20. naomi

    naomi Guest

    :D :D :D :D :D
    Thank you verey much that helped me out alot. And fixed my problem. I couldn't have done it with out you. Thank you again.
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    My pleasure. :)
     
  22. Sharon Gano

    Sharon Gano Guest

    I purchased and ran McAfee. I scanned my system for viruses, it detected the same worm that you have in three separate files, and automatically cleaned them (a verification message displayed at the end of the process.) :-*
     
Loading...
Thread Status:
Not open for further replies.