w32.spybot.worm can't shake it. HELP

Discussion in 'malware problems & news' started by Astro, Aug 10, 2003.

Thread Status:
Not open for further replies.
  1. Astro

    Astro Registered Member

    Aug 10, 2003
    I have detected w32.spybot.worm on my computer. I used Norton, but cannot quarantine, repair or delete the sucker.

    I have gone through most of the recommendations, but my configsys will not run, and neither will regedit. Configsys will not come up at all and regedit will only flash for a second. Also, I cannot get the Auto protect or email scan to work on the Norton program.

    I've tried a trend microsystem cleaner and it didn't find or cure anything.

    I appreciate any help,

  2. Astro

    Astro Registered Member

    Aug 10, 2003
    HijackThis system log

    Scan saved at 9:24:35 PM, on 8/9/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.astros.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PTI NET Alaska
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON PhotoStarter] C:\Program Files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe
    O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: TFTP1116
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .frm: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O12 - Plugin for .ufd: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O12 - Plugin for .xfd: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O12 - Plugin for .xfdl: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: Yahoo! Checkers - http://yog8.yahoo.com/yog/y/kk3_x.cab
    O16 - DPF: Yahoo! Hearts - http://yog6.yahoo.com/yog/y/hk2_x.cab
    O16 - DPF: Yahoo! Word Racer - http://yog20.yahoo.com/yog/y/wq0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {06D5218D-079C-11D3-B2D1-00A0C98684AC} (McAfee Hardware Finder Control) - http://download.mcafee.com/molbin/clinic/hwf/mghwinfo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/OilChange/MGOcFilt.cab
    O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
    O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
    O16 - DPF: {4AE3239D-18C5-11D3-9634-0060080A3AB6} (McAfee PC Clinic System Information Class) - http://download.mcafee.com/molbin/Clinic/sysinfo/sicomp.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchaxdwnl.cab?version=1,0,2,12011
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37695.877037037
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F006B340-E87B-4893-8A37-E074962E6036}: NameServer =
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi Astro,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
    O16 - DPF: Win32 Classes -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab

    Reboot after doing so, preferably into safe mode and delete:

    I don't see the Winsock2 driver startup, normally associated with the Spybot infection.
    The file you are looking for is probably hidden:
    How to show Hidden Files in Windows Explorer
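The reply above singles out a handful of entries from the log in the previous post: a BHO marked "(file missing)", O16 DPF entries with no download URL, and Run entries that do not belong to a known product. The following Python script is an added example, not code from this thread or from HijackThis; it parses HijackThis-style log lines and applies a few triage heuristics modelled on those picks (orphaned "(file missing)" registrations, DPF entries with an empty URL, startup entries with no executable path, and executables launched straight from the Windows directory root). The heuristics and the sample log lines are constructed for illustration and are an assumption about how such a log would be reviewed, not rules stated by the reply.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in HijackThis log format, modelled on the
# log posted in this thread (benign entries mixed with the ones the reply flags).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
O4 - HKLM\..\Run: [EPSON PhotoStarter] C:\Program Files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
O4 - Global Startup: TFTP1116
O16 - DPF: Win32 Classes -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# One HijackThis entry: section code (O2, O4, O16, R0 ...) and the rest of the line.
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")
# First drive-letter path ending in an executable extension (quoted or not).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|bat|cmd|scr|pif)\b', re.I)
# A file sitting directly in the Windows directory (not in System32 or another subfolder).
WIN_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the original log line
    reason: str    # why it was flagged for review


def parse_entries(log_text):
    """Return (section, body, full_line) for every line that looks like a HijackThis entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def startup_target(body):
    """Extract the executable path from an O4 entry body, or None if there is none."""
    # Drop the "HKLM\..\Run:" / "Global Startup:" prefix and any "[name]" label.
    command = body.split(": ", 1)[1] if ": " in body else body
    command = re.sub(r"^\[[^\]]*\]\s*", "", command)
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def triage(log_text):
    """Apply the review heuristics (assumed, see lead-in) and return the flagged entries."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if body.endswith("(file missing)"):
            findings.append(Finding(section, line, "registered component whose file is missing"))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append(Finding(section, line, "DPF entry with no download URL"))
        elif section == "O4":
            target = startup_target(body)
            if target is None:
                findings.append(Finding(section, line, "startup entry with no executable path"))
            elif WIN_ROOT_RE.match(target):
                findings.append(Finding(section, line, "executable runs directly from the Windows directory root"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample, the script flags the CSBHO entry, the two empty-URL O16 entries, the TVTMD Run entry and the pathless TFTP1116 startup item, and leaves the Norton, EPSON, RealPlayer and Flash entries alone. The output is a shortlist for a human to review, as the reply above does by hand; it does not decide anything on its own.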


  4. Cookie

    Cookie Guest

    You will find your answer for removal on this site.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html :)

    Having problems to stay logged in but it's Peaches4U that is posting.
  5. BWMerlin

    BWMerlin Registered Member

    Aug 11, 2003
    What you need to do is find where the virus is (Norton should give you a file name; I was infected and mine was something like c:\windows\system32\xxxxxx where xxxxxx is the name of the infected file), then restart in safe mode and delete it, and before restarting delete it from the rubbish bin. Once you have restarted, go into Norton and the quarantined section and delete the files there.