w32.spybot.worm can't shake it. HELP

Discussion in 'malware problems & news' started by Astro, Aug 10, 2003.

Thread Status:
Not open for further replies.
  1. Astro

    Astro Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    2
    I have detectedw32.spybot.worm on my computer. I used Norton, but cannot quarrantine, repair or delete the sucker.

    I have gone through most of the recomendations, but my configsys will not run, and neither will regedit. Configsys will not come up at all and regedit will only flash for a second. Also, I cannot get the Auto protect or email scan to work on the Norton program.

    I've tried a trend microsystem cleaner and it didn't find or cure anything.

    I appreciate any help,

    Astro
     
  2. Astro

    Astro Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    2
    highjack this system log

    Scan saved at 9:24:35 PM, on 8/9/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe
    C:\WINDOWS\TVTMD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.astros.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PTI NET Alaska
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON PhotoStarter] C:\Program Files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe
    O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: TFTP1116
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .frm: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O12 - Plugin for .ufd: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O12 - Plugin for .xfd: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O12 - Plugin for .xfdl: C:\PROGRA~1\INTERN~1\Plugins\npmfv.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: Yahoo! Checkers - http://yog8.yahoo.com/yog/y/kk3_x.cab
    O16 - DPF: Yahoo! Hearts - http://yog6.yahoo.com/yog/y/hk2_x.cab
    O16 - DPF: Yahoo! Word Racer - http://yog20.yahoo.com/yog/y/wq0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {06D5218D-079C-11D3-B2D1-00A0C98684AC} (McAfee Hardware Finder Control) - http://download.mcafee.com/molbin/clinic/hwf/mghwinfo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/OilChange/MGOcFilt.cab
    O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
    O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
    O16 - DPF: {4AE3239D-18C5-11D3-9634-0060080A3AB6} (McAfee PC Clinic System Information Class) - http://download.mcafee.com/molbin/Clinic/sysinfo/sicomp.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0603dec34f6b5ad46f06/netzip/RdxIE601.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchaxdwnl.cab?version=1,0,2,12011
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37695.877037037
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F006B340-E87B-4893-8A37-E074962E6036}: NameServer = 208.138.130.16 206.96.62.16
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Astro,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
    O16 - DPF: Win32 Classes -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0603dec34f6b5ad46f06/netzip/RdxIE601.cab
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab


    Reboot after doing so, preferably into safe mode and delete:
    C:\WINDOWS\TVTMD.exe

    I don't see the Winsock2 driver startup, normally associated with the Spybot infection.
    The file you are looking for is probaly hidden:
    How to show Hidden Files in Windows Explorer

    Regards,

    Pieter
     
  4. Cookie

    Cookie Guest

    You will find your answer for removal on this site.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html :)

    Having problems to stay logged in but it's Peaches4U that is posting.
     
  5. BWMerlin

    BWMerlin Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    71
    What u need to do is find were the virus is (norton should give u a file name, i was infected and mine was something like c:\windows\system32\xxxxxx were xxxxxx is the name of the infected file) then restart in safe mode and delete it, before restarting delete it from the rubbish bin. Once u have restated go into norton and the quaraintined section and delete the files there.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.