W32.Spybot.worm , need help

Discussion in 'malware problems & news' started by Chronic, Jul 6, 2003.

Thread Status:
Not open for further replies.
  1. Chronic

    Chronic Registered Member

    Joined:
    Jul 6, 2003
    Posts:
    4
    This morning Norton Antivirus detected W32.Spybot.worm in C:\Documents and Settings\All Users\Documents\explore.exe. My antivirus is up to date and I ran a system scan and it didn't find it even though it detected it earlier in the activity list. I looked manually in the folder where it was detected but I don't see it. I downloaded HijackThis and ran it but I don't see anything here either.

    Logfile of HijackThis v1.95.0
    Scan saved at 2:34:03 PM, on 7/6/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WeatherCast\Weather.exe
    C:\Program Files\rage3dtweak\gameutil.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton AntiVirus\QConsole.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\mspaint.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Windows XP Pro\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\REGEDIT.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
    O4 - Global Startup: gameutil.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/302da0e4684fa8251103/netzip/RdxIE601.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37738.9094328704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I ran Spybot Search & Destroy and Ad-Aware but didn't see anything relating to this worm. How do I find it and delete it for good, or am I out of luck?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Chronic,

    Welcome at Wilders. :)
    Sounds and looks to me like you already got rid of it.

    You can double-check by doing an online scan.
    Several are listed here: http://www.wilders.org/free_services.htm

    Did you choose to leave SaveNow aka WhenUSave installed when you ran Ad-Aware and Spybot?

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/302da0e4684fa8251103/netzip/RdxIE601.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB

    If you want to get rid of SaveNow, first look under Add/Remove Software if it is listed there and remove it.
    Then add these to the ones above:
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q

    HTH,

    Pieter
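    A worked example, added here and not part of the original thread: a small Python triage helper that parses HijackThis O4/O16 lines like the ones Chronic posted and flags the two categories Pieter picked out (ActiveX downloads served from a bare IP address, and Run entries whose names match known adware). The watch-list of adware names is an assumption built from this thread (SaveNow/WhenUSave, WeatherCast); the sample log lines are constructed from the log above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a few lines in HijackThis 1.9x log format, taken from the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\navapw32.exe
O4 - HKLM\\..\\Run: [WhenUSave] C:\\Program Files\\Save\\Save.exe
O4 - HKCU\\..\\Run: [WeatherCast] C:\\Program Files\\WeatherCast\\Weather.exe /q
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/302da0e4684fa8251103/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed watch-list of adware Run-key names (from the thread: SaveNow/WhenUSave, WeatherCast).
ADWARE_RUN_NAMES = {"whenusave", "savenow", "weathercast"}

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O16 - DPF: {CLSID} (description) - url
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")


def is_ip_host(url):
    """True when the URL's host is a literal IP address rather than a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return a list of (line, reason) for log entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m and m.group("name").lower() in ADWARE_RUN_NAMES:
            findings.append((line, "Run entry matches known adware name"))
            continue
        m = O16_RE.match(line)
        if m and is_ip_host(m.group("url")):
            findings.append((line, "ActiveX download from bare IP host"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```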
     
  3. Chronic

    Chronic Registered Member

    Joined:
    Jul 6, 2003
    Posts:
    4
    Thank you for helping Pieter_Arntz. I'm running some scans now, I'll post in just a little bit.
     
  4. Chronic

    Chronic Registered Member

    Joined:
    Jul 6, 2003
    Posts:
    4
    Well, I did more scans and still can't find it. I went ahead and reinstalled Windows. Is it possible the virus is still there even after formatting the hard drive?
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Chronic,

    It doesn't appear as if that beastie attacks the MBR or other reserved sectors so as long as you did a format rather than install on top you should be good to go.

    HTH,

    Dan
     
  6. Chronic

    Chronic Registered Member

    Joined:
    Jul 6, 2003
    Posts:
    4
    Thanks Dan, I used a boot disk and formatted and also used fdisk to delete the old partition and create a new one. Then I installed Windows XP. I think I heard somewhere that it's possible to retrieve files even after formatting so I'm still worried. Do you think it's gone for good? I installed PC-cillin 2002 instead of NAV since it has a firewall (it came with my motherboard but I never used it), Spybot S&D, and Ad-Aware. Should I get more security or is what I have OK?
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Well, this is always a difficult question to answer.

    I think that common requirements are

    Firewall

    Anti-Virus

    Anti-Trojan

    Spyware/Adware Protection

    Script Protection

    You are covered on the first two. With regard to Spyware/Adware I would add javacool's SpywareBlaster

    As far as the other needs, I would recommend the three-pack that DCS offers of their TDS (Anti-Trojan), WormGuard (Script Protection) and PortExplorer. The latter program allows you to see in real time all network connections (hidden or not), identify the endpoints, sniff the data being passed, interrupt incoming or outgoing streams on a per-socket basis, and lots more. All three products have a try before you buy arrangement. Unfortunately, the DCS website is down at the moment due to some issue they started having a short while ago. Once they are up you can visit them at

    http://www.diamondcs.com.au/

    Javacool's many great tools can be found at

    http://www.javacoolsoftware.com/ but that also appears to be down at the moment o_O

    HTH,

    Dan
     
  8. akcom

    akcom Registered Member

    Joined:
    Jul 14, 2003
    Posts:
    9
    You really didn't need to format, it doesn't do anything malicious (like deleting files), just an IRC bot.
     
  9. kat_vampire

    kat_vampire Registered Member

    Joined:
    Aug 7, 2003
    Posts:
    1
    I need help, someone please. I have the W32.Spybot.Worm and it copied a file msconfig.exe, and so I can't get rid of it. Does anyone know of anything I can do?
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi kat_vampire,

    Welcome to Wilders!

    I'm not sure if you are the same user who posted as punkin (using guest access), but as you have the same problem can you please go to this thread

    https://www.wilderssecurity.com/showthread.php?t=12191

    and follow the instructions in my first post.

    Thanks,

    Dan
     
  11. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    It cannot come back from a formatting. The only way it might still be around is if you restore it from a backup. Do you happen to know how you set it off?

    Another thing to consider (besides running all the recommended protection) is that the Spybot worm can install a keystroke logger. Your formatting would get rid of this if it were there, but think about whether you used passwords online while it was active. You might need to go change passwords.
     
  12. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Chronic,
    if you did an FDISK and format, your bot/virus/trojan/worm is gone.
    If you're asking if information from your hard drive can be retrieved after you FDISK and format your drive, yes it can.

    regards,
    bill :)
     