
W32.spybot.worm Infection


6 replies to this topic

#1 Ras_Al_Ghul

  • Members
  • 26 posts
  • Location:Brooklyn NY

Posted 10 May 2006 - 12:57 PM

My computer is infected with the w32.Spybot.worm. I have run Norton antivirus scan in Safe Mode several times as well as Spybot, Adaware and Stinger.

I am plagued with pop-ups. I am hesitant to edit the system registry as recommended on SYMANTEC'S site.

I have norton antivirus and Kerio firewall engaged at all times.

Any help is appreciated.

Thanks

Steve
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. - Nathaniel Borenstein (1957 - )

#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,139 posts
  • Location:Virginia, USA

Posted 10 May 2006 - 01:41 PM

Download and scan with Sysclean Package in "SAFE MODE".
1. Create a new folder on drive "C:\" ("C:\New Folder") and rename it Sysclean.
2. Place the sysclean.com inside that folder.
3. Then download the latest Virus Pattern Files (lptXXX.zip).
4. Extract the lptXXX.zip pattern file into the same folder you created for sysclean.com.
5. Close all open applications and DISABLE your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first.
6. Open the Sysclean folder and double-click on sysclean.com to run.
7. It will take some time to complete. Be patient and let it clean whatever it finds.
8. Exit when done and re-enable your anti-virus program.

Perform these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan
Panda ActiveScan

BTW, are you having any problems with cmd, regedit and task manager not working? If so, do a search and check for the following file:
C:\Windows\system32\msconfig35.exe

You may need to look at the removal description from Trend Micro's homepage for info on killing the related process here. (click on the solution tab)

Edited by quietman7, 10 May 2006 - 02:02 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
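The moderator's post above asks the poster to search for one dropped file by hand and to notice whether cmd, regedit and Task Manager have stopped working. The script below is an added, read-only triage example written for this thread; it is not from the post, from BleepingComputer or from any of the tools mentioned. It assumes the file name msconfig35.exe and the process name oqomsg.exe exactly as they appear in this thread, and it assumes the standard Windows policy values DisableTaskMgr and DisableRegistryTools, which are the usual reason Task Manager and regedit refuse to open. It reports findings only and deletes nothing, so it is safe to run before or after the Sysclean pass.

```powershell
# Added triage example for this thread (not the moderator's or any vendor's code).
# Read-only: it lists indicators and never modifies files, processes or the registry.
# Assumptions: file/process names are taken from the posts in this thread; the two
# policy value names are the standard Windows ones that disable Task Manager/regedit.

$findings = @()

# 1. Look for the dropped file the moderator asked about, in the real system
#    directory (the post wrote the path with mixed slashes; Windows accepts either).
$sysDir      = [Environment]::GetFolderPath('System')      # usually C:\Windows\system32
$suspectFile = Join-Path $sysDir 'msconfig35.exe'           # name from the thread
if (Test-Path -LiteralPath $suspectFile) {
    $item = Get-Item -LiteralPath $suspectFile
    $findings += "FOUND file: $suspectFile ($($item.Length) bytes, modified $($item.LastWriteTime))"
}

# 2. Look for the executables named in the thread among running processes.
#    Get-Process takes the name without the .exe extension.
$suspectProcs = @('oqomsg', 'msconfig35')                   # names from the thread
foreach ($name in $suspectProcs) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "RUNNING process: $($_.ProcessName) (PID $($_.Id)) path=$($_.Path)"
    }
}

# 3. Check whether Task Manager / regedit have been disabled by policy, which is
#    the usual cause of the "regedit and task manager not working" symptom.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($valueName in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($props.$valueName -eq 1) {
                $findings += "POLICY set: $key\$valueName = 1 (tool disabled)"
            }
        }
    }
}

# 4. Report. Nothing is removed here; act on findings with the scanners the
#    moderator recommends rather than by deleting files by hand.
if ($findings.Count -eq 0) {
    "No indicators from this thread were found."
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt so the HKLM policy key and all process paths are readable; a hit in section 3 explains the missing Task Manager without anyone having to edit the registry manually, which is the step the original poster was reluctant to take.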

#3 Ras_Al_Ghul
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brooklyn NY

Posted 12 May 2006 - 10:33 AM

Thanks, Quietman!

I was able to download and execute Sysclean Package. That seemed to work fine and deleted approx. 40+ bad objects. This was done in Safe Mode so no major problems occurred.

I moved on to step 2 to execute Trend Micro Housecall Scan. There were hundreds of pop-ups occurring at the time. Housecall got as far as the last step - deleting the selected files, but then the pop-ups froze everything.

Seems like as soon as I connect online, something attempts to open AOL Explorer multiple times, and I try to stop them using Task Manager. I am not sure how many bad objects Housecall was able to delete. (Do you know if these programs delete whatever they have reached, or only delete if the program fully executes? In the mainframe world, changes would not occur unless some sort of commit command was issued in the program, or the program terminated normally.)

Anyway, should I re-run House call or just move on to Panda ActiveScan?

It seems like there were many Trojans and malware and not just the W32.Spybot.worm I originally cited.

AOL Explorer is popping up with ads as I write. Not as bad as yesterday, but still occurring.

I also checked for msconfig35.exe but did not find any copies.

Thanks again for all of your help

-Steve
(aka Retired Mainframe Guy)

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,139 posts
  • Location:Virginia, USA

Posted 12 May 2006 - 10:55 AM

Well at least we're making some progress.

Download and scan with Ewido Anti-Malware v3.5 in "SAFE MODE".
Ewido Install and Scan Instructions.

Reboot to normal mode and then try running Housecall Again. If it fails, then try Panda's ActiveScan.

#5 Ras_Al_Ghul
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brooklyn NY

Posted 13 May 2006 - 02:30 PM

Thanks again, Quietman!

I downloaded and ran Ewido. I had a problem getting into safe mode so I ran it in Normal Mode. It detected 209 Infected Objects and cleaned 153. Hopefully running Ewido in normal mode was okay.

I am now re-attempting execution of Housecall. While it executes, some malware keeps launching AOL Explorer and pop-ups do occur. Housecall is still scanning, though. Hopefully it will complete.

Also, Kerio keeps citing an intrusion executable named oqomsg.exe. And in Task Manager, sometimes multiple iterations occur saying End Program, and also stopzilla attempts to launch. I keep manually ending these processes.

I'll let you know how this all plays out.

If Housecall fails at the delete phase, I will try Panda.

Thanks again for all of your help. You guys are the best.

-Steve

#6 Ras_Al_Ghul
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brooklyn NY

Posted 14 May 2006 - 02:04 PM

Housecall failed again.

Re-ran Ewido again in Safe Mode.

Tried to run Panda, but nothing seems to happen when I attempt the install.

Still have pop-ups, though I was able at least to get online again. Sometimes that was not even possible.

Thanks again.

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,139 posts
  • Location:Virginia, USA

Posted 14 May 2006 - 02:38 PM

It's time to have a deeper look at what's going on with your system by creating a HijackThis log. I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.