Solved

XP Computer infected with Spybot Worm Virus

Posted on 2004-09-13
22
2,028 Views
Last Modified: 2010-04-11
Hello -

Please help!  There is something wrong with my computer.  I have tried so many programs in an attempt to fix the problem, but nothing is working.  It had the spybot worm virus on it, so I did the following:

Ran "STINGER" - it detected the spybot worm virus & deleted it.
Updated Norton Virus Definitions, ran a scan, nothing came up.
Ran Spybot S & D, it detected a few items and removed them, but nothing changed.
Ran Ad Aware, which also detected a few problems, but nothing changed either.
I've tried several times to download the XP Service Pack 2 from Microsoft's website, but I am unable to because a message pops up stating I am not the administrator, even though I am signed in as the administrator.
Finally, I ran Hijack This - the log is at the end of this message.

Please help me!  This is my friend's computer...I have no idea what is wrong with it.  She has been storing at my house...when I got it the virus definitions were expired.  I did not realize this, so when I connected to the internet, it contracted several viruses, including the sasser worm.  I thought I got rid of most of them, but now I have no idea what is wrong with it.  Norton doesn't detect anything, but something must be wrong because it runs extremely slow.

THANK YOU!!!

Logfile of HijackThis v1.98.2
Scan saved at 11:46:22 AM, on 9/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\faith christiansen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab

0
Question by:mshackel
22 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 12047306
Please don't "Gum up" the TA's here by posting Hijack This Logs
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047341
Hello mshackel =)

>> O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
>> O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
>> O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

these are the main problems, this file is related to WORM_AGOBOT.GY
so Fix the above lines and then try the removal instructions here >> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GY
0
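The three entries quoted in the comment above are a textbook autorun pattern, and the same traits can be checked mechanically. The following script is an added example and not part of this thread or of HijackThis: it parses O4 lines from a HijackThis log (the four from the log in the question are embedded as the constructed sample) and flags, per executable, what makes an entry suspicious: a bare filename with no path (resolved through the search path, which installers almost never rely on), a value name posing as a Microsoft component, a RunServices entry (a Windows 9x/Me key that Windows XP does not process, so a value there was written by something targeting every Windows version with one routine), and the same binary registered from several locations. The heuristic names and the `triage_o4`/`parse_o4` function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the four O4 lines from the HijackThis log in the question.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
""".strip().splitlines()

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(line):
    """Return (hive, key, value_name, executable) for one O4 line, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"].strip()
    # The executable is either a quoted path or the first whitespace-delimited token.
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split()[0]
    return m["hive"], m["key"], m["name"], exe


def triage_o4(lines):
    """Group O4 entries by executable and return {executable: [findings]}.

    Heuristics (assumptions of this example, not rules stated in the thread):
      bare-filename  : no directory in the command, so Windows resolves it via
                       the search path; installers normally register a full path
      vendor-name    : the value name claims to be a Microsoft/Windows component
                       while the command is a bare, unrelated filename
      runservices    : RunServices is honoured only by Windows 9x/Me; XP ignores
                       it, so a value there is dead weight no real installer writes
      multi-location : the same binary registered from more than one autorun key
    """
    by_exe = defaultdict(list)
    for line in lines:
        parsed = parse_o4(line)
        if parsed:
            by_exe[parsed[3].lower()].append(parsed)

    report = {}
    for exe, entries in by_exe.items():
        findings = []
        bare = "\\" not in exe and ":" not in exe
        if bare:
            findings.append("bare-filename")
        if bare and any(n.lower().startswith(("microsoft", "windows")) for _, _, n, _ in entries):
            findings.append("vendor-name")
        if any(k.lower() == "runservices" for _, k, _, _ in entries):
            findings.append("runservices")
        if len({(h, k) for h, k, _, _ in entries}) > 1:
            findings.append("multi-location")
        report[exe] = findings
    return report


if __name__ == "__main__":
    for exe, findings in triage_o4(SAMPLE_O4_LINES).items():
        print(f"{exe:<45} {', '.join(findings) or 'no findings'}")
```

Run against the sample, `wuamgrd.exe` collects all four findings while the MSN Messenger entry collects none; on a real log, entries with two or more findings are the ones to check in HijackThis before clicking Fix Checked.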
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
ID: 12047435
and once you have removed the virus from your system, you need to get rid of this file manually, wuamgrd.exe from the C:\Windows\System32 folder also :)

After cleaning the system from this virus, you can follow these instructions to clean up the system a little more :)
Make sure you have all these tools installed on your system :)
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then disable your Messenger Service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart your machine in safe mode and log in as Administrator
2. Run the AntiVirus tool and delete all viruses it finds
3. Run the Spyware Removal tools and delete everything they detect
4. Then go to My Computer>Tools>Folder Options>View and turn on the feature Show Hidden Files
5. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder ContentIE
7. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here.
8. Go to C:\Windows\Temp and delete all files present here
9. Now perform an error check (scandisk) on your hard drive, and defrag it, also in safe mode
10. After finishing your work, reboot back in Normal Mode and check if the problems are gone or not

Post Back and Good Luck :)
0
 

Author Comment

by:mshackel
ID: 12047530
I just ran Pest Scan, as instructed.  It detected 23 pests...do I have to buy the program in order to fix these problems???  They were mostly tracking cookies, but they did detect the following:

Backdoor.Rbot.gen
Morpheus - P2P
KaZaA - P2P
Bonzi Buddy - Spyware
Virtual Bouncer - Adware
0
 

Author Comment

by:mshackel
ID: 12047576
Please ignore my last post... I didn't realize people had responded yet.  I'll follow the posted instructions and report back.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047584
Pest Scan... I gave you the Removal Instructions from TrendMicro :-S
Have you carried out all the Removal Instructions and run those tools to check if they can clean the system or not ??

Otherwise if you want, you can still buy the software you want :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047596
>> Please ignore my last post... I didn't realize people had responded yet.  I'll follow the posted instructions and report back.

oh OK then.... follow the instructions and keep us informed, if you have any problem or confusion :)
0
 

Author Comment

by:mshackel
ID: 12047668
Dear Sheharyaar Saahil,

Thank you so much for your nice (and detailed) response.  I'm sorry if this is irritating, but I am not very computer savvy, so will you please instruct me how I go about "fixing the lines" you reference above?

Do I have to delete something BEFORE I follow the removal instructions put forth by trendmicro?  

I'm going to go ahead and download all the programs you recommended, then I'll check back for instructions on what I should do before I download the removal tools by trendmicro.

Thank you so much!!
0
 

Author Comment

by:mshackel
ID: 12047699
Hi -

I posted a question a few days ago, before I had the hijack log, and the expert told me to run pest scan...sorry!  
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047760
By fixing I mean.... check those three lines in HijackThis after scanning and then click on Fix Checked :)

>> Do I have to delete something BEFORE I follow the removal instructions put forth by trendmicro?
Just fix the lines and after that you can follow the instructions :)

anything else :)
0

 
LVL 2

Assisted Solution

by:yavooza
yavooza earned 250 total points
ID: 12047802
Hey bud...... try this, it worked for me.....
The reason why your virus remains is that in Win XP there is a feature known as System Restore which is enabled by default. If you keep on removing the software, the worm gets removed for that instance and then when you reboot it comes back to the same state due to the System Restore mode.

So what you have to do is:

1. Download the software that Sheharyaar has listed and install it.
2. Boot into safe mode and log in as Administrator.
3. Right-click My Computer.
4. Click Properties.
5. Go to the System Restore tab.
6. Disable System Restore.
7. Run all the software like antivirus, spyware, adware, Stinger etc. as posted above.
8. delete the value from the registry:
     Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.

Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any values that reference the file name in step d.

Exit the Registry Editor.

9. Delete the zero-byte files from the Startup folder
Follow the instructions for your version of Windows:

Note: There may be legitimate files on your system that start with "tftp." Delete only the zero-byte files from the Startup folder.

To delete zero-byte files in Windows 95/98/Me/NT/2000
On the Windows taskbar, click Start > Find (or Search) > Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type, or copy and paste, the following file name:

tftp*.*

Click Find Now or Search Now.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."

To delete zero-byte files in Windows XP
On the Windows taskbar, click Start > Search.
Click "All files and folders."
In the "All or part of the file name" box, type, or copy and paste, the following file name:

tftp*.*

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."

please give your FEEDBACK


0
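The registry step in the post above is a regedit click-through, and the same deletion can be prepared offline from a registry export. The script below is an added example, not from the thread and not Symantec's or Trend Micro's tool: it reads the text that regedit or `reg export` writes, finds REG_SZ values under the four autorun keys named in the post whose command launches the given executable (compared by basename, case-insensitively, so a substring match cannot hit an unrelated value), and emits a `.reg` file of `"name"=-` lines that delete exactly those values; that file can be applied with `regedit /s removal.reg`. The sample export is constructed from the wuamgrd.exe values shown in the HijackThis log in the question plus the benign msnmsgr entry from the same log; the function names are this example's own.

```python
import re

# The four autorun keys named in the removal steps above.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
_AUTORUN_LOWER = {k.lower() for k in AUTORUN_KEYS}

# Constructed export in the format regedit / `reg export` writes. The
# "Microsoft DirectX" -> wuamgrd.exe values mirror the HijackThis log in the
# question; the msnmsgr value is the benign entry from the same log.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft DirectX"="wuamgrd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft DirectX"="wuamgrd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft DirectX"="wuamgrd.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    # .reg files double backslashes and escape quotes inside names and REG_SZ data.
    return re.sub(r'\\(["\\])', r"\1", s)


def _escape(s):
    return re.sub(r'(["\\])', r"\\\1", s)


def _executable(cmd):
    """Lower-cased basename of the program a Run command launches."""
    cmd = cmd.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def find_autorun_values(reg_text, exe_name):
    """Return [(key, value_name, command)] for REG_SZ values under the autorun
    keys whose command launches exe_name."""
    matches, key = [], None
    for line in reg_text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None or key.lower() not in _AUTORUN_LOWER:
            continue
        data = vm["data"]
        if not (data.startswith('"') and data.endswith('"')):
            continue  # only REG_SZ command strings are of interest here
        command = _unescape(data[1:-1])
        if _executable(command) == exe_name.lower():
            matches.append((key, _unescape(vm["name"]), command))
    return matches


def build_removal_reg(matches):
    """Emit a .reg file that deletes exactly the matched values ("name"=-)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in matches}):
        out.append(f"[{key}]")
        out.extend(f'"{_escape(n)}"=-' for k, n, _ in matches if k == key)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_removal_reg(find_autorun_values(SAMPLE_REG_EXPORT, "wuamgrd.exe")))
```

End the running process before importing the removal file, as the asker did: a bot that is still running can simply rewrite its Run values. Restricting the search to the four autorun keys and matching on the executable's basename keeps the generated file from touching anything else in the export.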
 

Author Comment

by:mshackel
ID: 12048627
Dear Sheharyaar Saahil & Yavooza,

You guys are awesome!!  Sorry it takes me so long to post my responses, this computer is painfully slow.  I have made some progress though.  Okay, so here's what I've done & what I'm about to start on:

System Restore is off (is that good?)  I think so, just want to check with you two.
I tried to run the TrendMicro scan, but this message kept popping up that read
"Trend Micro Sysclean Package:  Required File "C:/Documents and Settings/faith christiansen/desktop/TSC.BIN" is missing"

SO I followed the instructions on Trend Micro's site on how to manually remove the WORM_AGOBOT.GV worm.  Everything went okay, so far...I ended the wuamgrd program from windows task manager.  Then did the regedit thing...I followed the instructions exactly, and deleted all the "wuamgrd.exe" entries as per the instructions.

Then, I ran Hijack again...the 3 lines that were detected above (the ones Sheharyaar told me to delete) were gone.  So, that's good, right?  I think that means I did everything correctly...

OKAY, so now I'm going to download all the programs Sheharyaar recommended.  I'm going to follow both of your instructions.  It will take me awhile because the computer is moving slowly, but I'm working on it.  I will post my feedback as soon as I know more.  

THANK YOU BOTH SOOOOOOOO MUCH!!  You are both very nice & super intelligent.  Thanks for your patience too, I'm more than a little computer-retarded.  

One last question....when I opened windows task manager, I noticed the program "LSASS.EXE" was running.  Is this connected with the sasser worm?  I think it might be.  This computer had the sasser worm a few months ago, so I'm wondering if I should do something about that too.  

Thank you both again...I'm so stoked to finally get this computer functioning again!!!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12048692
well it's good that you got rid of WORM_AGOBOT.GY.... good job !!  :)

and NO lsass.exe is not related to sasser, it's a completely valid windows process >> http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

the Sasser problem arises only when you start getting the error, the lsass.exe process terminated unexpectedly, your computer will restart in 60 seconds and blah blah.... !!

so this is not the case with you... right :)
Post Back and Good Luck =)
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12051060
You can do a free online scan from both mcafee and trendmicro.

www.mcafee.com
housecall.trendmicro.com

Jared
0
 
LVL 2

Expert Comment

by:yavooza
ID: 12056471
hey buddy, give us the points, we would love to help you in the future
0
 
LVL 2

Expert Comment

by:yavooza
ID: 12056495
also don't forget to post your feedback on our reply so that we can improve next time
0
 

Author Comment

by:mshackel
ID: 12089828
Is there anyway for me to give points to both Yavooza & SheharyaarSaahil?  You two were both SO incredibly helpful.  I am very impressed with both of you.  You guys are awesome.  My computer is stored at the moment, so I still haven't had a chance to follow-up on all the tips/instructions posted by both of you.  I will be able to work on it in a couple weeks (I'm out of town).  Hopefully everything will go okay...I'll follow your instructions step-by-step and post back if I run into any other problems.  I'll be working on it the first weekend in October.

Again...you both are the best!!  

Thanks again!!  Maggie
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12089922
well you could split the points by clicking the Split Points link above the box you can see where you type your message,,,,, but you have already closed this question by accepting the comment from yavooza :)

So if you want, you can go to the Support area >> http://www.experts-exchange.com/Community_Support/
and post a question asking a moderator to reopen this question, so that you can again reward the points by splitting points =)
for more info. on how to close a Question, please refer here >> http://www.experts-exchange.com/help.jsp#hs5
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12089961
and remember.... you should always choose that\those comment(s) as your Answer which actually helped you to solve your problem, don't accept random comments, as these questions will be seen by other visitors and they should get the right idea about the Answer\Solution ...... ok :)
0
 

Author Comment

by:mshackel
ID: 12136176
A big "thank you" to all of you.  You've been very helpful.  Very impressed with experts exchange!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12136180
^_^
0
