mshackel

asked:
XP Computer infected with Spybot Worm Virus

Hello -

Please help!  There is something wrong with my computer.  I have tried so many programs in an attempt to fix the problem, but nothing is working.  It had the spybot worm virus on it, so I did the following:

Ran "STINGER" - it detected the spybot worm virus & deleted it.
Updated Norton Virus Definitions, ran a scan, nothing came up.
Ran Spybot S & D, it detected a few items and removed them, but nothing changed.
Ran Ad Aware, which also detected a few problems, but nothing changed either.
I've tried several times to download the XP Service Pack 2 from Microsoft's website, but I am unable to because a message pops up stating I am not the administrator, even though I am signed in as the administrator.
Finally, I ran Hijack This - the log is at the end of this message.

Please help me!  This is my friend's computer...I have no idea what is wrong with it.  She has been storing it at my house...when I got it, the virus definitions were expired.  I did not realize this, so when I connected to the internet, it contracted several viruses, including the sasser worm.  I thought I got rid of most of them, but now I have no idea what is wrong with it.  Norton doesn't detect anything, but something must be wrong because it runs extremely slow.

THANK YOU!!!

Logfile of HijackThis v1.98.2
Scan saved at 11:46:22 AM, on 9/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\faith christiansen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab

Pete Long

Please don't "Gum up" the TA's here by posting Hijack This Logs
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english
Hello mshackel =)

>> O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
>> O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
>> O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

these are the main problems, this file is related to WORM_AGOBOT.GY
so Fix the above lines and then try the removal instructions here >> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GY
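As an added example (not code from this thread or from any of the tools named in it), the following Python script parses the "Running processes" and O4 sections of a HijackThis log in the format posted above and flags autorun entries that launch a bare filename with no directory, which is exactly what the three "Microsoft DirectX" wuamgrd.exe lines do; the log excerpt is constructed from the question's log, and the script only reports, it never touches the registry.

```python
import re
import shlex

# Constructed excerpt modelled on the HijackThis log posted in the question.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\System32\\wuamgrd.exe

O4 - HKLM\\..\\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\\..\\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\\..\\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
"""

# "Running processes" lines are full paths; O4 lines read
# "O4 - <hive>\..\<key>: [<value name>] <command line>".
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_hjt(log_text):
    """Return (set of running-process basenames, list of parsed O4 entries)."""
    procs, entries = set(), []
    for line in log_text.splitlines():
        line = line.strip()
        if PROC_RE.match(line):
            procs.add(line.rsplit("\\", 1)[-1].lower())
        elif (m := O4_RE.match(line)):
            entries.append(m.groupdict())
    return procs, entries

def suspicious_autoruns(log_text):
    """Flag O4 entries whose command is a bare filename with no directory, the
    pattern of the wuamgrd.exe lines above, and group them by executable."""
    procs, entries = parse_hjt(log_text)
    by_exe = {}
    for e in entries:
        # posix=False keeps Windows backslashes literal and honours quoted paths
        exe = shlex.split(e["cmd"], posix=False)[0].strip('"').lower()
        by_exe.setdefault(exe, []).append(e)
    findings = []
    for exe, es in by_exe.items():
        if "\\" in exe or ":" in exe:
            continue  # fully qualified path: not the pattern seen in this log
        findings.append({"exe": exe,
                         "value_names": sorted({e["name"] for e in es}),
                         "keys": [e["hive"] + "\\" + e["key"] for e in es],
                         "running": exe in procs})
    return findings
```

A finding whose "keys" lists Run, RunServices and HKCU Run for the same bare filename, with "running" true, is the signature the reply above points at; the msnmsgr entry is skipped because it names a full path.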
ASKER CERTIFIED SOLUTION
SheharyaarSaahil

This solution is only available to members.
mshackel

ASKER

I just ran Pest Scan, as instructed.  It detected 23 pests...do I have to buy the program in order to fix these problems???  They were mostly tracking cookies, but they did detect the following:

Backdoor.Rbot.gen
Morpheus - P2P
KaZaA - P2P
Bonzi Buddy - Spyware
Virtual Bouncer - Adware
Please ignore my last post... I didn't realize people had responded yet.  I'll follow the posted instructions and report back.
Pest Scan... i gave u the Removal Instructions from TrendMicro :-S
Have u carried out all the Removal Instructions and run those tools to check if it can clean the system or not ??

Otherwise if u want, u can still Buy the software u want :)
>> Please ignore my last post... I didn't realize people had responded yet.  I'll follow the posted instructions and report back.

oh OK then.... follow the instructions and keep us informed, if u feel any problem or confusion :)
Dear Sheharyaar Saahil,

Thank you so much for your nice (and detailed) response.  I'm sorry if this is irritating, but I am not very computer savvy, so will you please instruct me how I go about "fixing the lines" you reference above?

Do I have to delete something BEFORE I follow the removal instructions put forth by trendmicro?  

I'm going to go ahead and download all the programs you recommended, then I'll check back for instructions on what I should do before I download the removal tools by trendmicro.

Thank you so much!!
Hi -

I posted a question a few days ago, before I had the hijack log, and the expert told me to run pest scan...sorry!  
By fixing i mean.... Check those three lines in hijackthis after scanning and then click on Fix Checked :)

>> Do I have to delete something BEFORE I follow the removal instructions put forth by trendmicro?
Just Fix the lines and after that u can follow the instructions :)

anything else :)
SOLUTION

This solution is only available to members.
Dear Sheharyaar Saahil & Yavooza,

You guys are awesome!!  Sorry it takes me so long to post my responses, this computer is painfully slow.  I have made some progress though.  Okay, so here's what I've done & what I'm about to start on:

System Restore is off (is that good?)  I think so, just want to check with you two.
I tried to run the TrendMicro scan, but this message kept popping up that read
"Trend Micro Sysclean Package:  Required File "C:/Documents and Settings/faith christiansen/desktop/TSC.BIN" is missing"

SO I followed the instructions on Trend Micro's site on how to manually remove the WORM_AGOBOT.GV worm.  Everything went okay, so far...I ended the wuamgrd program from windows task manager.  Then did the regedit thing...I followed the instructions exactly, and deleted all the "wuamgrd.exe" entries as per the instructions.

Then, I ran Hijack again...the 3 lines that were detected above (the ones Sheharyaar told me to delete) were gone.  So, that's good, right?  I think that means I did everything correctly...

OKAY, so now I'm going to download all the programs Sheharyaar recommended.  I'm going to follow both of your instructions.  It will take me awhile because the computer is moving slowly, but I'm working on it.  I will post my feedback as soon as I know more.  

THANK YOU BOTH SOOOOOOOO MUCH!!  You are both very nice & super intelligent.  Thanks for your patience too, I'm more than a little computer-retarded.  

One last question....when I opened windows task manager, I noticed the program "LSASS.EXE" was running.  Is this connected with the sasser worm?  I think it might be.  This computer had the sasser worm a few months ago, so I'm wondering if I should do something about that too.  

Thank you both again...I'm so stoked to finally get this computer functioning again!!!
well its good that u got rid of WORM_AGOBOT.GY.... good job !!  :)

and NO lsass.exe is not related to sasser, its a completely valid windows process >> http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

the Sasser problem arises, only when u start getting the error, the lsass.exe process terminated unexpectedly, ur computer will start in 60 seconds and blah blah.... !!

so this is not the case with u... right :)
Post Back and Good Luck =)
You can do a free online scan from both mcafee and trendmicro.

www.mcafee.com
housecall.trendmicro.com

Jared
hey buddy give us the points we would love to help you in the future
also don't forget to post your feedback on our reply so that we can improve next time
Is there anyway for me to give points to both Yavooza & SheharyaarSaahil?  You two were both SO incredibly helpful.  I am very impressed with both of you.  You guys are awesome.  My computer is stored at the moment, so I still haven't had a chance to follow-up on all the tips/instructions posted by both of you.  I will be able to work on it in a couple weeks (I'm out of town).  Hopefully everything will go okay...I'll follow your instructions step-by-step and post back if I run into any other problems.  I'll be working on it the first weekend in October.

Again...you both are the best!!  

Thanks again!!  Maggie
well u cud Split the points by clicking the Split Points link above the box u can see where u type ur message,,,,, but u have already closed this question by Accepting the comment from yavooza :)

So if u want, u can goto Support area >> https://www.experts-exchange.com/Community_Support/
and post a question asking a moderator to reopen this question, so that u can again reward the points by Splitting points =)
for more info. on how to close a Question, plzz refer here >> https://www.experts-exchange.com/help.jsp#hs5
and remember.... u shud always choose that\those comment(s) as ur Answer which actually helped u to solve ur problem, don't accept the random comments, as these questions will be seen by other visitors and they shud get the right idea abt the Answer\Solution ...... ok :)
A big "thank you" to all of you.  You've been very helpful.  Very impressed with experts exchange!