XP Computer infected with Spybot Worm Virus

Hello -

Please help!  There is something wrong with my computer.  I have tried so many programs in an attempt to fix the problem, but nothing is working.  It had the spybot worm virus on it, so I did the following:

Ran "STINGER" - it detected the spybot worm virus & deleted it.
Updated Norton virus definitions, ran a scan, nothing came up.
Ran Spybot S & D, it detected a few items and removed them, but nothing changed.
Ran Ad Aware, which also detected a few problems, but nothing changed either.
I've tried several times to download the XP Service Pack 2 from Microsoft's website, but I am unable to because a message pops up stating I am not the administrator, even though I am signed in as the administrator.
Finally, I ran Hijack This - the log is at the end of this message.

Please help me!  This is my friend's computer...I have no idea what is wrong with it.  She has been storing it at my house...when I got it the virus definitions were expired.  I did not realize this, so when I connected to the internet, it contracted several viruses, including the Sasser worm.  I thought I got rid of most of them, but now I have no idea what is wrong with it.  Norton doesn't detect anything, but something must be wrong because it runs extremely slow.


Logfile of HijackThis v1.98.2
Scan saved at 11:46:22 AM, on 9/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\faith christiansen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
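
As an added example (not code from the original thread), here is a small Python triage of the O4 registry-autorun lines from the log above. It encodes the checks a responder applies by hand when reading such a log: the command is a bare filename with no install directory, the value name imitates a Microsoft component, the same program is registered under several keys, and the entry lives under the Windows 9x-era RunServices key. The regular expression assumes the registry-style O4 format shown above; the reason strings and the word list are my own assumptions, and the sample lines are copied from the posted log.

```python
"""Triage of HijackThis O4 (registry autorun) lines.

Added example, not code from the original thread. The regular expression
assumes the registry-style O4 format seen in the posted log; the heuristics
are the checks a responder applies by hand when reading such a log.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the O4 lines from the posted log, plus one O16 line
# to show that lines in any other format are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# Registry-style O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# Words in a value name that suggest the entry is posing as a Microsoft component
# (assumed list for this example).
SYSTEM_WORDS = ("microsoft", "windows", "directx", "update", "system")


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    exe: str
    reasons: List[str] = field(default_factory=list)


def executable_of(command: str) -> str:
    """Program token of an autorun command line, with quotes and arguments stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_o4(log: str) -> List[Autorun]:
    """Extract registry-style O4 entries; every other line is ignored."""
    entries: List[Autorun] = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            cmd = m.group("command")
            entries.append(Autorun(m.group("hive"), m.group("key"), m.group("name"), cmd, executable_of(cmd)))
    return entries


def triage(log: str) -> List[Autorun]:
    """Attach a reason to every entry that fails one of the hand checks."""
    entries = parse_o4(log)
    times_seen = Counter(e.exe.lower() for e in entries)
    for e in entries:
        bare = "\\" not in e.exe and "/" not in e.exe
        if bare:
            e.reasons.append("bare filename: resolved via the search path, no install directory")
        if e.key.lower() == "runservices":
            e.reasons.append("RunServices: Windows 9x/Me key that XP does not process; worms set it anyway")
        if bare and any(w in e.name.lower() for w in SYSTEM_WORDS):
            e.reasons.append("Microsoft-sounding value name for a program outside any Microsoft directory")
        if times_seen[e.exe.lower()] > 1:
            e.reasons.append(f"same program registered {times_seen[e.exe.lower()]} times across keys")
    return entries


def suspicious(log: str) -> List[Autorun]:
    """Only the entries that collected at least one reason."""
    return [e for e in triage(log) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] {e.command}")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, the three wuamgrd.exe entries are flagged on every check and the quoted, fully pathed MSN Messenger entry is not. The checks are only a first pass: a legitimate program can be registered by a bare name, so each hit still needs the file on disk looked at before it is fixed in HijackThis.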

And once you have removed the virus from your system, you also need to get rid of this file manually: wuamgrd.exe in the C:\Windows\System32 folder :)

After cleaning the system of this virus, you can follow these instructions to clean up the system a little more :)
Make sure you have all these tools installed on your system :)
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger

Then disable your Messenger service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that, follow these instructions:

1. Restart your machine in Safe Mode and log in as Administrator
2. Run the antivirus tool and delete all viruses it finds
3. Run the spyware removal tools and delete everything they detect
4. Then go to My Computer > Tools > Folder Options > View and turn on Show Hidden Files
5. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present there
6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the ContentIE folder
7. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present there.
8. Go to C:\Windows\Temp and delete all files present there
9. Now perform error checking (ScanDisk) on your hard drive and defragment it, also in Safe Mode
10. After finishing your work, reboot back into Normal Mode and check whether the problems are gone or not

Post back and good luck :)
Pete Long, Technical Consultant, commented:
Please don't "gum up" the TAs here by posting HijackThis logs;
go here and have it analysed.
Hello mshackel =)

>> O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
>> O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
>> O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

These are the main problems; this file is related to WORM_AGOBOT.GY,
so fix the above lines and then try the removal instructions here >> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GY
mshackel (Author) commented:
I just ran Pest Scan, as instructed.  It detected 23 pests...do I have to buy the program in order to fix these problems???  They were mostly tracking cookies, but they did detect the following:

Morpheus - P2P
KaZaA - P2P
Bonzi Buddy - Spyware
Virtual Bouncer - Adware
mshackel (Author) commented:
Please ignore my last post... I didn't realize people had responded yet.  I'll follow the posted instructions and report back.
Pest Scan... I gave you the removal instructions from Trend Micro :-S
Have you carried out all the removal instructions and run those tools to check whether they can clean the system or not??

Otherwise, if you want, you can still buy the software you want :)
>> Please ignore my last post... I didn't realize people had responded yet.  I'll follow the posted instructions and report back.

Oh, OK then.... follow the instructions and keep us informed if you run into any problem or confusion :)
mshackel (Author) commented:
Dear Sheharyaar Saahil,

Thank you so much for your nice (and detailed) response.  I'm sorry if this is irritating, but I am not very computer savvy, so will you please instruct me how I go about "fixing the lines" you reference above?

Do I have to delete something BEFORE I follow the removal instructions put forth by Trend Micro?

I'm going to go ahead and download all the programs you recommended, then I'll check back for instructions on what I should do before I download the removal tools by Trend Micro.

Thank you so much!!
mshackel (Author) commented:
Hi -

I posted a question a few days ago, before I had the hijack log, and the expert told me to run pest scan...sorry!  
By fixing I mean.... check those three lines in HijackThis after scanning and then click on Fix Checked :)

>> Do I have to delete something BEFORE I follow the removal instructions put forth by trendmicro?
Just fix the lines, and after that you can follow the instructions :)

Anything else? :)
Hey bud...... try this, it worked for me.....
The reason your virus remains is that in Win XP there is a feature known as System Restore which is enabled by default. If you keep on removing the software, the worm gets removed for that instance, and then when you reboot it comes back to the same state due to System Restore.

So what you have to do is :

1. Download the software that Sheharyaar has listed and install it.
2. Boot into Safe Mode and log in as Administrator.
3. Right-click My Computer.
4. Click Properties.
5. Go to the System Restore tab.
6. Disable System Restore.
7. Run all the software (antivirus, spyware, adware, Stinger etc.) as posted above.
8. delete the value from the registry:
     Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

then click OK. (The Registry Editor opens.)

Navigate to the key:


In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:

In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Exit the Registry Editor.

9. Delete the zero-byte files from the Startup folder
Follow the instructions for your version of Windows:

Note: There may be legitimate files on your system that start with "tftp." Delete only the zero-byte files from the Startup folder.

To delete zero-byte files in Windows 95/98/Me/NT/2000
On the Windows taskbar, click Start > Find (or Search) > Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type, or copy and paste, the following file name:


Click Find Now or Search Now.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."

To delete zero-byte files in Windows XP
On the Windows taskbar, click Start > Search.
Click "All files and folders."
In the "All or part of the file name" box, type, or copy and paste, the following file name:


Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."

please give your FEEDBACK
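
The Symantec steps above hinge on one caveat: delete only files that are zero bytes long, sit in a folder whose name ends with "Startup", and start with "tftp". As an added example (not code from the original thread or from Symantec), the Python below implements exactly that check with a dry run before anything is unlinked, and builds a constructed profile tree in a temporary directory so it runs anywhere. The "tftp" prefix default, the dry-run default and the sample layout are assumptions of this example; the same dry-run-then-delete pattern is how one would script the temp-folder steps in Sheharyaar's earlier post.

```python
"""Finding the zero-byte tftp* files a worm leaves in Startup folders.

Added example, not code from the original thread or from Symantec. It
implements the caveat in the removal steps above: touch only files that are
zero bytes long, sit in a folder whose name ends with "Startup", and start
with "tftp" (prefix and dry-run default are assumptions of this example).
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def find_zero_byte_startup_files(root: Path, name_prefix: str = "tftp") -> List[Path]:
    """Walk root and return empty regular files named name_prefix* that sit in a
    folder whose own name ends with 'Startup'. Symlinks are skipped, never followed."""
    hits: List[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not os.path.basename(dirpath).lower().endswith("startup"):
            continue
        for filename in filenames:
            if not filename.lower().startswith(name_prefix.lower()):
                continue
            path = Path(dirpath) / filename
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size == 0:
                hits.append(path)
    return sorted(hits)


def remove_files(paths: List[Path], dry_run: bool = True) -> List[Path]:
    """Delete the given files, re-checking the zero-byte condition right before
    unlinking. With dry_run=True nothing is touched; the list is returned for review."""
    removed: List[Path] = []
    for path in paths:
        if path.is_file() and path.stat().st_size == 0:
            if not dry_run:
                path.unlink()
            removed.append(path)
    return removed


def build_sample_tree(base: Path) -> Path:
    """Constructed profile layout (not from the original post) exercising each branch."""
    startup = base / "Documents and Settings" / "All Users" / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "tftp3125").touch()          # zero-byte dropper leftover: should be found
    (startup / "tftp9").write_text("x")     # has content: must be left alone
    (startup / "readme.txt").touch()        # zero-byte but not tftp*: left alone
    sysdir = base / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    (sysdir / "tftp_helper").touch()        # zero-byte tftp* outside any Startup folder
    return startup


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, do a dry run, then the real removal."""
    base = Path(tempfile.mkdtemp(prefix="startup-cleanup-"))
    startup = build_sample_tree(base)
    hits = find_zero_byte_startup_files(base)
    planned = remove_files(hits, dry_run=True)
    removed = remove_files(hits, dry_run=False)
    return {
        "found": [p.name for p in hits],
        "planned": [p.name for p in planned],
        "removed": [p.name for p in removed],
        "remaining_in_startup": sorted(p.name for p in startup.iterdir()),
        "still_on_disk": [p.name for p in hits if p.exists()],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real machine you would call find_zero_byte_startup_files(Path("C:/")) and review the dry-run list before passing dry_run=False; the size is re-checked at deletion time so a file that gained content between the scan and the delete is left alone.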

mshackel (Author) commented:
Dear Sheharyaar Saahil & Yavooza,

You guys are awesome!!  Sorry it takes me so long to post my responses, this computer is painfully slow.  I have made some progress though.  Okay, so here's what I've done & what I'm about to start on:

System Restore is off (is that good?)  I think so, just want to check with you two.
I tried to run the TrendMicro scan, but this message kept popping up that read
"Trend Micro Sysclean Package:  Required File "C:/Documents and Settings/faith christiansen/desktop/TSC.BIN" is missing"

SO I followed the instructions on Trend Micro's site on how to manually remove the WORM_AGOBOT.GV worm.  Everything went okay, so far...I ended the wuamgrd program from windows task manager.  Then did the regedit thing...I followed the instructions exactly, and deleted all the "wuamgrd.exe" entries as per the instructions.

Then, I ran Hijack again...the 3 lines that were detected above (the ones Sheharyaar told me to delete) were gone.  So, that's good, right?  I think that means I did everything correctly...

OKAY, so now I'm going to download all the programs Sheharyaar recommended.  I'm going to follow both of your instructions.  It will take me awhile because the computer is moving slowly, but I'm working on it.  I will post my feedback as soon as I know more.  

THANK YOU BOTH SOOOOOOOO MUCH!!  You are both very nice & super intelligent.  Thanks for your patience too, I'm more than a little computer-retarded.  

One last question....when I opened windows task manager, I noticed the program "LSASS.EXE" was running.  Is this connected with the sasser worm?  I think it might be.  This computer had the sasser worm a few months ago, so I'm wondering if I should do something about that too.  

Thank you both again...I'm so stoked to finally get this computer functioning again!!!
Well, it's good that you got rid of WORM_AGOBOT.GY.... good job!!  :)

And NO, lsass.exe is not related to Sasser; it's a completely valid Windows process >> http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

The Sasser problem arises only when you start getting the error "the lsass.exe process terminated unexpectedly, your computer will restart in 60 seconds" and blah blah.... !!

So this is not the case with you... right? :)
Post back and good luck =)
Jared Luker commented:
You can do a free online scan from both mcafee and trendmicro.


Hey buddy, give us the points; we would love to help you in the future.
Also don't forget to post your feedback on our reply so that we can improve next time.
mshackel (Author) commented:
Is there anyway for me to give points to both Yavooza & SheharyaarSaahil?  You two were both SO incredibly helpful.  I am very impressed with both of you.  You guys are awesome.  My computer is stored at the moment, so I still haven't had a chance to follow-up on all the tips/instructions posted by both of you.  I will be able to work on it in a couple weeks (I'm out of town).  Hopefully everything will go okay...I'll follow your instructions step-by-step and post back if I run into any other problems.  I'll be working on it the first weekend in October.

Again...you both are the best!!  

Thanks again!!  Maggie
Well, you could split the points by clicking the Split Points link above the box where you type your message, but you have already closed this question by accepting the comment from Yavooza :)

So if you want, you can go to the Support area >> http://www.experts-exchange.com/Community_Support/
and post a question asking a moderator to reopen this question, so that you can again reward the points by splitting them =)
For more info on how to close a question, please refer here >> http://www.experts-exchange.com/help.jsp#hs5
And remember.... you should always choose as your answer the comment(s) which actually helped you solve your problem; don't accept random comments, as these questions will be seen by other visitors and they should get the right idea about the answer/solution...... ok :)
mshackel (Author) commented:
A big "thank you" to all of you.  You've been very helpful.  Very impressed with experts exchange!