dfranklin80 asked:

Spybot - Can't remove virus

We are experiencing a problem with a virus.  It is a SPYBOT.32.WORM virus.  It adds entries to the hosts file (basically for all related virus companies so you can't get to their site).  It disables the Symantec Antivirus services.  When detected by the antivirus, it asks if you want to remove it; if you say "yes" it reboots your PC.  If you boot up in safe mode, it will remove the virus, but the PC will then become infected again, so the latest Symantec does not appear to be working.

Files that are affected are c:\windows\winins.exe and c:\windows\eraseme_###### (various numbers).  Symantec has been less than helpful ... including telling us to call back if that didn't work (5 minutes before they cut off coverage for the night).

We are on the latest antivirus version (10.1.6.6000) and the virus defs for today (7.24.2007 rev16).

Impact: PC rebooting and causing excessive network traffic that appears to be overloading the print servers.
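The hosts-file hijack described in the question (vendor sites pinned to loopback so updates and support pages fail) can be checked for and undone with a small script. This is an added example, not code from the thread; the sample hosts content and the vendor suffix list are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hijacked hosts file (not taken from the thread). On Windows
# the real file is %SystemRoot%\System32\drivers\etc\hosts. The worm maps vendor
# names to loopback so updates, HouseCall and support pages silently fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       housecall.trendmicro.com
0.0.0.0         free.grisoft.com   # AVG download site named in the thread
192.168.1.10    intranet.example.local
"""

# Illustrative vendor domains to watch; extend for the products in use on your network.
WATCHED_SUFFIXES = ("symantec.com", "symantecliveupdate.com",
                    "trendmicro.com", "grisoft.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def find_hijacks(text, watched=WATCHED_SUFFIXES):
    """Return hosts entries that pin a watched vendor name to *any* address.
    A clean hosts file has no reason to define these names at all."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if any(name == s or name.endswith("." + s) for s in watched)]


def clean_hosts(text, watched=WATCHED_SUFFIXES):
    """Return the file text with hijacked lines dropped and everything else kept verbatim."""
    bad = {name for _, name in find_hijacks(text, watched)}
    kept = [raw for raw in text.splitlines()
            if not any(name in bad for _, name in parse_hosts(raw))]
    return "\n".join(kept) + "\n"
```

Run `find_hijacks` against the real file periodically; a non-empty result on a machine that was just cleaned is the reinfection signal the question describes.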
WistfulWhims

I feel your pain my friend.  Let's see if we can get this fixed.  Let me first explain that I am no fan of Symantec.  I have seen Symantec products and Norton Utilities specifically cause more problems over the years than the solutions they offer.  It's like a virus you have to pay for....Anyway...off my soapbox...

First, I would go to Trend Micro and do their online scan.

http://housecall.trendmicro.com/

Second, go to the following link and download the free version of AVG Anti-virus (version 7.5 now I think), then install it, and do the updates it recommends before running a scan.

http://free.grisoft.com/doc/5390/us/frt/0?prd=aff

I'll do some more digging on the virus itself.  It's quite possible that if Trend Micro catches it, it will either fix it or tell you how to.  AVG will just make the repair itself.

I think I may have found something related to your problem.  Try this link and follow the solution suggestions.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSPYBOT%2EDC&VSect=Sn

Let me know how it goes.
rpggamergirl

Can we look at a Hijackthis log first? Or you can run the tools below (SDFix or Combofix).
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.


1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


dfranklin80 (asker)

While we have been able to "remove" the virus via a couple of tools (Symantec and Trend Micro's Housecall), the PCs become infected again when exposed to the network.  In theory, we can shut down the network and sweep all of the PCs, but it doesn't prevent the same thing from happening the following day if someone re-exposes the network to the virus via a laptop, USB drive or whatever.  Removing it is 1/2 of it; preventing it is the bigger concern.

Preventing viruses, worms, trojans and spyware/adware is what resident programs like Norton Anti-virus, McAfee Anti-Virus and AVG Anti-virus are all about.  The idea is that they will let you know when something malicious climbs into your computer and takes up residence.  Having said that, none of them are foolproof, and they never will be.  There are people out there creating new malware every day, and all of these companies are in competition to be the first to solve the latest infection.

Programs like Limewire, Kazaa and any other peer to peer file sharing program should be immediately removed.  They are just hotbeds for viruses and malware, and more than once I've had to reformat someone's hard drive because they weren't willing to pay 10 cents for a song that they wanted.  In addition, make sure everyone on the network understands the dangers of opening email that comes from an unknown source, no matter how tempting the subject line may be.

Personally, I run AVG Antivirus, Windows Defender, and Windows Firewall on a 9-computer network, and we have very few problems.  I wish I could tell you that there was some foolproof way to guard your network, but there is none that I know of other than keeping it from connecting to the internet.

I know from experience that this isn't what you wanted to hear, but that's been my experience.  If everyone on the network is just a bit careful with their surfing and email habits, you'll have very few issues to contend with.

Just an FYI - one thing you can do that will help a lot on virus spread (and help prevent initial infection by viruses and spy/adware) is to give your personnel User permissions only.  No Power User, and no Administrator permissions.

Also, the specific worm you have spreads via Kazaa and mIRC.  Ensure your users know that installing and using file sharing networks such as Kazaa is not permissible in a work environment.  You may want to consider updating your personnel policies to give you a bit of authority when it comes to enforcement.  Same with mIRC.  Unless there is some reason they need a chat program to do their daily work, uninstall them.  Set them to User permissions, and they won't be able to install unauthorized software on the work desktops.

Here are a few links to locking down Windows domains and desktops.  I don't know if you're on a domain or a workgroup configuration, so I've provided links that cover both scenarios.
http://blogs.technet.com/asiasupp/archive/2006/09/19/457423.aspx
http://www.windowsitpro.com/Windows/Article/ArticleID/39772/39772.html
http://www.microsoft.com/technet/technetmag/issues/2005/05/LockDown/

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for updates. Please don't run it yet.

Please download and install AD-Aware.

Check here on how to set up and use it - please make sure you update it first.

Download and unzip HSfix to your desktop :
HSRegFix

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download CWShredder here to its own folder.

Update CWShredder

    * Open CWShredder and click I AGREE
    * Click Check For Update
    * Close CWShredder

We will be using this program later.

Download the Host program here.
Please do not use the program yet.



THE FIX
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Open up the Host program.

    * Make sure that the "make hosts writable?" button in the upper right corner is enabled.
    * Click back up Host files
    * then click Restore original host files
    * close program

4. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service (NSS) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

6. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pfdvk.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pfdvk.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pfdvk.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {81EDCC5B-FEB9-6F3B-4CB7-4D767A1A3655} - C:\WINDOWS\ntsy32.dll
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [System Support] system32.exe
O4 - HKLM\..\RunServices: [System Support] system32.exe
O4 - HKCU\..\Run: [Ztlcpu] C:\WINDOWS\System32\lfmj.exe
O4 - HKCU\..\Run: [System Support] system32.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crvj.exe

10. click the Fix Checked box

11. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

WildTangent

12. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\WildTangent

13. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\pfdvk.dll
C:\WINDOWS\ntsy32.dll
C:\WINDOWS\System32\lfmj.exe
C:\WINDOWS\crvj.exe
C:\WINDOWS\system32\ipds32.exe
C:\WINDOWS\system32\mscp32.exe
C:\WINDOWS\system32\msop.exe
C:\WINDOWS\system32\addtx32.exe
system32.exe <======Start>Search for this one

14. Please run about:buster by RubbeRDuckY:

    * Click Begin Removal.
    * It will begin to check your computer for malicious files.
    * AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
    * Shut down AboutBuster. A log should have been created. Please save this log and copy it in your next post.

15. Scan with AdAware and let it remove any bad files found.

16. Run the program CleanUp! (do not reboot yet)

17. Double click on the HSFix and when asked to merge say yes.

18. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

19. Please post an Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

Hello,

I understand the problem that you are experiencing.
You have two options for your problem.
1. Download NOD32AV (you will find it on www.eset.com).
2. In the unlikely event that AV cannot remove the virus from your system, format your PC.

OK,  Here's the solution.  It turned out to be a new variant of a virus that Symantec had not yet seen.  Here's what it did:

It disabled the antivirus, wrote over your hosts table so if you tried to access any antivirus site, it redirected you to no man's land, spawned several processes (as many as 200 on one PC) and each of the processes would send 15,000 pings out over the network to 1.1.1.1, thus clogging our network.  While several of the recommended solutions did appear to remove the virus, either it didn't totally remove it or it became re-infected within minutes.  Symantec did eventually come up with a new update that cleaned our PCs and has kept them clean.

We are still pursuing Symantec to get us an escalating list of numbers so we can reach someone 7x24.  They claim that is their norm, and we just happened to hit them when they were experiencing a problem with ALL of their domestic US phones .... perhaps a virus ???

Thanks for your help.

Dave
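The ping storm to 1.1.1.1 described in the closing post is easy to spot from the network side, which is how to catch a reinfected PC before it clogs the print servers again. This is an added example, not code from the thread; it assumes a generic "key=value" firewall or flow log format, and the sample lines it analyses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic "key=value" firewall/flow log format assumed for this example.
LINE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) proto=(\S+)(?: type=(\d+))?$")


def parse(line):
    """Return (timestamp, src, dst, proto, icmp_type) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)


def find_ping_floods(lines, threshold=100, window_s=60):
    """Map (src, dst) -> peak count for pairs whose ICMP echo requests (type 8)
    exceed `threshold` inside any sliding window of `window_s` seconds."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == "icmp" and rec[4] == "8":
            per_pair[(rec[1], rec[2])].append(rec[0])
    floods = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > threshold:
                floods[pair] = max(floods.get(pair, 0), hi - lo + 1)
    return floods


def sample_lines():
    """Constructed log: one infected host hammering 1.1.1.1, one normal host."""
    base = datetime(2007, 7, 24, 9, 15, 0)
    out = []
    for i in range(300):  # 300 echo requests in 30 seconds from the infected host
        t = base + timedelta(milliseconds=100 * i)
        out.append(f"{t:%Y-%m-%d %H:%M:%S} src=10.0.0.21 dst=1.1.1.1 proto=icmp type=8")
    for i in range(3):  # a healthy host pinging its gateway three times
        t = base + timedelta(seconds=10 * i)
        out.append(f"{t:%Y-%m-%d %H:%M:%S} src=10.0.0.7 dst=10.0.0.1 proto=icmp type=8")
    out.append(f"{base:%Y-%m-%d %H:%M:%S} src=10.0.0.7 dst=10.0.0.50 proto=tcp")
    return out
```

`find_ping_floods(sample_lines())` reports the infected host and its peak rate; feed it your own exported log lines in the same format to find which PCs need the fix reapplied.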
ASKER CERTIFIED SOLUTION
Computer101