
w32.spybot.worm problem

Discussion in 'Virus & Other Malware Removal' started by AussieJo, Sep 9, 2003.

  1. AussieJo

    AussieJo Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    23
    Hi

    My NAV has found two problems in my files. One it repaired and deleted (backdoor.litmus.203) and the other, w32.spybot.worm, it has not been able to fix or quarantine. At the end of the scan and fix mode the message is that my computer is still infected with a virus. I ran NAV in safe mode and had the same message regarding spybot.worm. I tried to run HijackThis from tomcoyote site and it wanted me to choose something to open with (this has not happened before) and not knowing what to choose I picked Notepad. Now every time I try and use HijackThis I get a stack of weird symbols. Can someone tell me how to fix the HijackThis problem so I can post a log for you to look at?

    Thanks Aussiejo
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
  3. AussieJo

    AussieJo Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    23
    I am using Windows 98.

    thanks putasolution
     
  4. AussieJo

    AussieJo Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    23
    If you mean to run the scan in safe mode, then I have already and received the same message.
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    We do need to see a HijackThis Scanlog.

    When you download HijackThis it is in a zipped file. If you are being prompted for what to open it with at that stage it means you do not have an installed zip program or it is not automatically opening zip files.

    After you have unzipped HijackThis to its own folder and run it, you will see a "Scan" tab. When you click that the log displays in a "console" window with check boxes. You must save that log to the desktop. If you get prompted on what to open it with then, the proper response is Notepad. That is the log you need to copy/paste here.

    If you don't have a zip program, you can get the evaluation version of Winzip here, it does not expire:

    http://www.winzip.com/download.cgi?home

    Also, please tell us what the exact message is when you run NAV in Safe Mode. It should not have any problem deleting or quarantining files there unless they are in a Restore archive.

    If it cannot delete specific files, let us know the names and full paths to the files so we can determine what needs to be done with them.
     
  6. adambailey

    adambailey Guest

    Or upgrade to NAV 2003 or 2004.
     
  7. AussieJo

    AussieJo Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    23
    Thank you for your replies.
    I am using NAV 2003 and have been running it for a while. I have also finally managed to get a HijackThis log. I am heading off to church soon so I do not have time to get the message and all that, but I thought I would leave a HijackThis log for someone to have a look at and then I can get back to the other problem when I get back.

    Again, thanks so much for any suggestions. I am comfortable with using computers until all this happens!
    Logfile of HijackThis v1.97.2
    Scan saved at 6:47:40 AM, on 14/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
    C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\NIKON\NKVIEW4\NKVWMON.EXE
    C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\TELSTRA\TELSTRA BIGPOND ADSL\APP\ENTERNET.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com.au/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ACCESSORIES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~1\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\Accessories\SpywareGuard\sgmain.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .swf: C:\PROGRA~1\INTERN~1\PLUGINS\NPSWF32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37704.7041087963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = nsw.bigpond.net.au
     
  8. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    AJ, nothing jumps out with your log. I do see you have both NAV and AVG. As long as you're current with your NAV virus definitions, you should disable AVG. Not a good idea to have two AV programs running.

    :)
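
Added example, not part of buckaroo's post or the original thread: a small Python triage script that parses a log in the HijackThis v1.97 layout shown above, splits the O4 autorun entries into location, name and command, and reports which security vendors have resident startup components (the two-AV condition pointed out here). `SAMPLE_LOG` is constructed from lines of the posted log, and `VENDOR_MARKERS` and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.97 layout (lines modelled on the log above).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Running processes:
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.*)$")            # "O4 - <rest>"
O4_REG = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")  # registry Run keys
O4_STARTUP = re.compile(r"^(.*Startup): (.+?) = (.*)$")       # Startup folder links

# Assumption: illustrative path markers only, not a complete product list.
VENDOR_MARKERS = {"Symantec": ("symantec shared", "norton antivirus"),
                  "Grisoft AVG": ("grisoft\\avg",)}

def parse_log(text):
    """Group entry lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2).strip())
    return dict(sections)

def autoruns(sections):
    """Split O4 entries into (location, name, command) tuples."""
    matches = (O4_REG.match(e) or O4_STARTUP.match(e) for e in sections.get("O4", []))
    return [m.groups() for m in matches if m]

def security_vendors_at_startup(sections):
    """Map vendor -> autorun names whose command path contains a vendor marker."""
    found = defaultdict(list)
    for _location, name, command in autoruns(sections):
        for vendor, markers in VENDOR_MARKERS.items():
            if any(marker in command.lower() for marker in markers):
                found[vendor].append(name)
    return dict(found)

if __name__ == "__main__":
    print(security_vendors_at_startup(parse_log(SAMPLE_LOG)))
```

More than one key in the result means resident components from more than one security vendor load at boot, which is the situation to resolve by disabling one of them.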
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    What and where is the file that cannot be repaired? Usually these are non system files, probably created by the virus itself, which can just be deleted.
     
Short URL to this thread: https://techguy.org/163543