W32.Spybot.Worm

Discussion in 'Virus & Other Malware Removal' started by cdplayer, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. cdplayer

    cdplayer Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    8
    I am using Windows XP SP1. Norton discovered a few weeks ago that I have the W32.Spybot.Worm. It was unable to do anything with it except to tell me.

    I followed Symantec's Security Response to the W32.Spybot.Worm to the letter.

    I have been hit twice with this worm and have removed it. After I removed the W32.Spybot.Worm the second time I installed an NAT router, updated Norton (it was using the latest version of the definitions at the time) and installed Ad-aware SE.

    This morning I discovered that I have been hit again. Is there any logical way to attack this beast?

    I am going to use Symantec's Security Response to rid me of the W32.Spybot.Worm again. (I hope)

    Maybe what I am doing is not enough……………………….

    What should I be looking at next?

    Thanks!
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
    Hi and welcome to TSG,

    Please do this. Click here: http://www.majorgeeks.com/download3155.html to download Hijack This. It’s very important that you save it to its own folder on your hard drive, such as program files (not temporary files or the desktop), so that it can create proper back-ups and be able to restore them if necessary.

    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and then save it to NotePad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

    DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
     
  3. cdplayer

    cdplayer Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    8
    Thanks Cookie for the information.
    What I have done is run the automatic removal by Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp). Boy did it do a house cleaning! Take a look at the log file:
    Damage Cleanup Engine (DCE) 3.6(Build 1120)
    Windows XP(Build 2600: Service Pack 1)

    Start time : Thu Sep 02 2004 21:49:00

    Load Damage Cleanup Template (DCT) "C:\Documents and Settings\LENK\Desktop\sysclean\tsc.ptn" (version 415) [success]
    WORM_SPYBOT.BA[virus found]
    -->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","SYSCFG32.EXE") success
    WORM_SDBOT.MY[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    WORM_SDBOT.JG[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    WORM_SDBOT.L[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    WORM_SDBOT.ZY[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","WUAMGRD.EXE") success
    -->modify registry data("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Ole","EnableDCOM") success
    WORM_RBOT.AE[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    WORM_RBOT.CA[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    WORM_RBOT.HB[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    -->modify registry value("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Control\Lsa","restrictanonymous") success
    WORM_RBOT.JS[virus found]
    -->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
    -->modify registry value("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Control\Lsa","restrictanonymous") success
    -->modify registry value("HKEY_LOCAL_MACHINE","Software\Microsoft\Ole","EnableDCOM") success

    Complete time : Thu Sep 02 2004 21:49:11
    Execute pattern count(1170), Virus found count(9), Virus clean count(9), Clean failed count(0)

    If this does not work then I will use Hijack This. I have already downloaded it and reviewed the tutorial.

    I just hope I have not missed something else that I was supposed to do....
    Wish me luck and thanks!
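
Added example, not part of the original post and not Trend Micro's tooling: a small parser for the cleanup-log format shown above that groups registry actions by target, so it is visible when several detection names all point at the same autorun value. The function names are chosen for this example, and the sample is an excerpt of the log in the post.

```python
import re
from collections import defaultdict

# Excerpt of the DCE log posted above (three of the nine detections).
SAMPLE_LOG = r'''
WORM_SPYBOT.BA[virus found]
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","SYSCFG32.EXE") success
WORM_SDBOT.ZY[virus found]
-->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","WUAMGRD.EXE") success
-->modify registry data("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Ole","EnableDCOM") success
WORM_RBOT.HB[virus found]
-->delete registry data("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Run","wuamgrd.exe") success
-->modify registry value("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Control\Lsa","restrictanonymous") success
'''

DETECTION = re.compile(r'^\s*(\S+)\[virus found\]\s*$')
ACTION = re.compile(
    r'^\s*-->(delete|modify) registry (?:data|value)'
    r'\("([^"]*)","([^"]*)","([^"]*)"\)\s*(\w+)\s*$')

def parse_dce_log(text):
    """Return one record per registry action, tagged with its detection name."""
    records, current = [], None
    for line in text.splitlines():
        if m := DETECTION.match(line):
            current = m.group(1)
        elif m := ACTION.match(line):
            verb, hive, key, value, status = m.groups()
            records.append({"detection": current, "verb": verb, "hive": hive,
                            "key": key, "value": value, "status": status})
    return records

def group_by_target(records):
    """Map (verb, hive, key, value), case-folded, to the detections that hit it."""
    targets = defaultdict(set)
    for r in records:
        # Registry key and value names are case-insensitive on Windows.
        target = (r["verb"], r["hive"].upper(), r["key"].lower(), r["value"].lower())
        targets[target].add(r["detection"])
    return dict(targets)

def autorun_values(records):
    """Distinct (hive, value) pairs that were deleted from a Run key."""
    return sorted({(r["hive"], r["value"].lower()) for r in records
                   if r["verb"] == "delete" and r["key"].lower().endswith(r"\run")})

if __name__ == "__main__":
    for target, names in group_by_target(parse_dce_log(SAMPLE_LOG)).items():
        print(target, sorted(names))
```

Run over the full log in the post, the same grouping reduces the nine detection names to two autorun values, which are the entries to re-check if the infection returns.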
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
    I would still recommend posting the log as there may be other things that require our attention.
     
Short URL to this thread: https://techguy.org/269298