SoftwareTipsandTricks Forum

W32.Spybot.Worm


  #31  
Old 07-30-2003, 11:05 PM
mjx Offline
Junior Member
 
Join Date: Jul 2003
Posts: 3
Ahhh indeed I also had that problem. My apologies for not addressing that before. What I did was to change the settings in explorer to be able to view hidden files. When u go into the folder containing that explorer.exe, u can manually delete that.

Another thing to note is that you will have a folder named something like kazaa backup or something similar. DELETE THAT ENTIRE FOLDER!
Reply With Quote

  #32  
Old 07-31-2003, 03:15 PM
ils_fl Offline
Member
 
Join Date: Jul 2003
Posts: 93
a few days ago i had this virus on my computer (win2k and nav) i had to format
now i have a different firewall, and it seems to detect it just fine and blocks it all the time, the interesting thing is that it tries to send a signal from 2 of my system files "servises.exe" and "rtvscan.exe" norton of course doesn't pick up anything that is wrong with the files. now am i to assume that the following 2 files are infected and delete or what should i do.
Reply With Quote

  #33  
Old 07-31-2003, 07:41 PM
Musclehed Offline
Junior Member
 
Join Date: Jul 2003
Posts: 4
Actually....its my fault for not mentioning in my original post that I already did that. Someone had mentioned in an earlier post to make sure you check for hidden files and I did. I also checked with a dos window and still didn't see the file. I even changed the system files setting but I still didn't see the extra explorer.exe files in the specified directory.

As far as I can tell the virus should be gone but Norton seems confused. It cannot tell me that there is a virus on my system but it keeps bringing up the Quarantine window and disabling the email protection so that I can't receive emails.

I hope that helps clarify where I'm at in the investigation of this problem. Sorry for the omission.
Reply With Quote

  #34  
Old 08-05-2003, 04:42 PM
pre Offline
Junior Member
 
Join Date: Aug 2003
Posts: 2
First of all, forget Norton. Go to http://www.kaspersky.com/download.html?id=25 and download the evaluation version of Kaspersky Anti-Virus. Install the software and reboot. The virus software will load upon startup and will detect all running processes that are infected with the virus. Delete all of these objects. Next, run the Virus scanner and delete all objects found. I had the same problems you guys have had. I tried bit-defender and Trend and neither of them even recognized the worm. Kaspersky is by far one of the best av products out there.

Hope this helps...


-pre
Reply With Quote

  #35  
Old 08-07-2003, 05:22 PM
crazy Offline
Junior Member
 
Join Date: Aug 2003
Posts: 18
beating the W32.Spybot.Worm: 2 update

well here i am posting on this forum after looking for a little more information on this worm...i know you all refer to this as a virus, it isn't it's a worm...the difference being it has a specific task, as a virus does, but it also attaches itself to other files, specifically in this case .EXE Files (more on this as you read)...thus the worm gets bigger...the solution is to stop it from spreading, if you are using NAV, i suggest getting the corporate edition and updating whenever possible... I had the same problem as someone else on this board, my laptop would restart or shutdown on its own, well frankly after the second time of this happening i didn't see any reason for it and i investigated.

now, ive been hacking/cracking for about 5 or 6 years now and programming for those same amount of years, and since I have only been hacked once...this is the second time...sadly by either a source code on pscode.com or by kazaa (sad isnt it?) but i refuse to format because of such a weak worm.

the break down... i first noticed suspicious activity with the second restart, then i looked around and decided to let it go for awhile (keep in mind i had no anti-virus software running at this time) finally in the middle of my programming my laptop turns off, frustrated and pissed i decided thats it...from that day forward (2 days ago) i have been monitoring all activity on my computer...not only have i found a few trojan droppers, but also w32.spybot.worm and w32.tzet.worm, since then ive deleted 25+ files and i have been keeping track of things...if you cant open TASKMGR.EXE (CTRL+ALT+DLT) because its closing then you most likely have this worm...first you should get a program that allows you to view running processes...i used the cleaner...from there i noticed 3 suspicious files...msconfig32.exe, webdav.exe, dcom.exe ...after ending all 3 i gained access to my computer again...i proceeded by going to start>run>msconfig

from there i ran through all the .ini, .bat and startup files i could look at, and i noticed those same files there. after unchecking them in startup i then looked at their location in registry

** note that in Startup (tab) in msconfig, under Location you'll see HKLM\ or HKCU\ these stand for HKLM = HKEY_LOCAL_MACHINE, HKCU = HKEY_CURRENT_USER, HKCR = HKEY_CLASSES_ROOT, HKU = HKEY_USERS, HKCC = HKEY_CURRENT_CONFIG

and i went to start>run>regedit ... found it in there and deleted its key. my next step was to go to C:\WINDOWS\Prefetch\ and i looked for these suspicious files (webdav.exe, dcom.exe, msconfig32.exe), sure enough, they were there, and so i deleted them...i then moved along to C:\WINDOWS\pss\ and i found win.ini.backup along with 2 others, i believe they were boot.ini and system.ini, but i also saw webdav.exeCommon Startup and msconfig32.exeCommon Startup.

after cleaning up these files i have been running realtime file scan with NAV (scans all files that run, copy, are being copied, moved, anything) and i have been running full C:\ scans almost every 5 hours...after rebooting i found a .sys infected along with a .ini in C:\WINDOWS\mm\, so i deleted those as well, though im still suspicious about that folder.

since then i have had no reports of the worm but i am sure ill come up on something soon...all i know is i will not give up this fight and give in to some worm after so many years...my suggestion for those of you reading this is to keep up to date and keep people informed of what you have done to overcome this...i think im catching up to it, but i dont think ive beat it yet...my next move which i will be taking after i post this, is to go to www.download.com and get a File Monitor, which will tell me all file activity, and if i do see an infected file on NAV, i can reference the source and destination with the file monitor...please keep up this post, dont let people format and give in to such a crappy worm...

best of luck

**************************
update: ive read along in the forum and followed through with Playboy's RPC solution, which I do occasionally get...I think that this worm is related to this error in some way...still looking into the matter

update: its now 6:22pm, i think ive beat the worm or stopped it at least ... i have not gotten any signs of a worm and/or virus and i have run 2 full c:\ scans and nothing came up ... keep everybody posted if you know how to fix it in an easier fashion
__________________
hack/spam the planet
http://www.powerelite.biz

There are 10 types of people in this world, those who understand binary, and those who don't.

Last edited by crazy : 08-07-2003 at 09:23 PM.
Reply With Quote

  #36  
Old 08-07-2003, 08:48 PM
EBGIRL Offline
Junior Member
 
Join Date: Aug 2003
Posts: 28
Thank you everyone. This just happened to me on my desktop, and I am glaD I have a laptop to be here. I am learning a lot by your posts, and was in a quandary as to give in and wipe the slate...which I do NOT want to do!!! Or try to fight this thing out. I have a lot of graphics, and haVE UPLOADED many files for PaintshopPro including plugins, fonts etc. Luckily I have and can save most. But what a nightmare to set paintshop pro baCK UP AGAIN THE WAY i HAD IT.

eVEN AFTER YOUR GREAT INFO, i CAN'T DECIDE WHAT TO DO. tHE VIRUS DISABLED MY ABILITY TO GET INTO REGISTRY. Sorry about cap locks.

Norton did not do its job, and I will try some features you have posted above.

I can not find the file either, mine saying C:\WINDOWS\SYSTEM\msconfig32.exe. But I did read somewhere that the reason we can't find all these files is because the worm disguises them with different names. So what I am wondering, is are any of you giving up? I don't want to mess with it all the time, and risk losing other important files. ??

One more question please, I do not have Kazaa files and have not downloaded a song in 4 months, on WINMX. So I dont think its the problem for me. Could it be graphics or installing freeware for PaintshopPro thats the culprit?
ThaNKS~~!!!!
Reply With Quote

  #37  
Old 08-07-2003, 09:17 PM
crazy Offline
Junior Member
 
Join Date: Aug 2003
Posts: 18
well first

i think i've finally beat it... ive restarted multiple times, been watching all the files that have been running and in my processes, and have been checking msconfig and regedit regularly... i also have run a few final scans and have yet to come up on any spybot.worm, so i think i got it, but who knows ... im not relaxing just yet

ebgirl...
i think you should first fix that rpc problem, which can be found on the microsoft page (its also somewhere here in the XP threads) ... after you fix that I think you should download TheCleaner... just do a google search for "TheCleaner" or even check download.com ...this will provide you with a process control that will let you see what programs are running and if they are suspicious you can terminate their process...ebgirl, search the directories i told you to look at, make sure you select All Files (*.*) for file type when viewing these directories... also get that file monitor i was talking about, everything you do to watch your files will help ... write down all suspicious activity (ie. cant get to taskmgr.exe or msconfig because it is closing upon opening) ... list these things so other people can decide what could be the problem... but i really think you should get TheCleaner, even though its an evaluation version, you will still see all the active processes and will be able to terminate them if they are weird. after terminating them, check if you can access msconfig or taskmgr (ctrl+alt+dlt) and get back to the board

best of luck
-crazy
__________________
hack/spam the planet
http://www.powerelite.biz

There are 10 types of people in this world, those who understand binary, and those who don't.
Reply With Quote

  #38  
Old 08-07-2003, 10:02 PM
EBGIRL Offline
Junior Member
 
Join Date: Aug 2003
Posts: 28
Thanks so much. I have spent hours today looking for the files and am so tired of it all! I can't even find where the quarantined ones are, and it does not seem to be in Explorer files either. I can't even find one with a date after May 2003!

Any ideas would be appreciated. The virus has disabled my registry also. But I will try later to do what you suggested, although it might just be to the point of starting over. I think I have most all the programs, but a lot of handwork will be needed with the PSP program. I help people learn graphics online for a support group, so I need to be more cautious than most, I think.

What do you think? Could it have come from a freeware download for PaintshopPro? Or a GRAPHIC OFF THE WEB? I guess I will have to scan everything from here on out.... Right now I'm more wiped out than my hard drive!
Reply With Quote

  #39  
Old 08-07-2003, 10:09 PM
crazy Offline
Junior Member
 
Join Date: Aug 2003
Posts: 18
well...

the best thing i can say to get past that msconfig/regedit/taskmgr lock up is to get an active process viewer (i suggested thecleaner, but there are many out there) and to just terminate any weird processes...

as for keeping things, i suggest you scan those many many times before you put them back on your formatted computer (if you decide to format) because if the worm is bound to one of those files itll just spread again when you place them back on your computer...

the main thing here is to gain free access to all your vital files...if you don't youre hard out of luck cause thats the only way to beat it...locating its startup source and removing it will need to be done through all those files... keep at it, or take a break and try again later.
__________________
hack/spam the planet
http://www.powerelite.biz

There are 10 types of people in this world, those who understand binary, and those who don't.
Reply With Quote

  #40  
Old 08-08-2003, 09:54 AM
pre Offline
Junior Member
 
Join Date: Aug 2003
Posts: 2
if you cant open taskmgr, click start->accessories->system tools->system information

when the window pops up, expand "Software Environment" select "Running Tasks"

You wont be able to stop any processes but you can view what is running on the system.

If you dont see the files in your drive, i.e. msconfig32.exe, make sure you have "Show hidden files and folders" selected.

To select the above, open windows explorer(my computer), select Tools->Folder Options. Click on the "View" tab and the option for hidden folders and files is in there.
Reply With Quote

  #41  
Old 08-08-2003, 01:15 PM
angellust Offline
Junior Member
 
Join Date: Aug 2003
Location: philly
Posts: 3
mmmkay...lets see.

i have had a problem with this issue for the past 2 days or so. i finally decided that i wasn't getting anywhere (since then there have been a lot more posts). but, the damage has already been done. i deleted msconfig32.exe and now my computer won't work. like, it will start up, but as soon as i double click, right click, or anything like that, my computer stops working. just shows the hourglass as my mouse icon and sits there, but i can still move the mouse. i've waited awhile, so i don't think that it's just slow.

anyways, is there a way that i can get that file back? cuz i think the virus is gone, but i just need msconfig32.exe to run my comp. (i'm on my old one now).
Reply With Quote

  #42  
Old 08-08-2003, 04:14 PM
crazy Offline
Junior Member
 
Join Date: Aug 2003
Posts: 18
no you need msconfig.exe to run your comp, not msconfig32.exe ... msconfig32.exe is just the mask filename it decides to use to trick people into thinking it is a vital file...did you delete both msconfig32.exe and msconfig.exe?
__________________
hack/spam the planet
http://www.powerelite.biz

There are 10 types of people in this world, those who understand binary, and those who don't.
Reply With Quote
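
The masquerading described in post #42 (msconfig32.exe posing as msconfig.exe) and the stray explorer.exe from post #31 can be checked for mechanically. The following is an added example, not code from any poster in this thread: it parses a constructed .reg export of the Run keys and flags near-copies of system file names and real system names sitting in an unexpected folder. The expected folders, the 0.85 similarity threshold and all sample entries are assumptions.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Assumed default folders on a stock Windows XP install; adjust per system.
KNOWN = {
    "explorer.exe": r"c:\windows",
    "services.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "msconfig.exe": r"c:\windows\pchealth\helpctr\binaries",
}
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export format (not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="C:\\WINDOWS\\system32\\msconfig32.exe"
"Shell"="C:\\WINDOWS\\system32\\kazaabackup\\explorer.exe"
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Services"="C:\\WINDOWS\\system32\\servises.exe"
'''

def run_entries(reg_text):
    """Yield unescaped (value name, command) pairs found under a Run key."""
    key = ""
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key.endswith(r"\currentversion\run") and (m := ENTRY.match(line)):
            yield tuple(re.sub(r"\\(.)", r"\1", g) for g in m.groups())

def classify(command):
    """Return 'wrong-dir', 'lookalike' or None for one startup command."""
    m = re.match(r'"?([^"]*?\.exe)', command, re.I)
    if not m:
        return None
    path = m.group(1).lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    if name in KNOWN:  # real system name: only its usual folder is accepted
        return None if folder == KNOWN[name] else "wrong-dir"
    # 0.85 is an assumed threshold for "near-copy of a system file name".
    near = any(SequenceMatcher(None, name, r).ratio() >= 0.85 for r in KNOWN)
    return "lookalike" if near else None

def audit(reg_text):
    rows = [(n, c, classify(c)) for n, c in run_entries(reg_text)]
    return [row for row in rows if row[2]]

if __name__ == "__main__":
    for row in audit(SAMPLE_REG):
        print(row)
```

A flagged entry is a lead to inspect, not proof of infection; names such as webdav.exe or dcom.exe resemble no system file and need a separate list of reported file names.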

  #43  
Old 08-08-2003, 05:11 PM
soccerpunk_2 Offline
Junior Member
 
Join Date: Aug 2003
Location: Colorado
Posts: 1
NEED HELP!

Ok, I am running Windows XP. I had the w32.spybot.worm, NAV wasn't able to delete it, so I downloaded Kaspersky and it found it right away and I was able to delete the source file, which was located at c:/windows/system32/win32.exe. Is this a critical file (win32.exe) that I will have to find somewhere else and download, or what? If I do need to get it back, where can I find this file. Thank you.
Reply With Quote

  #44  
Old 08-08-2003, 06:02 PM
Playboy™ Offline
Member
 
Join Date: Aug 2003
Posts: 32
a few more files i have found ..

open_me.exe
something_campaign.vbs

look in c:\documents and settings\all users\documents\my pictures\

see if anything is in there if it is delete it, if u cant delete it go to your cmd.exe and manually delete it in dos

simple dos commands.

"cd" = change directory -----example "cd c:\windows"
"cd .." - up a directory
"dir" = list contents of directory "dir /p" list one page at a time
"del" = delete "del *.*" = delete everything in the directory
Reply With Quote

  #45  
Old 08-08-2003, 06:41 PM
angellust Offline
Junior Member
 
Join Date: Aug 2003
Location: philly
Posts: 3
no...the only thing that i did was delete the infected file msconfig32.exe and now the computer will start up, but it will not do anything from there...would the windows xp CD help me out? like if i totally reinstalled windows? cuz i tried system restore and all that, even the "destructive" one, and it did absolutely nothing. it went thru the process, but nothing was changed/deleted...
Reply With Quote
All times are GMT -5.