SoftwareTipsandTricks Forum



W32.Spybot.Worm


  #61  
Old 08-29-2003, 09:42 PM
wjack53 Offline
Junior Member
 
Join Date: Aug 2003
Posts: 1
Ok, I went several places to get rid of this worm. I found out my antivirus software could have gotten rid of it all along. I use e-Trust 6.1. When I tried to rid my computer of it before, it didn't see the files it was in. I contacted e-Trust and after a short e-mail session we were able to understand that my computer didn't SEE the hidden files. Once that was changed, GOOD BYE SPYBOT!
Reply With Quote

  #62  
Old 09-04-2003, 12:41 AM
w00t11 Offline
Junior Member
 
Join Date: Sep 2003
Posts: 2
THANK GOD I FOUND THIS FORUM! well, maybe just norton. i have had this spybot worm on my computer for some time now and norton JUST found it (as of today, september 3 2003 8:10). here's my story:

i had a weird problem with the taskmanager/ regedit/ msconfig as they would only show up for 2 secs and then, mysteriously, disappear (this was about august 2 or so). i was sooo . then i knew it. must have been that warcraft3keygen.exe crack i tried to download from kazaa (i remembered that the crack would make my harddrive light, light up for a couple of secs, then no further action). i searched virtually EVERYWHERE for anybody with the signs of this virus. i scanned the warcraft3keygen.exe with norton. nothing happened (my virii definitions weren't updated at the time! stupid me). i decided to take desperate action, as it's a real pain in the arse without my handy taskmanager and my regedit utilities. so in the 2 secs the taskmanager would display, i quickly pressed the "Print Scrn" button to see what was wrong. i then loaded up ms paint and pressed paste. i saw that everything was working normally except one peculiar app called Filecrack.exe that was under my username (Owner). i then posted the pictures i took on various forums, all didn't know my problem and the majority of the people there said that i had Blaster on my computer. i downloaded all the patches to blaster/ sobig/ welchia all of which didn't help my problem. until today, i had this backdoor/ virus on my computer.

i was planning to reformat soon until today.
those who need help or are unsure about what they have on their computer, go here immediately.

on another note, i'm at the symantec website and i'm at step 6 of spybot removal (where it says: "6. Delete the zero-byte files from the Startup Folder") and i'm unsure of whether i should delete anything. i searched for tftp*.* and i got one 17 kb file. should i delete it?

now...am i in any danger of my personal stuff being shown to the world? i used amazon, newegg, ebay, etc all while i had this virus in my computer. i have had the windows firewall on for sometime now. does that help?

thanks
Reply With Quote

  #63  
Old 09-05-2003, 12:34 PM
VodkaRaptor Offline
Junior Member
 
Join Date: Sep 2003
Location: Indiana
Posts: 2
I received this thing on 09.04.2003, I don't know how since I don't download anything with kazaa or other file sharing programs. Something from the newsgroups I suppose.

This place has been the only help but I still can't get rid of it. The little f!@#er is really pissing me off and I refuse to format.

Info:

Windows XP SP1 w/ all updates
Trend Office Scan client v5.5

Win32.SpyBot.Gen
HijackThis: O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

Noticed something was wrong when I couldn't open regedit, taskmgr, msconfig...as everyone else. Trend didn't find anything, not even HouseCall. So far RAV online is the only thing that detects I have a virus.

Rav log: (part of it)

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\system32\msupdt.exe->(PeX) - Win32/SpyBot.gen!p2p -> Infected
C:\WINDOWS\system32\kazaabackupfiles\3DMark_2004_preview.exe->(PeX) - Win32/SpyBot.gen!p2p -> Infected

57 other files were infected in this same directory with a size of 29kb each

As I have said I don't even have kazaa on my system. In fact it's never been installed, I don't believe in it. I use agent and newsgroups. Whole other subject though!

What I've tried:

Ran Rav, didn't clean or remove.
Removed registry settings while in safe mode (they immediately reappear if you do another search)
Removed startup settings in safe mode (reappear)
Cannot find the infected file to delete
Was able to delete the files in the kazaabackupfiles directory
Removed hard drive to scan and search for msupdt.exe in another system. Cannot find the file.
Booted to DOS, also used Winternals ERD. Cannot find the file.
Followed Norton's article on removing the file. tftp*.* search brought up one file that was 17kb in size (didn't delete - unsure since the article states a size of 0kb)

Basically this little f!@k head is still in my system. Any other suggestions on how to get rid of it?

Any help is greatly appreciated - thanks!
Reply With Quote
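
The pattern reported in post #63 (dozens of identically sized executables under different names in a `kazaabackupfiles` folder) can be checked for mechanically. The following is an added example, not part of any post in this thread; the function names, extension list, `min_copies` threshold and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Assumption: extensions treated as "executable" for this check.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}


def find_clone_sets(root, min_copies=5):
    """Return (sha256, size, paths) for each set of executables under root
    that have identical content under at least min_copies file names."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                by_size[os.path.getsize(path)].append(path)
            except OSError:
                continue  # unreadable or vanished file
    clone_sets = []
    for size, paths in by_size.items():
        if len(paths) < min_copies:
            continue  # hash only sizes shared by enough files
        by_hash = defaultdict(list)
        for path in paths:
            try:
                with open(path, "rb") as fh:
                    by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
            except OSError:
                continue
        for digest, same in by_hash.items():
            if len(same) >= min_copies:
                clone_sets.append((digest, size, sorted(same)))
    return clone_sets


def build_sample_tree(root, copies=6):
    """Constructed sample: harmless filler bytes, not real malware."""
    share = os.path.join(root, "kazaabackupfiles")
    os.makedirs(share)
    for i in range(copies):
        with open(os.path.join(share, "bait_%d.exe" % i), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 29000)
    with open(os.path.join(root, "other.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x01" * 29000)  # same size, different content
    return share
```

A hit from `find_clone_sets` is a lead to hand to an up-to-date scanner, not a verdict, since legitimate installers can also ship duplicate files.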

  #64  
Old 09-05-2003, 06:58 PM
w00t11 Offline
Junior Member
 
Join Date: Sep 2003
Posts: 2
did you read everything on this topic yet? if you didn't, now would be the appropriate time to do so. also, did you read my story about my encounter with spybot? i said that i used norton. i think norton is the best of antiviral software and if you live near a fry's electronics, Norton Antivirus Professional 2003 can go down to just $10 (after rebates) if there's a sale going on. after you get norton, try getting the LATEST virus definitions it provides (updated on 9-4-03). go here for info on how to get rid of spybot. if you're too cheap to get norton, just go ahead and press F8 before windows starts up to go into safe mode. while in safe mode, just go to your virus scan program and do a scan. since spybot launches on startup and safe mode only loads the files that are necessary for boot up, removal of the virus/ back door should be possible. again, go to the link i gave you for info.
Reply With Quote

  #65  
Old 09-06-2003, 09:30 AM
Musclehed Offline
Junior Member
 
Join Date: Jul 2003
Posts: 4
Definitely you will need to read the entire thread. Spybot is a worm that infects via a fault in Windows o/s that leaves port 135 and 4444 open.

Again, I suggest that you read the entire thread for more info and/or go to the windows update page for information on the virus and removal instructions. Once done you will need to run windows update for all critical patches.
Reply With Quote

  #66  
Old 09-08-2003, 11:34 AM
VodkaRaptor Offline
Junior Member
 
Join Date: Sep 2003
Location: Indiana
Posts: 2
I noticed where people had talked about Kaspersky - I got the link for the download late after my post. Ran the program - removed the virus and everything is now good.

I had tried Norton's and others but Kaspersky is the only thing that worked for me anyways.

Thanks for reading and all the help!
Reply With Quote

All times are GMT -5.