w32.Spybot.Worm

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,441
Ick..

Don't know how long this thing has been quietly sitting around, but today I was having a few internet problems. It only became apparent when I was trying to access the tecnation/teczone thing for the picture thread in the General Forums.

Anyway, I remembered that sometimes my firewall (NIS 2004) would block certain sites for no reason; I left it as it was, as it was only a few pics... I then tried to access my Gmail, got "resolving host" and then the box saying I couldn't access the site.

I then got miffed, disabled the firewall, and tried again. Straight away I was able to access Gmail, then the Teczone website. After I re-enabled it after the test, 2 viruses were detected on the system.

Win32.Spybot.Worm and W32.Randex.gen. Each time they were auto-deleted, I reset my PC to do a full system scan, went to access the net again, and my MSN wouldn't load up (something about having to connect to the internet). Then once again the problems started: as soon as I loaded up Google it would say "Resolving host" but eventually get on.

I went to the Symantec site and did a search for both of those for removal tools; once it found suitable matches I clicked on the one with information regarding said virus, and *bing*, it said I couldn't access the site. Lovely :/.

From the information I got, it was said the Spybot came from Kazaa/IRC. Having not downloaded anything from IRC since this reinstallation, I thought about Kazaa, but since I heard about the security problems I've been staying away from it. Haven't touched it in months (but it was still part of the system), which is why I'm wondering how long this virus has been hiding.

If I disabled my firewall, I would be able to access anything: MSN, other websites etc. I did that and checked info on the viruses on Symantec. No information on removing it correctly though. No removal tools. Go here, delete this, delete that, restart.

Did that, checked my registry and the file (winsysi.exe) was there again. Now, I asked and it was stated that WINSYS.exe is a virus, no news on Winsysi.exe though. Anyway, I deleted it, and went through the registry searching and deleted the relevant ones.

Came to try it again, it didn't work. Gah. :/

Went into safe mode, did a full scan (Norton); once again, nothing was found. Restarted, went onto the net, *attempted* to download PestPatrol, Ad-Aware, and go onto some sites like McAfee, only for them to basically say "piss awf, ye not avin it!". So, turned off the firewall (again) and downloaded them. Did scans, they found pish also.

Here is a list of processes running in the background which do seem a bit iffy, but I don't wanna close 'em just in case. If I did searches on most of 'em, they'd just bring up forums regarding that HJT thing.

NMain.exe (16,864k)
BTStac~1.exe (6,868k)
CCEVTMGR.exe (3,192k)
CCLGVIEW.exe (11,324k)
lsass.exe (904k)
PTSsvc.exe (1,304k)
spoolsv.exe (4,960k)

---

The files which were infected were c:\win\sys32\TFTP<xxxx> (xxxx being random)

Someone pointed out I may have the Beagle too, so I downloaded as a precaution and did a scan. Didn't find anything :/.

I downloaded the latest virus definitions for Norton, but I was reading and found that Norton may not correctly "see" the virus. Bollocks :/


Any help is gonna be reaaaalllyy wanted; I've done everything I can think of and got nowhere.
 

Miles_Binck

Fledgling Freddie
Joined
Dec 27, 2003
Messages
113
NMain.exe - Symantec Integrator
CCEVTMGR.exe - Symantec Event Manager Service
CCLGVIEW.exe - Common Client Log Viewer
lsass.exe - click
spoolsv.exe - click
BTStac~1.exe - Something to do with BlueTooth
PTSsvc.exe - Service related to Kodak EasyShare software


W32.SpyBot.Worm Removal Instructions

W32.Randex.Gen Removal Instructions

Make sure you follow all the steps exactly, including disabling System Restore.

Also download HijackThis (latest version 1.98.2), run a scan and post the log in here.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,441
Heh, just went to click them again and it said the page couldn't be found straight away.

God this virus *rage*

Let's see
 

gmloki

Part of the furniture
Joined
Dec 22, 2003
Messages
634
Gray

I had the same problem with Win32.Spybot.Worm a few weeks ago. Running on Windows XP Pro, I disabled System Restore, started in Safe Mode and then did an online scan from Panda.

Being a pesky little bugger, the virus writes a piece of code stopping access to the more common antivirus sites. I am sure you knew that anyway.

Suffice it to say, after a scan with Panda and another with TrendMicro Housecall it got rid of the virus and picked up another I hadn't even heard of. Hope this helps.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,441
Right... it didn't get picked up by Norton. Ash, did it also affect accessing other things like MSN etc.?

It seems like it's a harmless virus, as in, not deleting files and stuff, but it's just a pain in the arse finding it and getting rid of it.

Earlier I did go to safe mode (with networking), but when I tried to access the net it mentioned RAS not being set up. So that threw THAT logic out the window. Also, things like NIS don't run (properly) in safe mode, so is it safer to do such a thing?

It's my firewall causing the problems here: if I turn it off, it works a charm; if it's enabled I can't do jack :/
 

Lazarus

Part of the furniture
Joined
Dec 22, 2003
Messages
2,874
Gray said:
Right... it didn't get picked up by Norton. Ash, did it also affect accessing other things like MSN etc.?

It seems like it's a harmless virus, as in, not deleting files and stuff, but it's just a pain in the arse finding it and getting rid of it.

Earlier I did go to safe mode (with networking), but when I tried to access the net it mentioned RAS not being set up. So that threw THAT logic out the window. Also, things like NIS don't run (properly) in safe mode, so is it safer to do such a thing?

It's my firewall causing the problems here: if I turn it off, it works a charm; if it's enabled I can't do jack :/

Why don't you get someone to slap the removal tool onto a CD/floppy?
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,441
There doesn't seem to be one available to download/run.

Just basically, disable system restore, safe mode, virus scan.

But nothing (Norton, Pest Patrol, Ad-Aware, Spy-Bot) finds anything suspicious. I do a search for tftp. files and only find one, which is legit.
 

Gray

FH is my second home
Joined
Dec 25, 2003
Messages
3,441
Hmmm, OK... update on this.

I noticed the large number of "svchost.exe" processes running in the background (5 processes).

1) SYSTEM - 3k
2) SYSTEM - 16k
3) NETWORK SERVICES - 2k
4) LOCAL SERVICES - 3k
5) SYSTEM - 2k

I closed down one, which was number 1. The system shut down. Oops.

I left 2) and, after the system restarted, removed 3. I loaded up my internet, *bam*, MSN loads up straight away, and I don't get any more "resolving host" problems.

I do a search on Symantec (it lets me now), and it says it could be the Wechia worm.

Hm. So, I've considered the Spybot, Randex, Beagle AND Nimda, so it may just be this worm. Whooo.

Gonna run the tool, then give you an update (again).
 

gmloki

Part of the furniture
Joined
Dec 22, 2003
Messages
634
Gray

It did slow down access to MSN Explorer.
 

phlash

Fledgling Freddie
Joined
Dec 24, 2003
Messages
195
If you want to know what is running in the SVCHOST.EXE processes you can do this:

[1] Open a command prompt (as Administrator, or you don't get all the information you might need - use 'Run As..' option if necessary)
[2] Run: tasklist /svc

...this gets you a nice list of running processes and identifies all those which contain registered services; here's mine as an example:

Code:
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     488 N/A
csrss.exe                    544 N/A
winlogon.exe                 568 N/A
services.exe                 612 Eventlog, PlugPlay
lsass.exe                    624 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe                 768 Ati HotKey Poller
svchost.exe                  804 RpcSs
svchost.exe                  856 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, Schedule, seclogon, SENS,
                                 ShellHWDetection, srservice, TermService,
                                 Themes, TrkWks, uploadmgr, W32Time, winmgmt,
                                 wuauserv, WZCSVC
svchost.exe                 1004 Dnscache
svchost.exe                 1032 LmHosts, SSDPSRV, WebClient
spoolsv.exe                 1220 Spooler
avgserv.exe                 1368 AvgServ
kpf4ss.exe                  1400 KPF4
svchost.exe                 1500 stisvc
timesync.exe                1524 TimeSync
kpf4gui.exe                 1708 N/A
ati2evxx.exe                2004 N/A
explorer.exe                 220 N/A
kpf4gui.exe                  264 N/A
avgcc32.exe                  512 N/A
atiptaxx.exe                 588 N/A
hpohmr08.exe                 932 N/A
MSIMN.EXE                   1920 N/A
msmsgs.exe                  1984 N/A
IEXPLORE.EXE                 828 N/A
msnmsgr.exe                 1800 N/A
cmd.exe                      988 N/A
tasklist.exe                1420 N/A
wmiprvse.exe                1364 N/A

You can use the PID column to reference back into Task Manager and see which user is running the process you are interested in.

For the paranoid, you can try 'tasklist /m', which will list all the DLLs attached to each process... then start Googling and checking on the Norton AV site etc.
 
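To turn phlash's `tasklist /svc` tip into a repeatable check, here is an added example written for this thread (it is not code from the post, nor part of Microsoft's tasklist tool). It parses saved `tasklist /svc` output, including the wrapped service lists the tool prints for busy svchost instances, groups the svchost.exe rows by PID, and flags any svchost.exe that hosts no registered service, since svchost.exe's only legitimate job is hosting services. The SAMPLE text is constructed to mimic the layout shown in the post, and the row with PID 1777 is a hypothetical one added to exercise the check. On a real machine, run `tasklist /svc > tasklist.txt` from an administrator prompt and pass the file contents to parse_tasklist_svc.

```python
"""Parse `tasklist /svc` output and triage svchost.exe instances.

Added example for this thread, not from the original post. SAMPLE is a
constructed, trimmed imitation of `tasklist /svc` output in the same layout
the post shows; the svchost.exe row with PID 1777 is hypothetical.
"""
import re

SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
services.exe                 612 Eventlog, PlugPlay
lsass.exe                    624 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  804 RpcSs
svchost.exe                  856 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 wuauserv, WZCSVC
svchost.exe                 1004 Dnscache
svchost.exe                 1032 LmHosts, SSDPSRV, WebClient
svchost.exe                 1777 N/A
spoolsv.exe                 1220 Spooler
"""

# Image names may contain spaces ("System Idle Process"), so the image group is
# lazy and the PID must be a whitespace-delimited run of digits.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    """Turn 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no services."""
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return a list of (image, pid, services) tuples.

    A line that starts with whitespace is a continuation of the previous
    row's service list, which is how tasklist wraps long lists.
    """
    rows = []
    for line in text.splitlines()[2:]:          # skip header and ===== rule
        if not line.strip():
            continue
        if line[0].isspace():                     # wrapped service list
            if not rows:
                raise ValueError("continuation line before any row")
            rows[-1][2].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        rows.append((m.group("image"), int(m.group("pid")),
                     _split_services(m.group("services"))))
    return rows


def svchost_instances(rows):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {pid: services for image, pid, services in rows
            if image.lower() == "svchost.exe"}


def suspicious_svchost(rows):
    """PIDs of svchost.exe processes that host no registered service.

    svchost.exe exists only to host services, so an instance whose Services
    column is N/A deserves a closer look: check its path, the user it runs
    as (via the PID in Task Manager, as the post suggests) and its parent.
    """
    return [pid for pid, services in svchost_instances(rows).items()
            if not services]


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE)
    for pid, services in svchost_instances(parsed).items():
        print("svchost.exe PID %d hosts: %s" % (pid, ", ".join(services) or "nothing"))
    print("svchost.exe with no services:", suspicious_svchost(parsed))
```

The check is a triage heuristic, not proof of infection: it narrows five or more svchost.exe entries down to the ones worth inspecting by path and owner, which is a safer first step than killing processes one by one as Gray did.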
