Please Help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Silent Scream, Aug 16, 2007.

  1. Silent Scream

    Silent Scream Private E-2

    Ok, heres the thing..

    I'm not sure how I got this worm/virus because I use Norton AV and AVG.

    Norton keeps throwing up these alerts that a virus has been detected; the name is W32.Spybot.worm. I have tried using the information on the Symantec website. It gives info on removal of this virus/worm, but I have followed everything on that site and it isn't doing me any favors!

    I just want to know how to get rid of this virus for good.

    The strange thing is that the path of where the virus is changes every time Norton gives me an alert. Most of the time the path is C:/WINDOWS/Temp/, but then the name of the file after /Temp changes every time.

    If it were in the one place I would be able to sort this problem out, but I think I do need some help from someone a lot more experienced than myself, and hopefully I have come to the right place!

    -Thanks, Silent.
     
  2. abri

    abri MajorGeek

    Hi Silent Scream!
    Great name for computer problems! When you scream in the internet, does anyone hear you? :D

    If both the antivirus programs you mentioned are installed on your computer, please remove one of them. After that, please follow the steps in our READ & RUN ME FIRST.

    There are a number of steps, but they are easy to follow if you just take them one at a time and do what they say. Afterwards, please post the six logs so we can look through them and make sure you really are malware free or if something further needs attention!

    Thanks!
    abri
     
  3. Silent Scream

    Silent Scream Private E-2

    Hey abri..

    Just to make it clear, which 6 logs are you looking for me to post?

    -thanks for that response

    P.s..
    I removed Norton from my system; I now have AVG only!
     
  4. abri

    abri MajorGeek

    Hi Silent Scream,
    In my other post there's a link to the following instructions. This is sort of a shortened version of that. There may be some remnants of Norton left over. We'll work on that later.
    abri


     
    Last edited by a moderator: Aug 16, 2007
  5. Silent Scream

    Silent Scream Private E-2

    Ok, here are 3 logs..

    HijackThis.log
    Newfiles.txt
    runkeys.txt

    I cannot run the BitDefender scan as it is taking a lot more time than I expected to scan, so is it OK if I just upload..

    HijackThis
    Newfiles
    runkeys
    CounterSpy
    Panda ActiveScan

    ??
     
  6. Silent Scream

    Silent Scream Private E-2

    Emm.. I'm having problems with Panda ActiveScan so I will also leave it out, if that's OK!
     
  7. abri

    abri MajorGeek

    Hi Silent Scream!

    You haven't followed the directions in the READ & RUN ME carefully, so there are some things we will need to go back and do now.

    You have two anti-virus programs running on your computer. These will conflict with each other and cause problems. Please choose one of them, either AVG or NOD32 and uninstall the other one. Both are good. I'm more familiar with AVG. The version of AVG you are running is 7.0. There's a newer version 7.5 now, so if you decide to keep the AVG, you should update to the newer version when we get finished here. There are a lot of downloads that have been tested which you can look at here: http://www.majorgeeks.com/ But to begin with, please uninstall one of these antivirus programs.

    Next, please go to Add/Remove programs and uninstall the following:

    Viewpoint Media Player
    Messenger Plus! Live
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) SE Runtime Environment 6 Update 1

    After you've uninstalled these, please REBOOT your computer!

    Once it boots back up, please install Java Runtime Environment vs. 6.2

    You installed HijackThis to the Desktop and did not rename it. Please go back and read the instructions for downloading and installing HijackThis carefully!! It's very important that it be installed to the correct folder and that it be renamed. Otherwise we cannot fix certain things. Please follow the instructions here:
    Downloading & Installing HijackThis Then you will need to rerun HijackThis under the name analyse.exe and post a new HijackThis log.

    You have not yet posted the two logs from Counterspy (or AVG anti-spyware if you couldn't run Counterspy - which should have been run in safe mode) and of the Panda online scan. The log from the Panda Scan is called Activescan.txt.

    Please find these two scans and attach them along with the new HijackThis log.

    The BitDefender scan takes quite a long time to run. However, it gives us important information about your computer and also fixes things. With all of these scans, you must set them to fix anything they find and then to make a log of what they found.

    Please post the ActiveScan log and the one from Counterspy. Try to get the BitDefender log as well, in particular if you're having an issue which is hard to get rid of.

    abri
     
    Last edited: Aug 16, 2007
  8. Silent Scream

    Silent Scream Private E-2

    OK, thanks... where can I find the CounterSpy log file?? And here's the proper HijackThis log..
     
  9. abri

    abri MajorGeek


    Hi Silent Scream!

    The log for counterspy can be found as follows as per the READ & RUN ME:

    5: Cleaning Malware

    For Windows Vista, XP, 2K and NT users
    • Run CounterSpy - Make sure you have it Quarantine all detections! Also attach the log from CounterSpy later if you still have problems. To get the log after scanning. Click View -> Spyware Scan -> View Spyware Scan History. Next click on the scan you want to view, then click view full details of scan. Right-click anywhere in the window that just opened, click on Select All, right-click again select Copy. Now open notepad and right-click anywhere in notepad and select Paste. Now Save As CounterSpy.txt and attach to your next post.
    Please post it with your next post.


    Next: Go to Add/Remove programs and uninstall the following:

    J2SE Runtime Environment 5.0 Update 6
    Java(TM) SE Runtime Environment 6 Update 1

    After you've uninstalled these, please REBOOT your computer!

    Once it boots back up, please install Java Runtime Environment vs. 6.2




    Did you choose to uninstall NOD32 and keep AVG? If so, please make sure NOD is uninstalled and not just disabled. I still see entries for it. Was Norton also installed on your computer? There's a file for Symantec as well. If you've uninstalled these, there are remnants we can still get rid of. If you haven't uninstalled them, please do so, so that only AVG is left on your computer.


    Next - If you do not use Windows Messenger (which is different from MSN Messenger!!), please use the following tool to disable and remove it:

    Disable/Remove Windows Messenger


    I don't see evidence for the worm you mentioned. Microsoft made a patch for the vulnerability which allows this worm to get onto your system and you appear to be keeping up with your Windows Updates, so I don't think you have this worm. To give you further information about your computer, I would have to see the Panda, BitDefender and Counterspy logs. If none of them found anything, they wouldn't produce a log.

    Are you noticing any specific differences in the way your computer is working over how it was working a month or two ago?


    Once you've made the above changes to your computer, please run Analyse.exe (the HijackThis) and post a fresh log with the Counterspy log.

    Thanks.
    abri



     
  10. Silent Scream

    Silent Scream Private E-2

    OK, uninstalled Messenger with that tool.. what was the point in that??


    Here is the HijackThis (analyse.exe) scan log..

    I cannot upload the CounterSpy log as it is over the forum limit. And yeah, it is a .txt file.. but it is huge!
     
  11. abri

    abri MajorGeek

    It is a vulnerability in the system for viruses and is not used by most people.

    Did you run CCleaner in Safe Mode for all your users including the administrator before you ran Counterspy (also in safe mode)? If not, please go into safe mode and run CCleaner as per the READ & RUN ME FIRST instructions, followed by Counterspy and get a new log. Be sure and have it fix anything it finds!!

    What problems did you have running Panda? Did you use Internet Explorer and have Active X turned on in your options? If you have an infection, Panda and BitDefender will resolve a number of problems that other scans don't get.

    Has your computer shown any signs of infection? Popups, unexpected shutdowns, unusual running processes in the Task Manager?

    Thanks.
    abri
     
  12. Silent Scream

    Silent Scream Private E-2

    I have run both in safe mode and no, my PC isn't showing any signs of a virus or worm anymore.. and there are no unusual processes running.
     
  13. abri

    abri MajorGeek

    Hi Silent Scream!

    The Counterspy log is normally a bit less than 5 kB, so if yours is too big to upload here, it's at least 20 times that! Since it's a .txt file, you can just double-click on it, open it up and see if it found any viruses or other malware and if it removed them. It gives a complete report on what it did. It lists all the cookies and logs on your computer, which is what CCleaner removes, so if CCleaner was not run with the default settings and according to our instructions, it's possible that some of your Counterspy log is made up of those things and that this is what is making the log so bulky. If it is showing anything bad, like a description of trojans which could not be removed, please tell me! But if you don't find anything bad in your Counterspy log, then please uninstall Counterspy under Sunbelt in Add/Remove Programs. Then go to Program Files and delete the following:

    C:\Documents and Settings\Matthew\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Okay, if you've already uninstalled Norton, there is still a piece of it hanging around.

    Let's stop it!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    Click OK until you get back to Windows.

    Next run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.


    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste Symantec Core LC into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    *After clicking Fix, allow your computer to reboot.


    There are still signs that you have both NOD32 and AVG on your computer! NOD32 is loading at startup. Please uninstall it! It's not enough to disable a second antivirus program; it needs to be uninstalled. If you've already uninstalled it, please tell me so we can get rid of that one item.

    From what I've seen, I don't think your computer is infected, but without the missing logs, I can't tell you for sure. It could have been a false positive, although Norton does not make too many false positives. Nevertheless, running multiple antivirus systems can lead to false positives. When you have more time, I recommend running the BitDefender and Panda and see if they come up basically clean. Panda will remove anything that's highly dangerous, but will leave most of what it finds. You can click on both of their logs and see if they found anything, but remember, you have to run both of these using Internet Explorer.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    2. After doing the above, you should work thru the below link:
    Let me know how everything went!
    abri
     
    Last edited: Aug 17, 2007
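The service steps in the post above (stop the leftover Symantec Core LC service in services.msc, set it to Disabled, then remove its registration with HijackThis' "Delete an NT Service") and the observation that NOD32 was still loading at startup after being "uninstalled" can both be done from an elevated PowerShell prompt. The script below is an added example written for this page, not something from the thread or from MajorGeeks. It assumes the service display name "Symantec Core LC" from the post; the vendor name patterns, the `-Delete` switch and the dry-run default are the example's own choices, not anything the thread specifies.

```powershell
# Added example (not from the thread): PowerShell equivalent of the
# services.msc / HijackThis "Delete an NT Service" steps above, plus a check
# for leftover startup entries from an antivirus that was uninstalled.
# Assumptions: run from an elevated prompt; "Symantec Core LC" is the display
# name given in the post; the vendor patterns are illustrative, not from the page.
param(
    [string]$ServiceDisplayName = 'Symantec Core LC',
    [string[]]$VendorPatterns   = @('Symantec', 'Norton', 'NOD32', 'ESET'),
    [switch]$Delete   # the service registration is only removed when this is given
)

# 1. Locate the service by its display name (what you scroll to in services.msc).
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "No service with display name '$ServiceDisplayName' found."
} else {
    # Show the binary the service points at; a missing file confirms it is an orphan.
    $info = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    Write-Host ("Service {0} ({1}) state={2} start={3}`n  binary: {4}" -f
        $svc.Name, $svc.DisplayName, $svc.Status, $info.StartMode, $info.PathName)

    # 2. Stop it (the 'Stop' button in the Properties dialog) ...
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    # ... and set Startup Type to Disabled so it does not come back after a reboot.
    Set-Service -Name $svc.Name -StartupType Disabled

    # 3. Remove the registration (what HijackThis' 'Delete an NT Service' does).
    if ($Delete) {
        sc.exe delete $svc.Name | Out-Null
        Write-Host "Deleted service $($svc.Name); reboot to complete removal."
    } else {
        Write-Host "Dry run: re-run with -Delete to remove the service registration."
    }
}

# 4. Check the Run keys for entries from the vendors that were uninstalled
#    (the same places the runkeys.txt log in the thread reads from).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$regex = ($VendorPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Value -match $regex -or $p.Name -match $regex) {
            Write-Host ("Leftover startup entry in {0}: {1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

# 5. Any other services from those vendors; a properly uninstalled AV leaves none.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -match $regex -or $_.PathName -match $regex } |
    Format-Table Name, DisplayName, State, StartMode, PathName -AutoSize
```

Run it once without `-Delete` to see what is still registered and what the service binary path is; if the path points at a file that no longer exists, the entry is a remnant and can be removed with `-Delete`. Deleting a service only takes full effect after a reboot, which matches the reboot the post asks for after the HijackThis fix.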
  14. Silent Scream

    Silent Scream Private E-2

    OK, I have done everything you asked me in that post, and I have uninstalled NOD32 via Add/Remove Programs; it is not visibly loading and there is no trace of it in my start menu.
     
  15. abri

    abri MajorGeek

    Silent Scream,
    The last post was edited, so I hope you got the correct version of that post.
    abri
     
  16. Silent Scream

    Silent Scream Private E-2

    Done everything in the last post, Norton stopped and disabled.. HJT scan, but I uninstalled NOD32, not sure about that?
     
  17. abri

    abri MajorGeek

    Hey Silent Scream !

    If you uninstalled NOD32, I think you're fine. If you find you're still getting messages about malware, then come back and we can look at it again.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

    Step two below is optional, because I don't think you had any malware. If you notice your computer continues to operate without problems, then you can set a new one after a few reboots. Also, consider using CCleaner regularly according to the instructions in the READ & RUN ME FIRST. It will keep your computer a lot cleaner and less vulnerable.

    1. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    2. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    3. After doing the above, you should work thru the below link:
    abri
     
  18. Silent Scream

    Silent Scream Private E-2

    Job done..

    Thanks a lot for your help and time, you have been very helpful and I'm 100% grateful for this help.

    If there are any further problems I will get back in contact with you.

    -Thank You
    Silent-
     
  19. abri

    abri MajorGeek

    Happy Surfing and good luck!

    :)
    abri
     
