W32.Spybot.Worm

  • 22-04-2008 1:25pm
    #1
    Registered Users, Registered Users 2 Posts: 264 ✭✭


    Hi Aidan and ActorSeeksJob (and anyone else who might help!)

    Symantec had been complaining about a threat that appeared to be repeatedly happening (W32.Spybot.Worm).

    There was a file highlighted in Quarantine which I deleted, I then performed a complete system scan and nothing else was found!
    However, the "Risk was partially removed" statement from the Symantec 'Risk History' is bugging me!

    Is there something still on my laptop?


    I will follow Aidan's sticky ("I think I have a virus" - Please Read & Try BEFORE Posting) when I take the laptop home, but in work I cannot download any of the .exe files such as ATF Cleaner, etc...

    Is there anything else I can do until then?
    Is this worm dangerous?....I read it may do key logging??


    Any help would be great!

    Thanks!


    Here's a section of the Symantec Risk History (it may not paste too well here!):

    Risk Action Count Filename Risk Type Original Location User Status Current Location Primary Action Secondary Action Logged By Action Description Date
    W32.Spybot.Worm Reboot Processing 40 live.messenger.com File c:\winnt\ user Infected c:\winnt\ Delete Leave alone (log only) Reboot Processing Performing Post-Reboot Risk Processing. 14/03/2008 01:48
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ SYSTEM Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:38
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ user Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:33
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ user Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:31
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ user Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:23
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ user Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:19
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ user Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:15
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ user Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:12
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ SYSTEM Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:11
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ SYSTEM Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:09
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ SYSTEM Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:07
    W32.Spybot.Worm Partial 2 live.messenger.com File C:\WINNT\ SYSTEM Infected C:\WINNT\ Clean security risk Quarantine Auto-Protect scan Risk was partially removed. 14/03/2008 01:06
    .
    .
    .
    .
    .
    .
    .
    .
    .
    .
    .
    W32.Spybot.Worm Reboot Required - Cleaned by deletion 53 live.messenger.com File C:\WINNT\ SYSTEM Infected C:\WINNT\ Reboot Required - Clean security risk Reboot Required - Quarantine Auto-Protect scan 13/03/2008 22:35
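
The log above is the kind of thing worth reading mechanically rather than by eye: the same file being "partially removed" every couple of minutes tells you that something still running is recreating it between Auto-Protect hits. The script below is an added example, not part of the original post or of any Symantec tooling. It assumes the Risk History export is tab-delimited with the column headers shown in the post (the paste above lost its tabs), and the rows it parses are constructed to mirror the ones quoted, plus one unrelated single-hit detection for contrast.

```python
"""Triage a Symantec AntiVirus 'Risk History' export for recurring detections.

Added example (not from the original post). Assumes the export is
tab-delimited with the column headers shown in the thread; the rows below
are constructed to mirror the ones pasted there.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

COLUMNS = ["Risk", "Action", "Count", "Filename", "Risk Type", "Original Location",
           "User", "Status", "Current Location", "Primary Action",
           "Secondary Action", "Logged By", "Action Description", "Date"]


def spybot_row(action, count, user, primary, secondary, logged_by, desc, when):
    """Build one constructed W32.Spybot.Worm row in the thread's column order."""
    return ["W32.Spybot.Worm", action, str(count), "live.messenger.com", "File",
            "C:\\WINNT\\", user, "Infected", "C:\\WINNT\\", primary, secondary,
            logged_by, desc, when]


SAMPLE_ROWS = [
    spybot_row("Reboot Required - Cleaned by deletion", 53, "SYSTEM",
               "Reboot Required - Clean security risk", "Reboot Required - Quarantine",
               "Auto-Protect scan", "", "13/03/2008 22:35"),
    spybot_row("Partial", 2, "SYSTEM", "Clean security risk", "Quarantine",
               "Auto-Protect scan", "Risk was partially removed.", "14/03/2008 01:06"),
    spybot_row("Partial", 2, "SYSTEM", "Clean security risk", "Quarantine",
               "Auto-Protect scan", "Risk was partially removed.", "14/03/2008 01:07"),
    spybot_row("Partial", 2, "SYSTEM", "Clean security risk", "Quarantine",
               "Auto-Protect scan", "Risk was partially removed.", "14/03/2008 01:09"),
    spybot_row("Partial", 2, "user", "Clean security risk", "Quarantine",
               "Auto-Protect scan", "Risk was partially removed.", "14/03/2008 01:12"),
    spybot_row("Partial", 2, "user", "Clean security risk", "Quarantine",
               "Auto-Protect scan", "Risk was partially removed.", "14/03/2008 01:33"),
    spybot_row("Reboot Processing", 40, "user", "Delete", "Leave alone (log only)",
               "Reboot Processing", "Performing Post-Reboot Risk Processing.",
               "14/03/2008 01:48"),
    # Constructed one-off detection with a hypothetical risk name, for contrast.
    ["Example.Risk.Test", "Quarantined", "1", "sample.tmp", "File", "C:\\TEMP\\",
     "user", "Quarantined", "Quarantine", "Quarantine", "Leave alone (log only)",
     "Manual scan", "Risk was quarantined.", "15/03/2008 09:00"],
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in [COLUMNS] + SAMPLE_ROWS)


def parse_risk_history(text):
    """Parse a tab-delimited export into dicts, adding a datetime under 'when'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text), delimiter="\t"):
        r["when"] = datetime.strptime(r["Date"], "%d/%m/%Y %H:%M")
        rows.append(r)
    return rows


def triage(rows, window=timedelta(minutes=30), min_hits=3):
    """Group events per (risk, filename) and flag files that keep coming back.

    'Partial' removals of the same file repeating inside a short window mean
    the file is recreated between scans, i.e. something still running drops
    it again. That is as far as the scanner's own log can take you."""
    by_file = defaultdict(list)
    for r in rows:
        by_file[(r["Risk"], r["Filename"])].append(r)
    report = {}
    for key, events in by_file.items():
        events.sort(key=lambda r: r["when"])
        partial = [r for r in events if r["Action"] == "Partial"]
        burst = 0  # most partial removals that fall inside one sliding window
        for i, first in enumerate(partial):
            burst = max(burst, sum(1 for s in partial[i:]
                                   if s["when"] - first["when"] <= window))
        report[key] = {
            "partial_count": len(partial),
            "recurring": burst >= min_hits,
            "users": sorted({r["User"] for r in events}),
            "span_minutes": int((events[-1]["when"] - events[0]["when"]).total_seconds() // 60),
            "last_action": events[-1]["Action"],
        }
    return report


if __name__ == "__main__":
    for (risk, name), info in triage(parse_risk_history(SAMPLE_EXPORT)).items():
        verdict = "RECURRING: find what recreates it" if info["recurring"] else "single event"
        print(f"{risk} / {name}: {info['partial_count']} partial removals, "
              f"users={info['users']}, last={info['last_action']}: {verdict}")
```

Detections under more than one account (SYSTEM as well as the logged-on user) are worth noting separately: they say the dropper runs in a service context and not only in the user's session, which is why a plain file delete followed by a reboot keeps showing "partially removed".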


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Run DSS from the sticky thread and post the logs here


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Hi there! that was quick!

    DSS downloaded with no problems, but it could not download HiJackThis, so it used its own internal scanner.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    1. Please re-open HiJackThis and choose 'Do a system scan only'. Check the boxes next to ONLY the entries listed below (if present):

    F2 - REG:system.ini: Shell=
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM
    O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM
    O20 - Winlogon Notify: ccnotify - C:\Program Files\Rational\bin\ccnotify.dll (file missing)


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      [kill explorer]
      C:\WINNT\system32\internat.exe
      C:\WINNT\Web\RELATED.HTM
      purity 
      [start explorer]
      
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Reboot and post a new DSS log


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Hi, I did not have the following?

    O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM


    My company is blocking this site....any other way to get this?

    http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Don't worry if you can't find that HijackThis entry, just continue on with the rest of the steps

    I have hosted OTMoveIt2 here for you

    http://www.mediafire.com/?mgmvyclmdjn


    Let me know if that works


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Let me know if that works

    Got it, thanks!

    Will get back to it...


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Hi again!

    No extra.txt generated this time from DSS???

    Here is the OTMoveIt2 log:

    Explorer killed successfully
    C:\WINNT\system32\internat.exe moved successfully.
    C:\WINNT\Web\RELATED.HTM moved successfully.
    < purity >
    Explorer started successfully

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04222008_162836


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do you recognise this file

    c:\program files\WORK\elmo\elmosvc.exe


    If not do this

    Go to this site:
    http://www.virustotal.com/
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    c:\program files\WORK\elmo\elmosvc.exe

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.



    Then tell me how your PC is running


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    I'm not familiar with that file but it appears to be located under our WORK environment folder. WORK is our standard office environment....don't ask me what that really means but it sets up our basic working environment.

    I will follow your steps anyway and see how it goes!

    Initially I thought my PC seemed slower after the reboot but it seems ok now....mind you I have not done much except browse the net since starting this procedure!

    The cursor is acting funny (on this site anyway while I type this)....it keeps flickering really fast and it's hard to tell where on the page it is???

    Based on your other findings, is this anything to worry about?

    O4 - HKUS\S-1-5-21-507921405-1897051121-725345543-161355\..\Run: [Internat.exe] internat.exe (User 'clrcase')


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    I've decided against sending that file to the web site. I'm pretty sure it's ok and as it appears to be work related I better not! :)


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Post a new HijackThis log there


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Post a new HijackThis log there

    ok will do, when back in the office tomorrow!

    just to note, I have not changed anything since the last HijackThis log I posted?

    does that other internat.exe file look dodgy or??

    thanks for your time and help so far!!!


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yes that is dodgy

    I thought we had fixed it

    Either I missed one of the entries or it respawned, will see in the log


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Yes that is dodgy

    I thought we had fixed it

    Either I missed one of the entries or it respawned, will see in the log

    Hi ActorSeeksJob

    Here is the log from HijackThis...


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Fix this entry in HijackThis

    O4 - HKUS\S-1-5-21-507921405-1897051121-725345543-161355\..\Run: [Internat.exe] internat.exe (User 'clrcase')


    Reboot and post a new HijackThis log and tell me how your PC is running
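
The entry that survived the first fix was the same autorun under a different user hive (HKUS\S-1-5-21-...). That is the easy thing to miss when reading O4 lines by hand: HijackThis lists the per-user Run keys separately, so one autorun can appear three or four times. The script below is an added example, not part of the original thread and not HijackThis code; it parses O4 lines, groups them by entry name across hives, and reports which copies were left after a partial fix. The three internat.exe lines are the ones quoted in the thread; the ExampleUpdater and ExampleTray lines are constructed stand-ins for ordinary autoruns.

```python
"""Cross-check HijackThis O4 (autorun) entries across every user hive.

Added example (not from the original post or from HijackThis). The
internat.exe lines are the ones quoted in the thread; the other lines are
constructed stand-ins for ordinary autoruns.
"""
import re
from collections import defaultdict

# O4 - <hive>\..\Run[Once|Services]: [<entry name>] <command> (User '<name>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed HijackThis log fragment; the internat.exe lines match the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /quiet",
    r"O4 - HKCU\..\Run: [Internat.exe] internat.exe",
    r"O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')",
    r"O4 - HKUS\S-1-5-21-507921405-1897051121-725345543-161355\..\Run: [Internat.exe] internat.exe (User 'clrcase')",
    r"O4 - HKUS\S-1-5-21-507921405-1897051121-725345543-161355\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe (User 'clrcase')",
]
# The two internat.exe entries that were ticked in the first 'Fix checked' pass.
FIXED_FIRST_PASS = SAMPLE_LOG[1:3]


def parse_o4(line):
    """Split one O4 line into hive, key, entry name, command and user (or None)."""
    m = O4_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # A command with no directory is located by the loader's search order, so the
    # log alone does not tell you which file on disk actually runs.
    d["bare"] = "\\" not in d["cmd"].split(" ")[0]
    return d


def autorun_families(lines):
    """Map each entry name (case-folded) to the sorted list of hives carrying it."""
    fam = defaultdict(list)
    for e in filter(None, map(parse_o4, lines)):
        fam[e["name"].lower()].append(e["hive"])
    return {name: sorted(hives) for name, hives in fam.items()}


def bare_commands(lines):
    """Entry names whose command carries no path; confirm these on disk by hand."""
    return sorted({e["name"].lower() for e in filter(None, map(parse_o4, lines))
                   if e["bare"]})


def unfixed(lines, fixed):
    """Lines that share an entry name with a fixed entry but were not fixed
    themselves: the per-user-hive copies that a partial fix leaves behind."""
    fixed_names = {e["name"].lower() for e in filter(None, map(parse_o4, fixed))}
    left = []
    for line in lines:
        e = parse_o4(line)
        if e and line not in fixed and e["name"].lower() in fixed_names:
            left.append(line)
    return left


if __name__ == "__main__":
    for name, hives in autorun_families(SAMPLE_LOG).items():
        print(f"{name}: {len(hives)} hive(s) -> {hives}")
    print("bare commands:", bare_commands(SAMPLE_LOG))
    print("left after first pass:", unfixed(SAMPLE_LOG, FIXED_FIRST_PASS))
```

The useful output is the `unfixed` list: after the first pass it contains exactly the clrcase-hive copy that had to be fixed in a second round here. Running the comparison against a fresh log after each fix (rather than after a reboot only) also distinguishes "I missed one" from "it respawned", because a respawned entry reappears in a hive that was already cleaned.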


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    PC is still ok...


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Perfect
    • Make sure you have an Internet Connection.
    • Double-click OTMoveIt2.exe to run it.
    • Click on the CleanUp! button
    • A list of tool components used in the Cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


    Also make a new system restore point and flush the old ones


    Below I have included a number of recommendations for how to protect your computer against malware infections.

    * Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

    * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
    SpywareBlaster protects against bad ActiveX
    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
    Have a look at this tutorial for IE-Spyad here

    * SpywareGuard offers realtime protection from spyware installation attempts.

    Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

    * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
    Here

    * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
    Here

    Thank you for your patience, and performing all of the procedures requested.
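
On the HOSTS-file recommendation above: the mechanism is only as good as the exact names in the file, since HOSTS has no wildcards and is consulted only for name lookups. The snippet below is an added example, not part of the original post and not the MVPS file itself; it parses a HOSTS file in the usual layout and answers whether a given hostname is sinkholed. The HOSTS text it reads is constructed, using 127.0.0.1 as the post describes (block lists also commonly use 0.0.0.0), and the example domains are hypothetical.

```python
"""Check which hostnames a HOSTS file actually sinkholes.

Added example (not from the original post, not the MVPS file). The HOSTS
text below is constructed; the domains in it are hypothetical.
"""
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

SAMPLE_HOSTS = """\
# Constructed sample HOSTS file in the usual layout
127.0.0.1 localhost
127.0.0.1 ads.example.com        # hypothetical ad server
127.0.0.1 www.ads.example.com
127.0.0.1 tracker.example.net
"""


def parse_hosts(text):
    """Return {hostname (lower-case): address}; comments and blanks are skipped.
    The first address seen for a name is kept."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(mapping, hostname):
    """True only on an exact (case-insensitive) name match: a HOSTS entry for
    ads.example.com says nothing about cdn.ads.example.com, and nothing at all
    about connections made to an IP address directly."""
    return mapping.get(hostname.lower().rstrip(".")) in SINKHOLE_ADDRESSES


def coverage_gaps(mapping, hostnames):
    """Names from a list you expect to be blocked that the file does not cover."""
    return [h for h in hostnames if not is_sinkholed(mapping, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    wanted = ["ads.example.com", "cdn.ads.example.com", "tracker.example.net"]
    print("not covered:", coverage_gaps(hosts, wanted))
```

The gap list is the practical check to run after installing a block list: every extra subdomain a site uses needs its own line, which is why such lists are large and why they are a supplement to, not a replacement for, keeping the browser's own controls tight.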


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Some problems with OTMoveIt2 in the office environment!

    What to do?

    Here are the results after I clicked 'Clean Up!'


    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder Access Denied (content_filter_denied) not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder Access denied to "download.bleepingcomputer.com" according to: not found.
    File/Folder - not found.
    File/Folder - not found.
    File/Folder the usage of systems and services not found.
    File/Folder not found.
    File/Folder This page is categorized as: "Computers/Internet;Spyware Effects/Privacy Concerns;Newsgroups/Forums;Software Downloads" not found.
    File/Folder not found.
    File/Folder If you wish to question or dispute this result, click not found.
    File/Folder not found.
    File/Folder If you need access to this site for Business reasons, please contact your manager and follow the not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder For assistance, contact not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.
    File/Folder not found.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    That's a problem with your firewall at work

    Just go ahead and delete OTMoveIt2.exe and the other tools we ran

    Then go on with the rest of the steps


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    another problem is that Windows 2000 does not seem to have an option to create a restore point?

    i'll reboot anyway!

    what was the end result?
    was I infected with a worm or were these steps just precautionary?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You had a backdoor bot

    http://www.bleepingcomputer.com/startups/internat.exe-8093.html


    I am not sure how you make a system restore point on Windows 2000


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    You can't. System Restore was introduced with Windows ME, and never back ported to 2000.


  • Registered Users, Registered Users 2 Posts: 264 ✭✭MartyM


    Fair play to ya!....and thanks a million for taking the time to look at the logs AND fix the problem!!

    Never noticed any strange behavior while I had it, so hopefully they didn't get any valuable personal info from me!

    Thanks again!!!

