Win XP / W32.Spybot.worm / NAV

Failed repeatedly to delete it until I ran HJT (a grand program, btw) and deleted it that way. Start your PC in safe mode and scan all files (not just program files). Does anyone have any advice on how he may rid himself of this worm? Generic detection spybot 2.x based worms is available in a few min via online update... Michael · 2003-May-24 3:41 pm · Michael, Premium Member, join: 2001-05-06, Canada

Michael to Randy Bell Premium Member 2003-May-24

Care to speculate? My friend turned on the XP firewall and was asked to reboot. I have used it for over 2 years, trouble free. If you decide on this course of action please go to www.kerio.com and download the version KPF 2.1.5. Please post back with results. david

DBAN was a miracle cure for ridding a hard drive of Norton's rotten GoBack too. Thanks again for all your help. [text was edited by author 2003-05-24 00:54:10] · 2003-May-24 12:52 am · Michael

Michael to psloss Premium Member 2003-May-24 1:30 pm

Okay, I Log keystrokes. Do you know if he is sharing any of his hard drives?

Thanks again. Paul :-(

Expert Comment by: SheharyaarSaahil, ID: 11512278, 2004-07-09

Do you have any Linmeimei.exe file on the hard drive ??

I've rebooted twice and won't do it again until I move intact zipped programs and files to an external hard drive for safekeeping.

Microsoft Windows SSL Library Denial of Service Vulnerability (BID 10115). VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (BID 11974).

I remember you writing about increased probes to this port and I am wondering what the significance is (if any) of port 445 being open in relation to this worm.

VirtualMe, Thread Starter, Joined: Sep 27, 2002, Messages: 867

Has anyone noticed that folks getting the W32.Spybot.worm alert all have Win XP and Nortons AV, and the ones that posted

Paul

Expert Comment by: sp_100, ID: 11503470, 2004-07-08

paulbasel, I posted before.

Let me know if you find any evidence that the program actually ran and I'll post manual removal details tomorrow...some of that can be found in the posts I made earlier

Paul

Expert Comment by: SheharyaarSaahil, ID: 11501028, 2004-07-08

O4 - HKLM\..\Run: [Microsoft Windows Update] wupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] wupdate.exe

I was successful in all but one, the dreaded W32.spybot.worm.

by Keith Marcotte / November 22, 2003 12:08 PM PST
In reply to: Re:What is the exact warning message?

It was in several places in the registry and also in the Windows/Prefetch directory.

Microsoft Workstation Service Buffer Overrun Vulnerability (BID 9011) using TCP port 445.

Installation

When Worm:Win32/Spybot is run, it copies itself to the %windir% or as an executable.

by Donna Buenaventura / November 21, 2003 11:06 PM PST
In reply to: W32.Spybot.worm

If you've tried the removal instruction of Symantec for W32.Spybot.worm but still receive the alert, try to

There are also no files in quarantine. The other computer that he is networked to is also running NAV and a full system scan on it shows nothing out of the ordinary. It was not present in Run or RunOnce or any other location. I have WinXP Home with recently renewed subscription to Norton AV and am becoming increasingly disillusioned with Norton AV.

I found one trojan and Spybot Search & Destroy found the other one. I know my way around the registry, msconfig, and how to update and run anti-virus and anti-spyware programs and I have never, ever seen anything like this creature before. Run the AntiVirus tool and delete all viruses it found 4.

At startup, as fast as Windows opens I get a 'Network Connection' notice (definitely not a Norton alert) that 'you or a program has requested to connect to h.animeteam.net', and 'which

Then go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here 6.

Me or XP?

It traces to WINDOWS/lsass.exe, and can't be fixed. How are the computers connected to the Internet?

Re:Re:What is the exact warning message? After deleting those entries as well as the ones from wupdate.exe, running all the tools, rebooting, wupdate was again a running process. I say some, because no matter what I do the registry settings seem to reappear. I used sysinternals process explorer to kill the running wupdate process, turned off the system restore, and rebooted in safe mode.

It quarantines it, and I delete it, but it keeps coming back. I think it's best so I can rest easy at night and he can have a clean system. I unclicked those two instances, rebooted into Safemode.

and do you have any other user on the system, if yes then check there, or else create a new user and check if it's running there also.... ?

and something like this. I followed the instructions given by TrendMicro and have successfully eliminated the wupdate.exe files in both the system32 and prefetch directories, and some of the registry settings.

I will have him do another complete scan when he wakes up. I believe he is using XP's firewall himself.

When I connect to the internet from his machine (56K modem), ZoneAlarm shows that wupdate tries to connect as well. Reboot back in Normal Mode and check if problems are gone 10. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049. The true name of the actual file is Windows\system32\lsass.exe.

It's bad news when these critters can move legit and necessary files and replace them with itself. Paul

Expert Comment by: leppstein, ID: 12239471, 2004-10-06

Thanks, Paul.