W32.spybot.worm still alive after HDD format and XP home reinstall

Guest

Hi,

This weekend my PC got infected with W32.spybot.worm and W32.randex.gen through mIRC. I then decided to solve this problem by formatting my HDD and reinstalling XP Home with a fresh install.

So, I formatted, I reinstalled XP, my drivers, Ad-Aware 6.0, Spybot S&D 1.3, spy-sweeper and finally Norton Antivirus 2004 (demo version from a Maximum PC CD). At this point I created a restore point. Everything looked fine until I reinstalled my internet service.

First, I got the usual pop-ups, usually fixed with a Windows update. So, I went over the internet to the winupdate site. It's there that I again got the "mediaticket" browser hijack and the NAV alert saying that W32.spybot.worm was found in several files: winservicess.exe, wuam.exe, NAVSCAN64.exe, wuamgrd.exe, PDSched.exe.

Questions:
1- Is it possible that the virus survived after a format?
2- As W32.spybot.worm sends the IP address to an IRC server and opens a backdoor port, could it be that when I connected to the internet some backdoor allowed viral stuff to survive?

I tried the removal instructions on the Symantec site (http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.spybot.worm.html) but when I am in Safe Mode, NAV doesn't run the scan: nothing happens when I click on scan.

So that's where I am. I am thinking of taking that restore point I created and contacting my internet provider to give me another internet installation kit with a new IP and username, etc.

Another question: I activated my XP Home after creating the system restore point... if I restore XP Home, will I have to reactivate XP?

Any help, comments ?
 
Willie

Did you enable the XP firewall at the very least BEFORE connecting to the
internet? If not, you may have been re-infected with any one of the many
spyware programs out there in internet land. It's safe to say that your
format took care of the original issue, B U T...

Willie
 
Guest

Symantec's site says that new variants of this worm may spread via DCOM (port 135). Did you turn on your XP firewall or another one BEFORE you connected to the internet? If not, then that is your problem.
 
Willie

Maybe some of these will help...I know you already have Spybot and Ad-Aware,
but Hijackthis is great! And by all means, download and update Spyware
Blaster. Hope you solve your issue.

Check for Spyware:
Lavasoft Ad-Aware: www.lavasoftusa.com
SpyBot S&D: http://www.safer-networking.org/
CWShredder: http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Online Spyware scan: http://aumha.org/a/noads.php
Stinger: http://vil.nai.com/vil/averttools.asp
Hijackthis: http://tomcoyote.com/hjt/
Also: http://www.net-integration.net/tools/hijackthis.html
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

Willie



 
Richard Urban

You didn't get infected when you went to Windows Update. You got infected
because you were "connected" to the internet (probably by broadband) BEFORE
you secured your system with a firewall and antivirus program.

When you load a new system, unplug the internet connection until you have
the aforementioned programs installed and configured. Then shut down and
plug in the connection.

It only takes about 1 second to get infected today, and you don't even have
to open your web browser to have it happen!


 
Bruce Chambers

Greetings --

No, the worm didn't survive the hard drive format. Instead, you
invited reinfection when you connected to the Internet without having
first enabled your firewall.

Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH


 
Guest

thanks everyone !

So, I'll do a system restore, recovering from the restore point I created earlier, and I'll set the XP firewall before connecting to the internet.

Two questions:
1- Will the system restore "un-activate" the XP activation I made after creating the restore point?
2- Is the firewall that comes with XP Home enough to block most viral attacks, or do you recommend that I buy some 3rd party product?

thanks again
 
Richard Urban

ZoneLabs has an excellent FREE firewall (ZoneAlarm - Free) that is tons
better than the one that is used in "any" version of Windows. There are also
others. No need to buy anything, unless you want more bells and whistles.

--
Regards:

Richard Urban

aka Crusty (-: Old B@stard :)
 
Willie

Not sure about the re-activation, but as for the firewall, get the free one
at www.zonelabs.com ...but, the XP will be good enough till the Zone Labs
one is installed...But, you MUST have one before connecting for anything.

Willie


 
Bruce Chambers

guillaume said:
so, I'll do a system restore with recovering from the restore point
I created earlier and I'll set the XP firewall before connecting to
the internet
two questions:
1- the system restore will "un-activate" the XP activation I have
made after creating the restore point ?

No, System Restoration should not affect activation.

guillaume said:
2- the firewall coming with XP home is enough to block mostly any
viral attacks or do you recommend that I buy some 3rd party product ?

WinXP's built-in firewall is _adequate_ at stopping incoming
attacks, and hiding your ports from probes. It doesn't give you any
alarms, or any other kind of indication, to tell you that it is
working, though. Nor is it very easily configurable. What WinXP also
does not do, is protect you from any Trojans or spyware that you (or
someone else using your computer) might download and install
inadvertently. It doesn't monitor out-going traffic at all, other
than to check for IP-spoofing, much less block (or even ask you
about) the bad or the questionable out-going signals. It assumes that
any application you have on your hard drive is there because you want
it there, and therefore has your "permission" to access the Internet.
Further, because the ICF is a "stateful" firewall, it will also assume
that any incoming traffic that's a direct response to a Trojan's or
spyware's out-going signal is also authorized.

ZoneAlarm, Kerio, or Sygate are all much better than WinXP's
built-in firewall, and are much more easily configured, and there are
free versions of each readily available. Even the commercially
available Symantec's Norton Personal Firewall is superior by far,
although it does take a heavier toll of system performance than do
ZoneAlarm or Sygate.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
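
Added example, not part of the original thread and not any poster's or vendor's code: a simplified Python model of the behaviour described in the reply above, comparing a stateful filter that ignores outbound traffic with one that also checks which program is sending. The addresses, ports, the approved-program list and all class and function names are constructed for illustration; `wuamgrd.exe` is one of the file names reported in the first post.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    local_port: int
    remote_ip: str
    remote_port: int
    app: str = ""       # sending program; only meaningful for outbound packets

@dataclass
class StatefulFilter:
    # None models a filter that does not inspect outbound traffic at all.
    # A set models per-program outbound control (hypothetical approved list).
    allowed_apps: Optional[frozenset] = None
    state: set = field(default_factory=set)   # flows opened from the inside

    def handle(self, p: Packet) -> str:
        flow = (p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out":
            if self.allowed_apps is not None and p.app not in self.allowed_apps:
                return "BLOCK outbound (program not approved)"
            self.state.add(flow)               # remember the flow for replies
            return "ALLOW outbound"
        if flow in self.state:                 # reply to something we started
            return "ALLOW inbound (reply to tracked flow)"
        return "DROP inbound (unsolicited)"

# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE = [
    Packet("in", 135, "198.51.100.7", 4444),                      # probe of DCOM port
    Packet("out", 1045, "203.0.113.9", 6667, app="wuamgrd.exe"),  # bot calls out
    Packet("in", 1045, "203.0.113.9", 6667),                      # server's reply
]

def verdicts(fw, packets=SAMPLE):
    """Run the packets through the filter in order and collect the decisions."""
    return [fw.handle(p) for p in packets]

if __name__ == "__main__":
    configs = {
        "inbound-only stateful": StatefulFilter(),
        "with outbound program control": StatefulFilter(frozenset({"iexplore.exe"})),
    }
    for name, fw in configs.items():
        print(name)
        for p, v in zip(SAMPLE, verdicts(fw)):
            print(f"  {p.direction:>3} local:{p.local_port:<5} {v}")
```

Both filters drop the unsolicited probe of port 135, which is why enabling either one before connecting prevents the reinfection; only the second stops a program already on the disk from opening its own channel.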
 
Guest

awright !!!

everything is fixed... no more virus and I've got a reliable firewall with ZoneAlarm

thanks everyone !!
 
