Jan 4th, 2006, 08:22 PM
#1
Thread Starter
PowerPoster
Help me! Worms
Okay I have tried two different virus scanners and none can seem to remove the apparent set of worms on my comp.
I've tried AVG, found none.
I tried True Sword since it mentions knowledge of the worms in question, it finds them, apparently solves the problem, but then on consecutive scans new worms begin to show up.
Demotry-B
Gaobot.FQ
There was one other which showed its ugly face in spoolv.exe (BAIT-A or something).
They seem to be infecting files such as spoolv.exe, sysinfo.exe, alg.exe.
Note: The comp in question is not on the net and not the comp I am posting on.
Edit: Could True Sword be faking it so I buy their product? How can I prove these worms exist?
Thanks,
Halsafar
"From what was there, and was meant to be, but not of that was faded away." - - Steve Damm
"The polar opposite of nothingness is existence. When existence calls upon nothingness it shall return to nothingness." - - Steve Damm
"When you do things right, people won't be sure if you did anything at all." - - God from Futurama
-
Jan 4th, 2006, 09:44 PM
#2
-
Jan 4th, 2006, 10:55 PM
#3
Thread Starter
PowerPoster
Re: Help me! Worms
Okay I downloaded the free trial.
Ran a full scan.
It found 80+ objects, mostly cookies, some FILENAME00#.CHK files.. All spyware apparently.
After running Ewido I ran True Sword and it immediately picks up a virus reporting "spoolv.exe" process is in the wrong place, it should be in Windows/System32. Truthfully, that file is in Windows/System32 and no other spool*.exe can be found on my comp. Funny though, if I say "Solve Problem" it says it is cleaning the virus out of alg.exe.
AVG and Ewido both say my comp is clean...
I do not feel safe.
Zone Alarm doesn't seem to be reporting any odd internet traffic...
I'm not sure what to do about this!!
Edit:
True Sword's most common message to me:
"Malicious component or program is found in processes: SPOOLSV.EXE. "Added by the BAITAP-A WORM! Note - ""Spoolsv.exe"" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"
-
Jan 4th, 2006, 11:52 PM
#4
-
Jan 5th, 2006, 11:12 AM
#5
Re: Help me! Worms
Sometimes the best/only way is to look up the manual removal online. You should be able to find the instructions on trendmicro or McAfee's web sites.
TPM
Add yourself to the VBForums Frappr Map!!
-
Jan 5th, 2006, 12:48 PM
#6
Thread Starter
PowerPoster
Re: Help me! Worms
I ran avast worm cleaner, it found nothing.
True sword still finds it but is unable to deal with it, even though it says it has solved it.
I checked Sophos' webpage for how to remove the problem. (McAfee was nothing more than a sales page for their virus scanners, very un-user-friendly).
Sophos gave me instructions on how to verify the registry changes the BAITAP-A worm would have made.
"When first run W32/Baitap-A copies itself to:
<Windows>\spoolsv.exe
<System>\resys.exe
W32/Baitap-A will create the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SVCHOST
<WINDOWS>\SPOOLSV.EXE
W32/Baitap-A will change the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin
Shell
explorer.exe <WINDOWS>\SPOOLSV.EXE "
Now, first off.
/Windows/spoolsv.exe does not exist.
/Windows/System/resys.exe does not exist
Neither of the registry locations show what Sophos says they should. The Microsoft/Windows/CurrentVersion/RunOnce has a value which has not been set.
The other, WindowsNT one, just has Explorer.exe and nothing to do with spoolsv.exe
After all this, I cannot find ANY other manual removal methods. This is driving me up-the-wall. I think TRUE SWORD is bs`n me so I buy its product...
AVG, Ewido, Avast Cleaner all found NOTHING!
TrueSword, when scanning processes in memory finds this virus. I am so confused.
Edit:
I'd like to add, I have been trying to download and install OpenOffice off the main site. If I do, run the installer, it says "This executable has been changed, this is probably the results of a virus, please download again."
Edit:
I just found a Norton 2005 CD which came with the laptop in question. Heh, I'll try that, I do believe if Norton cannot find anything then there is nothing to find.
Also, to add, True Sword, after removing the problem, finds the problem again after about 2minutes.
Last edited by Halsafar; Jan 5th, 2006 at 01:07 PM.
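The indicator checks from the Sophos write-up quoted in the post above, scripted as an added example (this is not code from the thread, from Sophos, or from any of the scanners mentioned). It assumes Windows PowerShell run from an elevated prompt and the standard %SystemRoot% layout, and spells the registry key Winlogon, which is the actual name of the key the quoted text calls "Winlogin". It also reports the image path of the running spoolsv.exe, which is the direct way to settle a scanner's claim that the spooler is running from the Windows directory instead of System32.

```powershell
# Added example: verify the W32/Baitap-A indicators listed in the thread
# and report where the running spoolsv.exe actually lives.
# Assumes: elevated Windows PowerShell, standard %SystemRoot% layout.

$windows  = $env:SystemRoot                    # e.g. C:\WINDOWS
$system32 = Join-Path $windows 'System32'

# 1. Files the worm is documented to drop. The legitimate spooler lives in
#    System32, so a spoolsv.exe directly under the Windows directory is suspect.
$dropped = @(
    (Join-Path $windows  'spoolsv.exe'),
    (Join-Path $system32 'resys.exe')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { Write-Output "SUSPECT: $f exists" }
    else                           { Write-Output "clean:   $f not present" }
}

# 2. Registry values the worm is documented to add or change.
$runOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$svchost = (Get-ItemProperty -Path $runOnce -ErrorAction SilentlyContinue).SVCHOST
if ($svchost) { Write-Output "SUSPECT: RunOnce\SVCHOST = '$svchost'" }
else          { Write-Output "clean:   no RunOnce\SVCHOST value" }

$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if (-not $shell) {
    Write-Output "clean:   Winlogon\Shell not set (default is explorer.exe)"
} elseif ($shell -ne 'explorer.exe') {
    # Baitap-A appends its own path after explorer.exe
    Write-Output "SUSPECT: Winlogon\Shell = '$shell' (expected 'explorer.exe')"
} else {
    Write-Output "clean:   Winlogon\Shell = '$shell'"
}

# 3. Image path of the running spooler. A process's Path property needs an
#    elevated session for system processes; $null means we could not read it.
Get-Process -Name spoolsv -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    if (-not $path) {
        Write-Output "unknown: spoolsv.exe (PID $($_.Id)) path not readable, run elevated"
    } elseif ($path -like "$system32\*") {
        Write-Output "ok:      spoolsv.exe (PID $($_.Id)) running from $path"
    } else {
        Write-Output "SUSPECT: spoolsv.exe (PID $($_.Id)) running from $path"
    }
}

# 4. Authenticode status of the binaries the scanner complained about.
#    Catalog-signed OS files can report NotSigned on older Windows versions;
#    in that case the sfc run suggested later in the thread is the better check.
foreach ($exe in @((Join-Path $system32 'spoolsv.exe'), (Join-Path $system32 'alg.exe'))) {
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        Write-Output "$exe : $($sig.Status) $($sig.SignerCertificate.Subject)"
    }
}
```

Every line of output is labelled clean, ok, SUSPECT or unknown so the result can be compared line by line against what a scanner reports; a tool that keeps flagging spoolsv.exe while this script finds the file in System32, no RunOnce\SVCHOST value and an unmodified Shell value is making a claim the system itself does not support.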
-
Jan 5th, 2006, 01:18 PM
#7
Re: Help me! Worms
Run System File Checker (SFC). You might have to insert your Windows CD. It will replace any changed system files.
for more info
-
Jan 5th, 2006, 05:23 PM
#8
Thread Starter
PowerPoster
Re: Help me! Worms
Okay I ran
sfc /scannow
It took about 20 minutes heh but finished without any warnings, errors, nothing, no questions or anything...
I also ran Norton 2005 fully up-to-date and it found nothing.
Is my theory that True Sword is bs`n me more true??? In fact, after I installed Norton, True Sword thought that ccApp.exe (installed by Norton) contained a worm.
It says: "AKHER.D WORM!! Note - For a valid norton AV entry the filename is "navapexe". This is also not the valid Norton AV file with the same name."
Now I've installed norton on several systems in my life and I KNOW FOR A FACT that ccApp.exe is one of the proper files which Norton runs in the background.
What else can I do???? Short of reformatting my windows partition... (sadly, only a restore CD came with this laptop meaning my Linux partitions will be wiped...)
-
Jan 5th, 2006, 05:40 PM
#9
-
Jan 5th, 2006, 06:03 PM
#10
Thread Starter
PowerPoster
Re: Help me! Worms
I am following the removal instructions.
From step one and on it seems there is nothing there.
sfc /scannow did not restore hal.dll so it wasn't broken...
Full System Scan did not find any viruses.
I have yet to review the entire list of registry changes since that will take a long time.
-
Jan 5th, 2006, 07:43 PM
#11
Thread Starter
PowerPoster
Re: Help me! Worms
I posted on WindowsForums.com here is the reply I got:
Nellie2: "Well first of all, get rid of True Sword. It is a rogue program and is on Eric Howes list see here: http://www.spywarewarrior.com/rogue_anti-spyware.htm"
From that page I found:
"True Sword securitystronghold.com - ridiculous false positives work as goad to purchase - [A: 1-3-06 / U: 1-3-06]"
-
Jan 5th, 2006, 07:50 PM
#12
Re: Help me! Worms
Maybe you only need to scan with Lavasoft Ad-Aware and Spybot-S&D.