Cannot remove Win32.tiny.abk



sntooth
2008-02-01, 07:21
Spybot identifies Win32.tiny.abk on my system but cannot remove it.

I am running Spybot S & D 1.5.1.15 update 1/31/08. Windows XP SP2, all updates.
I have tried with earlier versions and I have tried in safe mode. The files which are identified are removed by S&D, but then return after a restart, and ONLY after I enable my network connection.

The files identified by the latest version are
C:\Windows\Temp\7CF28762C38CA0D4.tmp
C:\Windows\Temp\AE8AB41F91F72503.tmp

Previous versions of S&D (1.4) also identified the following:
C:\Windows\Temp\3D6627311AA2FDBD.tmp
C:\Windows\Temp\8AF12AB59DCE7145.tmp
but these files are no longer identified by S & D as part of the Win32.tiny.abk threat, even though they appear with the other tmp files on a restart.

I was originally infected by clicking on a link sent to me in a 'spoofed' instant message in Pidgin from one of my contacts. S&D picked up on Win32.BHO.je and fixed that problem. Also, I found and deleted the following files:
C:\windlsvc.exe
C:\ducvb.exe
C:\Program Files\Helper\superfindout.dll

One other thing I have noticed is that there is constant activity on my network connection; sending & receiving, approx 5kb/s.

I received a warning from my ISP for 'unwanted activity', so I tried the 'netstat' command in DOS, and it spit out a list of hundreds of connections/sites in different HTTP states.

No other anti-virus can find anything, except for AVG which tells me that shell32.dll has been changed.

Please help! Thanks for any suggestions.

sntooth
2008-02-01, 19:25
Using 'netstat -bv' as well as the Spybot Process List, I have found that the process generating the network connections is services.exe.

Also, the remote port of every connection is 25, which is the common port for sending mail to an SMTP server, so I guess my system is sending hundreds of spam emails.

The netstat -bv results look like this:
Proto----Local Address-------Foreign Address---------State
TCP------localhost:1076-------208.72.***.***:smtp---SYN_SENT
C:\WINDOWS\system32\mswssock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

I have found that I cannot disable these modules using Spybot.

There are more than 40 'Loaded modules' within services.exe according to the Spybot Process List, but I don't know how to identify the troublemaker (if different than above). I looked at each file in explorer, and the only thing I know to do is to check the timestamps - and they all look old (2006/mid 2007).

When I start 'randomly' killing modules to identify the problematic one, I eventually get the System shut down notice, and my system becomes unusable.

Any help would be greatly appreciated.
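The symptom described in the post above (one system process holding hundreds of outbound connections to port 25) is easy to spot by hand once, but tedious to watch over time. The following is an added example, not code from the poster or from Spybot, that parses the layout of 'netstat -bv' output shown in the post (a connection line, then the loaded modules, then the owning process in square brackets) and reports which processes have more than a chosen number of outbound SMTP connections. The sample output, the addresses, and the threshold of 2 are constructed for the example; the function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout shown in the post for "netstat -bv" on XP:
# connection line, then the modules that opened it, then the owning process in
# brackets.  Addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    localhost:1076         203.0.113.10:smtp      SYN_SENT
  C:\\WINDOWS\\system32\\mswsock.dll
  C:\\WINDOWS\\system32\\WS2_32.dll
  -- unknown component(s) --
  C:\\WINDOWS\\system32\\kernel32.dll
  [services.exe]

  TCP    localhost:1077         203.0.113.11:smtp      SYN_SENT
  C:\\WINDOWS\\system32\\mswsock.dll
  [services.exe]

  TCP    localhost:1078         203.0.113.12:25        ESTABLISHED
  [services.exe]

  TCP    localhost:1100         198.51.100.5:http      ESTABLISHED
  C:\\WINDOWS\\system32\\WS2_32.dll
  [firefox.exe]
"""

# A connection line: proto, local, remote, optional state (UDP has no state).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owning process, printed after the module list as "[name.exe]".
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# Port names/numbers that mean "talking to a mail server".
SMTP_PORTS = {"25", "smtp", "587", "submission"}


def parse_netstat(text):
    """Return a list of (proto, local, remote, state, process) tuples.

    netstat -b prints the owning process *after* the connection line, so
    connections are buffered until the [process] line arrives.
    """
    rows, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            pending.append((proto, local, remote, state or ""))
            continue
        m = PROC_RE.match(line)
        if m:
            proc = m.group(1)
            rows.extend(conn + (proc,) for conn in pending)
            pending = []
    # Connections that netstat printed without a process line.
    rows.extend(conn + ("unknown",) for conn in pending)
    return rows


def remote_port(addr):
    """Port part of 'host:port' (netstat shows names like 'smtp' or numbers)."""
    return addr.rsplit(":", 1)[-1].lower()


def smtp_counts(text):
    """Count outbound TCP connections to SMTP ports, keyed by process name."""
    counts = Counter()
    for proto, _local, remote, _state, proc in parse_netstat(text):
        if proto == "TCP" and remote_port(remote) in SMTP_PORTS:
            counts[proc] += 1
    return counts


def flag_spam_senders(text, threshold=2):
    """Processes with more than `threshold` SMTP connections, sorted by name.

    The threshold is a constructed value for the example: a mail client is
    expected to reach port 25 a few times, services.exe is not expected to
    reach it at all.
    """
    return sorted(p for p, n in smtp_counts(text).items() if n > threshold)


if __name__ == "__main__":
    for proc, n in smtp_counts(SAMPLE_NETSTAT).most_common():
        print(f"{proc}: {n} SMTP connection(s)")
    print("flagged:", flag_spam_senders(SAMPLE_NETSTAT))
```

On a live machine the text would come from running 'netstat -bv' (Windows XP needs it run as an administrator for the process names to appear) and redirecting the output to a file, which can then be fed to the functions above; a system process such as services.exe appearing in the flagged list is the same finding the post reaches by hand.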