Question

W32.Spybot.Worm

Asked by: fhwaremote

I have an XP box running Norton Antivirus. It discovers the virus W32.Spybot.Worm and is unable to clean, repair, delete or quarantine the file. I tried their instructions to delete in Safe Mode and it does not work because every time I try to run regedit it will open and immediately close out. I am at a loss on how to get rid of this virus. The file it has infected is Windows\System32\winsock.exe. Any help would be greatly appreciated.

This question has been solved and asker verified.
Asked on: 2003-10-24 at 08:27:52 (ID 20777095)
Topic: Anti-Virus Applications
Participating Experts: 7
Points: 500
Comments: 9

Answers

 

by: ghana, posted on 2003-10-24 at 09:08:49, ID: 9615171

There are 2 options: You can try automatic removal with Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp) or you follow the manual removal instructions:

Because W32.Spybot terminates task manager and regedit, you need another tool to terminate the malware process(es):
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

This is a freeware tool and has features similar to Windows' built-in task manager.

This is the removal description from Trend Micro's homepage (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN):

---------------------------------------

Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_SPYBOT.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Terminating the Malware Program
Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from Sysinternals (see URL above). This small program can be downloaded freely from the Sysinternals site.

Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier.



Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
5. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.


Removing Malware Entries from the Registry

1. Still in the Registry Editor, double-click the following:
      HKEY_CURRENT_USER>Software>Kazaa>LocalContent
2. In the right panel, locate and delete this entry:
      Dir0 = 012345:%System% \kazaabackupfiles
      (Note: %System% refers to the Windows System folder which is usually the folder C:\Windows\System, C:\Winnt\System32 or C:\Windows\System32.)
3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

 

by: ghana, posted on 2003-10-24 at 22:57:28, ID: 9618836

Glad, I could help you!

 

by: shenazzer, posted on 2004-07-27 at 16:51:16, ID: 11652120

Click Start, and then click Run.
Type regedit, then click OK.


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


In the right pane, delete any values that reference the file name in step d.


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


In the right pane, delete any values that reference the file name in step d.


Navigate to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete any values that reference the file name in step d.


Exit the Registry Editor.

 

by: brayshaw_uk, posted on 2004-09-30 at 09:50:04, ID: 12191883

hehe, just a note.

spybot doesn't cause your registry or taskmanager to close immediately after opened. this is usually caused by some adware/spyware (forgot which one)

to remove spybot, plug your hdd into another machine that has norton and do a full system scan. this should remove the virus (it has for me several hundred times, i am a computer technician in a repair shop - 268 viruses yesterday on a machine.. guess what they been doing!)

then, you will need to search and remove any entries from the 'run' and 'run services' registry entries for the 'local_machine' and 'current_user'. then delete the files manually. (probably best to do this bit in safe mode, make sure you login with your normal account ie on xp this usually isn't administrator)

hope this helps

brayshaw

 

by: ghana, posted on 2004-09-30 at 09:59:00, ID: 12191978

Just a note about the note.

Searching in 'current_user' to delete registry entries is important but might not be enough: if different users were logged on to the machine, you have to search all hives below HKEY_USERS for viral items. Because viruses modify the registry in 'current_user', this absolute path can vary if different users were logged on.
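
An added example, not part of any post in this thread: a Python sketch that scans a registry export in regedit's .reg text form for autostart values naming the detected file, covering HKEY_LOCAL_MACHINE and every per-user hive under HKEY_USERS as the comment above recommends. The sample export (SIDs, value names, paths) is constructed, and only plain string values are parsed.

```python
import re

# Autostart subkeys named in this thread, relative to a hive root (lower-cased).
AUTOSTART = {r"software\microsoft\windows\currentversion" + "\\" + k
             for k in ("run", "runonce", "runservices")}
# "name"="data" string values; .reg text escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export: SIDs, value names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example App"="C:\\Program Files\\Example\\app.exe"
"Winsock driver"="winsock.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1004\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Winsock driver"="C:\\WINDOWS\\System32\\winsock.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1005\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1005\Software\Kazaa\LocalContent]
"DownloadDir"="C:\\winsock.exe"
'''

def is_autostart_key(key):
    parts = key.split("\\")
    # HKEY_USERS\<SID>\... is one hive per user profile, so skip the SID component.
    rel = parts[2:] if parts[0].upper() == "HKEY_USERS" else parts[1:]
    return "\\".join(rel).lower() in AUTOSTART

def find_autostart_refs(reg_text, filename):
    """Return (key, value_name, data) for autostart values whose data names filename."""
    # Match the file name as a whole path component: bare name or full path.
    wanted = re.compile(r'(?:^|[\\/\s"])' + re.escape(filename) + r'(?:$|[\s"])', re.I)
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m and is_autostart_key(key):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            if wanted.search(data):
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_autostart_refs(SAMPLE_REG, "winsock.exe"):
        print(f"{key}  {name} = {data}")
```

Real regedit exports in the 5.00 format are UTF-16 encoded, so decode the file before passing its text to `find_autostart_refs`.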

 

by: quantum2, posted on 2004-10-14 at 23:58:54, ID: 12316597

Two other suggestions:

1- If you know which application or process you need to stop, go to:
www.2amsolutions.com and grab a demo of Enstant Off. It will stop the program running immediately. Then you can run an AV program to remove the malcode without having to reboot. (assuming this is a program that is running automatically)

2- Go to Symantec.com and download the removal tool for this malcode virus. The removal tools automatically terminate running processes as needed to remove the malcode or worm. Then the code is removed.

Q2

 

by: palivalx, posted on 2005-02-01 at 08:51:36, ID: 13194464

You need to install updates from http://windowsupdate.microsoft.com to close security holes in your OS. Otherwise these backdoor programs will catch you again. If you have a file lock problem, you can use Solo antivirus from http://srnmicro.com. It removes viruses in Windows locked files easily.

 

by: jeduffy, posted on 2005-05-05 at 05:20:06, ID: 13934799

I have got rid of it a couple of times by downloading Stinger from McAfee here http://vil.nai.com/vil/stinger/, turning off System Restore and rebooting into safe mode, then running Stinger. Remember to turn System Restore back on afterwards.

 

by: khanolkardilip, posted on 2009-02-20 at 23:04:43, ID: 23698761

The easiest ways are to always patch the security loopholes as soon as possible & then reboot into safe mode & do a DOS scan, which will clean 99% of the viruses available right now. If it's spyware or adware or anything like that, just patch the systems & go ahead with the scanning by Spybot Search & Destroy. That will always solve your spyware issues.
