I have and XP box running Norton Antivirus. It discovers the virus W32.Spybot.Worm and is unable to clean, repair, delete or quarinteen the file. I tried their instructions to delete in Safe Mode and it does not work because everytime I try to run regedit it will open and immediately close out. I am at a loss on how to get rid of this virus. The file it has infected is Windows\System32\winsock.exe Any help would be greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

There are 2 options: You can try automatic removal with Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp) or you follow the manual removal instructions:

Because W32.Spybot terminates task manager and regedit you need another tool to terminate the malware processe(s):

This is a freeware tool and has similar features like Windows built in task manager.

This is the removal description from Trend Micro's homepage (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN):


Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_SPYBOT.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program
Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from SystInternals (see URL above). This small program can be downloaded freely from the SysInternals site.

Once you have downloaded utility, locate and terminate the process of the file(s) detected earlier.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following:
5. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.

Removing Malware Entries from the Registry

1. Still in the Registry Editor, double-click the following:
2. In the right panel, locate and delete this entry:
      Dir0 = 012345:%System% \kazaabackupfiles
      (Note: %System% refers to the Windows System folder which is usually the folder C:\Windows\System, C:\Winnt\System32 or C:\Windows\System32.)
3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Glad, I could help you!
Click Start, and then click Run.
Type regedit

then click OK.

Navigate to the key:


In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Exit the Registry Editor.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

hehe, just a note.

spybot doesnt caus your registry or taskmanager to close immediatley after opened. this is usually caused by some adware/spyware (forgot which one)

to remove spybot, plug your hdd into another machine that has norton and do a full system scan. this should remove the virus (it has for me several hundred times, i am a computer technician in a repair shop - 268 virus yesterday on a machine.. guess what they been doing!)

then, you will need to search and remove any entries from the 'run' and 'run services' registry entries for the 'local_machine' and 'current_user'. then delete the files manually. (probably best to do this bit in safe mode, make sure you login with your normal account ie on xp this usually isnt administrator)

hope this helps


Just a note about the note.

Searching in 'current_user' to delete registry entries is important but might not be enough: If there were logged on differerent users on the machine you have to search all hives below HKEY_USERS for viral items. Because viruses modify the registry in 'current_user' this absolute path can vary if there were logged on different users.
Two other suggestions:

1- If you know which application or process you need to stop, go to:
www.2amsolutions.com and grab a demo of Enstant Off. It will stop the program running immediately. Then you can run a AV program to remove the Malcode without having to reboot. (assuming this is a program that is running automatically)

2- Go to Symantec.com and dowload the removal tool for this malcode virus. The removal tools automatically terminate running processes as needed to remove the malcode or worm. Then the code is removed.

You need to install updates from http://windowsupdate.microsoft.com to close security holes in your OS. Otherwise these backdoor programs will catch you again. If you have file lock problem, you can use Solo antivirus from http://srnmicro.com It removes viruses in windows locked files easily.
I have got rid of it a couple of times by downloading stinger from mcafee here http://vil.nai.com/vil/stinger/ ,turning off system restore and rebooting in to safe mode then running stinger. Remember to turn system restore back on afterwards.
Dilip KhanolkarCommented:
The most easiest ways are to allways patch the security loopholes as soon as possible & then reboot into safe mode & do a dos scan which will clean 99% of the viruses available rightnow. If its a spyware or adware or anything like that just patch the systems & go ahead with the scanning by spybot search & destroy. That will allways solve your spyware issues
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.