Solved

W32.Spybot.Worm

Posted on 2003-10-24
281,243 Views
Last Modified: 2011-08-18
I have an XP box running Norton Antivirus. It discovers the virus W32.Spybot.Worm and is unable to clean, repair, delete or quarantine the file. I tried their instructions to delete it in Safe Mode and it does not work because every time I try to run regedit it will open and immediately close out. I am at a loss on how to get rid of this virus. The file it has infected is Windows\System32\winsock.exe. Any help would be greatly appreciated.
Question by:fhwaremote
9 Comments
 
LVL 11

Accepted Solution

by:
ghana earned 2000 total points
ID: 9615171
There are 2 options: you can try automatic removal with Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp) or you follow the manual removal instructions:

Because W32.Spybot terminates Task Manager and regedit you need another tool to terminate the malware process(es):
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

This is a freeware tool and has similar features to the Windows built-in Task Manager.

This is the removal description from Trend Micro's homepage (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN):

---------------------------------------

Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_SPYBOT.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Terminating the Malware Program
Since this malware terminates the Windows NT and 2000 Task Manager and is invisible in the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from SysInternals (see URL above). This small program can be downloaded freely from the SysInternals site.

Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier.



Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>
      Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>
      Windows>CurrentVersion>RunOnce
5. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.


Removing Malware Entries from the Registry

1. Still in the Registry Editor, double-click the following:
      HKEY_CURRENT_USER>Software>Kazaa>LocalContent
2. In the right panel, locate and delete this entry:
      Dir0 = 012345:%System% \kazaabackupfiles
      (Note: %System% refers to the Windows System folder which is usually the folder C:\Windows\System, C:\Winnt\System32 or C:\Windows\System32.)
3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
0
 
LVL 11

Expert Comment

by:ghana
ID: 9618836
Glad I could help you!
0
 

Expert Comment

by:shenazzer
ID: 11652120
Click Start, and then click Run. Type regedit, then click OK.

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.

Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any values that reference the file name in step d.

Exit the Registry Editor.
0
 
LVL 1

Expert Comment

by:brayshaw_uk
ID: 12191883
Hehe, just a note.

Spybot doesn't cause your registry or Task Manager to close immediately after being opened. This is usually caused by some adware/spyware (forgot which one).

To remove Spybot, plug your HDD into another machine that has Norton and do a full system scan. This should remove the virus (it has for me several hundred times; I am a computer technician in a repair shop. 268 viruses yesterday on a machine.. guess what they've been doing!)

Then you will need to search for and remove any entries from the 'run' and 'run services' registry entries for 'local_machine' and 'current_user', then delete the files manually. (Probably best to do this bit in Safe Mode; make sure you log in with your normal account, i.e. on XP this usually isn't Administrator.)

Hope this helps

brayshaw

0
 
LVL 11

Expert Comment

by:ghana
ID: 12191978
Just a note about the note.

Searching in 'current_user' to delete registry entries is important but might not be enough: if different users have logged on to the machine, you have to search all hives below HKEY_USERS for viral items. Because viruses modify the registry in 'current_user', this absolute path can vary if different users have logged on.
0
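The registry sweep described in the accepted solution and in shenazzer's steps, extended with ghana's point about other users' hives, as an added PowerShell example that is not code from this thread: it lists every value under the Run, RunOnce and RunServices keys of HKLM and of every hive loaded under HKEY_USERS whose data references the file name the AV reported, and deletes nothing unless -Remove is given. The -SuspectFile value (the question's winsock.exe) and the $subKeys list are assumptions taken from the answers above.

```powershell
# Added example, not from the thread. Audits the autostart keys named in the
# answers above across HKLM and every loaded HKEY_USERS hive (covers HKCU and
# any other user who has logged on). Read-only unless -Remove is supplied.
[CmdletBinding(SupportsShouldProcess)]
param(
    # File name the AV reported, e.g. 'winsock.exe' from the question (assumption).
    [Parameter(Mandatory)][string]$SuspectFile,
    [switch]$Remove
)

# Autostart subkeys walked through in the answers above.
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Root hives: HKLM plus each hive currently loaded under HKEY_USERS.
$roots = @('HKLM:') +
    (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })

$pattern = [regex]::Escape($SuspectFile)
$hits = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = "$root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match $pattern) {
                [pscustomobject]@{ Key = $path; Name = $name; Data = $data }
            }
        }
    }
}

if (-not $hits) {
    Write-Output "No autostart value references '$SuspectFile'."
    return
}
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # -WhatIf and -Confirm are honoured through SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess("$($h.Key) -> $($h.Name)", 'Remove autostart value')) {
            Remove-ItemProperty -LiteralPath $h.Key -Name $h.Name
        }
    }
}
```

Run it from an elevated prompt after the malware process has been terminated as the answers describe; `-Remove -WhatIf` shows what would be deleted without changing the registry.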
 
LVL 1

Expert Comment

by:quantum2
ID: 12316597
Two other suggestions:

1- If you know which application or process you need to stop, go to:
www.2amsolutions.com and grab a demo of Enstant Off. It will stop the program running immediately. Then you can run an AV program to remove the malcode without having to reboot. (Assuming this is a program that is running automatically.)

2- Go to Symantec.com and download the removal tool for this malcode virus. The removal tools automatically terminate running processes as needed to remove the malcode or worm. Then the code is removed.

Q2
0
 

Expert Comment

by:palivalx
ID: 13194464
You need to install updates from http://windowsupdate.microsoft.com to close security holes in your OS. Otherwise these backdoor programs will catch you again. If you have a file lock problem, you can use Solo antivirus from http://srnmicro.com. It removes viruses in Windows locked files easily.
0
 

Expert Comment

by:jeduffy
ID: 13934799
I have got rid of it a couple of times by downloading Stinger from McAfee here http://vil.nai.com/vil/stinger/, turning off System Restore and rebooting into Safe Mode, then running Stinger. Remember to turn System Restore back on afterwards.
0
 
LVL 2

Expert Comment

by:Dilip Khanolkar
ID: 23698761
The easiest way is to always patch the security loopholes as soon as possible, then reboot into Safe Mode and do a DOS scan, which will clean 99% of the viruses available right now. If it's spyware or adware or anything like that, just patch the systems and go ahead with the scanning by Spybot Search & Destroy. That will always solve your spyware issues.
0