Posted on 2003-10-24
Medium Priority
Last Modified: 2011-08-18
I have and XP box running Norton Antivirus. It discovers the virus W32.Spybot.Worm and is unable to clean, repair, delete or quarinteen the file. I tried their instructions to delete in Safe Mode and it does not work because everytime I try to run regedit it will open and immediately close out. I am at a loss on how to get rid of this virus. The file it has infected is Windows\System32\winsock.exe Any help would be greatly appreciated.
Question by:fhwaremote
LVL 11

Accepted Solution

ghana earned 2000 total points
ID: 9615171
There are 2 options: You can try automatic removal with Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp) or you follow the manual removal instructions:

Because W32.Spybot terminates task manager and regedit you need another tool to terminate the malware processe(s):

This is a freeware tool and has similar features like Windows built in task manager.

This is the removal description from Trend Micro's homepage (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN):


Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_SPYBOT.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program
Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from SystInternals (see URL above). This small program can be downloaded freely from the SysInternals site.

Once you have downloaded utility, locate and terminate the process of the file(s) detected earlier.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following:
5. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.

Removing Malware Entries from the Registry

1. Still in the Registry Editor, double-click the following:
2. In the right panel, locate and delete this entry:
      Dir0 = 012345:%System% \kazaabackupfiles
      (Note: %System% refers to the Windows System folder which is usually the folder C:\Windows\System, C:\Winnt\System32 or C:\Windows\System32.)
3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
LVL 11

Expert Comment

ID: 9618836
Glad, I could help you!

Expert Comment

ID: 11652120
Click Start, and then click Run.
Type regedit

then click OK.

Navigate to the key:


In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Navigate to the following key:


In the right pane, delete any values that reference the file name in step d.

Exit the Registry Editor.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Expert Comment

ID: 12191883
hehe, just a note.

spybot doesnt caus your registry or taskmanager to close immediatley after opened. this is usually caused by some adware/spyware (forgot which one)

to remove spybot, plug your hdd into another machine that has norton and do a full system scan. this should remove the virus (it has for me several hundred times, i am a computer technician in a repair shop - 268 virus yesterday on a machine.. guess what they been doing!)

then, you will need to search and remove any entries from the 'run' and 'run services' registry entries for the 'local_machine' and 'current_user'. then delete the files manually. (probably best to do this bit in safe mode, make sure you login with your normal account ie on xp this usually isnt administrator)

hope this helps


LVL 11

Expert Comment

ID: 12191978
Just a note about the note.

Searching in 'current_user' to delete registry entries is important but might not be enough: If there were logged on differerent users on the machine you have to search all hives below HKEY_USERS for viral items. Because viruses modify the registry in 'current_user' this absolute path can vary if there were logged on different users.

Expert Comment

ID: 12316597
Two other suggestions:

1- If you know which application or process you need to stop, go to:
www.2amsolutions.com and grab a demo of Enstant Off. It will stop the program running immediately. Then you can run a AV program to remove the Malcode without having to reboot. (assuming this is a program that is running automatically)

2- Go to Symantec.com and dowload the removal tool for this malcode virus. The removal tools automatically terminate running processes as needed to remove the malcode or worm. Then the code is removed.


Expert Comment

ID: 13194464
You need to install updates from http://windowsupdate.microsoft.com to close security holes in your OS. Otherwise these backdoor programs will catch you again. If you have file lock problem, you can use Solo antivirus from http://srnmicro.com It removes viruses in windows locked files easily.

Expert Comment

ID: 13934799
I have got rid of it a couple of times by downloading stinger from mcafee here http://vil.nai.com/vil/stinger/ ,turning off system restore and rebooting in to safe mode then running stinger. Remember to turn system restore back on afterwards.

Expert Comment

by:Dilip Khanolkar
ID: 23698761
The most easiest ways are to allways patch the security loopholes as soon as possible & then reboot into safe mode & do a dos scan which will clean 99% of the viruses available rightnow. If its a spyware or adware or anything like that just patch the systems & go ahead with the scanning by spybot search & destroy. That will allways solve your spyware issues

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question