Solved

W32.Spybot.Worm

Posted on 2003-10-24
9
281,095 Views
Last Modified: 2011-08-18
I have and XP box running Norton Antivirus. It discovers the virus W32.Spybot.Worm and is unable to clean, repair, delete or quarinteen the file. I tried their instructions to delete in Safe Mode and it does not work because everytime I try to run regedit it will open and immediately close out. I am at a loss on how to get rid of this virus. The file it has infected is Windows\System32\winsock.exe Any help would be greatly appreciated.
0
Comment
Question by:fhwaremote
9 Comments
 
LVL 11

Accepted Solution

by:
ghana earned 500 total points
Comment Utility
There are 2 options: You can try automatic removal with Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp) or you follow the manual removal instructions:

Because W32.Spybot terminates task manager and regedit you need another tool to terminate the malware processe(s):
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

This is a freeware tool and has similar features like Windows built in task manager.

This is the removal description from Trend Micro's homepage (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN):

---------------------------------------

Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_SPYBOT.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Terminating the Malware Program
Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from SystInternals (see URL above). This small program can be downloaded freely from the SysInternals site.

Once you have downloaded utility, locate and terminate the process of the file(s) detected earlier.



Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>
      Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>
      Windows>CurrentVersion>RunOnce
5. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.


Removing Malware Entries from the Registry

1. Still in the Registry Editor, double-click the following:
      HKEY_CURRENT_USER>Software>Kazaa>LocalContent
2. In the right panel, locate and delete this entry:
      Dir0 = 012345:%System% \kazaabackupfiles
      (Note: %System% refers to the Windows System folder which is usually the folder C:\Windows\System, C:\Winnt\System32 or C:\Windows\System32.)
3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
0
 
LVL 11

Expert Comment

by:ghana
Comment Utility
Glad, I could help you!
0
 

Expert Comment

by:shenazzer
Comment Utility
Click Start, and then click Run.
Type regedit

then click OK.


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete any values that refer to the file name that was detected as infected with W32.Spybot.Worm.


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce


In the right pane, delete any values that reference the file name in step d.


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices


In the right pane, delete any values that reference the file name in step d.


Navigate to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete any values that reference the file name in step d.


Exit the Registry Editor.
0
 
LVL 1

Expert Comment

by:brayshaw_uk
Comment Utility
hehe, just a note.

spybot doesnt caus your registry or taskmanager to close immediatley after opened. this is usually caused by some adware/spyware (forgot which one)

to remove spybot, plug your hdd into another machine that has norton and do a full system scan. this should remove the virus (it has for me several hundred times, i am a computer technician in a repair shop - 268 virus yesterday on a machine.. guess what they been doing!)

then, you will need to search and remove any entries from the 'run' and 'run services' registry entries for the 'local_machine' and 'current_user'. then delete the files manually. (probably best to do this bit in safe mode, make sure you login with your normal account ie on xp this usually isnt administrator)

hope this helps

brayshaw

0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 11

Expert Comment

by:ghana
Comment Utility
Just a note about the note.

Searching in 'current_user' to delete registry entries is important but might not be enough: If there were logged on differerent users on the machine you have to search all hives below HKEY_USERS for viral items. Because viruses modify the registry in 'current_user' this absolute path can vary if there were logged on different users.
0
 
LVL 1

Expert Comment

by:quantum2
Comment Utility
Two other suggestions:

1- If you know which application or process you need to stop, go to:
www.2amsolutions.com and grab a demo of Enstant Off. It will stop the program running immediately. Then you can run a AV program to remove the Malcode without having to reboot. (assuming this is a program that is running automatically)

2- Go to Symantec.com and dowload the removal tool for this malcode virus. The removal tools automatically terminate running processes as needed to remove the malcode or worm. Then the code is removed.

Q2
0
 

Expert Comment

by:palivalx
Comment Utility
You need to install updates from http://windowsupdate.microsoft.com to close security holes in your OS. Otherwise these backdoor programs will catch you again. If you have file lock problem, you can use Solo antivirus from http://srnmicro.com It removes viruses in windows locked files easily.
0
 

Expert Comment

by:jeduffy
Comment Utility
I have got rid of it a couple of times by downloading stinger from mcafee here http://vil.nai.com/vil/stinger/ ,turning off system restore and rebooting in to safe mode then running stinger. Remember to turn system restore back on afterwards.
0
 
LVL 2

Expert Comment

by:Dilip Khanolkar
Comment Utility
The most easiest ways are to allways patch the security loopholes as soon as possible & then reboot into safe mode & do a dos scan which will clean 99% of the viruses available rightnow. If its a spyware or adware or anything like that just patch the systems & go ahead with the scanning by spybot search & destroy. That will allways solve your spyware issues
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture? Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now