Solved

How to remove the virus or worm called soundblaster.exe, which has been breaking my head for the last few days?

Posted on 2004-10-03
Last Modified: 2010-05-18
Hi all,
I am a new member of this group.
Well, my system is affected by a virus called Soundblaster.exe. This virus is sitting in C:\Windows\System32.
I scanned using Norton Antivirus, McAfee and also spyware (Webroot Spy Sweeper). They were of no use in removing the virus from the system.
Then I tried to remove it as described on the website
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.NP
As described on the site, I removed the soundblaster.exe file in the Task Manager... no use, it's still active
and then as described below from the link

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Micr Update = "soundblaster.exe"

>>>>In my PC there was no Micr Update = "soundblaster.exe" entry in the registry


In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runservices
In the right panel, locate and delete the entry:
Micr Update = "soundblaster.exe"

>>>>there is no folder called Runservices



In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Micr Update = "soundblaster.exe"

>>>>Again, in my PC there was no Micr Update = "soundblaster.exe" entry in the registry

Removing Other Malware Entries from the Registry



Still in the Registry Editor in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Ole
Still in the left panel, change the entry:
EnableDCOM = "N"
to
EnableDCOM = "Y"


>>>>>>>> It's already enabled to 'Y'



Still in the Registry Editor in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa
Still in the left panel, change the entry:
restrictanonymous = "dword:00000001"
to
restrictanonymous = "dword:00000000"
Close Registry Editor.


>>>>>>>> It's already restrictanonymous = "dword:00000000"


Finally I tried to remove it using the free version of Trend Micro antivirus software from the same site and still couldn't sort it out.

Question by:prasant_g
18 Comments
 
LVL 12

Accepted Solution

by:
rossfingal earned 43 total points
ID: 12213303
Hi!

You may have to try this in "safe" mode.
If you're running Windows XP/ME - turn off "System Restore"
Make sure show all files and folders is enabled
Try to kill it using Task Manager.
Search your entire computer for any instances of soundblaster.exe
Delete all that you find.
Clean out all of your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer and see how it's going.

Good luck!  (heard this is a "Nasty" one!)
RF
0
 
LVL 2

Assisted Solution

by:kitisak
kitisak earned 41 total points
ID: 12214446
You should try scanning for the virus with Trend Micro's Sysclean in safe mode.
You can download Sysclean from http://www.trendmicro.com/ftp/products/tsc/sysclean.com. And you have to use it with the pattern file from http://www.trendmicro.com/download/pattern.asp (lptxxx.zip; xxx is a number).
0
 

Author Comment

by:prasant_g
ID: 12236406
Hi Rossfingal,

I tried to kill all the viruses in SAFE mode, and still the problem exists. Now my PC is very slow, with a lot of viruses I guess...

0

 

Author Comment

by:prasant_g
ID: 12236459
Yeah, this virus is deadly.
Can someone activate and use my PC when it is logged out??
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12245013
Disconnect from network
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12245034
Did you update your AV before scanning?
0
 

Author Comment

by:prasant_g
ID: 12246836
Yup, obviously I updated my antivirus before scanning...
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12255860
Maybe you have to disable system restore, connection and sharing first. Then you log in to Safe Mode and scan for the virus again.
0
 
LVL 6

Assisted Solution

by:acmp
acmp earned 41 total points
ID: 12257964
At least 1 variant that I noted on the McAfee site looks as though it gets into Windows File Protection. If yours does this, then every time you remove it Windows will put it back.

Can you do a search for 'Soundblaster.exe' and see if it exists elsewhere?  By default WFP uses %systemroot%\system32\dllcache to keep copies of 'important' files. If your virus is here too then you'll need to use a WFP tool to remove it.

If you do find it then I'll see what I can find to remove it.

acmp<><
0
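The checks discussed in the question and in acmp's comment above (the three autostart keys, the two settings from the quoted write-up, and copies of the file under System32 including dllcache) can be collected in one read-only pass. This is an added example, not code from the thread or from any vendor; it assumes PowerShell 3.0 or later, and the function names are hypothetical.

```powershell
# Added example: read-only triage, nothing is deleted or changed.
$Name = 'soundblaster.exe'   # file name taken from the thread

# Autostart keys listed in the removal steps quoted in the question
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-AutostartEntry {
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            # The asker found no Runservices key; report that instead of failing
            [pscustomobject]@{ Key = $key; Value = '(key not present)'; Data = $null }
            continue
        }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            # Match on the data, not only on the value name the write-up lists
            # (the asker found no "Micr Update" value)
            if ($data -like "*$Pattern*") {
                [pscustomobject]@{ Key = $key; Value = $valueName; Data = $data }
            }
        }
    }
}

function Find-FileCopy {
    param([string]$Root, [string]$FileName)
    # -Force includes hidden and system files; dllcache sits below System32
    Get-ChildItem -Path $Root -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'InDllCache'; Expression = { $_.DirectoryName -like '*\dllcache' } }
}

Find-AutostartEntry -Keys $RunKeys -Pattern $Name | Format-Table -AutoSize
Find-FileCopy -Root "$env:SystemRoot\System32" -FileName $Name | Format-Table -AutoSize

# Current state of the two settings named in the quoted write-up
foreach ($s in @(@{ Key = 'HKLM:\Software\Microsoft\Ole'; Name = 'EnableDCOM' },
                 @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous' })) {
    $v = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    '{0}\{1} = {2}' -f $s.Key, $s.Name, $v
}
```

A hit with InDllCache set to True matches the Windows File Protection case acmp describes, where a deleted copy is put back.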
 
LVL 1

Expert Comment

by:Hispano8888
ID: 12329136
Go to this link

http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.blaster.worm.removal.tool.html

If it didn't work, go to Start, then Run, and type this command:  shutdown -a
It will block the virus, but only temporarily!!!.....but then you have time to delete that
****TY VIRUS!!!!

I wish you good LUCK!!!
0
 

Author Comment

by:prasant_g
ID: 12329357
Well, finally I guess we can delete it with Sophos antivirus with the latest *.ide files. While deleting, disconnect from the network and run the antivirus several times. Hope it has removed the **** virus.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12539502
My guess is that the information provided above, including the 'system restore' issue, helped resolve this, based on the last response and the tool prasant_g used.  I'd recommend a split between all but myself, unless Asker responds.
Thanks, LucF.
Asta
0
 
LVL 6

Expert Comment

by:acmp
ID: 12591155
It all sounds fair to me

acmp<><
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12593396
I agree, LucF, thanks for your work here.  :0) Asta
0
 

Expert Comment

by:fizbin01
ID: 12682836
When something like this happens, I just format the workstation, reinstall all apps and a good current copy of McAfee 8.0 with current DAT.
Works every time.
0
