Solved

How to remove the virus or worm called soundblaster.exe, which has been breaking my head for the last few days?

Posted on 2004-10-03
Last Modified: 2010-05-18
Hi all,
I am a new member of this group.
Well, my system is affected by a virus called Soundblaster.exe. This virus is sitting in C:\Windows\System32.
I scanned using Norton Antivirus, McAfee and also spyware (Webroot Spy Sweeper). It was no use in removing the virus from the system.
Then I tried to remove it as described on the website
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.NP
As described on the site, I ended the soundblaster.exe process in the Task Manager... no use, it's still active,
and then did as described below from the link:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Micr Update = "soundblaster.exe"

>>>>in my PC there was no Micr Update = "soundblaster.exe" entry in the registry


In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runservices
In the right panel, locate and delete the entry:
Micr Update = "soundblaster.exe"

>>>>there is no folder called Runservices



In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Micr Update = "soundblaster.exe"

>>>>again, in my PC there was no Micr Update = "soundblaster.exe" entry in the registry

Removing Other Malware Entries from the Registry



Still in the Registry Editor in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Ole
Still in the left panel, change the entry:
EnableDCOM = "N"
to
EnableDCOM = "Y"


>>>>>>>> It's already set to 'Y'



Still in the Registry Editor in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa
Still in the left panel, change the entry:
restrictanonymous = "dword:00000001"
to
restrictanonymous = "dword:00000000"
Close Registry Editor.


>>>>>>>> It's already restrictanonymous = "dword:00000000"


Finally, I tried to remove it using the free version of the Trend Micro antivirus software from the same site and still couldn't sort it out.

0
Question by:prasant_g
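
The registry checks listed in the question, as an added example (not part of the original thread or of the linked Trend Micro instructions): this Python code reads the text of a `.reg` export, flags any value under the three autostart keys whose data references soundblaster.exe, whatever the value is named, and reports whether EnableDCOM and restrictanonymous hold the values the steps restore. The sample export, its value names and its paths are constructed.

```python
import re
# Autostart keys named in the removal steps above (lower-cased for matching).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Settings the steps restore: (key, value name) -> expected exported data.
EXPECTED = {
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"): "Y",
    (r"hkey_local_machine\system\currentcontrolset\control\lsa",
     "restrictanonymous"): "dword:00000000",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) for each value in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':  # string value
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group(1), data

def audit(text, needle="soundblaster.exe"):
    """Return (autostart_hits, setting_mismatches) for one export."""
    hits, mismatches = [], []
    for key, name, data in parse_reg(text):
        k = key.lower()
        # Match on the data, so a differently named value is still caught.
        if k in AUTOSTART_KEYS and needle in data.lower():
            hits.append((key, name, data))
        want = EXPECTED.get((k, name.lower()))
        if want is not None and data.lower() != want.lower():
            mismatches.append((key, name, data, want))
    return hits, mismatches

# Constructed sample export (value names and paths are made up).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\SMax\\smax.exe"
"Sound Driver"="SoundBlaster.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000'''
if __name__ == "__main__": print(audit(SAMPLE))
```

Exports written by Registry Editor in the Version 5.00 format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`. Only string and dword values are compared; hex-encoded value types are returned as exported.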
18 Comments
 
LVL 12

Accepted Solution

by:
rossfingal earned 43 total points
ID: 12213303
Hi!

You may have to try this in "safe" mode.
If you're running Windows XP/ME - turn off "System Restore"
Make sure show all files and folders is enabled
Try to kill it using Task Manager.
Search your entire computer for any instances of soundblaster.exe
Delete all that you find.
Clean out all of your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer and see how it's going.

Good luck!  (heard this is a "Nasty" one!)
RF
0
 
LVL 2

Assisted Solution

by:kitisak
kitisak earned 41 total points
ID: 12214446
You should try to scan for the virus with Sysclean from Trend Micro in safe mode.
You can download Sysclean from http://www.trendmicro.com/ftp/products/tsc/sysclean.com. And you have to use it with a pattern file from http://www.trendmicro.com/download/pattern.asp (lptxxx.zip; xxx is a number).
0
 

Author Comment

by:prasant_g
ID: 12236406
hi Rossfingal,

I tried to kill all the viruses in SAFE mode, and the problem still exists. Now my PC is very slow, with a lot of viruses I guess...

0
 

Author Comment

by:prasant_g
ID: 12236459
Yeah, this virus is deadly.
Can someone activate and use my PC when it is logged out??
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12245013
Disconnect from network
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12245034
Did you update your AV before scanning?
0
 

Author Comment

by:prasant_g
ID: 12246836
Yup, obviously I updated my antivirus before scanning...
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12255860
Maybe you have to disable System Restore, the connection and sharing first. Then log in to Safe Mode and scan for the virus again.
0
 
LVL 6

Assisted Solution

by:acmp
acmp earned 41 total points
ID: 12257964
At least 1 variant that I noted on the McAfee site looks as though it gets into Windows File Protection. If yours does this, then every time you remove it Windows will put it back.

Can you do a search for 'Soundblaster.exe' and see if it exists elsewhere? By default WFP uses %systemroot%\system32\dllcache to keep copies of 'important' files. If your virus is here too then you'll need to use a WFP tool to remove it.

If you do find it then I'll see what I can find to remove it.

acmp<><
0
 
LVL 1

Expert Comment

by:Hispano8888
ID: 12329136
Go to this link

http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.blaster.worm.removal.tool.html

If it didn't work, go to Start, then Run, and type this command: shutdown -a
It will block the virus but only temporarily!!!.....but then you have time to delete that
****TY VIRUS!!!!

I wish you good LUCK!!!
0
 

Author Comment

by:prasant_g
ID: 12329357
Well, finally I guess we can delete it with Sophos antivirus with the latest *.ide files. While deleting, disconnect from the network and run the antivirus several times. Hope it has removed the **** virus.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12539502
My guess is that the information provided above, including the 'system restore' issue, helped resolve this, based on the last response and the tool prasant_g used.  I'd recommend a split between all but myself, unless Asker responds.
Thanks, LucF.
Asta
0
 
LVL 6

Expert Comment

by:acmp
ID: 12591155
It all sounds fair to me

acmp<><
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12593396
I agree, LucF, thanks for your work here.  ":0) Asta
0
 

Expert Comment

by:fizbin01
ID: 12682836
When something like this happens, I just format the workstation, reinstall all apps and a good current copy of McAfee 8.0 with current DAT.
Works every time.
0
