| Thread ID: 51625 | 2004-11-25 20:50:00 | spybot.dn worm | Douglas (6454) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 296432 | 2004-11-25 20:50:00 | How do I remove this from a PC? Can I open the Registry and remove every entry of w32usb2.exe? Thanks, Doug | Douglas (6454) | ||
| 296433 | 2004-11-25 20:58:00 | Welcome to PF1. Removal instructions are here, click on this link (www.trendmicro.com) | godfather (25) | ||
| 296434 | 2004-11-25 21:00:00 | Looks like you're on the right track, as per Trend Micro (www.trendmicro.com), you'll need to patch your OS. What antivirus programme are you using? | Murray P (44) | ||
| 296435 | 2004-11-25 21:00:00 | Yup this is what u do here. It's also a GOOD idea to keep your system up to date. I WOULD also get off the net, until you do the following.

This worm propagates via network shares. It takes advantage of the following known Windows vulnerability:
* Windows LSASS vulnerability
For detailed information about this vulnerability, refer to the following Microsoft page: Microsoft Security Bulletin MS04-11

This worm also has backdoor functionalities. It comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user. It processes the commands on the local machine, giving remote users virtual control of the infected system. This worm also steals the CD keys of certain game applications. It runs on Windows 2000 and XP.

Solution:

Restarting in Safe Mode
» On Windows 2000
1. Restart your computer.
2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.
» On Windows XP
1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: Win32 USB 2.0 Driver = "W32USB2.EXE"
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runservices
5. In the right panel, locate and delete the entry: Win32 USB 2.0 Driver = "W32USB2.EXE"
6. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runonce
7. In the right panel, locate and delete the entry: Win32 USB 2.0 Driver = "W32USB2.EXE"
8. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
9. In the right panel, locate and delete the entry: Win32 USB 2.0 Driver = "W32USB2.EXE"
10. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Runonce
11. In the right panel, locate and delete the entry: Win32 USB 2.0 Driver = "W32USB2.EXE"
12. In the left panel, locate and delete the following keys:
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Win32 USB 2.0 Driver
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_WIN32_USB 2.0_DRIVER
* HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Win32 USB 2.0 Driver
Close Registry Editor.
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems. Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_SPYBOT.DN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches
This malware exploits known vulnerabilities on certain platforms. Download and install the critical patches from the following links: | Spacemannz (808) | ||
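
An added example, not part of any post in this thread: a Python check that reads the text of a Registry Editor export and reports the autostart values and service keys named in the removal steps above, so every listed location is covered before and after cleanup. The function name `find_spybot_entries` and the sample export are constructed for illustration, and key names are compared on letters and digits only because their spacing is inconsistent in the pasted steps.

```python
import re

# Indicators from the removal steps quoted in the thread above.
VALUE_NAME = "win32 usb 2.0 driver"
VALUE_DATA = "w32usb2.exe"
AUTOSTART_KEYS = tuple("\\software\\microsoft\\windows\\currentversion\\" + k
                       for k in ("run", "runservices", "runonce"))
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _norm(s):
    # Compare on letters and digits only: spaces and underscores in the
    # key names are inconsistent in the pasted instructions (assumption).
    return re.sub(r"[^a-z0-9]", "", s.lower())

def find_spybot_entries(reg_text):
    """Return (kind, key, detail) findings from decoded regedit export text."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            low, leaf = key.lower(), _norm(key.rsplit("\\", 1)[-1])
            if leaf == "win32usb20driver" and "\\services\\" in low:
                findings.append(("service", key, ""))
            elif leaf == "legacywin32usb20driver" and "\\enum\\root\\" in low:
                findings.append(("legacy", key, ""))
            continue
        m = VAL_RE.match(line)
        if m and key and key.lower().endswith(AUTOSTART_KEYS):
            # .reg files escape backslashes in string data; undo that.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == VALUE_NAME or data.lower().endswith(VALUE_DATA):
                findings.append(("autostart", key, f"{name}={data}"))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Win32 USB 2.0 Driver"="W32USB2.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32 USB 2.0 Driver"="W32USB2.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32 USB 2.0 Driver]
"Type"=dword:00000110
'''
```

Registry Editor on Windows 2000 and XP writes exports as UTF-16, so decode the file with `encoding="utf-16"` before passing its text to `find_spybot_entries`; an empty result after cleanup means none of the listed entries remain in that export.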