I cleaned a virus off an XP computer, using this simple set of instructions.
UPDATE YOUR PATCHES AND VIRUS DEFINITIONS, OR BE PREPARED TO GIVE ME $45 PER HOUR TO FIX YOUR MACHINE! (...Now waiting for all the "Mac" and "Linux" responses......)
(In case you're wondering why 2 hours charge, it's 'cause it was all the way into downtown Dallas, many miles from where I live, and I had to go pick it up and deliver it...)
:evilgrin:
------------
W32/Spybot-B
Type: Win32 worm
Detection: Detected by Sophos Anti-Virus since May 2003.
Description: W32/Spybot-B is a peer-to-peer worm that spreads via the KaZaA file sharing network.
W32/Spybot-B creates the folder <Windows system32>\kazaabackupfiles and copies itself there using the following filenames:
download_me.exe
zoneallarm_pro_crack.exe
AVP_Crack.exe
PornScreenSaver.exe
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
AquaNox2 Crack.exe
NBA2003_crack.exe
FIFA2003 crack.exe
C&C Generals_crack.exe
nt_spread.exe
NetBios_Spread.exe
Dancing_Screensaver.exe
NudeDance_202Brittany.exe
DancingPlayboySpread.exe
Ejay_crack20.exe
The_REASON_CRACK_LEGIT.exe
Dance.exe
Matrix_ScreenSaver.exe
Netstat.exe
conf32.exe
sdbot_nt_mod.exe
netbios_patch.exe
Hack_scanner.exe
cisco_scan.exe
ULTIMATE_scanner.exe
Battlefield1942_Keygen.exe
ALL_WIN_osSERIAL-keygen.exe
winXP_keygen.exe
serials_2002ALLUPDATE.exe
To enable sharing of these files the registry entry
HKCU\Software\Kazaa\LocalContent\Dir0
is updated to point to this location.
In order to be run automatically on system startup W32/Spybot-B copies itself to the Windows system folder with the filename TESTING.EXE and sets the following registry entries to point to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver
While W32/Spybot-B is active it attempts to terminate the following programs:
regedit.exe msconfig.exe taskmgr.exe netstat.exe
W32/Spybot-B also logs keystrokes to the file testing.txt in the Windows system folder and attempts to steal passwords.
W32/Spybot-B has an IRC backdoor component that attempts to contact an intruder announcing the infection and allowing a malicious user remote access to the computer.
Recovery: Please follow the instructions for removing worms. You should change any passwords that may have become compromised.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver
and delete them if they exist.
Close the registry editor.
--Afternote: If you must peer-to-peer, use Kazaa LITE or Limewire... it's Kazaa FULL that lets in these nasty buggers...
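The artifacts the Sophos write-up lists can be checked for before anyone starts deleting registry values. The script below is an added example, not part of the original post or of the Sophos advisory: a read-only PowerShell audit that reports the two "Winsock2 driver" Run/RunOnce values, TESTING.EXE and testing.txt in the Windows system folder, the kazaabackupfiles share folder, and a Kazaa Dir0 value pointing at it. The locations and value names come from the advisory; the script layout and the choice to report rather than remove are my assumptions. Run it from an elevated PowerShell prompt on the suspect machine, then follow the post's registry-backup and deletion steps for anything it lists.

```powershell
# Added example (not from the original post or the Sophos advisory): read-only
# audit for the W32/Spybot-B artifacts named in the write-up. Reports only;
# removal is left to the manual steps in the post.

$findings = @()

# 1. Autorun persistence: a value named "Winsock2 driver" under Run and RunOnce (HKLM)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains 'Winsock2 driver')) {
            $findings += [pscustomobject]@{
                Indicator = 'Autorun value'
                Location  = "$key\Winsock2 driver"
                Detail    = $props.'Winsock2 driver'
            }
        }
    }
}

# 2. Dropped files in the system folder: TESTING.EXE (the worm) and testing.txt (keystroke log)
$sysDir = [Environment]::GetFolderPath('System')
foreach ($name in 'TESTING.EXE', 'testing.txt') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file'
            Location  = $path
            Detail    = (Get-Item -LiteralPath $path).Length.ToString() + ' bytes'
        }
    }
}

# 3. The KaZaA share folder the worm creates, and the Dir0 value that exposes it
$shareDir = Join-Path $sysDir 'kazaabackupfiles'
if (Test-Path -LiteralPath $shareDir) {
    $count = (Get-ChildItem -LiteralPath $shareDir -File -ErrorAction SilentlyContinue | Measure-Object).Count
    $findings += [pscustomobject]@{
        Indicator = 'Share folder'
        Location  = $shareDir
        Detail    = "$count files"
    }
}
$kazaaKey = 'HKCU:\Software\Kazaa\LocalContent'
if (Test-Path $kazaaKey) {
    $dir0 = (Get-ItemProperty -Path $kazaaKey -ErrorAction SilentlyContinue).Dir0
    if ($dir0 -and ($dir0 -like '*kazaabackupfiles*')) {
        $findings += [pscustomobject]@{
            Indicator = 'KaZaA share setting'
            Location  = "$kazaaKey\Dir0"
            Detail    = $dir0
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Spybot-B indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The value name "Winsock2 driver" contains a space, which is why the script checks the property list rather than relying on a bare name lookup; and because the worm kills regedit.exe and taskmgr.exe while it is running, a listing from PowerShell is often the quickest way to see what is there before rebooting into a state where the registry editor stays open.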