Re: w32.spybot.worm
From: Robert Tuck (robertt_at_SPAMMENOT.com)
Date: 02/05/04
- Next message: Russell: "winnet.exe"
- Previous message: billw1701: "Alexa is it spyware or not"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: w32.spybot.worm"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: w32.spybot.worm"
- Reply: anonymous_at_discussions.microsoft.com: "Re: w32.spybot.worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 4 Feb 2004 15:13:01 -0800
To check items that are started with Windows, use Regedit to look in the
following keys:
Hkey_Local_Machine/Software/Microsoft/Windows/CurrentVersion/Run
Hkey_Local_Machine/Software/Microsoft/Windows/CurrentVersion/RunOnce
Hkey_Local_Machine/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
Hkey_Current_User/Software/Microsoft/Windows/CurrentVersion/Run
Hkey_Current_User/Software/Microsoft/Windows/CurrentVersion/RunOnce
Be careful what you delete, but if you see any of the files that Norton
flagged as infected, delete them from here, both the key and value. Any
mistakes made in the Registry could cause big problems for Windows.
-Robert
<anonymous@discussions.microsoft.com> wrote in message
news:a1fe01c3eb6d$276c7dd0$a001280a@phx.gbl...
> Yup! After I posted the reply to you I went the task
> manager route. Didn't find anything suspicious.
> I'm still not sure but what rwtrisfg32.dll was a new file
> inserted by the worm message.
> I have gone to file properties and on the 'security' tab
> I have assigned ownership to nobody. A scan by Norton
> anti-virus didn't flag the file again.
> However, oddly, it did flag four files with w32dumaruk.
> Two of these were deleted and two were quarantined.
> Somewhere in the registry though two of the files are
> still marked for 'startup' and I can't find them. I
> don't have software that will do a word search of the
> registry or my ignorance doesn't let me do a search!
> So at this point I hope to have laid the problem to rest
> (that just put a curse on it working) but wish I could
> delete a file from the system32 rather than have it
> quarantined or assign a security level to it.
> I know there is a toolkit (thousands of dollars) that
> will run DOS and thus circumvent NT so files in system32
> can be deleted.
> I also wondered about doing a reinstall of NT4 and SP6.
> I can't find a knowledgeable opinion on the idea.
>
> Thanks for your help. I hadn't thought of doing a search
> for the file but will do so. My first experience at
> rooting out a worm or virus in the system32 directory.
>
> Bob H.
> >-----Original Message-----
> >I would just kill anything that doesn't look like it's supposed to be
> >running. In the Task Manager, click on the Processes tab, then look through
> >the list (it's probably large). It sounds like you probably have been
> >infected by a worm. Check out the following website and see if the
> >description fits what you're seeing:
> >http://www.sophos.com/virusinfo/analyses/w32dumaruk.html
> >
> >I found this with a Google search on the dll name "rwtrisfg32.dll".
> >
> >Good luck!
> >-Robert
>
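The manual Regedit walk Robert describes can be done in one pass from PowerShell. This is an added example, not code from the thread: it reads the five Run/RunOnce keys he lists, resolves each value to the program it launches, and marks entries that mention a name the scanner flagged (here rwtrisfg32.dll, from the thread). The function name Get-AutostartEntries and the $suspectNames list are my own choices; review the output before deleting anything.

```powershell
# Added example (not from the thread): list autostart entries under the Run keys
# named in the post so a suspicious one can be reviewed before it is removed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# File names the scanner flagged; the DLL name comes from the thread, replace with
# whatever your own scanner reports.
$suspectNames = @('rwtrisfg32.dll')

function Get-AutostartEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PS* bookkeeping properties; they are not values.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # First token (quoted or bare) is the program; the rest are arguments,
            # which is where a "rundll32.exe something.dll" style loader names its DLL.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^\s*(\S+)') { $Matches[1] }
                   else { $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Bare names are looked up on PATH the same way the loader would.
            $resolved = if ([IO.Path]::IsPathRooted($exe)) { $exe }
                        else { (Get-Command $exe -ErrorAction SilentlyContinue).Source }
            $exists = $false
            if ($resolved) { $exists = Test-Path -LiteralPath $resolved }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Target  = $resolved
                Exists  = $exists
                Flagged = [bool]($suspectNames | Where-Object { $cmd -match [regex]::Escape($_) })
            }
        }
    }
}

Get-AutostartEntries -Keys $runKeys | Format-Table -AutoSize
```

An entry whose Target does not exist is the leftover "marked for startup" reference Bob describes; one with Flagged set points at a file the scanner already named.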