Re: w32.spybot.worm

---

• From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Fri, 24 Feb 2006 12:51:30 -0600

---

If you have not done such you should also scan for malware while booted into
Safe Mode. Trend Micro has a free virus and detection program called
Sysclean that you do not need to install. Just place it and the current
pattern file in a common folder to run from. Possibly it can be of some help
before you need to resort to a pristine install which is the best way to
insure a clean and correctly operating computer but that is your call.
Symantec's website should have explicit instructions to manually remove the
worm if you have not looked there yet. --- Steve

http://www.trendmicro.com/download/dcs.asp -- link to Sysclean
http://securityresponse.symantec.com/ --- Symantec link.


"Andy Harlan" <andy@xxxxxxxxxxxxxxxxx> wrote in message
news:uFLjxrVOGHA.2912@xxxxxxxxxxxxxxxxxxxxxxx

I have detected a nasty worm on our server as w32.spybot.worm(symantec).
It
changes a couple registry key configurations controlling DCOM. It also
sets
itself to run on startup. However everytime I delete these keys they come
back. I have been adding service packs and patches today but still have
problems removing this bug. It says it is a file in Winnt\system32
however
I can not see it in safe mode, command prompt. I have all files to be
shown
including system files. I have a SQL database on this system at SP2. I
have updated to SP4 for Windows 2000 and am applying patches. However it
keeps disabling the DCOM and users get access permission 70 denied when
trying to access database program. Currently when I scan it does not find
a
virus but the registry changes continue to to change back to disable DCOM
and restrict anonymous access = 1 in LSA.

.

---

• Follow-Ups:
  • Re: w32.spybot.worm
    • From: harlanandrew28

• References:
  • w32.spybot.worm
    • From: Andy Harlan

• Prev by Date: Re: Local authentication errors on Windows 2003 Server
• Next by Date: Can someone confirm this for me??
• Previous by thread: w32.spybot.worm
• Next by thread: Re: w32.spybot.worm
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Problem using Windows Explorer, My Computer & Control Panel ... there's a free virus scan that you should do. ... It's a trojan or 2. ... I recommend booting in safe mode and doing it as I ... > on files or folders. ... (microsoft.public.win2000.general) Re: Generic Host Process error ... sounds like Norton anti-virus has a problem. ... try going into safe mode and uninstalling norton. ... it's a free virus scan. ... (microsoft.public.windowsxp.network_web) Re: Generic Host Process error ... sounds like Norton anti-virus has a problem. ... try going into safe mode and uninstalling norton. ... it's a free virus scan. ... (microsoft.public.windowsxp.hardware) Re: Generic Host Process error ... sounds like Norton anti-virus has a problem. ... try going into safe mode and uninstalling norton. ... it's a free virus scan. ... (microsoft.public.windowsxp.general) Re: Generic Host Process error ... sounds like Norton anti-virus has a problem. ... try going into safe mode and uninstalling norton. ... it's a free virus scan. ... (microsoft.public.windowsxp.perform_maintain)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2006-02