Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NAV 2003 detects worm, but cannot delete it.

Status
Not open for further replies.

oiseming

Technical User
Jul 31, 2003
6
US
One of our computers has the w32.spybot.worm. Somehow, it slipped through in spite of having NAV installed on the computer since it was new.

NAV cannot delete or quarantine the worm. Symantec's Web site gives an explanation of why it can. Instead, it advises: "It is for this reason that there is no way to repair these programs, since there is nothing to repair. The only solution is to delete the file or files that comprise the malicious program."

But, here's the catch: Not only did NAV fail me, Symantic is entirely silent on the topic of how to go about deleting "the file or files that comprise the malicious program."

I'm running XP on a Hewlett-Packard equipped w/ a P4 processor. I can locate the offending file, msnet32.exe, but cannot delete it. Besides, I have no idea what other *.dll files, or whatever, there might be installed in conjunction with it.

So, does anyone have any suggestions?

TIA

Orrin

 
Thank you for your feedback. Unfortunately: Been there. Done that. It doesn't work! I tried it. The Symantic procedure outlined, here, relies upon NAV to do the deleting. NAV cannot delete it.

You bet! I most certainly did disable System Restore.

I'm still searching for a way out of the mess.

BTW, Zone Alert is preventing the worm from any activity. At least, it asks me "Yes" or "No" and I tell it no.

Best regards,

Orrin


 
Norton doesn't delete it.. You have to do it manually !!! That is exactly what the site tells you.. It tells you what files to delete after NAV finds them and then what changes to make in registry to finish the job !!!

Murray
 
Thank you for your reply. I appreciate your efforts and the efforts of others who are lending a hand.

I'm wondering if we're on the same page, here. The removal instructions I'm looking at are here:


Starting at the section entitled "Removal Instructions," I've followed all the steps. However, when I get down to the point where it says:

3.c If any files are detected as infected with W32.Spybot.Worm.
3.d. Write down the filenames, and then click Delete.

NAV does not and cannot delete the files.

That is exactly the problem.

But, if I go to this page:


Symantic says: "It is for this reason that there is no way to repair these programs, since there is nothing to repair. The only solution is to delete the file or files that comprise the malicious program."

But, if I go to c:\window\system32\msnet32.exe and try to delete this, the offending file, my OS will not let me do it.

What am I missing?

Orrin
 
Does your OS tell you the file is in use, or that you don't have permission? If permission, take ownership and give yourself full rights. If in use, see if you can find it running as a service and stop it. Or if in use, try to stop what's loading it; check your Run and Runonce reg keys, system.ini, win.ini, etc.

Try booting into Safe Mode and see if you can delete it. Where there's a will, there's a way.
 
Orrin:

Same thing, different url.. Write down the files Norton has deemed infected.. Then, boot into Safe Mode and dump them from there..

Have you tried stopping their process first by dumping the Registry as per Norton??

Murray
 
Thank you for the reply. I appreciate all assistance. Yes, the OS reports that the file is in use. I've considered doing as you suggest, booting in the safe mode and then going in and deleting the offending file. But, read on.

After looking through the posts to "The tech Support Guy," it's apparent I have plenty of company: lots of people have had problems with this worm. Furthermore, all of them have been unable to get rid of it, alone. Generally, it requires the use of Hijack This.
I had discovered earlier that Task Manager will only stay open for an instant. As other people have discovered, that's being caused by this worm. Furthermore, Regedit and MSConfig will close an instant after starting them, essentially making them useless.

It looks as if The Tech Support Guy will eventually be able to help. In the meantime, I'll read the posts in their forum pertaining to this worm before I approach them. For one thing, it looks as if I may as well download and install HiJack This because it's usually the tool they use to fix things up.
I don't know if it requires registration to read the posts to and from The Tech Support Guy, or not. But if anyone is interested or if anyone is so unlucky as to get struck with this worm, you can try taking a look:


Regards,

Orrin
 
Thanks for the info. Please let us know how you resolve this (because I'll probably get it next).
 
I'm not sure why my post of about 20 minutes ago wasn't posted, but Orrin, can you please post your results. I've tried everything that you have and am still having the same problems with Windows XP.
Thanks,
Chris cgm707@yahoo.com
 
The procedure I followed to remove the w32.spybot.worm is found in The Tech Guy forum. Go to the results for a search for posts pertaining to it...


...and scan down the page to "Need to remove 3w2.spybot.worm" The person to responded to my inquiry was polite and knowledgeable. The procedure didn't work *exactly* like "IMM" outlined because I was unable to actually delete the offending file per his instruction:

"Delete the C:\WINDOWS\System32\MSNET32.EXE file"

Therefore, I did not re-boot as instructed. Seeing as how I had "killed" the *.exe file with Process Explorer and it was no longer running, the final step of the procedure--doing a complete scan with NAV--was successful.

If we ever get infected with a worm, again, and NAV is unable to remove it, I think I'll try this:

1) Run Process Explorer and kill the offending *.exe file.
2) Do a complete scan using NAV.

I think that might have worked in this case.

One of the things this worm does is affect the operation of vital Windows services. When trying to use Regedit, MSConfig or Task Manager, their windows slam shut the instant they are opened. Any removal procedure that involves the use of Regedit, for instance, will not work until Process Explorer "kills" the worm's activity.

Orrin
 
Just a thought. Since you can't keep Task Manager open, would a utility like PC Mag's End-it-all help? That's a utility that gives you a bit more information about what's running on your system and allows you to selectively kill processes.
 
It sounds as if End-it-All performs the same functions that Process Explorer does. (I used Process Explorer because it was suggested to me.)

If it truly does work in the same way, one could go in with End-it-All and kill the worm's operation. Once that's done, I'd try initiating a complete scan with NAV. I'm sure that when NAV finds the offending file(s) it could then successfully delete it (them).
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top