June 22, 2009

How to remove the computer worm W32.Troresba?

W32.Troresba is a worm that spreads through removable devices and shared drives/shared folders. When executed, it copies itself into the "Program Files" and "system32" folders (and the other locations listed below), naming each copy after an existing folder with ".exe" appended so that the copies look like the folders they sit beside.

Removal steps:


1. Perform the standard procedure for virus removal (see the separate post "Standard procedure for virus removal").

2. Remove these registry entries, where [ORIGINAL THREAT FILE NAME] is the file name the worm was first run under on that machine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[ORIGINAL THREAT FILE NAME].exe" = "%System%\[ORIGINAL THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[ORIGINAL THREAT FILE NAME].exe" = "%Windir%\[ORIGINAL THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\"#{8fc4ec46-5d05-11de-a71e-000bdb6eb35f}" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\"#{8fc4ec47-5d05-11de-a71e-000bdb6eb35f}" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\"#{8fc4ec48-5d05-11de-a71e-000bdb6eb35f}" = "[BINARY DATA]"

The Run values are the worm's persistence and should be deleted. The MountedDevices values are volume records for the drives the worm was seen on, not worm code; removing them is harmless and Windows recreates them when the volume is reattached. The SAM subkeys below are listed as observed registry changes: HKEY_LOCAL_MACHINE\SAM holds the local account database, entries under Users\Names are account names and entries under Builtin\Aliases\Members are group memberships, so deleting one removes an account or a membership, not the worm. Export the keys first and confirm that each one is not a legitimate account before touching it.

Subkeys:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\A
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\B
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\E
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\S
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-329068152-343818398-1801674531\000003F1
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-329068152-343818398-1801674531\000003F2
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-329068152-343818398-1801674531\000003F3
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-329068152-343818398-1801674531\000003F4



3. Remove these files if they exist on the system. A leading "Program Files", "System32", "Windows" or "UserProfile" stands for %ProgramFiles%, %System%, %Windir% and %UserProfile% respectively. Note the pattern: nearly every entry is a file named after a neighbouring folder with ".exe" appended, so check any folder not in this list (and the removable drives the worm arrived on) for the same pattern.

Program Files\Analog Devices.exe
Program Files\Analog Devices\SoundMAX.exe
Program Files\Common Files.exe
Program Files\Common Files\InstallShield.exe
Program Files\Common Files\Microsoft Shared.exe
Program Files\Common Files\MSSoap.exe
Program Files\Common Files\ODBC.exe
Program Files\Common Files\Services.exe
Program Files\Common Files\SpeechEngines.exe
Program Files\Common Files\System32.exe
Program Files\ComPlus Applications.exe
Program Files\InstallShield Installation Information.exe
Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}.exe
Program Files\Internet Explorer.exe
Program Files\Internet Explorer\Connection Wizard.exe
Program Files\Internet Explorer\PLUGINS.exe
Program Files\Internet Explorer\SIGNUP.exe
Program Files\Messenger.exe
Program Files\microsoft frontpage.exe
Program Files\microsoft frontpage\version3.0.exe
Program Files\Movie Maker.exe
Program Files\Movie Maker\MUI.exe
Program Files\Movie Maker\Shared.exe
Program Files\NetMeeting.exe
Program Files\Online Services.exe
Program Files\Outlook Express.exe
Program Files\Uninstall Information.exe
Program Files\Windows Media Player.exe
Program Files\Windows Media Player\Icons.exe
Program Files\Windows Media Player\Sample Playlists.exe
Program Files\Windows Media Player\Skins.exe
Program Files\Windows Media Player\Visualizations.exe
Program Files\Windows NT.exe
Program Files\Windows NT\Accessories.exe
Program Files\Windows NT\Pinball.exe
Program Files\WindowsUpdate.exe
Program Files\xerox.exe
Program Files\xerox\nwwia.exe
System32\1025.exe
System32\1028.exe
System32\1031.exe
System32\1033.exe
System32\1037.exe
System32\1041.exe
System32\1042.exe
System32\1054.exe
System32\2052.exe
System32\3076.exe
System32\3com_dmi.exe
System32\[ORIGINAL THREAT FILE NAME].exe
System32\appmgmt.exe
System32\CatRoot.exe
System32\CatRoot2.exe
System32\Com.exe
System32\config.exe
System32\config\System32profile\Start Menu\Programs\Startup\[ORIGINAL THREAT FILE NAME].exe
System32\dhcp.exe
System32\DirectX.exe
System32\dllcache.exe
System32\drivers.exe
System32\export.exe
System32\ias.exe
System32\icsxml.exe
System32\IME.exe
System32\inetsrv.exe
System32\Macromed.exe
System32\Microsoft.exe
System32\mui.exe
System32\npp.exe
System32\NtmsData.exe
System32\oobe.exe
System32\ras.exe
System32\ReinstallBackups.exe
System32\Restore.exe
System32\ShellExt.exe
System32\spool.exe
System32\usmt.exe
System32\wbem.exe
System32\wins.exe
System32\xircom.exe
Windows\Config.Msi.exe
Windows\Documents and Settings.exe
Windows\Documents and Settings\Administrator.exe
Windows\Documents and Settings\Administrator\Application Data.exe
Windows\Documents and Settings\Administrator\Cookies.exe
Windows\Documents and Settings\Administrator\Desktop.exe
Windows\Documents and Settings\Administrator\Favorites.exe
Windows\Documents and Settings\Administrator\Local Settings.exe
Windows\Documents and Settings\Administrator\My Documents.exe
Windows\Documents and Settings\Administrator\NetHood.exe
Windows\Documents and Settings\Administrator\PrintHood.exe
Windows\Documents and Settings\Administrator\Recent.exe
Windows\Documents and Settings\Administrator\SendTo.exe
Windows\Documents and Settings\Administrator\Start Menu.exe
Windows\Documents and Settings\Administrator\Templates.exe
Windows\Documents and Settings\All Users.exe
Windows\Documents and Settings\All Users\Application Data.exe
Windows\Documents and Settings\All Users\Desktop.exe
Windows\Documents and Settings\All Users\Desktop\My Documents.exe
Windows\Documents and Settings\All Users\Documents.exe
Windows\Documents and Settings\All Users\DRM.exe
Windows\Documents and Settings\All Users\Favorites.exe
Windows\Documents and Settings\All Users\Start Menu.exe
Windows\Documents and Settings\All Users\Start Menu\Programs\Startup\[ORIGINAL THREAT FILE NAME].exe
Windows\Documents and Settings\All Users\Templates.exe
Windows\Documents and Settings\Default User.exe
Windows\Documents and Settings\Default User\Application Data.exe
Windows\Documents and Settings\Default User\Cookies.exe
Windows\Documents and Settings\Default User\Desktop.exe
Windows\Documents and Settings\Default User\Favorites.exe
Windows\Documents and Settings\Default User\Local Settings.exe
Windows\Documents and Settings\Default User\My Documents.exe
Windows\Documents and Settings\Default User\NetHood.exe
Windows\Documents and Settings\Default User\PrintHood.exe
Windows\Documents and Settings\Default User\Recent.exe
Windows\Documents and Settings\Default User\SendTo.exe
Windows\Documents and Settings\Default User\Start Menu.exe
Windows\Documents and Settings\Default User\Templates.exe
Windows\Documents and Settings\LocalService.exe
Windows\Documents and Settings\LocalService\Application Data.exe
Windows\Documents and Settings\LocalService\Cookies.exe
Windows\Documents and Settings\LocalService\Local Settings.exe
Windows\Documents and Settings\NetworkService.exe
Windows\Documents and Settings\NetworkService\Application Data.exe
Windows\Documents and Settings\NetworkService\Cookies.exe
Windows\Documents and Settings\NetworkService\Local Settings.exe
Windows\Documents and Settings\VirusMaster.exe
Windows\Program Files.exe
Windows\RECYCLER.exe
Windows\RECYCLER\[SID].exe
Windows\System32 Volume Information.exe
Windows\temp.exe
Windows\WINDOWS.exe
UserProfile\Application Data.exe
UserProfile\Cookies.exe
UserProfile\Desktop.exe
UserProfile\Favorites.exe
UserProfile\Local Settings.exe
UserProfile\My Documents.exe
UserProfile\NetHood.exe
UserProfile\PrintHood.exe
UserProfile\Recent.exe
UserProfile\SendTo.exe
UserProfile\Start Menu.exe
UserProfile\Templates.exe
Windows\[ORIGINAL THREAT FILE NAME].exe
Windows\AppPatch.exe
Windows\Config.exe
Windows\Config\[ORIGINAL THREAT FILE NAME].exe
Windows\Config\ADMIN.exe
Windows\Connection Wizard.exe
Windows\Cursors.exe
Windows\Fonts.exe
Windows\Help.exe
Windows\Help\Tours.exe
Windows\Installer.exe
Windows\java.exe
Windows\java\classes.exe
Windows\java\trustlib.exe
Windows\Media.exe
Windows\Minidump.exe
Windows\msagent.exe
Windows\msagent\chars.exe
Windows\msagent\intl.exe
Windows\msapps.exe
Windows\msapps\msinfo.exe
Windows\Offline Web Pages.exe
Windows\Prefetch.exe
Windows\Provisioning.exe
Windows\Provisioning\Schemas.exe
Windows\Registration.exe
Windows\Registration\CRMLog.exe
Windows\Resources.exe
Windows\Resources\Themes.exe
Windows\System32.exe
Windows\System3232.exe
Windows\Tasks.exe
Windows\Temp.exe
Windows\Web.exe
Windows\Web\ADMIN.exe
Windows\Web\printers.exe
Windows\Web\Wallpaper.exe
Windows\WinSxS.exe
Windows\WinSxS\InstallTemp.exe
Windows\WinSxS\Manifests.exe
Windows\WinSxS\Policies.exe
%Temp%\~DF48C2.tmp
%Windir%\Tasks\02.job
%Windir%\Tasks\03.job
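To find the droppings from step 3 without walking the list by hand, here is an added Python example (not part of this post and not a tool from any vendor writeup). It flags any "<name>.exe" that sits beside a folder called "<name>", executables in any Start Menu\Programs\Startup folder, and numerically named .job files under Windows\Tasks, and it quarantines the findings rather than deleting them so a false positive can be put back. The directory tree it builds is constructed for the demo, and the function names are my own; point the hunts at a real drive root or mounted image to use it.

```python
"""Hunt for folder-mimic worm droppings of the kind listed above.

Added example: the functions and the sample tree are constructed for this
demo and are not part of the original post.
"""
import os
import shutil
import tempfile

STARTUP_TAIL = ("start menu", "programs", "startup")


def find_folder_mimics(root):
    """Files named '<name>.exe' that sit beside a directory called '<name>'.

    This is the pattern behind the long file list: one executable per
    folder the worm could reach, borrowing the folder's name.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in sibling_dirs:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_startup_executables(root):
    """Executables inside any '...\\Start Menu\\Programs\\Startup' folder."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = [p.lower() for p in os.path.normpath(dirpath).split(os.sep)]
        if tuple(parts[-3:]) == STARTUP_TAIL:
            hits.extend(os.path.join(dirpath, f) for f in filenames
                        if f.lower().endswith(".exe"))
    return sorted(hits)


def find_numeric_jobs(windir):
    """'NN.job' scheduled-task files in <windir>\\Tasks (e.g. 02.job, 03.job)."""
    tasks = os.path.join(windir, "Tasks")
    if not os.path.isdir(tasks):
        return []
    return sorted(os.path.join(tasks, f) for f in os.listdir(tasks)
                  if f.lower().endswith(".job") and f[:-4].isdigit())


def quarantine(paths, qdir):
    """Move findings into qdir instead of deleting them; returns destinations."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for i, src in enumerate(paths):
        dst = os.path.join(qdir, f"{i:04d}_{os.path.basename(src)}")
        shutil.move(src, dst)
        moved.append(dst)
    return moved


def build_sample_tree(base):
    """Constructed sample layout (not a real infected system) for a dry run."""
    dirs = [
        "Program Files/Common Files/ODBC",
        "Program Files/Internet Explorer/PLUGINS",
        "Program Files/Vendor Tool",
        "Documents and Settings/All Users/Start Menu/Programs/Startup",
        "WINDOWS/Tasks",
        "WINDOWS/system32",
    ]
    files = [
        "Program Files/Common Files.exe",                 # mimics a folder
        "Program Files/Common Files/ODBC.exe",            # mimics a folder
        "Program Files/Internet Explorer/PLUGINS.exe",    # mimics a folder
        "Program Files/Vendor Tool/uninstall.exe",        # legitimate: no sibling dir
        "Documents and Settings/All Users/Start Menu/Programs/Startup/threat.exe",
        "WINDOWS/Tasks/02.job",
        "WINDOWS/Tasks/03.job",
        "WINDOWS/Tasks/Defrag.job",                       # named task, not flagged
    ]
    for d in dirs:
        os.makedirs(os.path.join(base, *d.split("/")), exist_ok=True)
    for f in files:
        with open(os.path.join(base, *f.split("/")), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
    return base


def triage(base):
    """Run all three hunts over a tree; returns relative paths per category."""
    def rel(p):
        return os.path.relpath(p, base).replace(os.sep, "/")
    return {
        "folder_mimics": [rel(p) for p in find_folder_mimics(base)],
        "startup": [rel(p) for p in find_startup_executables(base)],
        "jobs": [rel(p) for p in find_numeric_jobs(os.path.join(base, "WINDOWS"))],
    }


def demo(base=None):
    """Build the constructed tree in a scratch directory and triage it."""
    base = build_sample_tree(base or tempfile.mkdtemp())
    return base, triage(base)


if __name__ == "__main__":
    scratch, report = demo()
    for category, items in report.items():
        print(category)
        for item in items:
            print("  ", item)
    moved = quarantine(find_folder_mimics(scratch), os.path.join(scratch, "quarantine"))
    print(f"quarantined {len(moved)} files")
```

The file hunt covers step 3 only; the Run values from step 2 still have to be removed in the registry, for example with `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "<name>.exe" /f` (and the same under HKLM) once the running copy has been stopped, otherwise the worm rewrites them.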


