July 18, 2009

How to Remove Computer Worm W32.Daprosy?

The computer worm W32.Daprosy propagates through removable drives and shared storage drives or devices, and it may also spread through email.
How to remove computer worm W32.Daprosy?
1. Perform the standard procedure for virus removal.
** Standard procedure for virus removal.

2. Delete these registry values added by the worm.
** How to edit the registry?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinSys" = "%Windir%\system.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LSAShell" = "%Windir%\lsass.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SessionMngr" = "C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe \"C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe\"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"SuperHidden" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"

3. Remove these files ...

C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard
C:\Documents and Settings\All Users\Application Data\PolariSys
C:\Windows.exe
C:\Program Files.exe
System32\hlpsvc1.exe
System32\hlpsvc2.exe
%SystemDrive%\Read1st!.exe
%SystemDrive%\goats.exe
C:\Windows\Classified.exe
C:\Windows\system.exe
C:\Windows\lsass.exe
%UserProfile%\My Documents\Classified.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe
C:\Windows\shutdown.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Classified.exe
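Assuming an elevated PowerShell session on the affected machine, the following is an added example (not from the original post or from Symantec) that audits the registry values and dropped files listed above and, on request, undoes the registry changes; the function names and the wildcard patterns are my own.

```powershell
# Added example, not from the original post or Symantec's write-up: audit the W32.Daprosy
# persistence entries and dropped files listed above, and undo the registry changes on request.
# Assumes an elevated PowerShell session; paths follow the XP-era layout used in the list above.
$script:DaprosyValues = @(   # hive path, value name, wildcard pattern for the data the worm writes
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='WinSys'; Data='*\system.exe' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='LSAShell'; Data='*\lsass.exe' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='SessionMngr'; Data='*\PolariSys\dirlock.exe' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell'; Data='Explorer.exe*kbdsys.exe*' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name='DisableSR'; Data='1' },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions'; Data='1' }
)
# The Explorer\Advanced "Hidden"/"HideFileExt" values are left out: the data the worm sets matches common
# defaults, so they are not an indicator on their own. A lsass.exe directly under %SystemRoot% is: the real one is in System32.
$script:DaprosyFiles = @(
  "$env:SystemRoot\system.exe", "$env:SystemRoot\lsass.exe", "$env:SystemRoot\Classified.exe",
  "$env:SystemRoot\shutdown.dll", "$env:SystemRoot\System32\hlpsvc1.exe", "$env:SystemRoot\System32\hlpsvc2.exe",
  "$env:SystemDrive\Read1st!.exe", "$env:SystemDrive\goats.exe", "$env:SystemDrive\Windows.exe",
  "$env:SystemDrive\Program Files.exe", "$env:USERPROFILE\My Documents\Classified.exe",
  "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\Classified.exe",
  "$env:ALLUSERSPROFILE\Application Data\Microsoft\Keyboard\kbdsys.exe",
  "$env:ALLUSERSPROFILE\Application Data\PolariSys\dirlock.exe"
)
function Get-DaprosyRegistryHit($v) {
  # Returns the current data of a listed value when it matches the worm's pattern, otherwise nothing.
  $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
  if ($item -and ([string]$item.($v.Name)) -like $v.Data) { return $item.($v.Name) }
}
function Test-DaprosyIndicators {
  # Emits one object per artefact found; no output means none of the listed artefacts is present.
  foreach ($v in $script:DaprosyValues) {
    $data = Get-DaprosyRegistryHit $v
    if ($data) { New-Object PSObject -Property @{ Kind='Registry'; Location="$($v.Path)\$($v.Name)"; Data=$data } }
  }
  foreach ($f in $script:DaprosyFiles) {
    if (Test-Path -LiteralPath $f) { New-Object PSObject -Property @{ Kind='File'; Location=$f; Data=$null } }
  }
}
function Repair-DaprosyPersistence {
  # Reverses the registry changes only: Winlogon\Shell is restored to Explorer.exe rather than deleted,
  # the other values are removed so Windows defaults apply. Supports -WhatIf. Files are left for manual review.
  [CmdletBinding(SupportsShouldProcess=$true)] param()
  foreach ($v in $script:DaprosyValues) {
    if (-not (Get-DaprosyRegistryHit $v)) { continue }
    $target = "$($v.Path)\$($v.Name)"
    if ($v.Name -eq 'Shell') {
      if ($PSCmdlet.ShouldProcess($target, 'Restore to Explorer.exe')) { Set-ItemProperty -Path $v.Path -Name Shell -Value 'Explorer.exe' }
    } elseif ($PSCmdlet.ShouldProcess($target, 'Remove value')) { Remove-ItemProperty -Path $v.Path -Name $v.Name }
  }
}
```

Run `Test-DaprosyIndicators | Format-Table Kind, Location, Data` first, then `Repair-DaprosyPersistence -WhatIf` to preview the registry changes before applying them.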

Source: Symantec

3 comments:

Anonymous said...

Daprosy cannot be removed using "standard" procedure. It cannot be removed in safe mode.

Anonymous said...

Sadly, this Daprosy thing is an exemption to "standard procedure". It has already turned off System Restore and it is "alive" in Safe Mode!

Anonymous said...

Some worms cannot be removed using "general" methods and Daprosy is one of them. It could not be removed in Safe Mode and prevents the user from deleting it using System Restore.