February 22, 2010

How to remove computer worm W32.Pykspa.F?

The computer worm W32.Pykspa.F spreads through removable drives (USB sticks), mapped network drives and Skype. It gathers information from the infected system and sends it to a remote site.

How to remove Computer worm W32.Pykspa.F?

1. Perform the standard procedure for virus removal.
** Standard procedure for Virus removal

2. Remove these registry entries
** How to edit windows registry ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM]" = "%Temp%\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM]" = "[RANDOM].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM]" = "%Temp%\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"[RANDOM]" = "%Temp%\[RANDOM FILE NAME].exe ."
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"[RANDOM]" = "[RANDOM].exe ."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"[RANDOM]" = "%Temp%\[RANDOM FILE NAME].exe ."

The worm also sets the following values to disable Registry Editor and Task Manager, silence Security Center alerts, switch off UAC and hide Folder Options and hidden files. Restore them to their previous values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\"AntiVirusDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\"AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\"FirewallDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\"FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\"UacDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\"UpdatesDisableNotify" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "91"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoDriveTypeAutoRun" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFolderOptions" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableInstallerDetection" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableSecureUIAPaths" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableVirtualization" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"FilterAdministratorToken" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"PromptOnSecureDesktop" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"ValidateAdminCodeSignatures" = "0"

Remove these files if they exist on your system
%CurrentFolder%\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].[RANDOM]
%System%\[RANDOM FILE NAME].exe
%Temp%\[RANDOM FILE NAME].[RANDOM]
%Temp%\[RANDOM FILE NAME].exe
%UserProfile%\Application Data\[RANDOM FILE NAME].[RANDOM]
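As an added example, not part of the original post, the following PowerShell script audits the autostart entries and policy values listed above and, when run with -Fix, removes the entries and restores the values. The key and value names are the ones from the list; the values it restores to are assumed Windows 7 defaults (the post does not state the originals), and the Get-RecentDroppedBinary helper, its 7-day window and the function names are my own. It needs PowerShell 3 or later in an elevated session.

```powershell
# Added example (not from the original post): audit, and optionally undo, the
# persistence entries and policy tampering listed in the write-up. Run elevated,
# and only AFTER the worm's processes are stopped (step 1), otherwise it will
# re-create the entries. Default is report-only; -Fix applies the changes.
[CmdletBinding()]
param([switch]$Fix)

# Autostart keys named in the write-up (Policies\Explorer\Run, Run, RunOnce).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Values the worm changes, mapped to the value to restore. The restore values are
# an ASSUMPTION (Windows 7 defaults); compare with a known-clean machine of the
# same build before using -Fix. NoDriveTypeAutoRun = 0xFF disables AutoRun for
# every drive type, the safer choice against a worm that spreads via USB.
# FilterAdministratorToken and ValidateAdminCodeSignatures default to 0 anyway.
$policyValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @{ DisableRegistryTools = 0; DisableTaskMgr = 0 }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   = @{
        DisableRegistryTools = 0; DisableTaskMgr = 0
        ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3
        EnableInstallerDetection = 1; EnableLUA = 1; EnableSecureUIAPaths = 1
        EnableVirtualization = 1; PromptOnSecureDesktop = 1 }
    'HKLM:\SOFTWARE\Microsoft\Windows\Security Center'                   = @{
        AntiVirusDisableNotify = 0; AntiVirusOverride = 0; FirewallDisableNotify = 0
        FirewallOverride = 0; UacDisableNotify = 0; UpdatesDisableNotify = 0 }
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @{ NoFolderOptions = 0; NoDriveTypeAutoRun = 0xFF }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @{ NoFolderOptions = 0; NoDriveTypeAutoRun = 0xFF }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' = @{ CheckedValue = 1 }
}

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }               # PSPath/PSChildName etc., not registry values
            $cmd  = ([string]$p.Value).Trim(' ', '.', '"')      # the worm appends " ." to some values
            $path = [Environment]::ExpandEnvironmentVariables($cmd)
            # Two tells from the write-up: a binary under a Temp directory, or a
            # bare "[RANDOM].exe" with no directory at all.
            $inTemp  = $path -match '(?i)\\Temp\\'
            $bareExe = $path -match '^[^\\/:]+\.exe$'
            if ($inTemp -or $bareExe) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Target = $path }
            }
        }
    }
}

function Get-PolicyTampering {
    foreach ($key in $policyValues.Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $policyValues[$key].Keys) {
            $current = $props.$name                             # $null when the value is absent
            if ($null -ne $current -and $current -ne $policyValues[$key][$name]) {
                [pscustomobject]@{ Key = $key; Name = $name; Current = $current; Restore = $policyValues[$key][$name] }
            }
        }
    }
}

function Get-RecentDroppedBinary {
    # The dropped files have random names, so list recently written executables in
    # the directories the write-up names. Review these by hand; System32 will be
    # noisy right after Windows Update, so do not delete anything blindly.
    $dirs = @($env:TEMP, $env:APPDATA, "$env:SystemRoot\System32")
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        Select-Object FullName, LastWriteTime, Length
}

$runHits    = @(Get-SuspiciousRunEntry)
$policyHits = @(Get-PolicyTampering)
Write-Host 'Suspicious autostart entries:';   $runHits    | Format-Table -AutoSize | Out-Host
Write-Host 'Tampered policy values:';         $policyHits | Format-Table -AutoSize | Out-Host
Write-Host 'Recently written binaries in drop locations (review manually):'
Get-RecentDroppedBinary | Format-Table -AutoSize | Out-Host

if ($Fix) {
    foreach ($h in $runHits) {
        Remove-ItemProperty -Path $h.Key -Name $h.Name -Force
        Write-Host "Removed $($h.Key)\$($h.Name) -> $($h.Command)"
    }
    foreach ($h in $policyHits) {
        Set-ItemProperty -Path $h.Key -Name $h.Name -Value $h.Restore -Type DWord
        Write-Host "Restored $($h.Key)\$($h.Name) = $($h.Restore)"
    }
}
```

Run it without -Fix first and read the three tables: a Run entry pointing at a legitimate installer unpacked into %Temp% also matches the heuristic, and a policy value that was deliberately set by your domain's Group Policy will be reported as tampering. Note the Target paths before removing the entries so the dropped binaries can be quarantined for analysis rather than simply deleted.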

Related:

Virus removal tools
