W32.spybot.worm REMOVAL INSTRUCTIONS!

SexyTech's Avatar
Distinguished Member with 8,415 posts.
 
Join Date: Mar 2002
Location: Tampa Bay
Experience: Advanced
13-Aug-2003, 02:47 PM #1
W32.spybot.worm REMOVAL INSTRUCTIONS!
Symantec has the removal instructions up.

HOW TO REMOVE W32.SPYBOT.WORM

=========================================
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode.
4. Run a full system scan and delete all the files detected as W32.Spybot.Worm.
5. Delete the value that was added to the registry.
6. Delete any zero-byte files in the startup folder.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Spybot.Worm, write down the filenames, and then click Delete.

5. Deleting the value from the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

a. Click Start, and then click Run. (The Run dialog box appears.)

b. Type regedit, then click OK. (The Registry Editor opens.)

c. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

d. In the right pane, delete any values that refer to the filename that was detected as infected with W32.Spybot.Worm.

e. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

f. In the right pane, delete any values that reference the filename in step d.

g. Exit the Registry Editor.

6. Delete the zero-byte files from the Startup Folder
Follow the instructions for your operating system:

NOTE: There may be legitimate files on your system that start with "tftp." Make sure to only delete the zero-byte files from the Startup folder.

Windows 95/98/Me/NT/2000
Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type, or copy and paste, the file name, tftp*.*
Click Find Now or Search Now.
Delete the files that are zero-bytes and contained within any folder that ends with "Startup."

Windows XP
Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type, or copy and paste, the file names tftp*.*
Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Delete the files that are zero-bytes and contained within any folder that ends with "Startup."

=========================================
__________________
"I swear, by my life and my love of it, that I will never live for the sake of another man, nor ask another man to live for mine."
Ayn Rand



RIP Firefighter/Paramedic Steve Rucker!
San Diego will NEVER FORGET!
mad-martin's Avatar
Senior Member with 1,231 posts.
 
Join Date: Jul 2002
Location: Weston-super-Mare, England
14-Aug-2003, 05:17 PM #2
This link may also be useful.

http://www.cert.org/tech_tips/w32_blaster.html
KeithKman's Avatar
Computer Specs
Distinguished Member with 2,069 posts.
 
Join Date: Dec 2002
Location: Irvine, CA
Experience: Intermediate
14-Aug-2003, 05:33 PM #3
I got this in an e-mail:

Subject: Checking for W32.blaster worm infecting the network and How to fix computers if the computers are infected

How can you tell if your computer is infected with the virus:

Please check your computer for possible infection! If your computer is
infected with the worm then you should be able to locate a file called
msblast.exe in the following location:

C:\winnt\system32\msblast.exe
C:\windows\system32\msblast.exe

You will also find the following registry entry in your computer
registry:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update="msblast.exe"

* If you didn't find the worm, you shall make sure to update your
windows computers to fix the RPC vulnerabilities. See the following for
the installation instruction:
http://www.microsoft.com/technet/tre...n/MS03-026.asp
Also, please make sure Symantec Antivirus is installed
and updated.

* If you find a computer with the worm, disconnect it from the
network by removing the network cable. Please inform or e-mail Help
Desk about the infection and make sure to have them install or update
the Antivirus software.

To remove the worm, download the following tool from the Symantec web site
and save it onto a CD or diskette, then follow the instructions below or
contact Help Desk or the systems duty administrator to get the Microsoft RPC
patch and worm fix:

1. Download the FixBlast.exe file from:
http://securityresponse.symantec.com...r/FixBlast.exe

2. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop (or removable media that is known to be
uninfected, if possible). Store it on a diskette or CD.

3. Close all the running programs before running the tool.
If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows Me/XP," for
additional details.

CAUTION: If you are running Windows XP, we strongly recommend
that you do not skip this step. The removal procedure may be
unsuccessful if Windows XP System Restore is not disabled, because
Windows prevents outside programs from modifying System Restore.

4. Double-click the FixBlast.exe file to start the removal tool.
5. Click Start to begin the process, and then allow the tool to
run.

NOTE: If, when running the tool, you see a message that the tool was not
able to remove one or more files, run the tool in Safe mode. Shut down
the computer, turn off the power, and wait 30 seconds. Restart the
computer in Safe mode and run the tool again. All the Windows 32-bit
operating systems, except Windows NT, can be restarted in Safe mode. For
instructions, read the document "How to start the computer in Safe Mode
http://service1.symantec.com/SUPPORT...01052409420406 ."

6. Restart the computer and reconnect the network cable.
7. Run the removal tool again to ensure that the system is clean.
8. If you are running Windows XP, then re-enable System Restore.
9. You must update your Windows computers to fix the RPC
vulnerabilities. Follow the installation instructions:
http://www.microsoft.com/technet/tre...n/MS03-026.asp
Also, contact Help Desk to install Symantec
Anti-Virus software and run Update to make sure that you are using the most current virus definitions.
__________________
/Keith

[ www.LakeMeadOnline.com ]

Last edited by KeithKman : 15-Sep-2003 12:52 AM.
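
The manual checks described in posts #1 and #3 (Run/RunOnce values that name the detected file, and zero-byte tftp* files in folders ending in "Startup") can be done read-only against a regedit text export and a drive path. This is an added example, not code from Symantec or from any poster; the function names and the sample export are constructed for illustration, and nothing is deleted.

```python
import fnmatch
import os
import re

# Constructed sample of a regedit text export; not taken from a real machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\system32\\123.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"path"="msblast.exe"
'''

RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def find_run_references(reg_text, filename):
    """Return (key, value name, data) for Run/RunOnce values naming `filename`."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the next values belong to
            continue
        m = VALUE.match(line)
        if m and key and RUN_KEYS.search(key):
            data = m.group("data").replace("\\\\", "\\")   # undo .reg escaping
            if filename.lower() in data.lower():
                hits.append((key, m.group("name"), data))
    return hits

def find_zero_byte_tftp(root):
    """Return zero-byte tftp* files in folders whose name ends in 'Startup'."""
    found = []
    for folder, _dirs, files in os.walk(root):
        if not os.path.basename(folder).lower().endswith("startup"):
            continue                  # legitimate tftp* files elsewhere are ignored
        for name in files:
            path = os.path.join(folder, name)
            if fnmatch.fnmatch(name.lower(), "tftp*") and os.path.getsize(path) == 0:
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    for hit in find_run_references(SAMPLE_REG, "msblast.exe"):
        print(hit)
```

The filename match is a case-insensitive substring test, so the output is a list to review by hand before removing anything in the Registry Editor.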
healtheworld's Avatar
healtheworld
Guest with n/a posts.
 
18-Aug-2003, 05:32 PM #4
Awesome info gained...


U guys r too good..
zambrij's Avatar
Junior Member with 20 posts.
 
Join Date: Aug 2003
19-Aug-2003, 03:27 PM #5
spybot worm removal trouble
I followed all of the instructions at http://securityresponse.symantec.com...bot.worm.html. I identified the virus file name as 123.exe and was able to delete it with NAV. But, when I got to the last two steps of the instructions, I could not find anything in the registry that refers to that file to delete nor did I find any relative, zero byte, "tftp" files to delete. And I am still having problems...my task manager still won't run. I ran a scan again and now no viruses are found. What is the problem and how do I fix it?
Thanks!
nerdandfreak's Avatar
Junior Member with 4 posts.
 
Join Date: Sep 2003
07-Sep-2003, 02:57 AM #6
hey guys, u know something about welchia31.worm???? u know how to delete it?? its affecting my ddlhost.exe, and slowing my dsl speed. thankz
stu37's Avatar
Computer Specs
Senior Member with 564 posts.
 
Join Date: Jun 2002
Location: Wa. State
13-Sep-2003, 07:36 PM #7
do you mean this? here's the fix:
W32.Welchia.Worm
Hope this works
stu37's Avatar
Computer Specs
Senior Member with 564 posts.
 
Join Date: Jun 2002
Location: Wa. State
13-Sep-2003, 07:38 PM #8
i see it didn't work. anyways here's the site:

http://securityresponse.symantec.com...ools.list.html
wdfndn's Avatar
Senior Member with 151 posts.
 
Join Date: Feb 2003
17-Sep-2003, 05:05 PM #9
I went to the first link supplied by Kiethman http://www.microsoft.com/technet/tr...in/MS03-026.asp
On this page I am given the options to download the patch for my particular OS. My question how can I find out which edition of xp I use, 32 bit or 64 bit?....When I run "winver" the info I get is:
Version 5.1 [build 2600.xpsp2.030422-1633: service pack 1].
One other question. Are these individual security patches already covered by critical updates and service packs on the windows update homepage?
mad-martin's Avatar
Senior Member with 1,231 posts.
 
Join Date: Jul 2002
Location: Weston-super-Mare, England
01-Oct-2003, 02:56 AM #10
you run the 32 bit version
and yes they are released as critical updates as well
guyguy's Avatar
Junior Member with 2 posts.
 
Join Date: Jul 2004
Experience: Advanced
29-Jul-2004, 08:37 AM #11
how is it that when i went to symantec security response site and actually saw the removal tool you people posted here it was for w32.blaster.worm
guyguy's Avatar
Junior Member with 2 posts.
 
Join Date: Jul 2004
Experience: Advanced
29-Jul-2004, 08:41 AM #12
anybody? hello? :echo: :echo:
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.