AOL Instant Messenger Virus
|
Original Message
|
Name: CDCoolguy
Date: September 15, 2003 at 18:55:52 Pacific
Subject: AOL Instant Messenger Virus
OS: Windows XP
CPU/Ram: Pentium 4, 2.4 GHz, 512 M
|
Comment: I inadvertently clicked on a link that someone sent me that said "Yo! Check out this camera I'm gonna get! Click Here", and by clicking on that I was infected with what my Symantec Anti-Virus says is the W32.Spybot.Worm Virus. The virus occasionally deletes messages that I send out to other people and replaces them with the "Yo! Check out..." message that attempts to get others to get the virus. I tried following Symantec's removal instructions from their website and I have done multiple scans with no results. When I originally clicked on the link, I was given notification that the link contained a virus and that the W32.Spybot.Worm virus had been placed in quarantine. Regardless, despite my attempts to delete the file in question with Symantec, I still have the virus. Please help me if you can.
|
|
Response Number 1
|
Name: www
Date: September 15, 2003 at 22:49:39 Pacific
|
Reply: Try the thirty-day free trial of Trojan Remover. After downloading and installing, click on Update to get the latest definitions; W32.Spybot is listed in its removal database.
|
|
Response Number 4
|
Name: theSpartan
Date: September 17, 2003 at 11:46:09 Pacific
|
Reply: Uninstall and reinstall won't help. Maybe if you uninstall then delete the remaining AIM95 folder, but I think I tried that and it didn't work. I ran latest Nortons in safe mode and that cleaned off the Spybot virus, but I'm afraid this has to be a separate virus. What do you have under Run in your registry?
|
|
Response Number 5
|
Name: CDCoolguy
Date: September 17, 2003 at 13:10:32 Pacific
|
Reply: I've surfed the web and read a lot of the stuff about things to look for in the registry. Unfortunately, nothing has matched up. I've tried the uninstall and reinstall and that definitely does not work. Is there anything in the registry in particular I should look for?
|
|
Response Number 6
|
Name: theSpartan
Date: September 17, 2003 at 13:18:13 Pacific
|
Reply: Just look for the stuff in the Run sections. List them and we can compare what is in each other's. I suspect if we delete the right entry we should be fine, but sometimes it's hard to tell what is supposed to be in there and what is not. Could you post the message you send and the URL the link points to? I want to submit them to Trend Micro but I won't have access to my friend's PC, who actually has the virus, for a day or two.
|
|
Response Number 7
|
Name: CDCoolguy
Date: September 17, 2003 at 16:12:33 Pacific
|
Reply: Here are the values in my registry:

AltnetPointsManager AtiModeChange ATIPTA AutoBar CARPService Cpqset Display Settings hpsysdrv PreloadApp QT4HPOT QuickTime Task srmclean SynTPEnh SynTPLpr vptray winupdat

And the link that loads the virus on to your machine (DON'T CLICK THIS LINK...OBVIOUSLY!):

http://172.16.38.252:3338/JVCGRDV800USMiniDVDigital.pif
|
|
Response Number 8
|
Name: theSpartan
Date: September 18, 2003 at 05:49:54 Pacific
|
Reply: The only one I have the same is winupdat, but I was suspicious of this one because I have auto updates on my W2K machine and there is no entry for it in my Run. Another friend of mine with XP says they have auto update configured too but they have no entry in their Run either. Try deleting that value and rebooting; wouldn't hurt to run a scan after the reboot either. Let me know if it works. And don't worry, you can always reconfigure auto update if in fact it was a legit value.
|
|
Response Number 9
|
Name: BARapa
Date: September 21, 2003 at 15:23:11 Pacific
|
Reply: I have the exact same problem. It is actually impossible to get rid of this thing. It says it's not there, but it is still sending itself to people. If you figure it out, please tell me what to do.
|
|
Response Number 10
|
Name: theSpartan
Date: September 22, 2003 at 05:20:49 Pacific
|
Reply: Deleting the winupdat value from HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and then running an anti-virus scan in safe mode seems to work.
|
|
Response Number 12
|
Name: JonathanKane
Date: October 10, 2003 at 08:00:50 Pacific
|
Reply: CDCoolGuy, I work for a TV news company that is doing a news story about what you've just gone through. We'd like to interview you about your experience as our personal (we need to put a human face on the issues to show people "it can happen to you.") If you're willing to be interviewed (and you live in the USA - we can't shoot outside the US), please e-mail me as soon as possible so we can set something up. Your help will be greatly appreciated. Please get back to me as soon as possible.
|
|
Response Number 13
|
Name: mscho74
Date: October 11, 2003 at 20:47:01 Pacific
|
Reply: This thing is driving me crazy as well! Norton Antivirus keeps warning me about this virus but states that it could not repair it. I checked the log files and it states:

Date: 10/11/2003, Time: 18:46:32, Guest on INSPIRONLAPTOP The file C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\OPEN_ME.exe is infected with the W32.Spybot.Worm virus. Access to the file was denied.

The problem is, the "Documents" folder does not exist! At least, I cannot find it using Windows. I went to Symantec's page, and they advise a manual fix (Windows in Safe Mode, Run Scan, Check/Delete using RegEdit). I followed all of their steps, and still no luck. The "virused" file cannot be found in the Run and RunOnce RegKeys. Can anyone help? Is this thing capturing my passwords and sending them out? I'm completely paranoid at this point. Thanks!
|
|
Response Number 14
|
Name: JonathanKane
Date: October 13, 2003 at 08:23:08 Pacific
|
Reply: Hi, I'm still looking for somebody to interview about IM viruses, especially the one we're talking about now (see my earlier post). If anybody can help me out with this, not only will you be helping me out, but you'll also help warn lots of people about this problem and make sure nobody else gets this virus.
|
|
Response Number 15
|
Name: Merry6319
Date: October 19, 2003 at 17:34:48 Pacific
|
Reply: Try this: Open Task Manager, click the Processes tab. In the list of running programs, locate the malware process: WUAUMQR.EXE. Select it and either End Task or End Process. To see if it's been terminated, close Task Mgr. and open it again.

To remove Auto Start entries from the Registry:

1. Click Start>Run, type Regedit, then press Enter.
2. In the left panel, dbl click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>current version>Run
3. In the right panel, locate & delete: WINSOCK2 driver=WUAUMQR.EXE
4. In the left panel, dbl click the following: HKEY_current_user_>software>microsoft>windows>current version>Run Once
5. In the right panel, locate and delete entry: winsock driver=WUAUMQR.EXE

I hope this works for you, as I am having trouble getting Task Manager to stay open. Any advice?
|
|
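An added example, not part of any post in this thread: a PowerShell inventory of the Run and RunOnce values discussed above, in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, with each value resolved to a file on disk and its Authenticode signature status, so lists from two machines can be compared as the posters do by hand. The function name `Resolve-AutorunTarget` and the report columns are choices made for this example.

```powershell
# Added example: inventory autostart values under the Run / RunOnce keys
# named in this thread, for side-by-side comparison between machines.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: turn a Run-key command line into the path of the
# executable it launches, or $null if no such file can be found.
function Resolve-AutorunTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted path: take what is inside the first pair of quotes.
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    # Unquoted path that may contain spaces: cut after the first extension.
    elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd|pif|scr|dll))(\s|,|$)') { $exe = $Matches[1] }
    else { $exe = ($cmd -split '\s+')[0] }
    if (-not $exe) { return $null }
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        return (Get-Item -LiteralPath $exe -Force).FullName
    }
    # Bare file names (no directory) are looked up through PATH.
    $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($found) { return $found.Path }
    return $null
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }       # RunOnce is often absent
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $path    = Resolve-AutorunTarget $command
        $sig     = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
                   else { 'FileNotFound' }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command
            Path = $path; Signature = $sig
            Modified = if ($path) { (Get-Item -LiteralPath $path -Force).LastWriteTime }
        }
    }
}
# Sort so that all entries with the same signature status are listed together.
$report | Sort-Object Signature, Key, Name | Format-Table -AutoSize -Wrap
```

An unsigned entry or one whose file is missing is a candidate for comparison against a known-clean machine, not proof of infection; many legitimate vendor utilities of this era were unsigned.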
Response Number 16
|
Name: cleatondumas
Date: October 23, 2003 at 17:16:46 Pacific
|
Reply: Sometimes if you disable backup and delete all shares, you get rid of hidden viruses. Also, you can get HijackThis, do a scan and post it on here and other forums for tech support, and some can help you. I just got a free antivirus that got rid of 8 viruses that AVG and Panda online scan did not. I believe it scans for trojans too. It is called AVAST 4.0 home edition. Very good, much better than AVG for me. This got rid of the Spybot worm and many others from my machine.
|
