CANNOT REMOVE WORM.VB.DW
badboybennyg
July 2nd, 2006, 05:49 PM
Hi
I am running ewido anti-spyware 4.0 and to be fair it has got rid of loads of rubbish. However it finds the worm.vb.dw but when I try to quarantine or delete it I get "Error while quarantining"
Please please help me get rid of this vicious worm.
zopzop
July 2nd, 2006, 10:47 PM
Did you try restarting Windows in safe mode and running ewido then?
vinzenz.ewido
July 3rd, 2006, 03:52 AM
Yes this is a good idea, try to run ewido in safe mode.
It is often easier to remove a threat in safe mode.
If you still have a problem removing this threat feel free to tell us. We'll help you to remove it.
regards,
badboybennyg
July 3rd, 2006, 04:29 AM
Thanks Guys
I thought I had managed to remove it late last night by following the path that the ewido programme was telling me in the message....
"cannot remove X because the folder X is embedded in X, do you want to delete X" (something like that)
So I followed that path in explorer and deleted the folder. Re-ran the scan in ewido and yippee, no traces. However the symptom of the worm still remains. I cannot install any antivirus software as the worm has attacked my administrator rights etc.
In your opinion is the worm still there? If so why won't ewido pick it up now? Will running the programme in Safe Mode still help????
Appreciate your help.......
karl.ewido
July 3rd, 2006, 05:05 AM
Please post here your scan log of the ewido scanner and a report log of the startup module.
Send me also a pm (private message) with a hijackthis log (tutorial site: http://www.evilissimo-softdev.de/hjt_en.html) of your infected system. Do NOT post the log here.
badboybennyg
July 3rd, 2006, 01:13 PM
Many thanks Karl.Ewido.
Here is the scan log. Please excuse my ignorance but how do I provide the "report log of the startup module"?
I will also PM you shortly with the "hijackthis log". I still feel the worm is on there somewhere as I can't install anything still.....
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 18:09:55 03/07/2006
+ Scan result:
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@clickbank[1].txt -> TrackingCookie.Clickbank : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
::Report end
karl.ewido
July 5th, 2006, 07:54 AM
Your ewido scan log and hijackthis log do not really list any suspicious entries. Are you sure that you still have the problems with this Worm?
badboybennyg
July 5th, 2006, 09:18 AM
Very sure, although the only symptom remaining is the fact I cannot install 95% of antivirus software I have tried to download. Reading up on this worm indicates that this is a classic symptom of this particular Worm. Various error messages relating to logging on as Administrator, incorrect user rights etc occur......
vinzenz.ewido
July 5th, 2006, 10:20 AM
But you've tried to install that antivirus software as admin?
This is needed in most cases.
Regards,
badboybennyg
July 5th, 2006, 10:44 AM
Yes I am def logged in as admin when installing.
This is what i know of this particular worm...
http://www.k7computing.com/virusinfo/WormVBDW.htm
and....
"...is a mass mailing worm that has its own SMTP engine but also tries to spread via P2P networks. It tries to download and execute files from the Internet. It kills antivirus related processes and modifies the host file to make its detection and removal harder."
This is what it says to me when I try and install most things...
Error creating Registry key
RegCreateKey Ex Failed; code 5
Access is denied
Also it seems to have done something to my System Restore. It basically won't let me restore to more than a week ago.
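Added example, not part of any post in this thread: the worm description quoted above says it modifies the hosts file, so one check after cleanup is to list hosts entries that point ordinary hostnames at a loopback or unspecified address. The sample file and its hostnames are constructed placeholders, and the assumption that tampering takes this blackholing form is not stated in the thread.

```python
import ipaddress

# Constructed sample hosts file; every hostname is a placeholder, not from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   # constructed entry
0.0.0.0         scan.av-vendor.example www.av-vendor.example
192.0.2.10      intranet.example
::1             localhost
not-an-ip       broken.example
"""

# Names that legitimately map to a local address.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line number, address, [names]) for each mapping line, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield lineno, fields[0], fields[1:]


def suspicious_entries(text):
    """Return entries that blackhole a non-local name, or whose address is malformed."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, names, "unparseable address"))
            continue
        extra = [n for n in names if n.lower() not in BENIGN_NAMES]
        if (ip.is_loopback or ip.is_unspecified) and extra:
            findings.append((lineno, addr, extra, "name mapped to local address"))
    return findings


if __name__ == "__main__":
    # On a real Windows system, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for lineno, addr, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {', '.join(names)} ({reason})")
```

Entries it reports still need manual review, since ad-blocking hosts lists use the same pattern legitimately.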
pardner_
July 7th, 2006, 02:31 PM
hello ... I am also having trouble deleting this worm using ewido ... it finds the worm.vb.dw but when I try to quarantine or delete it I get "Error while quarantining" while in "safe mode" .... I have done this several times.
.... any info much appreciated
MikeW2
July 8th, 2006, 03:05 AM
Try the Symantec online scan. Or have a look at this link which lists some of the variable names
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.f.html?Open
badboybennyg
July 9th, 2006, 06:21 PM
Hi Pardner
I am not recommending this and I bear no responsibility if anything goes wrong on your PC, but this is what worked for me...
When my computer was starting/booting I did an F10 for system recovery. I then let it reinstall a former state from the partition drive. I must point out at this stage that I didn't lose any files or documents but had to reinstall the software for things like my broadband modem, printer etc. Then I re-ran Ewido. This time it found the worm as before but this time I was able to delete it. Once deleted I could actually install other anti-virus software. These found other Trojans etc. I then re-ran Ewido and no signs of the worm. Fingers crossed PC been ok since.
Cheers
BBBG
r1ft
September 30th, 2006, 12:58 PM
Hey guys, I am having the same exact problem ~link not needed....thread merged into existing thread....Bubba~
I read through the whole thread but never found the best specific way to remove worm.vb.dw.
My basic problem is when I run ewido it catches a lot of rubbish and tons of worm.vb.dw, and when I try to remove them I get an error and it quits out without deleting any of it. I am trying to fully install my AntiVirus but I keep getting the same errors saying stuff like you need to be an administrator bla bla bla...
If anyone has figured out the best way to fix this please let me know!
Thanks,
r1ft
TopperID
September 30th, 2006, 02:02 PM
Try the following:-
D/L and install CCleaner:-
http://www.filehippo.com/download_ccleaner/
Go into safe mode, run CCleaner (you will need to configure it to delete Windows temp files less than 48 hours old and also prefetch items). Now run an ewido memory scan, if it picks anything up you need to go to the analysis section and terminate (simultaneously) all the processes concerned (you will know these 'cos of the numbers in square brackets which are the PIDs). If you reboot, make sure you come back into 'safe'. Persevere with trying to terminate bad running processes; then do a full system scan with ewido.
I can't promise anything, but at least try.
Toby75
September 30th, 2006, 02:33 PM
If that doesn't work...boot into safe mode (with networking)...run an online scan here: http://www.bitdefender.com/scan8/ie.html
This should remove all traces of the worm.
Copyright ©2002 - 2012, Wilders Security Forums