How to kill a detected worm

Discussion in 'Trojan Defence Suite' started by Hans Sturhan, Aug 16, 2003.

Thread Status:
Not open for further replies.
  1. Hans Sturhan

    Hans Sturhan Guest

    Tested TDS3 in 30 days configuration and found worm.Palyh as displayed at the TDS Console bottom window. Tried to erase the affected register file, doesn't work. Can't see the worm in the affected file either. When I do another scan, the worm pops up again. I can't find advice in the Help Menu, so how can I kill that beast?
  2. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi Hans,
    welcome to the forum!
    If you see the alert in the bottom console and right-click on it, you will see more details about it, and in the path its location on the system is given.
    Is it in an email or is it in more places, so installed actually?
    In that alert window, if you right-click on it, you can delete it; look also in the System analyses > Autostart Explorer to see if the key it could be started from is there.
    If not, look with regedit in the registry at the keys you know it could be in.
    Make sure it is no longer in the startup folders either; you might like to check extra in MSCONFIG if all is gone.
    If all that is cleansed out and you use Windows XP or ME, you will want to get rid of that restore point and disable System Restore, reboot, enable System Restore and manually make a new restore point from this clean situation.

    You might also like to use an extra cleanser tool for this Sobig thing, as available from many AV/AT vendors, among others here at F-Secure.
    Please tell us how it goes!
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    What was the alert exactly? A trace or a positive ID (file detection)?
  4. Hans Sturhan

    Hans Sturhan Guest

    The name shown in the lower left side was: Worm.Palyh and pointing to the registry location (I can't remember the correct name of that location). The infected file was located in my data files and ended in *details.pif
    I meanwhile studied this case and found the removal tool at the Symantec site. That worked nicely - it is gone.

    Thanks for your reply.
  5. Hans Sturhan

    Hans Sturhan Guest

    Thanks for your reply and help.

    Although the file location in one of my data folders as *details.pif and the respective registry location were shown, I could not kill it.

    I then found the way you recommended and actually killed the worm with a tool supplied by Symantec.