Hi. This is the first time my PC is infected with a worm, and I’d appreciate it if someone could tell me exactly what I need to do. The worm was found in ldr64.dll, in my system32 folder, which I suppose is a bad thing. Now, I already sent the file to the Avast chest. However, I found the following key in my registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64.
My first question is: should I erase it?
I’d also like to know if my computer is still in danger. I don’t really know how worms work, but probably deleting an infected file or an entry is not enough…
I guess formatting is the safest way, but I have a lot of work to do with my computer, so I really don’t have the time for such a drastic option.
So, I just scheduled a boot time scan. I’ll reboot my computer in a few moments, after ewido is finished scanning.
There’s something I didn’t quite understand, though: you told me to send a registry key (the damned ‘ldr64’ folder I see with my registry editor) to the Avast chest, right? How do I do that?
This program uses the Winlogon Notify key to automatically start. This key is used to run certain programs when specific actions occur such as computer starting up, a user logging in or logging off, or a computer shutting down.
You probably can’t send a registry key to the chest, but you can export it first (just in case; it creates a .reg file) and then delete the registry key. You need to exercise care (back up your registry if possible) and only delete that small part of the registry key that relates to ldr64.
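The export-then-delete procedure described above, as an added PowerShell example (not code from the thread or from Avast). It lists every Winlogon\Notify entry with the DLL it loads and that file's signature status, writes a reg.exe backup of the named subkey, and only then removes it. The subkey name defaults to the thread's ldr64 and the backup folder to the Desktop; both are assumptions you can override. It must run from an elevated prompt, and on Windows Vista and later the Notify key is normally absent, which the script reports rather than treating as an error.

```powershell
# Added example: audit Winlogon\Notify, back up one subkey, then remove it.
# Assumed parameters: $SubKeyName (default 'ldr64', from the thread) and
# $BackupDir (default: the current user's Desktop).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubKeyName = 'ldr64',
    [string]$BackupDir  = "$env:USERPROFILE\Desktop"
)

$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

if (-not (Test-Path -Path $notifyPath)) {
    Write-Host "No Winlogon\Notify key on this system (expected on Vista and later)."
    return
}

# 1. Enumerate every Notify entry and resolve the DLL it loads at logon.
#    A bare file name such as 'ldr64.dll' is resolved from system32; anything
#    that is missing, unsigned or unfamiliar deserves a closer look.
Write-Host "Winlogon Notify entries:"
Get-ChildItem -Path $notifyPath | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
    if (-not $dll) {
        "{0,-20} {1}" -f $_.PSChildName, '<no DllName value>'
        return
    }
    $resolved = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [System.IO.Path]::IsPathRooted($resolved)) {
        $resolved = Join-Path "$env:SystemRoot\system32" $resolved
    }
    $status = if (Test-Path -Path $resolved) {
        (Get-AuthenticodeSignature -FilePath $resolved).Status
    } else {
        'file missing'
    }
    "{0,-20} {1,-55} {2}" -f $_.PSChildName, $resolved, $status
}

# 2. Back up the target subkey with reg.exe before touching it.
$target = Join-Path $notifyPath $SubKeyName
if (-not (Test-Path -Path $target)) {
    Write-Host "No subkey named '$SubKeyName'; nothing to remove."
    return
}

$backup    = Join-Path $BackupDir ("WinlogonNotify-{0}-{1:yyyyMMdd-HHmmss}.reg" -f $SubKeyName, (Get-Date))
$nativeKey = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$SubKeyName"   # reg.exe syntax
& reg.exe export $nativeKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backup)) {
    throw "Backup to $backup failed; leaving the registry untouched."
}
Write-Host "Backup written to $backup"

# 3. Remove only that subkey (supports -WhatIf / -Confirm).
if ($PSCmdlet.ShouldProcess($target, 'Remove Winlogon Notify subkey')) {
    Remove-Item -Path $target -Recurse
    Write-Host "Removed $target. To restore: reg.exe import `"$backup`""
}
```

Run it once with `-WhatIf` to see the listing and the backup path without deleting anything; the .reg file it writes can be re-imported with `reg.exe import` if a legitimate entry was removed by mistake.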
Hi, thank you very much for the link. It was actually very useful. I followed the steps to delete the pertaining registry keys (after backing up my reg), and it seems that all vestiges of this worm have disappeared.
I have one final question, regarding worms in general: are these steps (deleting the malicious files and registry entries) usually enough to be sure that my computer is out of danger, or can the person who introduced this worm still have access to my files?
Protect your computer with one resident AV program, one good software firewall, and apt anti-spyware protection (Spybot S&D, Ad-Aware & SpywareBlaster), and keep all the software on your computer updated and patched. Use in-browser security to prevent going to infested sites, like SiteAdvisor and Dr. Web’s pre-hyperlink scanner add-on for IE, FF, Flock, Opera.
Polonus has pretty much answered your question with his links, and I will add to his comments that prevention is much better than cure, and have a multi-level approach to your system security. In order for many of these worms to work effectively (place files in system folders, create registry entries, etc.) they need administrator privileges; these they generally inherit from the user’s account.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
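An added PowerShell check, not from the thread or from DropMyRights, that shows the distinction the two posts above rely on: what rights the account you browse with actually holds, since that is what any malware started from that session inherits. `IsElevated` reports whether the current process token carries the Administrator role; `InAdminsGroup` reports whether the account is a member of the built-in Administrators group (well-known SID S-1-5-32-544) at all. On XP-era systems both are true for an admin account; on UAC systems a non-elevated admin shows `InAdminsGroup` true and `IsElevated` false. The function name is my own.

```powershell
# Added example: report the rights the current session would hand to any
# program (malicious or not) launched from it. Function name is assumed.
function Test-SessionRights {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [PSCustomObject]@{
        User          = $identity.Name
        # True when the token in use right now has administrator rights.
        IsElevated    = $principal.IsInRole($adminRole)
        # True when the account belongs to BUILTIN\Administrators (S-1-5-32-544),
        # even if UAC has filtered that group out of the current token.
        InAdminsGroup = ($identity.Groups.Value -contains 'S-1-5-32-544')
    }
}

$rights = Test-SessionRights
$rights | Format-List

if ($rights.IsElevated) {
    Write-Host 'This session runs with administrator rights: anything it launches can write to system32 and HKLM.'
} else {
    Write-Host 'This session is limited: writes to system folders and HKLM will be denied.'
}
```

Running this from the account used for everyday browsing and e-mail is the quickest way to see whether the "limited rights" defence the post describes is actually in place.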