Worm:Win32/Slenping

Viruses and worms
1

Hello, I am an experienced computer user and my mother’s PC is infected with a worm called “Worm:Win32/Slenping” as listed on Microsoft Security Essentials. MSE is not removing this virus, and Avast! does not detect this as a worm. Im at a loss in how to remove it, and am unable to locate this virus manually as it duplicates it’self, etc. I tried to “end” the running process and it does go away but upon restart the virus re-starts! I dont know how to submit the virus to Avast! through Avast! 5.0

Any assistance would be great!

2

Have you tried

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
click the remove selected button to quarantine anything found
post the scan log here

3

Hi JANEWAY,

Manual removal instructions: Step 1 : View the Worm:Win32/SlenpingComponents with its MD5s
Remove the “Worm:Win32/Slenping” components:
File Name File Size MD5
CLADD 15872 47b3ffcb7d8c548419e59016bbc928f4
CLADD 23040 420b2a09840556eb17e271b1040a8edf
CLADD 10752 da18b5716996f7baec2599e19e895732
CLADD 102400 74ce0a1fc6e88ac6747cf8371929f997
CLADD 82432 6c20afc772cadf040dc11fa40976e00f
CLADD 17920 314ed40ca15f0df95f657cc4aad6b478
CLADD 20480 d54b8553e6eb00f0b9b90c863ef30c38
CLADD 32768 3665733a6f7243e7cb1401f72c643139
CLADD 20480 c8f0941ace0b44110eb52ec79312408e
CLADD 37888 fd3f2ef797503ef9fb24a498875c4e0e
CLADD 40960 cbd1d397d488095b7875f329cf3bad8d
CLADD 17920 67db0ab7ad4904df4ad0e9fb09a2b673
CLADD 22016 76cfa64ca20d71a5235f8b3be6f90f6e
CLADD 78336 817fb825cd427fc8da2b7e1cdcdfa167
CLADD 45056 af9271019a3a47030229326d33282278
CLADD 196096 d059e984f3390403595e24de8b31e4be
CLADD 34816 20726cf8c05a02d73745c44e97b6dcc6
CLADD 15360 74713af69c2da4481a25495f6c59daaa
svchost.exe 77824 afa1b389c56b194ffbc8b4a12ac42edd
WindowsLive.exe 1892696 485f7fa25b3d0d38a4f14495c02eca54
CLADD 226816 af84769f839528652c480e016fc76c5b
CLADD 24576 f1ffec482bfedb9a0e7aefe124602241
CLADD 120320 80ff0ba83fc543af5c4f7a1bda5921be
CLADD 12288 97947c0c63e5635d86a1add389950305
CLADD 37888 41f13c8013d553422d30df143894f8e1

To remove Worm:Win32/Slenping, you must first stop any Worm:Win32/Slenping processes that are running in your computer’s memory. To stop all Worm:Win32/Slenping processes, press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the “Processes” tab, search for Worm:Win32/Slenping, then right-click it and select “End Process” key.

To delete Worm:Win32/Slenping registry keys, open the Windows Registry Editor by clicking on the Windows “Start” button and selecting “Run.” Type “regedit” into the box and click “OK.” Once the Registry Editor is open, search for the registry key “HKEY_LOCAL_MACHINE\Software\Worm:^^^^^^.” Right-click this registry key and select “Delete.”

Finally, to completely get rid of Worm:Win32/Slenping you must manually remove other Worm:Win32/Slenping files. These Trojan.IRCBot files can be in the form of EXE, DLL, LSP, TOOLBAR, BROWSER HIJACK, and/or BROWSER PLUGIN. For example, Worm:^^/^^^^ create a file like
%PROGRAM_FILES%\Worm:^^^^^/^^^^^^.exe. Locate and remove these files,

polonus

4

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4313

Windows 6.1.7601 Service Pack 1, v.153
Internet Explorer 8.0.7601.16537

14/07/2010 3:58:16 PM
mbam-log-2010-07-14 (15-58-16).txt

Scan type: Quick scan
Objects scanned: 122976
Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Users\Public\winsvrcn.exe (Backdoor.Bot) → No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowssyscontrol (Backdoor.Bot) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Public\winsvrcn.exe (Backdoor.Bot) → No action taken.
C:\Users\Carolyn\AppData\Local\Temp\Nj6Hml0jD0.log (Extension.Mismatch) → No action taken.

5

the log say no action take, you have to click the remove selected button to quarantin the infection

so scan again and remove