W32.Leave.Worm - Removal

Run LiveUpdate to make sure that you have the most recent virus definitions.

1. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
2. Delete any files detected as W32.Leave.worm.
3. If you delete any of the system files that are mentioned in the list in the previous section, you should restore them from the Windows installation CD.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys that are specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a qualified computer technician for more information.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following key:
   
   HKEY_CURRENT_USER\Software\Mirabilis\
   ICQ\Agent\Apps
   
4. In the right pane, look for and select the value
   
   icqrun   C:\WINDOWS\regsv.exe
   
5. Press Delete, and then click Yes to confirm.
6. Navigate to and select the following key:
   
   HKEY_LOCAL_MACHINE\Software\Classes\Scandisk
   
7. This entire subkey has been created by the worm and can be deleted. Insure that you have selected the Scandisk key and that it is highlighted.
8. Press Delete, and then click Yes to confirm.
9. Follow the instructions for your version of Windows
   • Windows NT/2000
     1. Navigate to and select the following key:
        
        HKEY_LOCAL_MACHINE\Software\Microsoft\
        Windows\CurrentVersion\Run
        
     2. In the right pane, look for and select the value
        
        regsv   C:\WINDOWS\regsv.exe
        
     3. Press Delete, and then click Yes to confirm.
   • Windows 9x/ME
     1. Navigate to and select the following key:
        
        HKEY_LOCAL_MACHINE\Software\Microsoft\
        Windows\CurrentVersion\RunServices
        
     2. In the right pane, look for and select the value
        
        regsv   C:\WINDOWS\regsv.exe
        
     3. Press Delete, and then click Yes to confirm.
        
10. Exit the registry editor.

Technical Details