Discovered: October 25, 2002
Updated: February 13, 2007 11:41:02 AM
Also Known As: Friendgreetings, WORM_FRIENDGRT.A [Trend], WORM_FRIENDGRT.B [Trend], Friend Greeting application [M, Friend Greeting application (I
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
These instructions pertain to all the current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Update the virus definitions.
- Restart the computer in Safe mode.
- Configure Windows to show all files.
- Remove the "WinSrv Reg" program and the "Friend Greetings" or "FG" program by using the Add/Remove Programs applet in the Control Panel.
- Run a full system scan, and delete all the files detected as W32.Friendgreet.worm.
- Delete the other files that the program added to the system.
- Reverse the changes that the program made to the registry.
For details on how to do this, read the following instructions.
1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
- Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
- Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
2. Restarting the computer in Safe mode
All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
3. Configuring Windows to show all files
- Start Windows Explorer.
- Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000/XP), and then click Options or Folder options.
- Click the View tab.
- Uncheck "Hide file extensions for known file types."
- Do one of the following:
- Windows 95/NT: Click "Show all files."
- Windows 98: In the Advanced settings box, under the "Hidden files" folder, click Show all files.
- Windows Me/2000/XP: Uncheck "Hide protected operating system files," and under the "Hidden files" folder click "Show hidden files and folders."
- Click Apply, and then click OK.
4. Removing the "WinSrv Reg" and "Friend Greetings" programs
Uninstall the "WinSrv Reg" and/or the "Friend Greetings" and/or the "FG" program using the Add/Remove Programs applet in the Control Panel.
NOTE: The exact sequence of mouse clicks and button names vary depending on the version of Windows you are running. These instructions are for Windows 98. If you have questions about how to do this in other versions of Windows, read your Windows documentation.
- Click Start, point to Settings, and then click Control Panel.
- Double-click Add/Remove Programs.
- In the list, select "WinSrv Reg."
- Click Add/Remove, and follow the prompts.
- If "Friend Greetings" or "FG" is present in the list, select it, and then repeat step 4.
5. Scanning for and deleting the detected files
- Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with W32.Friendgreet.worm, click Delete.
NOTES:
- There have been reports of this program leaving files in the Temporary Internet Files folder. If, after removing the program, your Symantec antivirus program continues to detect W32.Friendgreet.worm but cannot delete or quarantine it, we suggest that you delete the contents of the Web browser's Temporary Internet Files folder. See your Web browser documentation for instructions.
- If you are using Windows Me or XP and your Symantec antivirus product continues to detect W32.Friendgreet.worm in the System Restore folder, read the "System Restore option in Windows Me/XP" instructions in the Additional Information section at the end of this document.
6. Deleting the other files the program added to the system
Use Windows Explorer to locate and delete these files:
- C:\Program Files\Common Files\Media\Install.log
- C:\Program Files\Common Files\Media\Otdock.dll
- C:\Program Files\Common Files\Media\Otglove.dll
- C:\Program Files\Common Files\Media\Otms.exe
- C:\Program Files\Common Files\Media\Otupdate.exe
- C:\Program Files\Common Files\Media\Uninstal.exe
- C:\Program Files\Common Files\Media\Winsrvc.dat
- C:\Program Files\Common Files\Media\Winsrvc.exe
7. Reversing the changes the program made to the registry
NOTE: Many, if not all, of these keys and values should have been removed when you uninstalled the program using Add/Remove Programs. This information is provided in the event that the uninstallation procedure failed. Even in that case, it is only necessary to remove the value that was added to the Run key (step 3); the other registry changes can be ignored.
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
- Click Start, and then click Run. (The Run dialog box appears.)
- Type regedit, and then click OK. (The Registry Editor opens.)
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the following value:
PMedia C:\Program Files\Common Files\Media\winsrvc.exe
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg
- In the right pane, delete the following values:
DisplayName WinSrv Reg
UninstallString C:\Program Files\Common Files\Media\UNINSTAL.EXE C:\Program Files\Common Files\Media\INSTALL.LOG WinSrv Reg Uninstall
- Navigate to and delete the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Friend Greetings
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
- In the left pane, delete the following key:
{7011471D-3F74-498E-88E1-C0491200312D}
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\CLASSES
- In the left pane, delete the following keys:
IEEvtCatcher.IEEvtCatcherObj.1
IEEvtCatcher.IEEvtCatcherObj
IEMsgSvr.IEMsgSvrObj.1
IEMsgSvr.IEMsgSvrObj
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID
- In the left pane, delete the following keys:
{7011471D-3F74-498E-88E1-C0491200312D}
{7677C920-9CC3-4621-AF8C-AD45402DC2FD}
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\CLASSES\Interface
- In the left pane, delete the following key:
{059D8C85-A00F-40AF-8078-7692A0A79F19}
- Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib
- In the left pane, delete the following key:
{3972ADCE-8737-45DE-A6E2-A253348E5A1E}
- Exit the Registry Editor.
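The following PowerShell script is an added example and is not part of Symantec's write-up. It is a read-only audit that checks a machine for the artifacts named in steps 6 and 7 above (the dropped files under C:\Program Files\Common Files\Media, the PMedia value in the Run key, the uninstall entries, the Browser Helper Object registration and the COM class, interface and type library keys) and reports what it finds without changing anything. The paths assume an English Windows installation with the default Program Files location; removal itself is still done with the steps above.

```powershell
# Added example: read-only check for W32.Friendgreet.worm artifacts.
# Changes nothing; exits 1 if any artifact is present so it can be scripted.
# Assumption: default English "C:\Program Files" layout.

$mediaDir = 'C:\Program Files\Common Files\Media'
$files = 'Install.log', 'Otdock.dll', 'Otglove.dll', 'Otms.exe',
         'Otupdate.exe', 'Uninstal.exe', 'Winsrvc.dat', 'Winsrvc.exe'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files (step 6).
foreach ($f in $files) {
    $p = Join-Path $mediaDir $f
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 2. Persistence: the PMedia value in the Run key (the one change that matters).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['PMedia']) {
    $findings.Add("run value: PMedia = $($run.PMedia)")
}

# 3. Registry keys from step 7: uninstall entries, BHO registration, COM objects.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Friend Greetings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7011471D-3F74-498E-88E1-C0491200312D}',
    'HKLM:\SOFTWARE\Classes\IEEvtCatcher.IEEvtCatcherObj.1',
    'HKLM:\SOFTWARE\Classes\IEEvtCatcher.IEEvtCatcherObj',
    'HKLM:\SOFTWARE\Classes\IEMsgSvr.IEMsgSvrObj.1',
    'HKLM:\SOFTWARE\Classes\IEMsgSvr.IEMsgSvrObj',
    'HKLM:\SOFTWARE\Classes\CLSID\{7011471D-3F74-498E-88E1-C0491200312D}',
    'HKLM:\SOFTWARE\Classes\CLSID\{7677C920-9CC3-4621-AF8C-AD45402DC2FD}',
    'HKLM:\SOFTWARE\Classes\Interface\{059D8C85-A00F-40AF-8078-7692A0A79F19}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{3972ADCE-8737-45DE-A6E2-A253348E5A1E}'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key: $k") }
}

# 4. A process running out of the dropped directory (the Run value starts winsrvc.exe).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($mediaDir, [System.StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object { $findings.Add("process: $($_.ProcessName) (PID $($_.Id)) from $($_.Path)") }

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Friendgreet.worm artifacts found.'
} else {
    Write-Output "Found $($findings.Count) artifact(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
    exit 1
}
```

Run it from an elevated prompt so that HKEY_LOCAL_MACHINE and every process path are readable; a non-zero exit means at least one artifact listed in the steps above is still present. The check reads the same Classes hive as the steps above (HKEY_LOCAL_MACHINE\Software\CLASSES); it does not look under other hives or redirected views.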