How to Remove Sobig Worm

By ABC News
December 16, 2003, 6:31 PM

Dec. 17 -- All antivirus vendors have had virus definition files since August to recognize and stop Sobig.F. Most will also clean and remove the virus.

If you don't have updated antivirus software and suspect you have Sobig.F, you can scan for it and remove it from your machine using one of the following online or downloadable scanners: McAfee's Stinger or Trend Micro's HouseCall. You can also use the removal tool from Symantec or from Panda (requires registration).

Users can manually remove Sobig.F using the following procedure:

1. Windows XP/ME users should turn off system restore. You'll find more information for Windows XP here (http://support.microsoft.com/default.aspx?kbid=283073) and for Windows ME here (http://support.microsoft.com/default.aspx?kbid=264887).

2. Windows NT/2000/XP users should open Task Manager and terminate the process winppr32.exe. Press CTRL+ALT+DEL (on Windows NT/2000, and on XP when the Welcome screen is turned off, this opens a dialog; click Task Manager in it), click the Processes tab, scroll down until you see winppr32.exe, select it and click End Process. If the process is not listed, the worm is not currently running and you can go on to the next step. Windows 9x/ME users have no Task Manager process list and should instead reboot into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose "Safe Mode") so that the worm is not loaded.

3. Delete the harvested-address file winstt32.dat and the worm executable winppr32.exe from your Windows directory (typically C:\Windows or C:\WINNT). Check the file names exactly before deleting; do not remove any other file.

4. Back up the registry. Go to Start/Run, type Regedit and press Enter. Once in the Registry Editor, select "Export" from the File menu. When the export dialog appears, click "All" for the export range at the bottom of the screen, type in a file name and click Save to write a copy of the registry to a .reg file. To restore it later in case of a problem, double-click the .reg file. Note that merging a .reg file puts the exported values back but does not remove values that were added after the export, so keep the backup and make only the one change described in the next step.

5. Edit the registry by finding and deleting the value "TrayX" (whose data is "%Windir%\winppr32.exe /sinc") from each of the following two registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete only the TrayX value; the Run keys themselves and the other values in them belong to legitimate software and must stay.
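The following PowerShell script is an added example, not part of the original ABC News article, that carries out steps 2 through 5 above on Windows NT/2000/XP and later from an administrator prompt. It uses only the indicators the article names (the winppr32.exe process, the two files in the Windows directory, and the TrayX value under both Run keys). Step 1 (turning off System Restore) is still done by hand beforehand, and instead of exporting the whole registry it backs up just the two Run keys it is about to change; the backup directory is an assumption you can change.

```powershell
# Added example (not from the article): scripted version of manual steps 2-5 for Sobig.F.
# Run as Administrator. Assumes the article's indicators; anything unexpected is
# reported and left in place for manual review.

$WinDir   = $env:SystemRoot                         # typically C:\WINDOWS or C:\WINNT
$Files    = @("$WinDir\winppr32.exe", "$WinDir\winstt32.dat")
$ValueName = 'TrayX'
$RunKeys  = @(                                      # reg.exe form and PowerShell-drive form
    @{ Reg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       PS  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Reg = 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       PS  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
)
$BackupDir = Join-Path $env:TEMP 'sobig-cleanup-backup'   # assumption: any writable folder
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 2: terminate the running worm process, if any.
$procs = Get-Process -Name 'winppr32' -ErrorAction SilentlyContinue
if ($procs) {
    Write-Host "Stopping winppr32.exe (PID $($procs.Id -join ', '))"
    $procs | Stop-Process -Force
    Start-Sleep -Seconds 1
} else {
    Write-Host 'winppr32.exe is not running'
}

# Step 3: delete the worm executable and the harvested-address file, and nothing else.
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "Deleting $f"
        Remove-Item -LiteralPath $f -Force
    } else {
        Write-Host "Not present: $f"
    }
}

# Step 4: back up the keys we are about to edit (reg.exe writes standard .reg files).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($k in $RunKeys) {
    $hive = $k.Reg.Substring(0, 4)                  # HKLM or HKCU
    $out  = Join-Path $BackupDir "Run-$hive-$stamp.reg"
    reg export $k.Reg $out | Out-Null
    Write-Host "Backed up $($k.Reg) to $out"
}

# Step 5: remove the TrayX autorun value from both Run keys. Only remove it when the
# data points at winppr32.exe, as the article says it does for Sobig.F.
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k.PS -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $ValueName)) {
        Write-Host "No $ValueName value under $($k.Reg)"
        continue
    }
    $data = $props.$ValueName
    if ($data -like '*winppr32.exe*') {
        Write-Host "Removing $($k.Reg)\$ValueName = $data"
        Remove-ItemProperty -Path $k.PS -Name $ValueName
    } else {
        Write-Warning "$($k.Reg)\$ValueName has unexpected data '$data'; left in place"
    }
}

Write-Host 'Done. Reboot, then run an up-to-date antivirus scan.'
```

The value check in step 5 is the part worth keeping even if you do the rest by hand: a Run value named TrayX that does not point at winppr32.exe is not what the article describes, and deleting it blindly could break a legitimate program's startup entry. The .reg backups in the temp folder can be double-clicked to merge the saved values back in.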

Once finished, reboot and run your antivirus with current definitions to find any other infected files and delete them. Windows XP/ME users who turned off System Restore in step 1 should turn it back on once the scan comes back clean.