Remove W32.Babelloh virus

W32.Babelloh is a worm that has affected many systems. It can open a backdoor port on the infected computer, allowing remote unauthorized access, and it copies itself to other drives in order to infect them.

The worm creates the following files, which you may have noticed on an infected machine:
• %DriveLetter%:\RECYCLER
• %DriveLetter%:\autorun.inf
• %DriveLetter%:\RECYCLER\desktop.exe
• %DriveLetter%:\RECYCLER\desktop.ini
• %SystemDrive%\spoolsv32.exe
• %SystemDrive%\wmiprvse.exe

Steps to remove W32.Babelloh worm:
1. Disable System Restore for a while. To do that, right-click My Computer, click Properties, go to the System Restore tab and tick the option "Turn off System Restore".

2. Update the antivirus definitions so the scan can detect and remove the current version of the worm.

3. Scan the whole system with the antivirus.

4. Navigate to and delete the following values from the registry (open the Registry Editor by typing regedit in Run):

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"PolicyRun" = "%SystemDrive%\spoolsv32.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winmgmt" = "%SystemDrive%\wmiprvse.exe"
• HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Run\"winmgmt" = "%SystemDrive%\wmiprvse.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %SystemDrive%\spoolsv32.exe"
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks\"ImagePath" = "%SystemDrive%\spoolsv32.exe"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\"ImagePath" = "%SystemDrive%\spoolsv32.exe"

5. Restore the following registry entries to their original values (if required):

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\"ServiceCurrent" = "11"
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks\"Type" = "10"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\"ServiceCurrent" = "11"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\"Type" = "10"
• HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
• HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "B5"

Exit the Registry Editor; the problem should now be fixed.
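The script below is an added example, not part of the original post, that turns the file list and the registry steps above into a repeatable audit: it reports every indicator it finds and, only when run with -Remediate, removes the autostart values from step 4 and restores the Winlogon Shell value. It assumes an elevated PowerShell session and the paths given in the post. Because the HKEY_USERS SID in the post belongs to the machine the author cleaned, the script checks every loaded user hive instead. The TrkWks service values and the ShowSuperHidden / NoDriveTypeAutoRun policy values are only reported, since the legitimate Distributed Link Tracking Client runs inside svchost.exe and its correct Type/ImagePath depend on the Windows version; restore those from a clean machine of the same version rather than deleting them.

```powershell
<#
  Added example (not code from the original post): audit a machine for the
  W32.Babelloh indicators listed above; -Remediate undoes the autostart entries.
  Assumes an elevated session. Supports -WhatIf through ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# --- Dropped files --------------------------------------------------------
# The genuine wmiprvse.exe lives in %SystemRoot%\System32\wbem; a copy at the
# root of the system drive is the worm's. RECYCLER is the normal NTFS Recycle
# Bin folder on XP-era systems, so only the files inside it count as indicators.
foreach ($name in 'spoolsv32.exe', 'wmiprvse.exe') {
    $p = Join-Path "$env:SystemDrive\" $name
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p 'worm executable at drive root' }
}
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $roots) {
    foreach ($rel in 'autorun.inf', 'RECYCLER\desktop.exe', 'RECYCLER\desktop.ini') {
        $p = Join-Path $d.Root $rel
        if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p 'autorun spreading component' }
    }
}

# --- Autostart values from step 4 ----------------------------------------
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
$runValues = @(
    @{ Key = "$cv\policies\Explorer\Run"; Name = 'PolicyRun' },
    @{ Key = "$cv\Run";                   Name = 'winmgmt'   }
)
foreach ($h in $userHives) {
    $runValues += @{ Key = "Registry::HKEY_USERS\$($h.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
                     Name = 'winmgmt' }
}
foreach ($rv in $runValues) {
    $v = Get-ItemProperty -LiteralPath $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        Add-Finding 'Registry' "$($rv.Key)\$($rv.Name)" $v.($rv.Name)
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($rv.Key)\$($rv.Name)", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $rv.Key -Name $rv.Name
        }
    }
}

# Winlogon Shell: put the Windows default back instead of deleting the value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^explorer\.exe$') {
    Add-Finding 'Registry' "$winlogon\Shell" $shell
    if ($Remediate -and $PSCmdlet.ShouldProcess("$winlogon\Shell", 'Reset to Explorer.exe')) {
        Set-ItemProperty -LiteralPath $winlogon -Name Shell -Value 'Explorer.exe'
    }
}

# --- Report-only checks ----------------------------------------------------
# TrkWks is a real service; a hijacked ImagePath is reported, not deleted.
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    $svc = "HKLM:\SYSTEM\$cs\Services\TrkWks"
    $props = Get-ItemProperty -LiteralPath $svc -ErrorAction SilentlyContinue
    if ($props -and $props.ImagePath -match 'spoolsv32\.exe') {
        Add-Finding 'Service' "$svc\ImagePath" "$($props.ImagePath) (Type=$($props.Type))"
    }
}
# Current values of the two per-user policies from step 5, for comparison.
foreach ($h in $userHives) {
    $base = "Registry::HKEY_USERS\$($h.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
    $ssh = (Get-ItemProperty -LiteralPath "$base\Explorer\Advanced" -ErrorAction SilentlyContinue).ShowSuperHidden
    $ndt = (Get-ItemProperty -LiteralPath "$base\Policies\Explorer" -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -ne $ssh) { Add-Finding 'Policy' "$base\Explorer\Advanced\ShowSuperHidden" $ssh }
    if ($null -ne $ndt) { Add-Finding 'Policy' "$base\Policies\Explorer\NoDriveTypeAutoRun" ('0x{0:X}' -f [int]$ndt) }
}

if ($findings.Count -eq 0) { Write-Output 'No W32.Babelloh indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it first without -Remediate (or with -Remediate -WhatIf) to see what it would change; the Policy rows are informational so you can compare them with the values given in step 5 before deciding whether to edit them.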
