mike
December 24th 03, 04:40 PM
Hi,
I went to the Symantec site on this trojan
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nettrojan.html
and found that it didn't really address your problem of
editing the registry since you cannot open regedit. I
recalled a fix I had for one of my clients with another
trojan. Here is how to edit this trojan from the registry
(copied and pasted) from
http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w3
Because the worm modified the registry so that you cannot
run the .exe files, first make a copy of the Registry
Editor as a file with the .com extension, and then run
that file.
Windows XP:
Click Start, and then click Run.
Type command, and then press Enter. (A DOS window opens.)
Type the following lines, pressing Enter after typing each
one:
cd\
cd \windows
Proceed to step b of this section.
b) Type the following:
copy regedit.exe reg.com
and then press Enter.
Type the following:
start reg.com
and then press Enter. (The Registry Editor opens in front
of the DOS window.) After you finish editing the registry,
exit the Registry Editor, and then exit the DOS window.
Proceed to the next section, "Editing the registry and
reversing the changes the worm made," only after you have
completed the previous steps.
c. Navigate to each of these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
NOTE: All the keys do not exist on all the systems.
d. In the right pane, delete the value:
WinLoader %windir%\UNWISE.EXE
NOTE: This value may vary. Look for any value that refers
to the files detected as Backdoor.NetTrojan.
e. Exit the Registry Editor.
I hope that combining these two strategies will fix your
problem.
You may also wish to visit www.symantec.com and on this
page go to the link that says Symantec Security Check; it
will scan your system for viruses over the net.
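An added example, not part of the original post or of Symantec's instructions: steps c and d can be checked offline by exporting the registry to a .reg file and scanning the four autorun keys for values that point at the detected file. The sample export, the ExampleTray entry and the function names are constructed for illustration, and the file is assumed to be already decoded to text.

```python
import re

# The four autorun keys listed in step c, compared case-insensitively.
PREFIX = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = {f"{PREFIX}\\{k}".lower()
            for k in ("Run", "RunOnce", "RunServices", "RunServicesOnce")}

# A string value line in a .reg export: "Name"="Data" with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def autorun_values(reg_text):
    """Yield (key, name, data) for string values under the four autorun keys."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # a new section; a key absent from the export is simply never seen
        elif key and key.lower() in RUN_KEYS:
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))

def flag_entries(reg_text, file_names):
    """Return autorun entries whose data mentions any of the given file names."""
    needles = [n.lower() for n in file_names]
    return [(k, n, d) for k, n, d in autorun_values(reg_text)
            if any(x in d.lower() for x in needles)]

# Constructed sample export (not taken from a real system).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLoader"="%windir%\\UNWISE.EXE"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

if __name__ == "__main__":
    for key, name, data in flag_entries(SAMPLE_EXPORT, ["UNWISE.EXE"]):
        print(f"{key}: {name} = {data}")
```

Because the post notes that the value may vary, pass every file name the scanner reported as Backdoor.NetTrojan rather than only UNWISE.EXE.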