Re: Backdoor.ProratD and registry HELP!

From: Mike Burgess (winhelp2002_at_spamthis.com)
Date: 04/07/04


Date: Tue, 6 Apr 2004 21:15:32 -0400

Randy,
Download: Process Viewer [freeware] WinNT/2K/XP/ME/95/98
http://www.xmlsp.com/pview/prcview.htm

Download: KillBox
http://broadbandmedic.com/download/

Log on as Administrator in Safe Mode and use the above to "kill" (delete)
the files.

In extreme cases reboot and press F8 to bring up the Troubleshooting Boot
Menu.
Select: Safe Mode w\Command Prompt and press Enter. Log on as Administrator.

Once you do the above, restart normally and remove the Registry entries (if
they exist).
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 04-02-04]
Please post replies to this Newsgroup, email address is invalid

--
"Randy" <anonymous@discussions.microsoft.com> wrote in message
news:192fa01c41c3a$33eac000$a301280a@phx.gbl...
> I have this virus (backdoor.proratD) which shuts down
> Norton antivirus and
> firewall.  I have 6 corrupted files: windows\winlogon.exe,
> windows\system\service.exe, windows\system32\fservice.exe,
> wincom.exe, wininv.dll and winkey.dll.  I cannot delete
> the .dll files, even in safe mode as I am denied access.
> I am told that the virus exists in the  winkey.dll file.
> I can delete the fservice and sservice, but they are
> regenerated immediately (not so under safe mode, but once
> I reboot normally they are there again).  Registry changes
> noted by norton and sophos I have found and deleted, but
> they too are immediately replaced upon exiting registry,
> again even under safe mode.  Have noted no infestation (or
> odd changes) of win.ini or system.ini files. In the
> registry I notice that the HK
> Root\htafile\shell\open\command is modified with a
> mshta.exe file as is the
> HKLM\software\classes\htafile\shell\open\command key and I
> have read that these are 2 common places for virus
> startup.
>
> My questions are (and excuse the small list):
>
> How do I delete the .dll files?
> What is the mshta.exe file that exists in the WIN system
> 32 file and would deleting its reference from the registry
> hurt?
> How can this virus monitor reg changes and fix them
> immediately, even in safe mode, and can I overcome it?
>
> I have Windows XP Pro with all updates.  I appreciate
> anyone's assistance on this as Norton to date has not been
> any help.
>
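Added example, written by the editor and not part of either poster's message: a read-only PowerShell audit of the two htafile handler keys and the file names named in the thread, plus a two-read check for the "values come straight back" behaviour Randy describes. It assumes a Windows host with PowerShell 5 or later (XP did not ship with it); the function names and the suspect-name list are the editor's own.

```powershell
# Added example, not from the thread: read-only audit of the htafile handler
# keys and file names Randy lists. Assumes Windows with PowerShell 5+;
# the function names and the suspect-name list are the editor's own.

$HandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'
)

# The stock .hta handler is mshta.exe under System32 (or SysWOW64 on x64);
# mshta.exe itself is a legitimate Windows binary, so only the path is judged.
function Get-HtaHandlerState {
    foreach ($key in $HandlerKeys) {
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        # First token, quoted or not, is the executable the handler launches.
        $exe = if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(\S+)') { $Matches[1] } else { $null }
        $stock = ($exe -like "$env:SystemRoot\System32\mshta.exe") -or
                 ($exe -like "$env:SystemRoot\SysWOW64\mshta.exe")
        [pscustomobject]@{ Key = $key; Command = $cmd; Executable = $exe; StockMshta = $stock }
    }
}

# Randy reports the values are put back as soon as he deletes them; read the
# keys twice with a pause in between to catch that behaviour in the open.
function Watch-HtaHandler {
    param([int]$Seconds = 60)
    $before = @(Get-HtaHandlerState)
    Start-Sleep -Seconds $Seconds
    $after  = @(Get-HtaHandlerState)
    for ($i = 0; $i -lt $before.Count; $i++) {
        [pscustomobject]@{
            Key       = $before[$i].Key
            Before    = $before[$i].Command
            After     = $after[$i].Command
            Rewritten = ($before[$i].Command -ne $after[$i].Command)
        }
    }
}

# File names from the post (no paths invented: the whole Windows tree is walked).
function Find-SuspectFiles {
    $names = 'service.exe','fservice.exe','sservice.exe','wincom.exe','wininv.dll','winkey.dll'
    Get-ChildItem -Path $env:SystemRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

Get-HtaHandlerState | Format-Table -AutoSize
Find-SuspectFiles   | Format-Table -AutoSize
```

Run `Watch-HtaHandler -Seconds 60` from the same session, ideally once in normal mode and once in Safe Mode, to see whether the handler values are being rewritten while you watch.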

