Trojan horse BackDoor.Generic3.EKW
- From: spgandau <spgandau@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 9 Sep 2006 19:14:02 -0700
Windows XP home edition SP2
IE 6.0.2900
AVG free edition
Spybot S&D
My daughter clicked on a link and I got infected with this virus.
I discovered the problem when I used Spybot S&D to scan my machine.
I used AVG free edition to scan the entire computer. There were four
instances of the virus in the System Volume Information\_restore.... location.
I was able to get into the System Volume Information and used AVG to move
the infected files into the Virus Vault.
Next, I re-ran Spybot S&D to get the exact message information related to
the problems discovered.
The registry has been changed by the trojan, and this is where my
question(s) lie:
1. HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2
SpyBot S&D shows that the above line is a security breach, and it directs me
to this line in the registry.
Anyone know where I can get exact information? I have read the MS security
related to a similar version (Generic3.BGG), but the registry keys that
Microsoft refers to are called "wgavm" and "wgareg".... and apparently they
are bogus keys and need to be deleted...??
Question: Is wscsvc a legitimate entry? It would appear that wscsvc was an
added entry created by the trojan, but I am not sure. Can I delete the
entire "wscsvc" key?
2. There are changes made in the antivirus, firewall, and SP2update settings
that shut them down. Any advice on how to correct the registry entries would
be appreciated. I used Control Panel / Security settings, but the firewall
was "locked OFF", and it would appear that I have lost administrator
privileges to reset the firewall to "ON". Is it possible that the wscsvc key
controls these settings?
See below for relevant entries made by Spybot S&D:
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Windows Security Center.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Windows Security Center.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
Any help would be appreciated.
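The Spybot S&D listing above is a set of "key\value!=expected" lines: each names a registry value and the value Spybot expects it to hold (dword:0 for the Security Center "DisableNotify"/"Override" values, dword:1 for the firewall policy's enablefirewall, dword:0 for DoNotAllowXPSP2, and Start=2, i.e. Automatic, for the wscsvc service, which is the Security Center service itself). The script below is an added example, not code from the post or from Spybot: it parses that notation, compares the expected values against a registry snapshot, and renders the expected values as a .reg file for review. The snapshot is constructed to mirror the symptoms the post describes (service disabled, firewall policy off, notifications suppressed); treating Spybot's "W=2" as a DWORD 2 is an assumption, and nothing here touches a live registry.

```python
"""Parse Spybot S&D "<key>\\<value>!=<expected>" findings and audit a snapshot.

Added example, not from the original post. Runs offline against a constructed
snapshot; it never reads or writes a real registry.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    key: str                 # full key path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
    value_name: str          # value under that key, e.g. AntiVirusDisableNotify
    expected: Optional[int]  # expected DWORD, None if the notation was not recognised


# The post's report uses "dword:N" and, for the service Start value, "W=N".
# Assumption: "W=N" is read as a DWORD N (Start: 2 = Automatic, 4 = Disabled).
_DWORD = re.compile(r"^(?:dword:|W=)(\d+)$", re.IGNORECASE)
_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_finding(line: str) -> Optional[Finding]:
    """Turn one 'key\\value!=expected' line into a Finding; None for other lines."""
    line = line.strip()
    if "!=" not in line or not line.upper().startswith("HK"):
        return None
    path, _, raw = line.partition("!=")
    key, _, value_name = path.rpartition("\\")
    hive, _, rest = key.partition("\\")
    key = _HIVES.get(hive.upper(), hive) + "\\" + rest  # expand HKLM-style abbreviations
    m = _DWORD.match(raw)
    return Finding(key, value_name, int(m.group(1)) if m else None)


def parse_report(text: str) -> List[Finding]:
    """Parse every registry line in a Spybot report; description lines are skipped."""
    return [f for f in (parse_finding(line) for line in text.splitlines()) if f]


# (key, value_name) -> current DWORD, or None when the value is absent
Snapshot = Dict[Tuple[str, str], Optional[int]]


def audit(findings: List[Finding], snapshot: Snapshot) -> List[Tuple[Finding, Optional[int]]]:
    """Return (finding, current) pairs whose current value differs from the expected one."""
    current_by = {(k.lower(), v.lower()): cur for (k, v), cur in snapshot.items()}
    deviations = []
    for f in findings:
        current = current_by.get((f.key.lower(), f.value_name.lower()))
        if f.expected is not None and current != f.expected:
            deviations.append((f, current))
    return deviations


def to_reg_file(findings: List[Finding]) -> str:
    """Render the expected values in Regedit 5 .reg syntax, grouped by key, for review."""
    by_key: Dict[str, List[Finding]] = {}
    for f in findings:
        if f.expected is not None:
            by_key.setdefault(f.key, []).append(f)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, fs in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{f.value_name}"=dword:{f.expected:08x}' for f in fs)
        lines.append("")
    return "\n".join(lines)


# The registry lines from the post's Spybot listing, rejoined (constructed input).
REPORT = r"""
HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
"""

_SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
_FW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall"

# Constructed snapshot mirroring the post's symptoms; not taken from a real machine.
SNAPSHOT: Snapshot = {
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc", "Start"): 4,  # Disabled
    (_SC, "AntiVirusDisableNotify"): 1,
    (_SC, "AntiVirusOverride"): 1,
    (_FW + r"\domainprofile", "enablefirewall"): 0,    # policy forces firewall off
    (_FW + r"\standardprofile", "enablefirewall"): 0,
    (_SC, "FirewallDisableNotify"): 1,
    (_SC, "FirewallOverride"): None,                   # value missing entirely
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2"): 1,
    (_SC, "UpdatesDisableNotify"): 0,                  # still at its expected value
}

if __name__ == "__main__":
    found = parse_report(REPORT)
    for f, cur in audit(found, SNAPSHOT):
        print(f"{f.key}\\{f.value_name}: current={cur!r} expected={f.expected}")
    print(to_reg_file(found))
```

Reviewing the audit output before applying anything is the point of the .reg rendering: the firewall lines live under a Policies key, so a value there overrides the Control Panel switch, which matches the "locked OFF" behaviour the post describes, and restoring a policy value is a different action from re-enabling the service.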
- Follow-Ups:
- Re: Trojan horse BackDoor.Generic3.EKW
- From: David H. Lipman
- RE: Trojan horse BackDoor.Generic3.EKW
- From: Panda_man
- Re: Trojan horse BackDoor.Generic3.EKW