Re: Trojan horse BackDoor.Generic3.EKW
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Sun, 10 Sep 2006 08:26:27 -0400
From: "spgandau" <spgandau@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Windows XP home edition SP2
| IE 6.0.2900
| AVG free edition
| Spybot S&D
|
| My daughter clicked on a link and I got infected with this virus.
| I discovered the problem when I used Spybot S&D to scan my machine.
| I used AVG free edition to scan the entire computer. There were four
| instances of the virus in the System Volume Information\_restore.... location.
| I was able to get into the System Volume Information and used AVG to move
| the infected files into the Virus Vault.
|
| Next, I re-ran Spybot S&D to get the exact message information related to
| the problems discovered.
| The registry has been changed by the trojan, and this is where my
| question(s) lie:
|
| 1. HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2
| SpyBot S&D shows that the above line is a security breach, and it directs me
| to this line in the registry.
|
| Anyone know where I can get exact information? I have read the MS security
| related to a similar version (Generic3.BGG), but the registry keys that
| Microsoft refers to are called "wgavm" and "wgareg".... and apparently they
| are bogus keys and need to be deleted...??
|
| Question: Is wscsvc a legitimate entry? It would appear that wscsvc was an
| added entry created by the trojan, but I am not sure. Can I delete the
| entire "wscsvc" key?
|
| 2. There are changes made in the antivirus, firewall, and SP2update settings
| that shut them down. Any advice on how to correct the registry entries would
| be appreciated. I used Control Panel / Security settings, but the firewall
| was "locked OFF", and it would appear that I have lost administrator
| privileges to reset the firewall to "ON". Is it possible that the wscsvc key
| controls these settings?
|
| See below for relevant entries made by Spybot S&D:
|
| Windows Security Center.AntiVirusDisableNotify: Settings (Registry change,
| nothing done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
|
| Windows Security Center.AntiVirusOverride: Settings (Registry change,
| nothing done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
|
| Windows Security Center.FirewallDisabled: Settings (Registry change, nothing
| done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
|
| Windows Security Center.FirewallDisabled: Settings (Registry change, nothing
| done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
|
| Windows Security Center.FirewallDisableNotify: Settings (Registry change,
| nothing done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
|
| Windows Security Center.FirewallOverride: Settings (Registry change, nothing
| done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
|
| Windows Security Center.SP2Update: Settings (Registry change, nothing done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
|
| Windows Security Center.UpdateDisableNotify: Settings (Registry change,
| nothing done)
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
|
| Any help would be appreciated.
Trojan horse BackDoor.Generic3.EKW is not a virus. As the name indicates, it was a Trojan.
C:\System Volume Information\_restore
Is the System Restore cache. If it was in the System Restore cache, then it must have been
on the system to be cached, but you don't note it present.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
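The registry values Spybot S&D listed in the quoted post can be audited and restored with a short script. The PowerShell below is an added example and is not part of the original post or of Dave's reply. The key paths and expected values are taken directly from Spybot's "Key\Value!=dword:N" lines above (Spybot's notation means "this value should be N but is not"); the remediation choices are this example's own assumptions: plain Security Center values are set back to 0, values under HKLM\SOFTWARE\Policies (which a stand-alone home PC does not carry by default, and which malware plants to force the firewall off and block SP2) are deleted rather than edited, and the wscsvc service, which is the Security Center service itself and is normally Start=2 (Automatic), is set back to Automatic and started. Run it in an elevated PowerShell on the affected machine; without -Fix it only reports.

```powershell
<#
  Added example, not code from the original post or from Dave's reply.
  Audits the registry values Spybot S&D flagged and, with -Fix, restores them.
  Paths and expected values come from the Spybot output quoted above; the
  Set/Delete remediation policy and the wscsvc handling are assumptions.
#>
[CmdletBinding()]
param([switch]$Fix)

# Kind 'Set'   : ordinary Security Center setting, restore to the listed value.
# Kind 'Delete': a Policies\ value a home PC never has by default; treat a
#                malware-planted policy as something to remove, not edit.
#                For 'Delete' entries an absent value counts as healthy.
$Checks = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusDisableNotify'; Want=0; Kind='Set' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusOverride';      Want=0; Kind='Set' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallDisableNotify';  Want=0; Kind='Set' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallOverride';       Want=0; Kind='Set' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='UpdatesDisableNotify';   Want=0; Kind='Set' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name='EnableFirewall';  Want=1; Kind='Delete' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name='EnableFirewall';  Want=1; Kind='Delete' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';           Name='DoNotAllowXPSP2'; Want=0; Kind='Delete' }
)

# Returns the DWORD stored at Path\Name, or $null if the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $Checks) {
    $cur   = Get-RegValue $c.Path $c.Name
    $ok    = (($null -eq $cur) -and ($c.Kind -eq 'Delete')) -or ($cur -eq $c.Want)
    $state = if ($null -eq $cur) { '<absent>' } else { $cur }
    $flag  = if ($ok) { 'ok      ' } else { 'MISMATCH' }
    Write-Host ("{0}  {1}\{2} = {3} (expected {4})" -f $flag, $c.Path, $c.Name, $state, $c.Want)
    if ($ok -or -not $Fix) { continue }
    if ($c.Kind -eq 'Delete') {
        Remove-ItemProperty -Path $c.Path -Name $c.Name
    } else {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
}

# wscsvc is the Security Center service (DisplayName "Security Center");
# Start=2 (Automatic) is its normal value, so the key itself is legitimate.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
$start  = Get-RegValue $svcKey 'Start'
$svc    = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "wscsvc: service not registered (Start=$start)"
} else {
    Write-Host ("wscsvc: DisplayName='{0}' Start={1} Status={2}" -f $svc.DisplayName, $start, $svc.Status)
    if ($Fix) {
        Set-Service -Name wscsvc -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name wscsvc }
    }
}
```

Restoring these values only undoes what the trojan changed in the registry; it does not remove the trojan, so run it after the cleanup Dave describes, then re-run Spybot S&D to confirm the entries no longer appear.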