Virus



#1 David Selig

Posted 02 July 2005 - 01:59 AM

Hello there. I have recently had a message informing me that my computer had been infected by the virus
w32.toxbot
I run Windows XP Service Pack 1. I believe the virus may have infected during a 10 min time when I switched off Norton IS Firewall...
I have been to the following page
securityresponse.symantec.com/avcenter/venc/data/w32.toxbot.html
and tried to follow the instructions, and although the virus notification has disappeared, and a Norton Anti-Virus scan shows clean, I still seem to have some of the registry keys present etc etc.
Does anyone have any ideas? I realise that this discussion is for Spyware, do you have any ideas where I can find help on the worm/virus problem?
Many thanks for any help,
David.


#2 Rimmer

Posted 02 July 2005 - 03:03 AM

Hi David,
Did you do this bit?

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document, "How to make a backup of the Windows registry," for instructions.

  1. Click Start > Run.
  2. Type regedit, then click OK.

  3. Navigate to the subkeys:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\[RANDOM FILE NAME]
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\[RANDOM FILE NAME]

  4. In the right pane, delete the value:

      "[DEFAULT]" = "Service"

  5. Navigate to and delete the registry subkeys:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM FILE NAME]
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP Client

  6. Exit the Registry Editor.


If so what entries are you seeing?

Soltek QBIC, Pentium 4 3.0GHz, 512MB RAM, 200GB SATA HDD, ATI Radeon 9600XT 256MB, Netgear 54Mb/s WAP, ridiculously expensive Satellite Broadband
Windows XP Home SP2, Trend Micro Internet Security, Firefox, Thunderbird, AdAwareSE, Spybot S&D, SpywareBlaster, A-squared Free, Ewido Security Suite.

#3 David Selig

Posted 03 July 2005 - 08:35 AM

Thanks for your answer. Yes, I tried this stage, and got the following results:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\[RANDOM FILE NAME]
DELETED OK

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\[RANDOM FILE NAME]
DELETED OK

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM FILE NAME]
COULD NOT DELETE

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM FILE NAME]
NOT FOUND

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client
DELETED OK

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client
DELETED OK

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP Client
COULD NOT DELETE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP Client
DELETED OK

So, what other steps could I take? Any way of removing the added services?

Thanks again for your help, David.
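A read-only audit of the keys the removal steps in this thread refer to, added here as an example (it is not from the thread, from Symantec's write-up, or from BleepingComputer): it lists every service-type entry under the two SafeBoot keys, cross-checks each one against its Services and Enum\Root\LEGACY_* keys, and exports each hit with reg.exe before anything is deleted by hand, as the write-up advises. The backup folder and the rule for deriving the LEGACY_ name (upper-case, spaces to underscores) are assumptions.

```powershell
# Added audit script (not from this thread or from Symantec). Read-only apart
# from the .reg backups it writes. Run from an elevated PowerShell prompt.
$BackupDir = 'C:\RegBackup'          # assumed location for the backups
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$Base = 'HKLM:\SYSTEM\CurrentControlSet'
$SafeBootKeys = @("$Base\Control\SafeBoot\Minimal", "$Base\Control\SafeBoot\Network")

$results = foreach ($sb in $SafeBootKeys) {
    Get-ChildItem -Path $sb -ErrorAction SilentlyContinue | ForEach-Object {
        $name    = $_.PSChildName
        $default = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($default -ne 'Service') { return }   # driver/class entries are out of scope

        # Assumed naming rule for the LEGACY_ key: upper-case, spaces -> underscores
        $legacyName = $name.ToUpper() -replace ' ', '_'
        $svcKey     = "$Base\Services\$name"
        $legacyKey  = "$Base\Enum\Root\LEGACY_$legacyName"
        $svc        = Get-Service -Name $name -ErrorAction SilentlyContinue
        $img        = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath

        # Back up every key the manual steps would touch before anyone deletes it.
        foreach ($k in @("$sb\$name", $svcKey, $legacyKey)) {
            if (Test-Path $k) {
                $native = $k -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
                $file   = Join-Path $BackupDir (($k -replace '[:\\ ]', '_') + '.reg')
                & reg.exe export $native $file /y | Out-Null
            }
        }

        $svcState    = if (Test-Path $svcKey)    { 'present' } else { 'not found' }
        $legacyState = if (Test-Path $legacyKey) { 'present' } else { 'not found' }
        $status      = if ($svc) { [string]$svc.Status } else { 'no service object' }

        [pscustomobject]@{
            SafeBootEntry = "$sb\$name"
            ServiceKey    = $svcState
            LegacyKey     = $legacyState
            ImagePath     = $img       # where the service binary actually lives
            Status        = $status    # Running / Stopped / no service object
        }
    }
}

$results | Format-Table -AutoSize
```

For the entries the thread reports as COULD NOT DELETE, the Status column shows whether a live service object still exists for that name, and the Enum\Root\LEGACY_* keys are read-only to administrators by default on XP, which is the usual reason a regedit delete fails there.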
