
Registry Alteration ?


  • Please log in to reply
1 reply to this topic

#1 pstampy


Posted 20 January 2006 - 06:58 AM

The trial version of PC Doctor tells me that I have trojan.proxy.bk, known to Symantec as backdoor.fivesec, in my registry. Though no other AVS or anti-spyware etc. seems to find anything, and I have tried quite a few, e.g. F-Secure, AVG, Spybot, Ad-Aware, and am told Norton can't find this either despite Symantec supposedly having a name for it.

PC Doctor states the trojan is to be found at the following places.

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##Enable File Tracing

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##EnableConsoleTracing

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##FileTracingMask

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##ConsoleTracingMask

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##MaxFileSize

HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##FileDirectory


I have used Regedit and can confirm that they are there in FWCFG along with 2 other items, (Default) and File Directory.

Does anyone know for certain whether it is OK to simply delete the above 5 "infected" items, or could they be essential for something else?
I am very inexperienced in editing the registry and would appreciate any advice. Is there an equivalent of the REM command to temp. disable a line before deleting it? Are there any precautions I should take?

thanks


#2 -David-


Posted 21 January 2006 - 11:46 AM

Hi

This user had a similar problem:
http://www.bleepingcomputer.com/forums/lof...php/t39029.html

I don't think it would be advisable to simply run into the registry and start deleting those values. If you wish to, be my guest, but make sure you back up the registry in case something goes wrong:

I recommend trying this more simple approach to backing up the registry.

1. Click Start / Run and type in "regedit" (no quotes).

2. Next, click the File menu, Export.

3. Select a location from the resulting box and give your backup registry a name. Something like:

Regbackup 01-21-2006. <-- I just put today's date.

Just a quick note: by default, Windows backs up the registry when you shut down your machine. The above is probably best used for those (like myself) who are editing registry settings, such as we are about to do!

If you don't wish to edit the registry, I recommend you follow the HijackThis preparation guide which can be found here. It is important that you follow the guide closely. A number of scans will be run which may well fix your problem.

As the guide says, after you have completed the scans that are recommended, please post your "HijackThis" log in a new topic in the forum found here. Please add your system information and also what problems you are having. Please wait for a few days and one of our experts will get onto fixing your computer for you.

David

Edited by D-Trojanator, 21 January 2006 - 11:46 AM.
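The export step David describes, done from the command line instead of the regedit GUI, as an added example that is not part of either post. It backs up just the FWCFG key named in the first post to a dated .reg file, records the values it currently holds, and checks the backup before anything is deleted; it assumes PowerShell on Windows run from an elevated prompt, since the key lives under HKLM.

```powershell
# Added example (not from the thread): back up one registry key to a dated .reg file
# before editing it, mirroring the "Regbackup <date>" naming suggested in the reply.
# Assumption: run elevated, because the key is under HKLM.
$KeyPath    = 'HKLM\SOFTWARE\Microsoft\Tracing\FWCFG'   # key named in the first post
$BackupDir  = Join-Path $env:USERPROFILE 'Desktop'      # where the .reg file is written
$Stamp      = Get-Date -Format 'MM-dd-yyyy'
$BackupFile = Join-Path $BackupDir "Regbackup FWCFG $Stamp.reg"

# Record what the key currently holds so each value can be compared after any change.
$PsPath = 'Registry::' + $KeyPath
if (-not (Test-Path $PsPath)) { throw "Key not found: $KeyPath" }
Get-ItemProperty -Path $PsPath | Format-List *

# reg.exe export writes a .reg file that regedit (or reg.exe import) can restore from.
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Sanity check: the backup must exist and be non-empty before any value is deleted.
$Info = Get-Item $BackupFile
if ($Info.Length -eq 0) { throw "Backup file is empty: $BackupFile" }
Write-Host "Backed up $KeyPath to $BackupFile ($($Info.Length) bytes)"
Write-Host "To restore: reg.exe import `"$BackupFile`""
```

Keep the .reg file until you are sure the system behaves normally after the edit; double-clicking it in Explorer or running the import command shown re-creates the key and its values as they were.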
