Follow this procedure to remove the Win32 virus completely.
Disable System Restore (Windows Me/XP).
Remove all the entries that the risk added to the hosts file.
Update the virus definitions.
Run a full system scan and delete all the files detected.
Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows Me System Restore
How to turn off or turn on Windows XP System Restore
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.
2. To remove all the entries that the risk added to the hosts file
Navigate to the following location:
Windows 95/98/Me:
%Windir%
Windows NT/2000/XP:
%Windir%\System32\drivers\etc
Notes:
The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
Double-click the hosts file.
If necessary, deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete all the entries added by the risk.
Close Notepad and save your changes when prompted.
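Deciding which hosts entries "the risk added" is easier with a list of everything that is not a stock entry. The script below is an added example, not part of the original write-up or of any vendor tool: it parses a hosts file in the format Windows uses (address, one or more hostnames, optional # comment), skips the default loopback entries, and reports every other mapping, separating entries that sinkhole a name to the loopback address (the usual way a threat blocks updates and security sites) from entries that redirect a name to some other address. The hosts content embedded in it is constructed for the example; the hostnames are placeholders. Python is used rather than a Windows-era batch file because the point is the parsing and the classification, and the script only reads the file.

```python
"""Audit a Windows hosts file for entries that are not stock entries.

Added example, not part of the original removal write-up.  It only reads the
file; deleting lines is still done by hand in Notepad as the procedure says.
"""
import ipaddress
from typing import Dict, List, Tuple

# Entries Windows ships by default; everything else is reported for review.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample hosts file (hostnames are placeholders, not real sites).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example.test        # sinkholed (constructed)
127.0.0.1       av-vendor.example.test     # sinkholed (constructed)
10.0.0.5        www.example.test           # redirected (constructed)
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one pair per hostname or alias.

    Comments (# to end of line), blank lines, lines without a hostname and
    lines whose first field is not a valid IP address are ignored.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address = fields[0]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for host in fields[1:]:
            pairs.append((address, host.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every non-default entry.

    'sinkholed'  - name points at a loopback address (lookups go nowhere)
    'redirected' - name points at some other address (lookups go elsewhere)
    """
    report: Dict[str, List[Tuple[str, str]]] = {"sinkholed": [], "redirected": []}
    for address, host in parse_hosts(text):
        if (address, host) in DEFAULT_ENTRIES:
            continue
        if ipaddress.ip_address(address).is_loopback:
            report["sinkholed"].append((address, host))
        else:
            report["redirected"].append((address, host))
    return report


if __name__ == "__main__":
    # Replace SAMPLE_HOSTS with open(path, encoding="ascii",
    # errors="replace").read() to audit a real file.
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for address, host in entries:
            print(f"{kind}: {host} -> {address}")
```

Run it against each copy of the hosts file you find (the note above says there may be several). Every line it reports deserves a look; a name sinkholed to 127.0.0.1 that you did not add yourself is the kind of entry this step is about.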
3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to and delete the subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RpcRemotes
Navigate to the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
In the right pane, delete the value:
"Ph4nt0m" = "Ph4nt0m"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
In the right pane, reset the value to the original value if applicable:
"Start"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
In the right pane, reset the value to the original value if applicable:
"Start"
Exit the Registry Editor.
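Before (and after) editing by hand, it helps to confirm which of the four registry items in this step are actually present. The script below is an added example, not part of the original write-up or of any Symantec tool: it parses a Registry Editor export (.reg file, the output of File > Export in regedit) and reports the RpcRemotes subkey, the "Ph4nt0m" value under the Setup subkey, and any Start value of the wuauserv or SharedAccess service that differs from an expected baseline. The .reg text embedded in it is constructed for the example (the contents of the RpcRemotes key are a placeholder, since the write-up does not describe them). The expected Start value of 2 (Automatic) is an assumption about a stock Windows XP machine; "reset the value to the original value" above means compare against your own baseline, so change EXPECTED_START if yours differs. The script never writes to the registry.

```python
"""Check a regedit export (.reg) for the registry items listed in step 3.

Added example, not part of the original removal write-up.  Read-only: it
reports what to look at; the deletions are still done in Registry Editor.
"""
import re
from typing import Dict, List, Union

ROOT = "HKEY_LOCAL_MACHINE"
RPCREMOTES_KEY = ROOT + r"\System\CurrentControlSet\Services\RpcRemotes"
SETUP_KEY = ROOT + r"\Software\Microsoft\Windows\CurrentVersion\Setup"
SERVICE_KEYS = {
    "wuauserv": ROOT + r"\SYSTEM\CurrentControlSet\Services\wuauserv",
    "SharedAccess": ROOT + r"\SYSTEM\CurrentControlSet\Services\SharedAccess",
}
# Service Start values as Windows defines them.
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
EXPECTED_START = 2  # assumed stock baseline (Automatic); adjust to your machine

# Constructed sample export; the RpcRemotes content is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemotes]
@="constructed placeholder"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup]
"Ph4nt0m"="Ph4nt0m"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, Union[int, str]]]:
    """Map lower-cased key path -> {lower-cased value name: data}.

    Handles [key] headers, "name"="string" and "name"=dword:hex lines and ;
    comments.  Multi-line hex(...) continuation lines are skipped, which is
    fine here because every value we check is a string or a DWORD.  Key and
    value names are lower-cased because the registry is case-insensitive
    (the write-up itself spells the hive both System and SYSTEM).
    """
    keys: Dict[str, Dict[str, Union[int, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        if data.startswith("dword:"):
            value: Union[int, str] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\")
        else:
            value = data
        keys[current][name.lower()] = value
    return keys


def check_indicators(text: str) -> List[str]:
    """Return one finding per registry item from step 3 that is present."""
    keys = parse_reg(text)
    findings: List[str] = []
    if RPCREMOTES_KEY.lower() in keys:
        findings.append("RpcRemotes service subkey present: delete the subkey")
    if keys.get(SETUP_KEY.lower(), {}).get("ph4nt0m") == "Ph4nt0m":
        findings.append('value "Ph4nt0m" present under CurrentVersion\\Setup: delete the value')
    for service, key in SERVICE_KEYS.items():
        start = keys.get(key.lower(), {}).get("start")
        if isinstance(start, int) and start != EXPECTED_START:
            findings.append(
                f"{service} Start is {start} ({START_NAMES.get(start, 'unknown')}), "
                f"expected {EXPECTED_START} ({START_NAMES[EXPECTED_START]})"
            )
    return findings


if __name__ == "__main__":
    # For a real export use open(path, encoding="utf-16").read(); regedit 5
    # writes .reg files as UTF-16.
    for finding in check_indicators(SAMPLE_REG) or ["nothing from step 3 found"]:
        print(finding)
```

Export HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\Software (or just the four subkeys) before you start, run the script, make the edits, export again and run it once more; an empty result the second time confirms the step is done, and the first export doubles as the backup the Important note asks for.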