Security Incidents mailing list archives
Re: While we're on viruses...
From: AM7 () OPERAMAIL COM (Mohammed Al-Shehri)
Date: Sat, 20 May 2000 05:52:11 -0400
First, click Start, and go to Run. In the box, type regedit and click OK. When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

At the end, click on 'Run' once, and the right hand panel should change. On the right hand side of Regedit, look for the item titled

Loader = "c:\windows\system\***"

The *** will be a random .exe name. Write this down as it is the sub7 server! Right click on that line only and choose delete.

Last, open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

At the end, click on 'RunServices' once, and the right hand panel should change. On the right hand side of Regedit, again look for the item titled the same as above. Right click on that line only and choose delete. Close regedit and reboot your PC.

Close RegEdit and use Windows Explorer to open the file c:\windows\win.ini

Near the top you will see a line starting with run=

If you see a path pointing to the sub7 server here as well, delete it so the line only reads

run=

Save and close the win.ini file, then open your system.ini (also in the c:\windows directory).

Look for a line starting with Shell=explorer.exe

If the Sub7 server name is after this, remove that file name so the line reads exactly

shell=explorer.exe

Save and close system.ini. Restart your computer to remove Sub7 from memory.

Once your computer starts back up, open your C:\windows\system\ directory and find the random file from the above steps. Right-click this file and choose Delete. Then empty your recycle bin.

Anyway ... did you try the AVP anti-virus ???

AM7+

From: Keith McCammon <kmccammon () TIDALWAVE NET>
Subject: While we're on viruses...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

A co-worker came in today and his home PC found "Subseven 22", which can only be the 2.2 beta release. Norton 2000 could not "clean" the virus, but it did delete the infected file. However, with previous versions of SubSeven, the registry changes had to be made before the file was deleted.

Anyone know anything about the latest release of this fine virus? In particular I'm looking for the latest registry fixes and such for total eradication.

Many thanks...

Keith W. McCammon
Network Administrator
Quantum Communications, Inc.
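
The four autostart locations named in the reply above (the Run and RunServices keys, the win.ini run= line and the system.ini shell= line) can be audited in one pass. This is an added example, not part of the original messages: it assumes a regedit REGEDIT4 text export and the text of the two .ini files as input, and every function name and sample value in it is constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" + "\\"
RUN_KEYS = {(PREFIX + k).upper() for k in ("Run", "RunServices")}

def reg_autoruns(reg_text):
    """Yield (subkey, value name, command) for string values under the two keys."""
    key = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.upper() in RUN_KEYS:
            if m := re.match(r'"(.*?)"="(.*)"$', line):
                # .reg exports double every backslash inside a value
                yield ntpath.basename(key), m.group(1), m.group(2).replace("\\\\", "\\")

def ini_value(ini_text, name):
    """Return the text after `name=` (case-insensitive), or '' if the line is absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}[ \t]*=(.*)$", ini_text, re.I | re.M)
    return m.group(1).strip() if m else ""

def audit(reg_text, win_ini, system_ini):
    """Map each executable's file name to the autostart locations that reference it."""
    hits = defaultdict(list)
    for subkey, name, cmd in reg_autoruns(reg_text):
        hits[ntpath.basename(cmd).lower()].append(f"{subkey}:{name}")
    # Assumption: paths contain no spaces, as in the c:\windows\system\ case above.
    for exe in ini_value(win_ini, "run").split():
        hits[ntpath.basename(exe).lower()].append("win.ini run=")
    for exe in ini_value(system_ini, "shell").split():
        if ntpath.basename(exe).lower() != "explorer.exe":  # expected shell value
            hits[ntpath.basename(exe).lower()].append("system.ini shell=")
    return dict(hits)

# Constructed sample data; "example.exe" stands in for the random file name.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loader"="c:\\windows\\system\\example.exe"
"SystemTray"="SysTray.Exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Loader"="c:\\windows\\system\\example.exe"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\system\\example.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe example.exe\n"

if __name__ == "__main__":
    print(audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI))
```

A file name that shows up in several of these locations at once, as example.exe does in the sample, is the entry to review first; a name that appears only once still needs to be checked against what is known to be installed.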