Trojan.Trafbrush removal tips...
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Back up your system registry.
4. Restart your system in safe mode.
5. Run a full system scan.
6. Delete these values and registry subkeys added to the registry.
* HKEY_CLASSES_ROOT\Brushy.brush.1
* HKEY_CLASSES_ROOT\Brushy.brush
* HKEY_CLASSES_ROOT\CLSID\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF}
* HKEY_CLASSES_ROOT\TypeLib\{F54A0656-1D23-4FC1-883E-E68E4CD29566}
* HKEY_CLASSES_ROOT\Interface\{5A1F62AE-0E47-4547-8E5C-AC73FE58C9AE}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF}
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\"ImagePath" = "%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\"ImagePath" = "%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations\"SUCCESS" = "%UserProfile%\Local Settings\Temp\v22.exe"
Stop all services created by this Trojan.
1. Click Start > Run.
2. Type services.msc, and then click OK.
3. Locate and select the service that was detected.
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\"ImagePath" = "%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\"ImagePath" = "%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys"
4. Click Action > Properties.
5. Click Stop.
6. Change Startup Type to Manual.
7. Click OK and close the Services window.
8. Restart the computer.
Source: Symantec
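One way to narrow down which service entry fits the randomly named pattern listed above, as an added example that is not part of the original post or of Symantec's write-up: the Python below parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` and flags services named six letters plus two digits whose ImagePath points at a .sys file under a drivers folder. The sample output and the name qwerty42 are constructed, and requiring the service name and driver file name to be identical is an assumption drawn from the page's placeholders.

```python
import re

# Constructed sample of `reg query ... /s /v ImagePath` output.
# "qwerty42" is a made-up name for illustration, not a real indicator.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\drivers\afd.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwerty42
    ImagePath    REG_EXPAND_SZ    \??\C:\WINDOWS\system32\drivers\qwerty42.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abcdef12
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abcdef12\Parameters
    ImagePath    REG_SZ    system32\drivers\zzzzzz99.sys
"""

# Service key directly under Services in CurrentControlSet or ControlSetNNN.
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
                    r"\\Services\\([^\\]+)$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+ImagePath\s+REG_\w+\s+(.+)$", re.IGNORECASE)
# Page pattern: [SIX RANDOM LETTERS][TWO RANDOM NUMBERS], driver under ...\drivers\.
NAME_RE = re.compile(r"^[A-Za-z]{6}[0-9]{2}$")
DRIVER_RE = re.compile(r"(?:^|\\)drivers\\([A-Za-z]{6}[0-9]{2})\.sys$", re.IGNORECASE)

def parse_image_paths(text):
    """Yield (key, service_name, image_path) for each service-level ImagePath."""
    key = name = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            m = KEY_RE.match(stripped)
            # Subkeys (e.g. ...\Parameters) reset the context so their values are skipped.
            key, name = (stripped, m.group(1)) if m else (None, None)
            continue
        v = VALUE_RE.match(line)
        if v and key:
            yield key, name, v.group(1).strip().strip('"')

def suspicious_services(text):
    """Return (key, image_path) pairs matching the page's naming pattern."""
    hits = []
    for key, name, path in parse_image_paths(text):
        d = DRIVER_RE.search(path)
        # Assumption: the service and its driver file share the same random name.
        if NAME_RE.match(name) and d and d.group(1).lower() == name.lower():
            hits.append((key, path))
    return hits

if __name__ == "__main__":
    for key, path in suspicious_services(SAMPLE):
        print(f"review: {key} -> {path}")
```

A hit is a candidate for review against the scan results, not proof of infection, since a legitimate driver could happen to fit the same naming shape.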