Message 2639
Subject: [debunker] Instructions for removing the badtrans.b virus
Date: Wednesday, 28 November 2001 10:06:49 (-0600)
Author: LÚSAR <lusar @.......com>

(Source: http://www.sophos.com/support/faqs/w32badtransb.html)

Instructions for removing W32/Badtrans-B and Troj/PWS-AV

The following instructions can be used to remove W32/Badtrans-B and Troj/PWS-AV from an infected computer.

It is not necessary for a user to double-click on the attachment to become infected as this worm can exploit a security vulnerability in Microsoft Outlook and Outlook Express. To prevent re-infection, users of Microsoft Outlook and Outlook Express should install the following patch available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Preparing for removal

Download and install the virus identity (IDE) files for W32/Badtrans-B and Troj/PWS-AV from the Latest virus identities page.

Please read the FAQ regarding the use of IDE files.

The removal procedure depends upon the version of Windows the infected machine is running.

Removal on Windows NT/2000/XP

1. Open task manager to stop the process used by the worm:

Press CTRL+ALT+DEL. Select 'Task Manager'. Click on the 'Processes' tab.
Highlight the process 'KERNEL32.EXE' and click on 'End Process'.
You will see a confirmation message - click 'Yes'.

2. Use the Sophos Anti-Virus GUI to identify and delete all viral files:

At the Windows taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus.
Ensure 'Local hard drives' or C:\ is selected by highlighting the green indicator light.
From the menu bar, select 'Options' and then 'Configuration'.
There are three tabbed pages. Select the 'Action' page. Check 'Disinfect Boot Sectors', 'Disinfect Documents' and 'Infected Files'. Under 'Infected Files', choose 'Delete' as the action.
Ensure that 'Request Confirmation' is checked. Click OK to return to the main screen.

3. At the main Sophos Anti-Virus screen, click the GO button. Sophos Anti-Virus checks your computer for viruses.

When infected files are found, one of the following messages may appear:

Virus 'W32/Badtrans-B' detected in filename
Do you want to remove the file?

or

Virus 'Troj/PWS-AV' detected in filename
Do you want to remove the file?

When prompted, choose 'Yes' to delete any files if they are infected with W32/Badtrans-B or Troj/PWS-AV. Do NOT attempt to remove files containing any other virus or worm at this stage.

Please note: you may be unable to delete the KDLL.DLL file because the operating system has locked it open. If so, restart your computer and SWEEP the PC again. If you are still having problems please contact Sophos Technical Support or email support@sophos.com.

4. Reverse the registry change that the worm has made:

At the Windows taskbar, select Start|Run. Type in "Regedit" and press return. The registry editor will open.

Before you edit the registry, it is recommended you make a backup. To do this, in the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.

Locate the key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

and delete the following value, if it exists:

Kernel32

it will be pointing to a file called kernel32.exe.

You should now close Registry Editor and restart your machine. Once Windows has restarted, repeat step 3, this time selecting 'Yes' if the message:

Virus 'Troj/PWS-AV' detected in filename
Do you want to remove the file?

is displayed. The file will be removed if it exists. Please note no instances of W32/Badtrans-B should be reported during the second scan. If W32/Badtrans-B is reported during the second scan, contact Sophos Technical Support.

Removal on Windows 95/98/Me

1. Restart your computer in MS-DOS mode:

Click 'Start', and choose 'Shut Down'
Select 'Restart the computer in MS-DOS mode' and click OK. The computer will now restart.

Please note: if you are using Windows Me, this option will not be available to you. Instead, restart your computer with the emergency startup floppy disk supplied with your computer. If you do not have this, create one by clicking Start|Settings|Control Panel|Add/Remove Programs|Startup Disk|Create Disk. Put this disk into your computer and restart it.

2. When the computer has finished loading MS-DOS, you will see a command prompt:

Type "del c:\windows\system\kernel32.exe" and press return.
Type "del c:\windows\system\kdll.dll" and press return.
Type "exit" to restart Windows.

3. Use the Sophos Anti-Virus GUI to confirm affected files have been removed:

At the Windows taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus.
Ensure 'Local hard drives' or C:\ is selected by highlighting the green indicator light.
From the menu bar, select 'Options' and then 'Configuration'.
There are three tabbed pages. Select the 'Action' page. Check 'Disinfect Boot Sectors', 'Disinfect Documents' and 'Infected Files'. Under 'Infected Files', choose 'Delete' as the action.
Ensure that 'Request Confirmation' is checked. Click OK to return to the main screen. Click the green GO button.

If any files are found to be infected with W32/Badtrans-B or Troj/PWS-AV, confirm deletion by choosing 'Yes'. Do NOT attempt to remove files containing any other virus or worm at this stage. If any files are found to be infected with either W32/Badtrans-B or Troj/PWS-AV, perform another SWEEP. If infected files are found on the second SWEEP please contact Sophos Technical Support or email support@sophos.com.

4. Reverse the registry change that the worm has made:

At the Windows taskbar, select Start|Run. Type in "Regedit" and press return. The registry editor will open.

Before you edit the registry, it is recommended you make a backup. To do this, in the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.

Locate the key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

and delete the following value, if it exists:

Kernel32

it will be pointing to a file called kernel32.exe.

You should now close Registry Editor and restart your machine.

Further information

Assuming the above steps have been successful your PC should no longer be infected with the W32/Badtrans-B worm or the Troj/PWS-AV trojan.

Sophos recommends changing passwords on any affected PCs as they may have been stolen by Troj/PWS-AV. This could be considered a serious security breach.

For assistance, please contact Sophos Technical Support or email support@sophos.com.
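
Added example, not part of the original post or of Sophos's instructions: a Python check that the artifacts named in the steps above are gone, run over a Regedit export (such as the backup the steps recommend) and a listing of the Windows system directory. The function names and the sample data are constructed for illustration.

```python
import re

# Artifacts named in the removal steps. Matching is on the exact file name:
# kernel32.dll is a legitimate Windows library, kernel32.exe is the worm's copy.
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "Kernel32"
WORM_FILES = {"kernel32.exe", "kdll.dll"}

# "name"=data line of a Regedit export; names may contain escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Return {key: {value_name: raw_data}} with keys and names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def leftover_artifacts(reg_text, system_dir_listing):
    """List the worm's registry value and files that are still present."""
    findings = []
    runonce = parse_reg_export(reg_text).get(RUNONCE_KEY.lower(), {})
    data = runonce.get(RUNONCE_VALUE.lower())
    if data is not None:
        findings.append(f"registry: RunOnce\\{RUNONCE_VALUE} = {data}")
    present = {name.lower() for name in system_dir_listing}
    findings += [f"file: {name}" for name in sorted(WORM_FILES & present)]
    return findings

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
'''
SAMPLE_LISTING = ["KERNEL32.DLL", "Kdll.dll", "USER32.DLL"]

if __name__ == "__main__":
    for finding in leftover_artifacts(SAMPLE_REG, SAMPLE_LISTING):
        print(finding)
```

An empty result means neither the RunOnce value nor the two files remain. Exports written by Regedit on Windows 2000/XP are UTF-16, so decode the file before passing its text in.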