Discovered: September 10, 1998
Updated: February 13, 2007 11:49:14 AM
Type: Trojan Horse
To remove this Trojan, you need to:
- Run LiveUpdate and then run a full system scan. Delete any files detected as Netbus.160.W95.
- Restart the computer in Safe Mode, and remove the reference from the registry.
- Run another full system scan with NAV.
Here are detailed instructions. Please follow the instructions in each section.
To scan with NAV:
- Run LiveUpdate to make sure that you have the most recent virus definitions.
- Start NAV, and run a full system scan, making sure that NAV is set to scan all files.
- If any files are detected as Netbus.160.W95, write down their locations, and then delete them.
NOTE: If the file is in use, NAV may not be able to delete it. In this case, choose Ignore, and then go on to the next section.
To restart the computer in Safe Mode:
To restart the computer in Safe Mode, follow the steps for your version of Windows. When you finish this, proceed to the next section.
NOTE: In Safe Mode, Windows uses default settings (VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows). You will not have access to CD-ROM drives, printers, or other devices.
- Windows 95
  - Exit all programs, and then shut down the computer.
  - Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
  - When you see the "Starting Windows 95" message, press F8.
  - Type the number for Safe Mode, and then press Enter.
- Windows 98
  - Click Start, and then click Run.
  - Type msconfig and then click OK. The System Configuration Utility dialog box appears.
  - Click the General tab, and click Advanced.
  - Check Enable Startup Menu, click OK, and then click OK again.
  - Exit all programs, and then shut down the computer.
  - Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
  - Turn on the computer, and then wait for the menu.
  - Type the number for Safe Mode, and then press Enter.
- Windows 2000
  - Exit all programs, and then shut down the computer.
  - Turn off the power, and then wait 30 seconds. You must turn off the power to remove the virus from memory. Do not use the reset button.
  - As the computer restarts, you will see a continuous line along the bottom of the screen that looks similar to this: |||||||||||||||||||||||||||||. Beneath this line you will see the text, "For trouble-shooting and advanced startup options for Windows 2000, press F8." Immediately press F8.
  - Type the number for Safe Mode, and then press Enter.
To edit the registry:
Please follow these steps to remove the entry that the Trojan placed in the registry \Run key:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document "How to back up the Windows registry" before proceeding.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to the following key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, look for the entry that refers to the file in which the Trojan was detected. It should look similar to one of the following:
  - If the Trojan was found in the file MyComputer.exe:
    (Default) "C:\Windows\MyComputer.exe"
    Right-click the entry, press Delete, and then click Yes to confirm.
    NOTE: In some cases, this will not be the only value that begins with (Default). Make sure that you select the correct one. If you select the (Default) entry that indicates (value not set), you will not be able to delete it (this is by design).
  - If the Trojan was found in Hacker411.exe:
    Hacker411 "C:\Windows\System\Hacker411.exe"
    Right-click the entry, press Delete, and then click Yes to confirm.
    NOTE: The path to \Hacker411.exe may differ.
- Exit the Registry Editor.
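To cross-check the Run key against the file locations written down during the first scan, the following Python script is an added example (not part of the original writeup or of NAV). It assumes the Run key has been saved as a REGEDIT4-format export; the sample export text, the function names, and the noted paths are constructed for illustration.

```python
import re

# Constructed sample of a REGEDIT4-format export; not taken from a real system.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Windows\\MyComputer.exe"
"SystemTray"="SysTray.Exe"
"Hacker411"="c:\\windows\\system\\hacker411.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Demo]
"DisplayName"="Demo"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# name is @ (the Default value) or a quoted string; data is a quoted string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", text)


def run_entries(export_text):
    """Yield (name, data) for each string value directly under the Run key."""
    in_run = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; subkeys and other keys are skipped.
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        match = VALUE_RE.match(line) if in_run else None
        if match:
            name = match.group(1)
            # An unset (Default) has no @= line, so it never shows up here.
            name = "(Default)" if name == "@" else unescape(name[1:-1])
            yield name, unescape(match.group(2))


def flag_entries(export_text, detected_paths):
    """Return the Run entries whose data names a file the scan detected."""
    detected = [path.lower() for path in detected_paths]
    return [(name, data) for name, data in run_entries(export_text)
            if any(path in data.lower() for path in detected)]


if __name__ == "__main__":
    noted = [r"C:\Windows\MyComputer.exe", r"C:\Windows\System\Hacker411.exe"]
    for name, data in flag_entries(SAMPLE_EXPORT, noted):
        print(f"delete value {name!r}: {data}")
```

Only values directly under the Run key are reported, and the comparison ignores case because Windows paths are case-insensitive.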
To run a full system scan:
To be sure that there are no other infected files on the computer, run another full system scan. If you were not able to delete the Trojan during the initial scan, you will be able to do so now.
(Optional) Windows 98 users only
If you used the Microsoft System Configuration Utility to enable the startup menu, you can now disable it. Please follow these steps:
- Click Start, and click Run.
- Type msconfig and then click OK. The System Configuration Utility dialog box appears.
- Click the General tab, and click Advanced.
- Uncheck Enable Startup Menu, click OK, and then click OK again.
- Restart the computer.
Writeup By: George Koris