Backdoor.NTHack - Removal

Risk Level 1: Very Low

Discovered: March 15, 2001
Updated: February 13, 2007 11:37:40 AM
Type: Trojan Horse


To remove this worm, delete any files detected as Backdoor.NTHack and delete the value NewGina from the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


NOTE: If the hard drive is configured for NTFS, to be able to delete or rename any of the infected files, you must add the group "Everyone" to each of the files, assign special access, and enable the full set of privileges. Then restart the computer to take ownership of the files and allow removal of the infected files.

To remove the worm:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
  3. Delete any files that are detected as Backdoor.NTHack.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys that are specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and then click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  4. In the right pane, delete the following value:

    NewGina
  5. Navigate in turn to each of the following keys, and delete the value that is indicated for each one:

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\os2srv\parameters
    Value: firestarter  <path to sud.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\index\parameters\
    Value: firestarter  <path to remscan.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\index
    Value: image path <path to fire demon.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\application\index
    Value: event message file <path to fire demon.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\application\mmtask
    Value: event message file <path to fire demon.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog\application\os2srv
    Value: event message file <path to fire demon.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\mmtask
    Value: image path <path to fire demon.exe>

    Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\os2srv
    Value: imagepath <path to fire demon.exe>
  6. Click Registry, and click Exit.
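An audit script for the registry locations listed in the steps above, added here as an example and not part of this writeup. It is read-only: it reports which of the named values are present and whether the file each one points at still exists on disk, so the result can be compared against the scan before anything is deleted by hand. The key and value names come from the steps above; it is an assumption of this script that "image path" and "event message file" are stored under the standard names ImagePath and EventMessageFile, so both spellings are checked.

```powershell
# Read-only audit of the registry locations named in the removal steps.
# Nothing is deleted; removal stays a manual step as described above.
$Checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Values = @('NewGina') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\os2srv\parameters'
       Values = @('firestarter') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\index\parameters'
       Values = @('firestarter') },
    # Assumption: "image path" / "event message file" in the writeup are the
    # standard service values ImagePath / EventMessageFile; check both spellings.
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\index'
       Values = @('ImagePath', 'image path') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\mmtask'
       Values = @('ImagePath', 'image path') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\os2srv'
       Values = @('ImagePath', 'image path') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\EventLog\Application\index'
       Values = @('EventMessageFile', 'event message file') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\EventLog\Application\mmtask'
       Values = @('EventMessageFile', 'event message file') },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\EventLog\Application\os2srv'
       Values = @('EventMessageFile', 'event message file') }
)

function Get-NTHackArtifact {
    foreach ($check in $Checks) {
        if (-not (Test-Path -LiteralPath $check.Key)) { continue }   # key absent: nothing to report
        $item = Get-ItemProperty -LiteralPath $check.Key
        foreach ($name in $check.Values) {
            $prop = $item.PSObject.Properties[$name]                  # lookup is case-insensitive
            if ($null -eq $prop) { continue }
            # Expand %SystemRoot%-style references and isolate the executable/DLL path
            # (quoted or unquoted, arguments stripped) so it can be checked on disk.
            $raw = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            $file = $raw.Trim('"')
            if ($file -match '^(?<p>.+?\.(exe|dll))\b') { $file = $Matches.p }
            [pscustomobject]@{
                Key        = $check.Key
                Value      = $name
                Data       = $raw
                FileOnDisk = Test-Path -LiteralPath $file
            }
        }
    }
}

Get-NTHackArtifact | Format-Table -AutoSize
```

Run from an elevated prompt so every key under Services is readable; on a clean system the os2srv, index and mmtask service keys do not exist at all, so any row for them is a finding, whereas an ImagePath value under a legitimate service is normal.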


Writeup By: Cary Ng