||||
Symantec.com > Security Response > Threats and Risks > Trojan.Eurosol
PRINT THIS PAGE

Trojan.Eurosol - Removal

Risk Level 1: Very Low

Printer Friendly Page

Discovered: May 21, 2001
Updated: February 13, 2007 11:46:11 AM
Also Known As: Trojan.Win32.Eurosol
Type: Trojan Horse


To remove this Trojan, attempt to repair files detected as Trojan.Eurosol, restore the shell= line, and delete the keys that it added to the registry.

To scan with Norton AntiVirus:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
  3. If any files are detected as Trojan.Eurosol, choose Repair. If any files cannot be repaired, choose Delete.

To edit the System.ini file:
  1. Click Start, and click Run.
  2. Type the following and then click OK.

    edit c:\windows\system.ini

    The MS-DOS Editor opens.

    NOTE: If you have installed Windows to a different location, make the appropriate substitution.
  3. In the [boot] section of the file, look for an entry similar to the following:

    shell=Explorer.exe <additional text added by Trojan>
  4. Delete all text (on the shell=Explorer.exe line only) that is to the right of Explorer.exe. When you are done, the line should read:

    shell=Explorer.exe
  5. Click File, click Exit, and then click Yes when prompted to save the changes.

To edit the registry:
If ATGuard is installed on your system, you will need to reverse the registry modifications made by the Trojan horse.

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to and delete the following keys:

    HKEY_LOCAL_MACHINE\Software\WRQ\IAM\FirewallObjects\Applications\NETBIO32.EXE

    HKEY_LOCAL_MACHINE\Software\WRQ\IAM\FirewallObjects\IPHosts\ftp.hotbox.ru

    HKEY_LOCAL_MACHINE\Software\WRQ\IAM\FirewallObjects\IPFilterRules\Rule#

    (where Rule# is the Rule key which refers to the information related to ftp.hotbox.ru.)
  4. Click Registry, and then click Exit to save the changes.


Writeup By: Brian Ewell
Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS