Bneo.Trojan - Removal

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions, run a full system scan, and delete all files that are detected as Bneo.Trojan.
2. Delete any values that the Trojan added to the registry.
3. If you are running Windows 95/98/Me, remove any lines that the Trojan added to Win.ini or System.ini.
   

For details on how to do this, read the following instructions.

To scan for and delete the infected files:

1. Obtain the most recent virus definitions. There are two ways to do this:
   • Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
   • Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
     
     Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
     
2. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
   • Norton AntiVirus Consumer products: Read the document How to configure Norton AntiVirus to scan all files.
   • Symantec Enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. If any files are detected as infected by Bneo.Trojan, first write down the file name, and then click Delete.

To remove the values that the Trojan added to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. For each of the following keys
   
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   
   look in the right pane for any values that refer to the file name that was detected as infected with Bneo.Trojan. If you find any such values, delete them.
4. Exit the Registry Editor.

To remove any lines that the Trojan added to Win.ini or System.ini:

This procedure is necessary only if you are running Windows 95/98/Me.

NOTE: (For Windows Me users only) Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.

1. Click Start, and click Run.
2. Type the following, and then click OK.
   
   edit c:\windows\win.ini
   
   The MS-DOS Editor opens.
   
   NOTE: If Windows is installed in a different location, make the appropriate path substitution.
   
3. In the [windows] section of the file, look for the line that begins with
   
   load=
   
   If the line exists, and if it refers to the file name that was detected as infected with Bneo.Trojan, delete the entire line.
4. In the [windows] section of the file, look for the line that begins with
   
   run=
   
   If the line exists, and if it refers to the file name that was detected as infected with Bneo.Trojan, delete the entire line.
5. Click File, and click Save.
6. Click File, and click Exit.
7. Click Start, and click Run.
8. Type the following, and then click OK:
   
   edit c:\windows\system.ini
   
9. Locate the line that begins with shell= .
10. The line should look like this:
    
    shell=explorer.exe
    
    If the line contains any other text--particularly if there is added text that refers to the Trojan--remove all of the other text. The line should look like this when you have finished:
    
    shell=explorer.exe
    
    NOTE: Some computers may have an entry other than Explorer.exe after shell= . If this is the case, and if you are running an alternative Windows shell, then change this line to shell=explorer.exe for now. You can modify it to specify your preferred shell after you have finished this procedure.
    
11. Click File, and click Save.
12. Click File, and click Exit.

Technical Details