Trojan.Laorenshen - Removal

Risk Level 1: Very Low


Discovered: July 9, 2003
Updated: February 13, 2007 12:03:36 PM
Also Known As: W32.Laorenshen.Trojan, Trojan.Win32.Laoshen.a [Kaspersky], Laoren [McAfee], TROJ_LARENSHEN.A [Trend Micro], Troj/Laoshen-A [Sophos]
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


If this Trojan is executed, it makes numerous changes to the Windows registry. If your virus definitions are current and your Symantec antivirus product detects Trojan.Laorenshen when it attempts to execute, delete it. If the Trojan has already run, removal can be difficult.

When Trojan.Laorenshen is executed, it makes numerous changes to the Windows registry. These changes prevent you from running any .exe, .com, .bat, or .reg file, so no normal 32-bit Windows Portable Executable (PE) program can be launched. As a result, the workaround that is often used for Trojans that break only the .exe association (copying Regedit.exe to Regedit.com so that it runs under the still-intact .com association) does not work here, because the .com association is broken as well. However, 16-bit applications can still be executed, and the procedure below uses them to repair the registry.

NOTE: The following procedure is complex. Unless you are highly proficient in working with DOS commands and have a good understanding of the Windows file structure, we suggest that you obtain the services of a qualified computer professional.

Removal procedure

Before you begin, click OK on every open message box that the Trojan has displayed. If any are left open, the Trojan's file remains locked and cannot be overwritten in step 3 below. As an alternative on NT-based systems (Windows NT/2000/XP/Server 2003), you can end the Trojan's processes instead.
  1. Start the Registry Editor and reverse the registry changes.
  2. Disable System Restore (Windows Me/XP).
  3. Update the virus definitions.
  4. Run a full system scan and delete all the files detected as Trojan.Laorenshen.

For specific details on each of these steps, read the following instructions.

1. Starting the Registry Editor and reversing the registry changes
  1. Do one of the following, depending on the version of Windows you are running:
    • Windows 95/98: Click Start, point to Programs, and then click MS-DOS Prompt.
    • Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
    • Windows NT/2000/XP: Click Start, click Run, type command (not cmd; this starts the 16-bit command interpreter), and then press Enter.

  2. Change to the %System% folder, in which Laorenshen.exe is located. The command varies with your operating system and with where Windows is installed.

    The following are the standard installation paths and the required commands; each assumes that the current drive is the one on which Windows is installed. Type the appropriate command, and then press Enter:

    Windows 95/98/Me: cd \Windows\System

    Windows NT/2000: cd \Winnt\System32

    Windows XP: cd \Windows\System32

  3. Type the following, and then press Enter. This overwrites the Trojan's file with a copy of the Registry Editor, which is located in the parent (Windows) folder. If the copy is refused, a Trojan message box is still open or its process is still running; see the note above.

    copy ..\regedit.exe laorenshen.exe

  4. Type the following, and then press Enter. This opens the MS-DOS Editor, a 16-bit program that the Trojan does not block, on a new file named fix.reg in the root of the current drive:

    edit \fix.reg

  5. Type the following:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\CLASSES\.reg]
    @="regfile"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\.exe]
    @="exefile"


  6. Click File, and then click Save.

  7. Click File, and then click Exit.

  8. Type the following, and then press Enter. This merges fix.reg into the registry, restoring the .reg and .exe associations; confirm the prompt to add the information to the registry.

    start \fix.reg

  9. Type the following, and then press Enter.

    start regedit.exe

    The Registry Editor opens.

  10. Now you can reverse all the other changes that were made to the registry, as listed in step 3 of the Technical Details section. The correct values can vary with the Windows version and installation path. If in doubt, compare against the registry of a clean computer that runs the same operating system with the same installation paths to determine what the values should be.

  11. Delete all the keys that were added to the registry as mentioned in step 3 of the Technical Details section.

  12. Exit the Registry Editor when done.

  13. Type the following, and then press Enter:

    del \fix.reg

  14. Type the following, and then press Enter. This removes the copy of the Registry Editor that you made in step 3; the scan in section 4 removes any remaining Trojan files:

    del laorenshen.exe

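The fix.reg in step 5 restores only the .reg and .exe handlers; steps 10 and 11 leave the remaining keys to be repaired by hand against a known-good registry. The following script is an added example, not part of this writeup and not Symantec code. It parses a registry export in the REGEDIT4 or "Windows Registry Editor Version 5.00" format and reports every handler whose default value differs from what is expected, so you can see what is still wrong after merging fix.reg. The expected values in DEFAULT_ASSOCIATIONS are an assumption: they are the usual Windows defaults for these handlers, but, exactly as step 10 advises, confirm them on a clean machine of the same Windows version. The tampered export it ships with is a constructed sample with made-up handler names and paths, not the values Trojan.Laorenshen actually writes. Once the Registry Editor runs again, export the real keys with regedit /e assoc.reg HKEY_LOCAL_MACHINE\Software\Classes and pass that file (and fix.reg, if you want to see what it fixes) on the command line.

```python
"""Check the handlers Trojan.Laorenshen breaks against a .reg export (REGEDIT4 or 5.00 format)."""
import re

# ASSUMPTION: usual Windows defaults for these handlers. Confirm them against a
# clean machine with the same Windows version, as step 10 of the procedure says.
DEFAULT_ASSOCIATIONS = {
    r"HKEY_LOCAL_MACHINE\Software\Classes\.exe": "exefile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\.com": "comfile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\.bat": "batfile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\.reg": "regfile",
    r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command": '"%1" %*',
    r"HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command": 'regedit.exe "%1"',
}
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # [HKEY...] or [-HKEY...] (delete)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=... or "name"=...

def _unescape(s):
    """Undo the backslash escaping regedit uses inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)

def load_export(path):  # XP exports are UTF-16 with a BOM; Win9x/Me REGEDIT4 files are ANSI
    data = open(path, "rb").read()
    return data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")

def parse_reg(text):
    """Parse .reg text into {key.lower(): {name: value}}; "@" is the default value and a
    deleted key maps to None. Keys are lowercased: the registry compares them case-insensitively."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg export: missing REGEDIT4 / Version 5.00 header")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            deleted, name = m.groups()
            current = name.lower()
            keys[current] = None if deleted else (keys.get(current) or {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or keys[current] is None or not m:
            continue   # value outside any key, under a deleted key, or an unparsed line
        name, rhs = m.groups()
        name = "@" if name == "@" else _unescape(name[1:-1])
        if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            value = _unescape(rhs[1:-1])         # REG_SZ
        elif rhs.startswith("dword:"):
            value = int(rhs[6:], 16)             # REG_DWORD
        else:
            value = None if rhs == "-" else rhs  # "-" deletes the value; other types kept raw
        keys[current][name] = value
    return keys

def merge_exports(*texts):
    """Apply .reg files in order, later ones overriding, as regedit would when merging them."""
    merged = {}
    for text in texts:
        for key, values in parse_reg(text).items():
            merged[key] = None if values is None else {**(merged.get(key) or {}), **values}
    return merged

def check_associations(*texts, expected=DEFAULT_ASSOCIATIONS):
    """Return (key, found_default, expected_default) for every handler that is missing or wrong."""
    keys = merge_exports(*texts)
    findings = []
    for key, want in expected.items():
        values = keys.get(key.lower())
        found = None if values is None else values.get("@")
        if found != want:
            findings.append((key, found, want))
    return findings

# Constructed sample of a tampered export: the handler name and path are made up for
# illustration and are not what Trojan.Laorenshen actually writes.
TAMPERED_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\.exe]
@="hijackedfile"
[HKEY_LOCAL_MACHINE\Software\CLASSES\.com]
@="hijackedfile"
[HKEY_LOCAL_MACHINE\Software\CLASSES\.bat]
@="hijackedfile"
[HKEY_LOCAL_MACHINE\Software\CLASSES\.reg]
@="hijackedfile"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\hijack.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="regedit.exe \"%1\""
"""
# The fix.reg from step 5 of the procedure, verbatim.
FIX_REG = ("REGEDIT4\n[HKEY_LOCAL_MACHINE\\Software\\CLASSES\\.reg]\n@=\"regfile\"\n"
           "[HKEY_LOCAL_MACHINE\\Software\\CLASSES\\.exe]\n@=\"exefile\"\n")

if __name__ == "__main__":
    import sys   # usage: assoc_check.py export.reg [fix.reg ...]; no arguments checks the sample
    texts = [load_export(p) for p in sys.argv[1:]] or [TAMPERED_EXPORT, FIX_REG]
    for key, found, want in check_associations(*texts):
        print(f"{key}: found {found!r}, expected {want!r}")
```

Run with no arguments to see the constructed sample checked after fix.reg has been merged over it: .exe and .reg come back clean, while .com, .bat and the exefile open command are still reported, which is exactly the work that steps 10 and 11 leave to you. Key names are compared case-insensitively, so the CLASSES spelling used in fix.reg matches the Classes spelling that regedit writes into its exports.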

2. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation. For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

3. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available. For detailed instructions, read "How to update virus definition files using the Intelligent Updater."

4. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with Trojan.Laorenshen, click Delete.


Writeup By: Jari Kytojoki