
Problem.



o_O
03-19-2003, 09:23 AM
Hey, I've got a problem. I have some sort of virus, I suspect a trojan, on my machine. Every time I boot I get an MS-DOS prompt attempting to export the registry script 'moo.reg', although it appears it hasn't worked, even online, because "'moo.reg' is not a valid registry script." It may be a coincidence, but I use Norton Antivirus 7.0 Corporate edition, and I also use LiveUpdate, and it seems when I received this problematic file, LiveUpdate stopped working. I've reinstalled LiveUpdate, Norton AV, attempted to locate this file manually, and even reinstalled Windows (98) in a desperate bid to get rid of this thing. It tries to export the 'script' about 50-odd times until Explorer32 performs an illegal operation. I'm not exactly on a high-powered machine (400MHz, 64MB RAM), so it has quite an effect on it, what with all my TSRs. So can anyone help?

Cheers. :)

crono_logical
03-19-2003, 11:01 AM
Yeah, more intelligent trojans/viruses etc. attempt to destroy anti-virus software at the same time, hence why you can see Norton refusing to run correctly anymore - it probably does something either to corrupt the installation, or mess about when you attempt to start the LiveUpdate thing so reinstalling refuses to work either.


Anyway, the virus/worm you got is called kwbot, and spreads through Kazaa. It's actually rather old, so I'm surprised Norton isn't removing it without the LiveUpdate, unless you hadn't been keeping up to date :p Chances are you might also have at least a 2nd virus as well, since kwbot doesn't actually disable/break virus scanners. It's the cause for moo.reg though.


Looking at what kwbot does though, a quick way to temporarily clean it is to delete all .exe files in all Kazaa shared folders, and more importantly, delete the file (windows dir.)\(System and/or System32)\Explorer32.exe . It's not the real Explorer since explorer isn't found in that folder at all, it's pretending to be, that's all. You might find it easier to delete after getting the illegal operation by explorer32 or something. If not, you might need to boot into DOS and delete it from the prompt while Windows isn't running.

If you also feel like quick registry tweaking (not as important once explorer32.exe is deleted), open regedit, go to the path "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and delete any line with the data value set as "explorer32.exe". Do the same in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices". Don't worry about the key name, it names it as Windows version blah blah to make it look like it's part of Windows.

Once explorer32.exe is deleted though, you should be able to run the virus scanner as normal (assuming kwbot was the only virus present), you'll want to search the whole/all HDs in case it's copied itself elsewhere without you knowing.
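As an added example (not code from the thread or from anyone in it), here is a small Python audit of the two autostart keys crono_logical names. It parses the text of a regedit export (REGEDIT4 format) of HKLM\...\CurrentVersion\Run and \RunServices and reports every value whose data invokes explorer32.exe, whatever the value is named, since the post notes the malware picks a Windows-looking name. The .reg content embedded below is constructed for the example; the value names and paths in it are made up, and only "explorer32.exe" comes from the thread.

```python
"""Audit a .reg export of the Run / RunServices keys for a named autostart indicator.

Added example; the sample registry export below is constructed, not captured
from an infected machine.
"""
import re

# Constructed REGEDIT4 export. The value names and paths are invented for this
# example; "explorer32.exe" is the indicator named in the thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windows 98 Update"="C:\\WINDOWS\\SYSTEM\\explorer32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Windows 98 Services"="explorer32.exe"
"""

# The two autostart keys discussed in the thread (compared case-insensitively,
# since registry paths are not case-sensitive).
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def _unescape(data):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (processed left to right)."""
    return re.sub(r'\\(["\\])', r"\1", data)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string (REG_SZ) values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unescape(m.group("data"))
    return keys


def find_autostart_hits(text, indicator="explorer32.exe"):
    """Return (key, value_name, data) for autostart values whose data mentions the indicator.

    Matching is on the data (the command line), not the value name, because the
    value name is chosen by the malware to look legitimate.
    """
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    needle = indicator.lower()
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if needle in data.lower():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_autostart_hits(SAMPLE_REG):
        print(f"{key}\n  {name!r} -> {data}")
```

Run it on a real export (regedit, "Export Registry File" on each key) by passing the file's text to find_autostart_hits; an empty list means neither key currently launches the indicator, which is the check to make after deleting the file and rebooting.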

o_O
03-20-2003, 09:03 AM
Crono, you are my saviour. That worked perfectly, although I think I might reformat, my computer's got a memory leak. Thanks again Crono. :D

EDIT: Done, everything's nice and clean. :)