12-10-2003, 15:33
TQN
Hi thinkping!
You don't need to reinstall Windows. You need to follow the steps below to repair your Windows:
- Use Task Manager to kill winx32sys.exe
- Delete the two files winx32sys.exe and win386sys.exe in the WinNT\system32 directory
- Delete the two keys of winx32sys.exe in the registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunServices
- Delete the key of winx32sys.exe in win.ini:
[windows]
Run=c:\winnt\system32\winx32sys.exe
- Delete the key of winx32sys.exe in system.ini:
[boot]
Shell=Explorer.exe c:\winnt\system32\winx32sys.exe
- Repair the key of exefile in the registry:
HKLM\SOFTWARE\Classes\exefile\shell\open\command:
c:\winnt\system32\win386sys.exe PASS "%1" %*
to "%1" %*
I used Filemon and Regmon from Sysinternals to find the actions of this backdoor program. It was written in Delphi.
Good luck to you.
TQN
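The cleanup steps in the post above, turned into a read-only check that reports any of the listed entries still present. This is an added example, not part of the original post; it assumes PowerShell is available on the machine, uses %SystemRoot% in place of the post's c:\winnt path, and the variable names are its own.

```powershell
# Added example: read-only check of the locations named in the post.
# File names and the expected exefile command come from the post;
# variable names and output format are assumptions of this example.
$names    = 'winx32sys.exe', 'win386sys.exe'
$pattern  = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Running processes (the post kills winx32sys.exe first).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { "$($_.ProcessName).exe" -match "^($pattern)$" } |
    ForEach-Object { $findings.Add("process: $($_.ProcessName) (PID $($_.Id))") }

# 2. The two files in the system32 directory.
foreach ($n in $names) {
    $p = Join-Path $env:SystemRoot "system32\$n"
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 3. Run and RunServices values whose data points at either file.
foreach ($k in 'Run', 'RunServices') {
    $key = Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($v in $key.GetValueNames()) {
        $data = [string]$key.GetValue($v)
        if ($data -match $pattern) { $findings.Add("registry: $k\$v = $data") }
    }
}

# 4. win.ini [windows] Run= and system.ini [boot] Shell= lines.
foreach ($ini in 'win.ini', 'system.ini') {
    $p = Join-Path $env:SystemRoot $ini
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Select-String -LiteralPath $p -Pattern '^\s*(run|shell)\s*=' |
        Where-Object { $_.Line -match $pattern } |
        ForEach-Object { $findings.Add("${ini}: $($_.Line.Trim())") }
}

# 5. exefile open command: the post gives "%1" %* as the repaired value.
$cmdKey = Get-Item 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' -ErrorAction SilentlyContinue
$open   = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { '' }
if ($open -ne '"%1" %*') { $findings.Add("exefile open command: $open") }

if ($findings.Count) { $findings } else { 'None of the entries listed in the post were found.' }
```

The script changes nothing; each reported line maps to one step of the post, so the remaining manual work is visible at a glance.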