backdoor.winshell

Rey

Hi all,

I'm running Win2000 Professional and I encountered a virus when I did the
scan this morning. Symantec was not able to delete, fix, or
quarantine the corrupted file. The virus name is backdoor.winshell,
the location is c:\winnt\system32, and the file name is
c:\winnt\system32\svchost.exe. I tried the manual removal by searching
for the registry keys Run and RunServices, but the RunServices key and
the value winshell or rhshell it asked me to delete were not there.
Does anybody know how to remove this virus manually?

Thanks.

Rey
 
JasonW

You might try overwriting it with a new svchost.exe file from the CD or
whatever service pack you are running. It is located in the i386 directory.
If you've never done this, you can use the expand.exe program in the same
directory to extract the svchost.ex_ file.
"expand svchost.ex_ c:\winnt\system32\svchost.exe"

Symantec also recommends doing these steps:

1. Update the virus definitions.
2. Run a full system scan, and then delete all the files that are detected
as Backdoor.WinShell.

3. Using regedit to edit the registry, delete the value:

WinShell <Original location and file name of the Trojan>

from the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

-JasonW
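The two checks JasonW describes (look for the Trojan's autorun value, then replace svchost.exe from the i386 folder) can be verified from a script. The following is an added example written for this thread; it is not code from either poster or from Symantec. It assumes the install media or service-pack folder is at D:\i386 (change $I386), that it runs from an elevated prompt, and that Get-FileHash is available (PowerShell 4 or later).

```powershell
# Added example for this thread, not code from either poster or from Symantec.
# It automates the two checks JasonW describes: look for the Trojan's autorun
# value, and compare the live svchost.exe with a copy expanded from the i386
# folder. $I386 is an assumed path; point it at your CD or service-pack folder.
$System32 = Join-Path $env:SystemRoot 'system32'
$I386     = 'D:\i386'                          # assumption: install media drive
$Live     = Join-Path $System32 'svchost.exe'
$Pristine = Join-Path $env:TEMP 'svchost.pristine.exe'

# --- 1. Autorun keys named in the thread -------------------------------------
# RunServices may simply not exist (it did not on Rey's machine), so a missing
# key is reported rather than treated as an error.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
# Properties PowerShell itself attaches to the key object; not registry values.
$noise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()
foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Host "absent : $key"
        continue
    }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($noise -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        # Flag the value names the thread mentions, and any entry at all that
        # launches svchost.exe: real svchost instances are started by the
        # service control manager as services, never from a Run key.
        $byName = $prop.Name -match '^(winshell|rhshell)$'
        $byData = $data -match 'svchost\.exe'
        if ($byName -or $byData) {
            Write-Host ("SUSPECT: {0}\{1} = {2}" -f $key, $prop.Name, $data)
            $findings += "$key\$($prop.Name)"
        } else {
            Write-Host ("ok     : {0}\{1} = {2}" -f $key, $prop.Name, $data)
        }
    }
}

# --- 2. Compare the live binary with a fresh copy from i386 ------------------
# expand.exe is the tool JasonW names; Get-FileHash needs PowerShell 4 or later.
& (Join-Path $I386 'expand.exe') (Join-Path $I386 'svchost.ex_') $Pristine | Out-Null
if (-not (Test-Path -Path $Pristine)) {
    Write-Host "could not expand svchost.ex_ from $I386; check the path"
} else {
    $liveHash     = (Get-FileHash -Algorithm SHA256 -Path $Live).Hash
    $pristineHash = (Get-FileHash -Algorithm SHA256 -Path $Pristine).Hash
    if ($liveHash -eq $pristineHash) {
        Write-Host "svchost.exe matches the i386 copy ($liveHash)"
    } else {
        Write-Host "svchost.exe DIFFERS from the i386 copy"
        Write-Host "  live    : $liveHash"
        Write-Host "  pristine: $pristineHash"
    }
    Remove-Item -Path $Pristine -Force
}

# A Run/RunServices hit or a hash mismatch is what to act on.
if ($findings.Count -eq 0) { Write-Host "no suspicious autorun values found" }
```

Two caveats when reading the output. A hash mismatch alone is not proof of infection: if a hotfix updated svchost.exe after the service pack the i386 folder came from, the hashes differ for a legitimate reason, so check the file version before overwriting. And the autorun check matters independently of the file check, because the Trojan's launcher entry can survive a clean svchost.exe and will simply fail to start until something recreates the file.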
 
Rey

Thanks Jason, I finally got this problem fixed. I tried doing what
Symantec asks people to do, but the thing is that when I tried editing
the registry, the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
was not there at all, and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was,
but the value winshell was not. I did what you suggested and
everything worked fine.

Thanks again for your help, Jason.

Rey