sofTest Posted 20 July 2004
If you don't turn off System Restore, this won't work.
Jarmo Posted 20 July 2004 (edited)
Restarting in Safe Mode

» On Windows 2000
Restart your computer. Press the F8 key when you see the Starting Windows bar at the bottom of the screen. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.

» On Windows XP
Restart your computer. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   windbs = "winxtc.exe"
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry:
   windbs = "winxtc.exe"
6. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
7. Still in the left panel, locate and delete the subkey:
   Windows Database Control
8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.
Edited 20 July 2004 by jarmo
Jarmo Posted 20 July 2004 (edited)
W32/Agobot-WD is an IRC backdoor and network worm. W32/Agobot-WD is capable of spreading to computers on the local network that have weak passwords.

When first run, W32/Agobot-WD copies itself to the Windows system folder as winxtc.exe and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windbs = winxtc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\windbs = winxtc.exe

The worm runs continuously in the background as a service process, providing backdoor access to the computer.

W32/Agobot-WD modifies the HOSTS file located at <WINDOWS>\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. The worm may also terminate and disable various anti-virus and security related programs, and may delete network shares.
Edited 20 July 2004 by jarmo
goggen Posted 20 July 2004 (edited)
Yes, I have turned off System Restore. It has been switched off for as long as I have been fiddling with this. The problem with winxtc.exe and the hosts file is that they reappear at the next reboot even if I delete them.

Edit: Hmm, I have solved it (for the time being) by just deleting the value in the right-hand pane of the registry (edit binary data) instead of deleting the whole entry. It works so far, and then the hosts file works too (no redirection of antivirus sites to localhost). Hoping it stays that way..
Edited 20 July 2004 by goggen
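Added example, not part of any post in this thread: a small Python check for the HOSTS tampering described above, listing every non-local hostname that a HOSTS file pins to a loopback address so you can confirm after a reboot whether the redirects have come back. It goes slightly beyond the thread by also flagging ::1 and 0.0.0.0; the function names, the benign-name list and the sample domains are assumptions made for this example.

```python
import ipaddress

# Names that legitimately resolve to loopback in a default HOSTS file (assumed list).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def is_sinkhole(addr_text):
    """True if the address is loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # malformed address field, so not a loopback mapping
    return addr.is_loopback or addr.is_unspecified

def suspicious_hosts_entries(text):
    """Return (line_number, address, hostname) for every non-local name
    that the HOSTS content maps to a loopback or unspecified address."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        addr, names = fields[0], fields[1:]
        if not is_sinkhole(addr):
            continue
        for name in names:  # one line may carry several hostnames
            if name.lower().rstrip(".") not in BENIGN_NAMES:
                findings.append((lineno, addr, name.lower()))
    return findings

# Constructed sample; the domains are placeholders, not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
127.0.0.1       update.av-vendor.example download.av-vendor.example  # two names
192.0.2.10      intranet.example
0.0.0.0         scan.av-vendor.example
"""

if __name__ == "__main__":
    for lineno, addr, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

To check a real machine, pass the contents of the HOSTS file at the path given in the description above instead of the sample string.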