Aiuto! W32 Francette

coker · 03-05-2004, 21:58

aiuto !!!! c'è qualcuno che mi può dire come liberarmi del virus W32 francette e w32 HLLW gaobot sono stato infettato e i tool di symantec non fuzionano grazie !

ring · 04-05-2004, 11:29

Per quanto riguarda il FRANCETTE, leggi qui di seguito (e ricordati il System Restore...)

----------------------------------------------------------------------------------
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or ending the Trojan process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for Cnqmax.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Francette.Worm, click Delete.

5. Reversing the changes made to the registry

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"Microsoft IIS"="syshost.exe"

Exit the Registry Editor.

---------------------------------------------------------------------------------
Come vedi, quindi, non è necessario il removal tool; basta un semplice antivirus aggiornato.

Per quanto riguarda il GAOBOT, usa pure il removal tool, ma ricordati di disabilitare il System Restore di Windows; per sicurezza, fai tutto in modalità provvisoria.
Tieni però conto di quanto segue:

--------------------------------------------------------------------------------
Before you begin:
If you are running Windows NT/2000/XP, make sure that you do, or have done, the following:
Create a secure password. This threat takes advantage of weak network passwords. (A full-time Internet connection, such as DSL or Cable, is considered a network connection for these purposes.)
Patch the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-026.
Patch the WebDav vulnerability as described in Microsoft Security Bulletin MS03-007.
Patch the Workstation service buffer overrun vulnerability as described in Microsoft Security Bulletin MS03-049.
Patch the Microsoft Messenger Service Buffer Overrun Vulnerability as described in Microsoft Security Bulletin MS03-043.
Patch the Locator service vulnerability as described in Microsoft Security Bulletin MS03-001.
Patch the UPnP vulnerability as described in Microsoft Security Bulletin MS01-059.
Patch the vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit as described in Microsoft Security Bulletin MS02-061.

--------------------------------------------------------------------------------

Scusa la "lungaggine", ma così non si rischia di tralasciare niente.
Fammi sapere com'è andata!!
Ciao

03-05-2004, 21:58	#1
coker Member Iscritto dal: Dec 2000 Messaggi: 25	Aiuto! W32 Francette aiuto !!!! c'è qualcuno che mi può dire come liberarmi del virus W32 francette e w32 HLLW gaobot sono stato infettato e i tool di symantec non fuzionano grazie !

04-05-2004, 11:29	#2
ring Senior Member Iscritto dal: Nov 2003 Città: Mordor Messaggi: 336	Per quanto riguarda il FRANCETTE, leggi qui di seguito (e ricordati il System Restore...) ---------------------------------------------------------------------------------- 1. Disabling System Restore (Windows Me/XP) If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me System Restore" "How to turn off or turn on Windows XP System Restore" For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455. 2. Updating the virus definitions Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions: Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate). Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater). The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions. 3. Restarting the computer in Safe mode or ending the Trojan process Windows 95/98/Me Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode." Windows NT/2000/XP To end the Trojan process: Press Ctrl+Alt+Delete once. Click Task Manager. Click the Processes tab. Double-click the Image Name column header to alphabetically sort the processes. Scroll through the list and look for Cnqmax.exe. If you find the file, click it, and then click End Process. Exit the Task Manager. 4. Scanning for and deleting the infected files Start your Symantec antivirus program and make sure that it is configured to scan all the files. For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files." For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files." Run a full system scan. If any files are detected as infected with W32.Francette.Worm, click Delete. 5. Reversing the changes made to the registry Click Start, and then click Run. (The Run dialog box appears.) Type regedit Then click OK. (The Registry Editor opens.) Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run In the right pane, delete the value: "Microsoft IIS"="syshost.exe" Exit the Registry Editor. --------------------------------------------------------------------------------- Come vedi, quindi, non è necessario il removal tool; basta un semplice antivirus aggiornato. Per quanto riguarda il GAOBOT, usa pure il removal tool, ma ricordati di disabilitare il System Restore di Windows; per sicurezza, fai tutto in modalità provvisoria. Tieni però conto di quanto segue: -------------------------------------------------------------------------------- Before you begin: If you are running Windows NT/2000/XP, make sure that you do, or have done, the following: Create a secure password. This threat takes advantage of weak network passwords. (A full-time Internet connection, such as DSL or Cable, is considered a network connection for these purposes.) Patch the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-026. Patch the WebDav vulnerability as described in Microsoft Security Bulletin MS03-007. Patch the Workstation service buffer overrun vulnerability as described in Microsoft Security Bulletin MS03-049. Patch the Microsoft Messenger Service Buffer Overrun Vulnerability as described in Microsoft Security Bulletin MS03-043. Patch the Locator service vulnerability as described in Microsoft Security Bulletin MS03-001. Patch the UPnP vulnerability as described in Microsoft Security Bulletin MS01-059. Patch the vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit as described in Microsoft Security Bulletin MS02-061. -------------------------------------------------------------------------------- Scusa la "lungaggine", ma così non si rischia di tralasciare niente. Fammi sapere com'è andata!! Ciao

Strumenti
Mostra una versione stampabile Invia questa pagina per email