Re: hackarmy


From: George Valkov (null_at_somewhere.com)
Date: 05/16/04


Date: Sun, 16 May 2004 16:09:17 +0300

Yes, changes are applied immediately and you don't have to save anything in
Regedit.
I assume you've done this in Safe Mode.
Note: Hold down the SHIFT key while you are logging on. This will prevent
programs in the RUN group from starting automatically.
If you use Windows XP, you can try to write-protect the RUN folder (with
regedit) after you delete the links:
1. Browse to the RUN folder.
2. Delete the links that you want to remove.
3. Click on the RUN folder, Edit, Permissions
  Click the [Advanced] button
  Fill the check-box that reads:
      Replace permissions on all child objects...
  Click Add and type in Everyone
  Fill the Deny boxes for (Set Value, Create Subkey)
  Click Add and type in System
  Fill the Deny boxes for (Set Value, Create Subkey)
  Click Add and type in Administrators
  Fill the Deny boxes for (Set Value, Create Subkey)

Also take a look at the Startup folder:
Start Menu, All Programs, Startup (for Windows XP).
Delete all unwanted items.
This should prevent the virus from starting up automatically.

Consider using an antivirus program to clean infected files.
If possible, run a Full System Scan in Safe Mode and delete everything that
is infected.

Good luck!
George Valkov

"Ian" <ipember@removethisfirst.msn.com> wrote in message
news:#qZ8b#zOEHA.2740@TK2MSFTNGP11.phx.gbl...
> I did the registry entries as advised. But when I exit and restart, the
> rundll32 files reappear in the registry. The data held for each rundll
> file is as follows:
>
> 1st: NVMediacenter
> rundll32.exe NVMCtray.dll, nvtaskbarInit
>
> 2nd: NVcplDaemon
> rundll32.exe x:\windows\systems32\nvcpl.dll,nvstrtup
>
>
> Why are they running after I delete them from the registry? Why is backweb
> still running after I delete it from the registry? After making registry
> changes, presumably you just exit (there is no "save" option) and it saves
> it?
>
>
>
>
> "George Valkov" <null@somewhere.com> wrote in message
> news:OYiAhHzOEHA.1276@TK2MSFTNGP11.phx.gbl...
> > Start, Run:
> > regedit
> > Browse to
> > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
> > On the right side you see programs that will run for the current user on
> > startup.
> > Browse to
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> > On the right side you see programs that will run for each user on
> > startup.
> >
> > If you don't want a program to run, simply delete the link on the right
> > side.
> > I suggest you do this in Safe Mode. Press F8 at system startup and
> > select Safe Mode from the menu.
> >
> > George Valkov
> >
> >
> >
> > "Ian" <ipember@removethisfirst.msn.com> wrote in message
> > news:#srCXQyOEHA.4036@TK2MSFTNGP12.phx.gbl...
> > > My AVG found this "backdoor hackarmy" virus recently and I deleted it
> > > after I was told it couldn't be repaired. Will this have completely
> > > removed it, do you think?
> > >
> > > When I go into Task Manager, in the process menu I can see two entries
> > > for RUNDLL32.EXE (with different memory usage). What is this all about?
> > >
> > > And finally (!!!) I also have a backweb.exe file running on startup
> > > which I think came with some Logitech software I ran to install my mouse
> > > etc. I don't think I need this file and I understand that it is spyware.
> > > I have run Adaware and Spybot and, as already mentioned, I run AVG
> > > antivirus.
> > >
> > >
> > > hope you can help
> > >
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/2004
> > >
> > >
> >
> >
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.686 / Virus Database: 447 - Release Date: 14/05/2004
>
>
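The Run-key inspection, link removal and Deny-permission lockdown that George walks through in regedit, as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later and an elevated prompt for the HKLM keys; the function names, the inclusion of the RunOnce keys and the Startup folders, and the choice to deny only Everyone by default (rather than Everyone, System and Administrators as the post does) are mine.

```powershell
# Added example, not code from the original thread. Lists the autostart
# entries the post points at and applies the Deny ACEs it describes.
# Assumes Windows PowerShell 5.1+ and an elevated prompt for the HKLM keys.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Every value under the Run/RunOnce keys, with the command line it will run.
# For a rundll32.exe value this is the DLL and entry point being loaded.
function Get-RunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# Shortcuts in the per-user and all-users Startup folders.
function Get-StartupItem {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path -LiteralPath $path)) {
            Get-ChildItem -LiteralPath $path -Force -File
        }
    }
}

# Delete one autostart value (the "link" in the post), e.g. -Name 'backweb'.
# Do this before Protect-RunKey; afterwards the Deny ACE blocks you as well.
function Remove-RunEntry {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    Remove-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop
}

# Deny "Set Value" and "Create Subkey" on a Run key for the given principals,
# inherited by child keys, matching the regedit steps in the post.
function Protect-RunKey {
    param(
        [Parameter(Mandatory)][string]$Key,
        [string[]]$Principal = @('Everyone')   # post also adds System, Administrators
    )
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $acl = Get-Acl -LiteralPath $Key
    foreach ($p in $Principal) {
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $p, $rights,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Key -AclObject $acl
}

# Undo Protect-RunKey: drop the explicit (non-inherited) Deny rules again.
function Unprotect-RunKey {
    param([Parameter(Mandatory)][string]$Key)
    $acl = Get-Acl -LiteralPath $Key
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    Set-Acl -LiteralPath $Key -AclObject $acl
}

# Usage: inspect first, then remove and lock the per-user key.
Get-RunEntry | Format-Table -AutoSize
Get-StartupItem | Select-Object FullName
# Remove-RunEntry -Key $RunKeys[0] -Name 'backweb'
# Protect-RunKey -Key $RunKeys[0]
```

Two caveats a practitioner should weigh before running `Protect-RunKey` the way the post describes. Denying Set Value to System and Administrators as well as Everyone also stops Windows itself and any legitimate installer from writing to the key, so software setup and updates that register a Run entry will fail until `Unprotect-RunKey` is run (the owner keeps the right to change permissions, so the change is reversible from regedit or from this script). And a Run-key lockdown only covers the Run and RunOnce keys and the Startup folders listed here; it does nothing for other autostart mechanisms, so it is a containment step, not a substitute for the antivirus clean-up the post recommends.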


