I recently installed norton anti-virus and immediately found the backdoor trojan virus. Norton supposedly removed but now I can't use any application files. everytime I try to go into a program that is an application I get rerouted to a message about unwise.exe file not being found. I need to get into the registry to remove all entries about it but when I type regedit, again it goes to the message about unwise.exe. Help, this is on a server and my client is down now for 2 days.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
backdoor trojan virus
- Thread starter alaser12
- Start date
KimberTech
MIS
Go here and have a read....is this your virus? This one is generally not damaging to the system, but without more detail I can't help much.
If not come back here and post the exact trojan that was found on the system.
What operating system are you using? Windows NT/2K etc?
What version of NAV are you using?
How is set up to deal with virus found? Heal, delete etc?
You may still have the files in quarantine. Kimber
The more I learn,I realize how much more there is to know!
KimberTech
MIS
Or maybe this one?
Harder to remove...
Hope you have the filenames of the files that were found to be infected. It will help us to help you.
Kimber
The more I learn,I realize how much more there is to know!
To do this, you need to go into a DOS window, then copy or rename REGEDIT.EXE to REGEDIT.COM. Once you've done this, look for this reg key:
HKEY_Classes_Root\exefile\shell\open\command
and replace the value of the key to <"%1" %*> without the bracekts.
This will remove that UNWISE.EXE reference there.
HTH, AVChap
... my $1 worth of advise, 2cents isn't enough due to inflation
HKEY_Classes_Root\exefile\shell\open\command
and replace the value of the key to <"%1" %*> without the bracekts.
This will remove that UNWISE.EXE reference there.
HTH, AVChap
... my $1 worth of advise, 2cents isn't enough due to inflation
KimberTech
MIS
AVChap...
was going to make some suggestions but no OS listed.
Are you familiar with this particular one?
I am not...always looking to expand my brain database.
Especially if this is another common one right now. Kimber
The more I learn,I realize how much more there is to know!
was going to make some suggestions but no OS listed.
Are you familiar with this particular one?
I am not...always looking to expand my brain database.
Especially if this is another common one right now. Kimber
The more I learn,I realize how much more there is to know!
- Thread starter
- #7
I have tried that already ( changing the regedit.exe to regedit.com) it still pops up the message and does not let you run the application. I am assuming because it is listed as a application file, not sure if it's even possible to change this. The OS is win98. I hav loaded the norton 2003 AV, it was downloaded the same night we found the virus. I was thinking of trying to access the registry remotely but I can't even get into the registry to turn it on.the file is not in quarantine as far as I know it was deleted. Any other ideas? Thanks in advance.
If you boot to dos, you can restore a previous version of your registry... maybe that will help you...
Boot to dos.
at the c:\ prompt type:
scanreg /restore
this will bring up a list of dates. pick a date previous to the known virus infection, let it do it's thing and reboot when prompted.
You may lose some access to programs that were installed after the registry restore date, but just reinstall them.
Unwise.exe doesn't belong to the actual 98 OS, it was probably the virus itself.
Good luck and let us know :O) ~ The day I think I know it all, i'm changing careers ~
Boot to dos.
at the c:\ prompt type:
scanreg /restore
this will bring up a list of dates. pick a date previous to the known virus infection, let it do it's thing and reboot when prompted.
You may lose some access to programs that were installed after the registry restore date, but just reinstall them.
Unwise.exe doesn't belong to the actual 98 OS, it was probably the virus itself.
Good luck and let us know :O) ~ The day I think I know it all, i'm changing careers ~
- Thread starter
- #9
Only one more thing I can think of, manual copy of the registry file. Check the dates to see if the system.1st is dated before your virus infection. If the dates are the same, don't bother doing the following.
Boot to dos from a floppy...
In the windows directory type:
attrib -r -h system.dat
rename the file to system.bak or something.
In the root of C (c:\) type:
attrib -r -h system.1st
then type
copy system.1st c:\system.dat
reverse the attrib commands (+R +H) on both files and reboot. ~ The day I think I know it all, i'm changing careers ~
Boot to dos from a floppy...
In the windows directory type:
attrib -r -h system.dat
rename the file to system.bak or something.
In the root of C (c:\) type:
attrib -r -h system.1st
then type
copy system.1st c:\system.dat
reverse the attrib commands (+R +H) on both files and reboot. ~ The day I think I know it all, i'm changing careers ~
- Thread starter
- #11
- Status