Norton Antivirus Knowledge Base
Technical Note
How to remove Backdoor.PolyDrop
Situation:
You have a computer infected with the BackDoor.PolyDrop Trojan, and you want to know how to remove it.
Solution:
The BackDoor.PolyDrop Trojan creates files named with a random assortment of letters and modifies the Windows registry. This document will help you undo the changes made by BackDoor.PolyDrop.
NOTE: For Trojans other than BackDoor.PolyDrop, please search the Knowledge Base for the particular Trojan name. If you do not know the name of the Trojan, please see Programs do not run after Norton AntiVirus quarantines or deletes a Trojan or a worm
What Backdoor.PolyDrop does
BackDoor.PolyDrop makes the following changes to the system:
- Creates a random-named file, for example, eutccec.exe, in the \Windows\System folder.
- Modifies the (Default) value from "%1" %* to eutccec.exe "%1" %* in the following registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
How to remove Backdoor.PolyDrop from your system
You will need to edit two system files and the Windows registry. Please follow, in turn, the instructions in each section.
NOTES:
- The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a computer consultant.
- This is a random-name file creator. We will use the example eutccec.exe in this document. Please substitute the random-named file that you find on the system.
If you cannot start program files
If you cannot start program files because you have already deleted the eutccec.exe file, then please follow the procedure for your operating system. Otherwise, go on to the section titled Edit the registry.
- Windows 95/98 users please follow these steps:
1. Click Start, point to Programs, and then click MS-DOS Prompt.
2. Type cd windows in the DOS window, and then press Enter.
3. Type copy regedit.exe regedit.com and then press Enter.
4. Type exit and then press Enter. This will close the DOS window.
5. Click Start, point to Find, and then click Files or Folders.
6. Make sure that "Look in" indicates the drive on which Windows is installed.
7. Type regedit.com in the Named box, and then click Find Now.
8. Double-click the Regedit.com file in the results pane to start the Registry Editor, and then proceed to the Edit the registry section.
- Windows NT users please follow these steps:
1. Click Start, point to Find, and then click Files or Folders.
2. Make sure that "Look in" indicates the drive on which Windows is installed.
3. Type regedit.exe in the Named box, and then click Find Now.
4. Right-click the Regedit.exe file in the results pane, and then click Copy.
5. Close the Find dialog box.
6. Right-click the Windows desktop, point to New, and then click Folder. Type a name for the folder, such as RegFix, and then press Enter.
7. Double-click the folder you just created to open it, click the Edit menu, and then click Paste. This will place a copy of Regedit.exe in the folder.
8. Click the View menu, and then click Options. The Options dialog box appears.
9. Click the View tab, and then make sure that "Hide file extensions for known file types" is not checked. Click OK.
10. Right-click the copy of the Regedit.exe file, and then click Rename.
11. Change Regedit.exe to Regedit.com, and then press Enter. Click Yes to confirm the change.
12. Double-click the Regedit.com file to start the Registry Editor, and then proceed to the Edit the registry section.
NOTE: After BackDoor.PolyDrop has been successfully removed, then you may delete the Regedit.com file.
Edit the registry
WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please see How to Back Up the Windows 95/98/NT Registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.
If you are confident that you can complete the following steps without error, then please proceed with caution, keeping in mind all warnings you have read.
1. Start the Registry Editor if necessary:
- If you have performed the procedure in the previous section, the Registry Editor is already open. Skip to step 4.
- If it was not necessary to perform the procedures in the previous section, go on to step 2.
2. Click Start, and then click Run. The Run dialog box appears.
3. Type regedit and then click OK. The Registry Editor opens.
4. Navigate to and open the following key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
WARNING: Do not inadvertently modify the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe subkey. Changes made to that key can prevent .exe files (program files) from running. Be sure to navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey as shown in the following figure.
5. Double-click the (Default) value in the right pane.
6. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)
NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"
Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document, making sure to completely remove the current value data.
7. Close the Registry Editor and go on to the next section.
Edit system files
Please follow these steps to remove changes made to two Windows files:
1. Click Start, and then click Run.
2. Type the following command, and then press Enter to open the System Configuration Editor.
sysedit
NOTE: If you see the message "Windows cannot find .exe", then repeat the steps in the previous section, and make sure that you typed the text exactly as shown. If you do not see an error message, then proceed to the next step.
3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.
WARNING: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest you do not remove it. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line, for example:
; run=accounts.exe
4. Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
5. Position the cursor to the immediate right side of the equal sign.
6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
7. Repeat steps 5 and 6 for the run= line, which is usually beneath the load= line.
8. Close the Win.ini window; click Yes when you are prompted whether to save the changes.
9. Click the title bar of the System.ini window, and then locate the shell=explorer.exe line within the [boot] section; it is usually located near the top of the file.
10. Position the cursor to the immediate right side of explorer.exe.
11. Press Shift+End to select all of the text to the right of explorer.exe, and then press Delete.
12. Close the System.ini window; click Yes when you are prompted whether to save the changes.
NOTE: Some computers may have an entry other than Explorer.exe after shell=. If this is the case, and you are running an alternative Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.
13. Exit the System Configuration Editor, start NAV, and then run a full system scan.
NOTE: If NAV detects files that are infected with Backdoor.PolyDrop when you run a full system scan, we suggest that you delete the infected files. They have been destroyed by the Trojan and cannot be repaired.
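The registry and system-file sections above describe three settings to inspect: the (Default) data of the exefile\shell\open\command key, the load= and run= lines in the [windows] section of Win.ini, and the shell= line in the [boot] section of System.ini. The following script is an added example, not Symantec's code, that checks all three against the clean state the document describes and reports what it finds. The registry value, Win.ini and System.ini contents are constructed sample data modelling an infected machine; the only values taken from the document are the clean command data "%1" %*, the example file name eutccec.exe, and the section and key names. It also distinguishes the leading-space mistake that produces the "Windows cannot find .exe" error from an actual hijack, and it recognises an alternative shell rather than treating it as an infection.

```python
"""Audit the persistence points described for BackDoor.PolyDrop.

Added example, not Symantec's code. Sample registry data and INI text
below are constructed; the only real values are the clean (Default)
data '"%1" %*' and the file, section and key names in the document.
"""
from __future__ import annotations

import re

# Clean (Default) data of HKLM\Software\Classes\exefile\shell\open\command
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Anything in front of "%1" %* is an executable run on every .exe launch
_EXEFILE_RE = re.compile(r'^(?P<prefix>.*?)\s*"%1"\s*%\*$')


def check_exefile_command(value: str) -> dict:
    """Classify the exefile open-command data.

    Status is 'clean', 'hijacked', 'leading_whitespace' or 'unexpected';
    'hijacker' is the text found in front of the clean command, if any.
    """
    if value == CLEAN_EXEFILE_COMMAND:
        return {"status": "clean", "hijacker": None}
    if value != value.lstrip():
        # A stray leading space is the hand-edit mistake that produces
        # "Windows cannot find .exe"; it is not a hijack.
        return {"status": "leading_whitespace", "hijacker": None}
    match = _EXEFILE_RE.match(value)
    if match and match.group("prefix"):
        return {"status": "hijacked", "hijacker": match.group("prefix")}
    return {"status": "unexpected", "hijacker": None}


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal Win.ini/System.ini parser (lower-cased keys, ';' comments).

    configparser is avoided because its '%' interpolation and strict
    duplicate-key handling trip over real Win.ini files.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def check_win_ini(text: str) -> list[tuple[str, str]]:
    """Return non-empty load=/run= entries from [windows]; clean is []."""
    windows = parse_ini(text).get("windows", {})
    return [(k, windows[k]) for k in ("load", "run") if windows.get(k)]


def check_system_ini(text: str) -> dict:
    """Check shell= in [boot]; anything after explorer.exe is 'appended'."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    parts = shell.split()
    if not parts:
        return {"status": "missing", "extra": []}
    if parts[0].lower() == "explorer.exe":
        status = "clean" if len(parts) == 1 else "appended"
        return {"status": status, "extra": parts[1:]}
    # An alternative shell is legitimate on some systems (see the NOTE above).
    return {"status": "alternate_shell", "extra": parts}


def audit(exefile_value: str, win_ini: str, system_ini: str) -> dict:
    """Combine the three checks and flag whether anything needs cleanup."""
    report = {
        "exefile_command": check_exefile_command(exefile_value),
        "win_ini_startup": check_win_ini(win_ini),
        "system_ini_shell": check_system_ini(system_ini),
    }
    report["suspicious"] = (
        report["exefile_command"]["status"] != "clean"
        or bool(report["win_ini_startup"])
        or report["system_ini_shell"]["status"] != "clean"
    )
    return report


# Constructed sample data modelling an infected machine.
SAMPLE_EXEFILE_VALUE = 'eutccec.exe "%1" %*'
SAMPLE_WIN_INI = """[windows]
load=
run=eutccec.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe eutccec.exe

[386Enh]
device=vmm32.vxd
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXEFILE_VALUE, SAMPLE_WIN_INI,
                               SAMPLE_SYSTEM_INI).items():
        print(f"{name}: {finding}")
```

On a live Windows host the first argument to audit() would come from winreg.QueryValue(winreg.HKEY_LOCAL_MACHINE, r"Software\Classes\exefile\shell\open\command"), which returns the key's (Default) data, and the two INI arguments from reading Win.ini and System.ini in the Windows folder; the checks themselves are pure functions so they can also be run against copies taken from a machine that no longer starts programs.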
Keywords:
poly; polydrop; backdoor; drop; backdoor.polydorp; backdoor.poly; backdoor.drop
Document ID: 2000050813472206
Web URL: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000050813472206&src=exp
Products: General, Virus Information
Operating Systems: All Supported
Date Created: 05/08/2000
Last Modified: 05/24/2000