
Important:: 5. To Delete The Value From The Registry

The document provides instructions to remove malware from a system by deleting registry values and scheduled tasks. It instructs the user to: 1) Back up the registry before making any changes. 2) Open the Registry Editor and navigate to several registry subkeys to delete specific malicious values. 3) Reset some values to their default settings if needed. 4) Exit the Registry Editor. 5) Open the Scheduled Tasks window, check for and delete a scheduled task with a specific name that matches malware.

Uploaded by

Xie Mean
Copyright
© Attribution Non-Commercial (BY-NC)

5. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

a. Click Start > Run.

b. Type regedit

c. Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

d. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

e. In the right pane, delete the value:


"Bron-Spizaetus" = "%Windir%\INF\norBtok.exe"

f. Navigate to the subkey:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

g. In the right pane, delete the value:


"Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe"

h. Navigate to the subkey:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

i. In the right pane, reset the value to its default value:


"Shell" = "Explorer.exe"

j. Navigate to the subkey:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

k. In the right pane, reset the following value to its default value if required:
"NoFolderOptions" = "0" or "NoFolderOptions" = "1"

l. Navigate to the subkey:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced

m. In the right pane, reset the following values to their default value if required:
"Hidden" = "0" or "Hidden" = "1"
"ShowSuperHidden" = "0" or "ShowSuperHidden" = "1"
"HideFileExt" = "0" or "HideFileExt" = "1"

n. Exit the Registry Editor.

6. To delete the scheduled tasks added by the worm

a. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)

b. In the Control Panel window, double click Scheduled Tasks.

c. Right click the task icon and select Properties from the pop-up menu. The properties of the task are displayed.

d. Delete the task if the contents of the Run text box in the task pane match the following:

%Windir%\Tasks\At1.job
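A read-only check for the items steps 5 and 6 name, as an added example that is not part of the original removal instructions. It assumes Windows PowerShell run as the affected user, and it treats a job file at %Windir%\Tasks\At1.job as the sign of the scheduled task, which is an assumption.

```powershell
# Added example: read-only check; it reports and changes nothing.
$findings = @()

# Run-key values the steps above say to delete (names as given on the page).
$runValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Bron-Spizaetus' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Tok-Cirrhatus' }
)
foreach ($v in $runValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Still present: $($v.Path)\$($v.Name) = $($item.($v.Name))"
    }
}

# Winlogon Shell should be back at the default the page gives.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -ne 'Explorer.exe') {   # -ne compares case-insensitively
    $findings += "Winlogon Shell is '$shell', expected 'Explorer.exe'"
}

# Explorer settings: the page accepts 0 or 1 "if required", so only display them.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoFolderOptions') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Names = @('Hidden', 'ShowSuperHidden', 'HideFileExt') }
)
foreach ($s in $settings) {
    $props = Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue
    foreach ($n in $s.Names) {
        $val = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { '(not set)' }
        Write-Output "Review: $($s.Path)\$n = $val"
    }
}

# Assumption: the scheduled task shows up as a job file at this path.
$job = Join-Path $env:windir 'Tasks\At1.job'
if (Test-Path -LiteralPath $job) {
    $findings += "Job file exists, inspect it in Scheduled Tasks: $job"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'None of the listed Run values, Shell change or At1.job were found.'
}
```

Run it once before the manual steps to see what is present and again afterwards to confirm the values are gone; the "Review" lines are informational because the page lists both 0 and 1 as possible defaults.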
