| Thread ID: 54406 | 2005-02-11 10:39:00 | Korgo worm in Reg | stingrae (7270) | Press F1 |
| Post ID | Timestamp | Content | User |
| 323999 | 2005-02-11 10:39:00 | Hey, I've got TDS-3 Professional and it detected the Worm.Korgo in my Registry, i.e., HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [Update Service=winu32.exe]. The 'winu32.exe' is the infected regvalue. Now I've tried all sorts of removal tools, Stinger, FixKorgo, AVG and some others, but they don't detect it. All the notes I've read on the worm say it creates a fake regvalue in the "System Update" and can just be deleted. So can I just delete the entry 'winu32.exe', which would mean deleting the "Update Service"? If I create a restore point and then delete that value, could it be restored later, or would it be deleted permanently? Thanks. | stingrae (7270) |
| 324000 | 2005-02-11 11:00:00 | Just delete the whole key there - that is, it has the name "Update Service" with the value "winu32.exe". You can back up that registry branch under the File menu of the Registry Editor (Export, using selected branch). Or if you use the msconfig util (Start->Run->msconfig->Startup tab), then it is a matter of unchecking the value there. Assuming that you have XP here. The old virus writers are trying to make that startup entry look legit by using the name "Update Service" ... (strangely their startup methods always seem pretty poor). | gibler (49) |
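The procedure gibler describes (export the Run branch as a backup, then remove the single "Update Service" value) can be done from a script as well as from regedit/msconfig. The following is an added example written for this page, not code from either poster; it assumes Windows PowerShell 5.1 or later in an elevated prompt on a current Windows build rather than the XP machine in the thread, and it takes the value name "Update Service" and the bare file name "winu32.exe" from the original post. The audit pass also goes slightly beyond the thread by checking every HKLM/HKCU Run and RunOnce entry for the two traits the posts hint at: an image given as a bare file name rather than a full path, and an image that is missing or carries no valid Authenticode signature.

```powershell
# Added example (not from the thread). Audit autorun entries, then back up and remove one.
# Assumes Windows PowerShell 5.1+ in an elevated prompt; reg.exe is used for the .reg export
# because a .reg file is exactly what "File > Export" in regedit produces and what
# "reg import" restores.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImageToken {
    # First token of a Run command: '"C:\Program Files\x\y.exe" /s' -> C:\Program Files\x\y.exe,
    # 'winu32.exe' -> winu32.exe (a bare name like the one in the post).
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Resolve-ImagePath {
    # Rooted paths are returned as-is; bare names are searched in the Windows directories,
    # which is where the loader would look for them at logon.
    param([string]$Token)
    if ([System.IO.Path]::IsPathRooted($Token)) { return $Token }
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
        $candidate = Join-Path $dir $Token
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $Token   # unresolved; reported as FileMissing below
}

function Get-AutorunReport {
    # One record per autorun value, flagged Suspicious when the image is a bare name,
    # does not exist, or is not validly signed. Review the output; do not auto-delete.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $token  = Get-ImageToken ([string]$p.Value)
            $rooted = [System.IO.Path]::IsPathRooted($token)
            $path   = Resolve-ImagePath $token
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Image      = $path
                Signature  = $sig
                Suspicious = (-not $rooted) -or (-not $exists) -or ("$sig" -ne 'Valid')
            }
        }
    }
}

function Backup-AndRemoveRunValue {
    # Export the whole branch first (the equivalent of regedit's Export on the selected
    # branch), refuse to continue if the export fails, then delete the one named value.
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [Parameter(Mandatory)][string]$ValueName,
        [string]$BackupPath = "$env:TEMP\Run-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    )
    $regKey = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    reg.exe export $regKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $regKey failed; nothing was deleted" }
    $before = (Get-ItemProperty -Path $Key).$ValueName
    Remove-ItemProperty -Path $Key -Name $ValueName -ErrorAction Stop
    Write-Host "Removed '$ValueName' = '$before' from $Key"
    Write-Host "Backup: $BackupPath  (restore with: reg import `"$BackupPath`")"
}

# Usage:
Get-AutorunReport | Where-Object Suspicious | Format-Table Name, Command, Image, Signature -AutoSize
# After reviewing the report, remove the entry from the post:
# Backup-AndRemoveRunValue -ValueName 'Update Service'
```

Re-importing the exported .reg file puts the value back, which answers the "could it be restored later" question without relying on a System Restore point. Deleting the value only stops the program from launching at logon; the file itself (winu32.exe in the post) is still on disk and should be located and handled separately.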