
Error Message - Help..

Status
Not open for further replies.

Juleswc

Technical User
Jan 6, 2004
33
GB
Hi All,

Whenever I load Windows 2000 I get the following error message.

C:\WINNT\SYSTEM32\WHBOY.exe

Anybody know, what, where and how I get rid of this?

ANY advice would be great!

Thanks

Jules
 
Searching with Google gives the description of this trojan: TROJ_LEGMIR.BI.
It modifies the following registry entry to ensure its automatic execution at every Windows logon:

From:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe"

To:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe C:\WINDOWS\System32\whboy.exe"

See the rest of the description here:
----------------------------------------

Everybody has the right to be stupid -- but some people abuse the privilege. (a quote from Stalin - and I am one of the abusers, sometimes...)
----------------------------------------
Experienced in the IT-chaos since 1984...
 
Thanks for the info. It looks like I'll just format the hard drive, and start from scratch...

Cheers

Jules
 
You don't have to.......



Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
suggestions as to how I can get rid of this?
As I would of course prefer not to format the disk...

I've booted in safe mode, and ran Norton Virus...
 
1. Go to Safe Mode
2. Start regedit, and navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Edit the value "Shell" so that it says only:
"Explorer.exe"

3. Delete three files:
\Winnt\bak.exe – this is a copy of the original Trojan.
\Winnt\System32\whboy.exe – this is a copy of the original Trojan.
\Winnt\System32\whboy.txt – this is a .DLL component of the Trojan that is used to run its malicious routines.
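
An added example, not part of the thread or of any poster's instructions: a Python check that reads the text of an exported Winlogon key and reports whether the Shell value is exactly Explorer.exe, which is the state step 2 above restores. The sample export is constructed from the values quoted in the thread; the function names are hypothetical and the AutoRestartShell line is an assumed extra value.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"  # the only data step 2 of the thread allows

# Constructed sample: text of an exported Winlogon key in the infected state
# quoted in the thread. AutoRestartShell is an assumed extra value, included
# to show that non-string data is skipped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\whboy.exe"
'''

_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: string data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = _STRING_VALUE.match(line)
            if m:  # .reg files escape backslash and quote with a backslash
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def check_shell(reg_text):
    """Return (ok, extra). ok is True only when Shell is exactly Explorer.exe;
    extra is whatever else the value would start at logon (None if no Shell)."""
    shell = parse_reg(reg_text).get(WINLOGON.lower(), {}).get("shell")
    if shell is None:
        return False, None
    shell = shell.strip()
    if shell.lower() == EXPECTED_SHELL:
        return True, ""
    if shell.lower().startswith(EXPECTED_SHELL):
        return False, shell[len(EXPECTED_SHELL):].strip(" ,")
    return False, shell

if __name__ == "__main__":
    # Real exports must be decoded first (version 5.00 files are UTF-16).
    print(check_shell(SAMPLE_REG))
```

Running the check again on an export taken after the cleanup confirms that the edit to Shell has held across a reboot.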

 