backdoor.winshell

T Johnston

My anti-virus software found this virus in the help32.exe
file and can't delete it. I tried to find it in the
registry to delete but it does not show up there. Every
time I start my computer a box pops up with something that
ends with cmd.exe. Also, I have been getting this
error: "svchost.exe has generated errors and will be
closed by Windows". Can anyone help me? Thanks!
 
Larry Brasher

Hello,

Try this removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.winshell.50.removal.tool.html

The Backdoor.Winshell.50 Removal Tool does the following:
Terminates the Backdoor.Winshell.50 and Trojan.Stealther.B viral processes.
Deletes the Backdoor.Winshell.50 and Trojan.Stealther.B files.
Deletes the registry values that Backdoor.Winshell.50 and Trojan.Stealther.B added.
Deletes the services created by Backdoor.Winshell.50 and Trojan.Stealther.B.

Check and make sure the following registry values are deleted from the registry:
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"CSRSWIN"="<Original location and file name of the Trojan>"
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
In the right pane, delete the value:
"CSRSX"="<Original location and file name of the Trojan>"
Navigate to the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Delete the registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSX
and:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSX
Exit the Registry Editor.

Larry Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking
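
A read-only PowerShell check for the registry values and service keys listed in the answer above, added here as an example (it is not part of the original post or of the Symantec tool). It assumes a Windows system with PowerShell available; the function name Get-LeftoverEntry is hypothetical, and nothing is deleted.

```powershell
# Added example: reports which of the entries named in the post are still present.
# Read-only; run from an elevated prompt so every key is readable.

# Autostart values from the post (registry key -> value name).
$runValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'CSRSWIN' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'CSRSX' }
)

# Service keys from the post.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\CSRSX',
    'HKLM:\SYSTEM\ControlSet001\Services\CSRSX'
)

function Get-LeftoverEntry {   # hypothetical helper name
    foreach ($v in $runValues) {
        # The key itself may not exist on every Windows version; that counts as clean.
        if (-not (Test-Path -LiteralPath $v.Key)) { continue }
        $key = Get-Item -LiteralPath $v.Key
        # -contains is case-insensitive, matching how the registry treats value names.
        if ($key.GetValueNames() -contains $v.Name) {
            [pscustomobject]@{
                Type = 'Value'; Path = $v.Key; Name = $v.Name
                Data = $key.GetValue($v.Name)      # file the value launches at startup
            }
        }
    }
    foreach ($k in $serviceKeys) {
        if (Test-Path -LiteralPath $k) {
            $key = Get-Item -LiteralPath $k
            [pscustomobject]@{
                Type = 'ServiceKey'; Path = $k; Name = 'CSRSX'
                Data = $key.GetValue('ImagePath')  # binary the service points to, if set
            }
        }
    }
}

$leftovers = @(Get-LeftoverEntry)
if ($leftovers.Count -eq 0) {
    Write-Output 'None of the listed registry entries are present.'
} else {
    # Record the Data column before removing anything: it names the file to quarantine.
    $leftovers | Format-List
    exit 1
}
```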
 
