Editing the Windows registry to undo the work of a virus

I spent most of yesterday battling some nsanti trojan. This little program called jvvo had installed and started messing things up. Well I think I’ve got it all sorted out now, except for one very annoying little problem.

One thing the jvvo did was alter the registry so that I can’t view hidden files and folders (and of course, that’s where it was hiding). Changing the settings doesn’t help, it reverts back immediately.

I found this report of what this virus does:

threatexpert.com/report.aspx … 13342e24cc

The most important part is this:

[quote] Registry Modifications

* The newly created Registry Value is:
      o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
            + jvsoft = "%System%\jvvo.exe"

        so that jvvo.exe runs every time Windows starts 

* The following Registry Value was modified:
      o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
            + CheckedValue = 0x00000000

        so that hidden files and folders are not displayed in explorer when browsing the file system [/quote]

So I know how the registry was modified.

Now what do I need to do to modify it back?

Anyone?

(I tried to just do a system restore, but it wouldn’t restore to an earlier point).

PS XP btw

Brian

Press Start then Run, and type in regedit and press enter

The registry editor will open and you can browse to the location. If you see something in the right pane referring to “jvsoft”, delete it.

In the second case, when you find “Checked Value” in the right pane, right click to edit the value.

Mucking about in the registry is not for the faint hearted and can break your Windows if you’re not careful. You might want to save the part of the registry you’re working on so you can undo your changes.

Brian

As BFM has already mentioned, be very careful when playing with the registry; getting it wrong can seriously screw up your system.

Before you do anything, I would suggest you back up the registry just in case, even if it has the virus setting in it for jvsoft.

For the jvsoft items found by doing a search, assuming no other legit program on your PC might have set them up, just delete them. To restore the value on the second registry item you mention, go to the item, right-click on it and select edit. The value to make it correct should be 1 and the value MUST be hexadecimal; anything else will cause problems.

Best of luck

For the two items you mention

Thanks fellas. Seems to have worked
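
The steps from the replies above (back up, delete the jvsoft Run value, set CheckedValue back to 1) as a command script. This is an added example, not code from anyone in the thread; it assumes the reg.exe that ships with Windows, a command prompt with administrator rights (needed for the HKEY_LOCAL_MACHINE write), and a hypothetical backup folder named regbackup.

```batch
@echo off
setlocal
rem Added example. Key and value names are the ones in the quoted report.
set "RUNKEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
set "SHOWALL=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
rem Assumption: the backup folder name is hypothetical; use any writable path.
set "BACKUP=%USERPROFILE%\regbackup"

rem 1. Back up both keys first, and refuse to overwrite an earlier backup.
if exist "%BACKUP%\run.reg" (
    echo A backup already exists in "%BACKUP%". Move it aside and rerun.
    exit /b 1
)
if not exist "%BACKUP%" mkdir "%BACKUP%"
reg export "%RUNKEY%" "%BACKUP%\run.reg" || goto :fail
reg export "%SHOWALL%" "%BACKUP%\showall.reg" || goto :fail

rem 2. Remove the autorun value only if it is present.
reg query "%RUNKEY%" /v jvsoft >nul 2>&1
if not errorlevel 1 (
    reg delete "%RUNKEY%" /v jvsoft /f || goto :fail
) else (
    echo No jvsoft value found under the Run key.
)

rem 3. Restore CheckedValue to 1. /t REG_DWORD also rewrites the value type,
rem    so a value stored with the wrong type is replaced by a DWORD.
reg add "%SHOWALL%" /v CheckedValue /t REG_DWORD /d 1 /f || goto :fail

rem 4. Print the value so the type and data can be checked by eye.
reg query "%SHOWALL%" /v CheckedValue
exit /b 0

:fail
echo A reg.exe step failed and the script stopped. Backups are in "%BACKUP%".
exit /b 1
```

The exported .reg files can be re-imported with reg import to undo the script; note that doing so also restores the jvsoft entry and the altered CheckedValue.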