Sunday, March 9, 2008

McAfee technical quarry-part 16

Virus (often expanded as "Vital Information Resources Under Siege", but that is a backronym; the word is not an acronym)

Most viruses arrange to be started automatically, either when the computer boots (before anyone logs in) or when a user logs in.

Viruses typically install themselves in the Load Points of Windows.

The main Load Points are the registry autorun keys, the Startup folder and the services list. The System32 and Temp folders are not load points themselves, but they are where the files launched by those entries are usually dropped, so they are checked as part of the same procedure.

Virus entries registered as services (and Winlogon entries) execute when the computer starts, before the user logs in.

Virus entries in the Run keys and in the Startup folder execute after the user logs in; HKEY_LOCAL_MACHINE entries run for every user, HKEY_CURRENT_USER entries only for that user.

The Registry Load Points are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices (honoured by Windows 9x/Me only; Windows 2000/XP ignore this key)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (or another number)

If __NS_Service_ exists , right click on it and choose delete from the menu.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3 (or another number)

If LEGACY___NS_Service_ exists then right click on it and choose delete from the menu.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (each BHO is a subkey named after its CLSID)

HKCR\AppID\

e.g. {01234567-89AB-CDEF-0123-456789ABCDEF} (the CLSID/AppID is always written in braces)

Startup Folder:

C:\Documents and Settings\%user%\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

%user% is the name of the user who is currently logged in; the All Users folder runs for every account.

Here we have to search for the virus entries and delete them.
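The registry keys and Startup folders above are checked one at a time in regedit and Explorer. The script below is an added example, not part of the original post: it enumerates the same load points (Run/RunOnce/RunServices keys, SharedTaskScheduler, Winlogon\Notify, Browser Helper Objects, both Startup folders and the services list) and flags entries whose target is missing, unsigned, or runs from a user-writable directory. The key paths are the standard ones; the flagging rules are this example's own choices, not McAfee's. Run it from an elevated PowerShell on the suspect machine.

```powershell
# Added example: enumerate Windows load points and flag doubtful entries.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',    # Windows 9x/Me only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'   # value name = CLSID
)
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'             # subkeys carry DLLName
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # subkeys named {CLSID}
$StartupDirs   = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Reduce a command line to the image it launches.
function Get-ImagePath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { $c = $c.Split('"')[1] }                                        # "C:\Program Files\x\x.exe" /arg
    elseif (Test-Path -LiteralPath $c -PathType Leaf -ErrorAction SilentlyContinue) { }      # already a plain file path
    elseif ($c -match '^(.+?\.(exe|dll|scr|bat|cmd|com|pif))(\s|$)') { $c = $Matches[1] }     # C:\x\y.exe /arg
    else { $c = $c.Split(' ')[0] }
    if ($c -like '*.lnk') { $c = (New-Object -ComObject WScript.Shell).CreateShortcut($c).TargetPath }
    # A bare file name (usual for Winlogon\Notify DLLs) resolves from System32, as the loader would.
    if ($c -and -not [IO.Path]::IsPathRooted($c)) { $c = Join-Path "$env:SystemRoot\System32" $c }
    return $c
}

# Heuristics of this example: missing target, user-writable location, no valid signature.
# Note: on Windows 8.1 and later Get-AuthenticodeSignature also accepts catalog-signed
# system binaries; on older versions many Microsoft files report NotSigned and must be
# judged by path and vendor instead.
function Test-Suspicious([string]$Path) {
    if (-not $Path) { return 'no image path' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'target missing' }
    $reasons = @()
    foreach ($dir in @([IO.Path]::GetTempPath().TrimEnd('\'), $env:USERPROFILE, $env:ProgramData)) {
        if ($dir -and $Path -like "$dir\*") { $reasons += "user-writable location ($dir)"; break }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return ($reasons -join '; ')
}

function New-Finding($Source, $Name, $Command) {
    $img = Get-ImagePath $Command
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $img; Flags = Test-Suspicious $img }
}

function Get-LoadPoints {
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $cmd = [string]$p.Value
            # In SharedTaskScheduler the value *name* is a CLSID whose DLL is recorded under HKCR.
            if ($k -like '*\SharedTaskScheduler' -and $p.Name -match '^\{[0-9a-f-]+\}$') {
                $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
            New-Finding $k $p.Name $cmd
        }
    }
    foreach ($sub in Get-ChildItem $NotifyKey -ErrorAction SilentlyContinue) {
        New-Finding $NotifyKey $sub.PSChildName (Get-ItemProperty $sub.PSPath).DLLName
    }
    foreach ($sub in Get-ChildItem $BhoKey -ErrorAction SilentlyContinue) {
        $srv = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        New-Finding $BhoKey $sub.PSChildName $srv
    }
    foreach ($d in $StartupDirs) {
        foreach ($f in Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue) { New-Finding $d $f.Name $f.FullName }
    }
    # Services are load points too; the post's __NS_Service_ example lives here.
    foreach ($s in Get-CimInstance Win32_Service) { New-Finding 'Win32_Service' $s.Name $s.PathName }
}

Get-LoadPoints | Where-Object Flags | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Everything that comes out flagged still needs a human decision: "signature NotSigned" on an old XP box is normal for many legitimate programs, while "target missing" is usually a leftover that can simply be deleted.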

Temp folder:

Click Start->Run

Type %temp% and click OK

Delete all files and folders.

System Folder:

C:\Windows\System32

Here we have to search for the virus entries and delete them. Most of the virus files here will give an "Access denied" message when you try to delete them, because the process or DLL associated with the file is still running in the background.

So we need to stop the process in Task Manager and then try to delete the infected file or we have to restart the computer in Safe Mode and delete the file.

Program Files:

Click Start->Run

Type %programfiles% and click OK.

Select the Virus folder and delete it.

e.g: WebSearch

MsConfig Utility:

Click Start->Run

Type msconfig and click OK.

The System Configuration Utility Window will open.

Click on the Startup tab.

Here we can disable programs or services that we do not want to run.

TaskManager:

Click Start->Run

Type taskmgr and click OK.

The Task Manager Window will open.

Use the Processes tab to end a process. If you are not sure what a process is, check which program it belongs to in the System Information tool (msinfo32, below) or look the name up in the process libraries listed under Important Web sites.

MsInfo32:

Click Start->Run

Type msinfo32 and click OK.

The System Information Window will open.

Click on Software Environment.

Then check Running Tasks and Startup Programs

Services Window:

Click Start->Run

Type services.msc and click OK.

The Services Window will open.

We can stop any service temporarily in order to delete an infected file.
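Task Manager and msinfo32 show one process at a time and leave the "is this legitimate?" question to a web lookup. As an added example (not part of the original post), the script below does the same triage for every running process at once: it records the image path and Authenticode status, flags images that run from a user-writable directory or match a watch-list, and lists loaded DLLs that live outside the Windows and Program Files trees, which is how a hook DLL such as winhook.dll or a rogue BHO inside iexplore.exe shows up. The watch-list is seeded with names from the lists later in this post; the flagging rules are this example's own. Run it elevated so that other users' processes are visible.

```powershell
# Added example: scripted version of the Task Manager / msinfo32 "Running Tasks" check.
$WatchList = @('intmon.exe', 'intmonp.exe', 'popuper.exe', 'shnlog.exe', 'winhook.exe', 'wp.exe',
               'zloader3.exe', 'ntsystem.exe', 'cproc.exe', 'drsmartload*.exe', 'retadpu*.exe')
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$UserWritable = @([IO.Path]::GetTempPath().TrimEnd('\'), $env:USERPROFILE, $env:ProgramData) | Where-Object { $_ }

function Test-UnderRoot([string]$Path, [string[]]$Roots) {
    foreach ($r in $Roots) { if ($Path -like "$r\*") { return $true } }
    return $false
}

function Get-ProcessTriage {
    foreach ($p in Get-Process) {
        $path = $null; $sig = $null; $flags = @(); $foreignDlls = @()
        try { $path = $p.Path } catch { }            # protected process or another session
        if ($path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') { $flags += "image signature $($sig.Status)" }
            if (Test-UnderRoot $path $UserWritable) { $flags += 'image in user-writable path' }
            try {
                # The first module is the EXE itself; everything else is a loaded DLL.
                $foreignDlls = @($p.Modules | Select-Object -Skip 1 |
                    Where-Object { -not (Test-UnderRoot $_.FileName $TrustedRoots) } |
                    ForEach-Object FileName)
            } catch { }                               # 32/64-bit mismatch or access denied
            if ($foreignDlls) { $flags += "$($foreignDlls.Count) DLL(s) outside Windows/Program Files" }
        } else {
            $flags += 'path not readable'
        }
        $name = if ($path) { [IO.Path]::GetFileName($path) } else { $p.ProcessName }
        foreach ($w in $WatchList) { if ($name -like $w) { $flags += "watch-list $w"; break } }
        [pscustomobject]@{
            PID         = $p.Id
            Name        = $name
            Path        = $path
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            ForeignDlls = $foreignDlls -join "`n"
            Flags       = $flags -join '; '
        }
    }
}

Get-ProcessTriage | Where-Object Flags | Sort-Object Name |
    Format-Table PID, Name, Flags, Path, ForeignDlls -AutoSize -Wrap
```

A process with no flags is not proven clean, but one that is unsigned, runs from %TEMP% and has pulled a DLL from the user profile into iexplore.exe is exactly what the web lookup would have told you to remove.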

Important Web sites for Virus Removal:

To check whether a process running in the Task Manager belongs to a virus, refer to these two web sites (both front the same ProcessLibrary database):

http://www.processlibrary.com/

http://www.liutilities.com/products/wintaskspro/processlibrary/

---------------------

To check spyware removal instructions and other Windows issues:

http://www.pchell.com/support/

---------------------

Free Virus Removal Tools:

http://us.mcafee.com/virusInfo/default.asp?id=vrt

http://www.bitdefender.com/site/Download/browseFreeRemovalTool/

http://www.microsoft.com/security/malwareremove/default.mspx

www.foundstone.com

---------------------

Important Notes:

NOTE 1: Find out the name of the virus by running a full scan with the antivirus software (McAfee VirusScan) before proceeding with the removal procedure. Once you have the name, search for it on Google to find the files and processes associated with it. It is then easy to identify these files and remove them from the Load Points.

NOTE 2: Whenever we are not able to delete a file or folder, we need to restart the computer in Safe Mode and then try deleting it. In Safe Mode, Windows starts with the minimum set of drivers and software, and it is mainly used for troubleshooting.

1. Restart the computer.

2. When the computer is rebooting, press the F8 key repeatedly.

3. You will get a page with options. Use the arrow keys to select "Safe Mode" and press Enter.

4. The computer will now start in Safe Mode.

NOTE 3: Before proceeding with the Virus Removal steps, we need to disable the System Restore feature of Windows temporarily.

1. Right click on the 'My Computer' and select 'Properties'

2. Click on System Restore tab

3. Check the box next to "Turn Off System Restore on all drives"

4. Click 'Apply' and then click OK.

NOTE 4: Always inform the customer to back up his/her personal data (music, videos, documents) and the registry before proceeding with the virus removal.

NOTE 5: After the virus removal is complete, inform the customer to run McAfee VirusScan and Windows Update regularly and to use SiteAdvisor while surfing the internet.

--------------------------------------------------------------------------

Check and delete the following files in C:\Windows\System32:

bsw.exe
helper.exe
hookdump.exe
intmon.exe
intmonp.exe
msmsgs.exe
msole32.exe
ole32vbs.exe
popuper.exe
shnlog.exe
uninstiu.exe
winhook.exe
winstall.exe
wp.exe
zloader3.exe
drsmartload45a45m.exe
drsmartload46a46m.exe
drsmartload849a849m.exe
drsmartload192a[1].exe
drsmartload45a7i.exe
drsmartload46a7i.exe
drsmartload849a7i.exe
drsmartload.exe
drsmartload45a7h.exe
drsmartload46a7h.exe
drsmartload849a7h.exe
drsmartload46a[1].exe
loader[1].exe
drsmartload45a[1].exe
drsmartload849a[1].exe
drsmartload849a8b5.exe
drsmartload45v.exe
drsmartload46v.exe
drsmartload849v.exe
drsmartload100a[1].exe
drsmartload45a.exe
drsmartload46a.exe
drsmartload849a.exe
drsmartload95a.exe
drsmartload1.exe
MTE3NDI6ODoxNg.exe
ntsystem.exe
cproc.exe
drsmartload44a[1].exe
MTE3NDI6ODoxNgnew.exe
MTE3NDI6ODoxNg[1].exe
drmv2clt.exe
drsmartload815a.exe
retadpu77.exe
arpl.exe
retadpu21.exe
wjiio.exe
retadpu[1].exe
retadpu[2].exe
retadpu.exe
retadpu1000106.exe




Find and Unregister DLL Files:

regsvr32 /u DLLName.dll


wldr.dll
param32.dll
hhk.dll
oleadm.dll
oleadm32.dll
dnr4019qe.dll
oybgrql.dll
atmtd.dll
winetn32.dll
ixt2.dll
tazth.dll
olnohdw.dll
ssqnool.dll
vtursro.dll
oembios32.dll
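The two lists above (files to delete in System32, DLLs to unregister with regsvr32 /u) are long enough that doing them by hand is error-prone, and the earlier sections already explain why the delete fails: the file is held by a running process. The script below is an added example, not part of the original post, that drives those steps from a list of names. For each name it searches System32, the Windows directory and %TEMP%; stops any process that has the file loaded (as its image, or as a module); runs regsvr32 /u /s on DLLs; clears the Read-only, Hidden and System attributes (the post's ATTRIB -r -s step); and deletes the file, reporting anything that is still locked so it can be removed from Safe Mode. The sample list at the bottom is a subset of the names on this page. Run it elevated, and with -WhatIf first.

```powershell
# Added example: find, unregister and delete the listed files, stopping whatever holds them.
function Get-HoldingProcess([string]$Path) {
    # Processes whose image is $Path, or that have $Path loaded as a module.
    foreach ($p in Get-Process) {
        try {
            if ($p.Path -ieq $Path) { $p; continue }
            if (@($p.Modules | ForEach-Object FileName) -contains $Path) { $p }
        } catch { }   # protected process, or 32/64-bit mismatch: module list not readable
    }
}

function Remove-MalwareFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Name,
        [string[]]$SearchDirs = @("$env:SystemRoot\System32", $env:SystemRoot, $env:TEMP)
    )
    process {
        foreach ($dir in ($SearchDirs | Where-Object { $_ })) {
            $path = Join-Path $dir $Name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path -Force
            Write-Verbose ("{0}  {1} bytes  modified {2}" -f $path, $item.Length, $item.LastWriteTime)

            foreach ($proc in Get-HoldingProcess $path) {
                if ($PSCmdlet.ShouldProcess("$($proc.ProcessName) (PID $($proc.Id))", "Stop process holding $Name")) {
                    Stop-Process -Id $proc.Id -Force
                    $proc.WaitForExit(5000) | Out-Null
                }
            }
            if ($item.Extension -ieq '.dll' -and $PSCmdlet.ShouldProcess($path, 'regsvr32 /u /s')) {
                # /u unregisters, /s suppresses the dialog. Exit code 0: DllUnregisterServer ran;
                # non-zero usually means the DLL never exported one, which does not block the delete.
                $rc = (Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$path`"" -Wait -PassThru).ExitCode
                Write-Verbose "regsvr32 /u exit code $rc"
            }
            if ($PSCmdlet.ShouldProcess($path, 'Clear attributes and delete')) {
                $item.Attributes = 'Normal'           # same effect as ATTRIB -r -s -h
                try {
                    Remove-Item -LiteralPath $path -Force -ErrorAction Stop
                    Write-Verbose "deleted $path"
                } catch {
                    Write-Warning "$path is still locked ($($_.Exception.Message)); delete it from Safe Mode"
                }
            }
        }
    }
}

# Sample input: a few names taken from the lists on this page.
'bsw.exe', 'intmon.exe', 'popuper.exe', 'winhook.exe', 'wldr.dll', 'oleadm32.dll', 'hhk.dll' |
    Remove-MalwareFile -Verbose -WhatIf
```

Drop -WhatIf once the -Verbose output shows only the files you expect. A DLL that is mapped into a process you cannot stop (Explorer, or a service) will still report "locked"; that is the case the post's Safe Mode note covers.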



Find and Remove registry values:

The bare CLSIDs (GUIDs in braces) in this list were given without a key path; locate them with Edit -> Find in regedit and delete the key or value that references them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmessenger
{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant = [siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\(Default) = [siteaddress]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetupdate
{D5BC2651-6A61-4542-BF7D-84D42228772C}
{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\decorin
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{64ba30a2-811a-4597-b0af-d551128be340}
{5839511e-ec1b-4f91-ace3-fb88e52f5239}
WMuse
{ed39ecef-902e-4ed1-8434-71e8db89e5ca}
{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}
{64ba30a2-811a-4597-b0af-d551128be340}
Microsoft\drsmartload2
{19452E5B-963F-4886-766D-0526284B6F61}
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\incestuously
{03413bf7-e34c-445b-bfc0-a2b127255871}
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f31aee4a-1530-4fef-8537-79c6973bff9a}
{f31aee4a-1530-4fef-8537-79c6973bff9a}
{dfa61db1-388e-4c87-8d56-540fa229bcb4}
SOFTWARE\Policies\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{5f938c17-fbc7-4a3c-8526-85e5b1a1f762}
{5f938c17-fbc7-4a3c-8526-85e5b1a1f762}
{27321538-5739-4aa1-b84c-7d18e4383f1f}
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\instcat
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b292ec9f-a074-4115-8342-1f459702d8d2}
{b292ec9f-a074-4115-8342-1f459702d8d2}
{FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F}
MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\ssqnool
MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vtursro
{0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B}
{AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236}
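The registry entries above are normally removed one by one in regedit, which gives no record of what was there. The script below is an added example, not part of the original post: it removes a representative set of the listed values and keys with PowerShell, exporting each parent key to a .reg file first so the change can be undone with "reg import" (the registry backup NOTE 4 asks for). The names are taken from the list; a CLSID is removed from every place it can be registered (HKCR\CLSID, HKCR\AppID, the Browser Helper Objects key and SharedTaskScheduler). $RogueSite is a placeholder for the [siteaddress] the list leaves blank, and the Internet Explorer values are only removed when their data actually points at it. Run elevated, and with -WhatIf first.

```powershell
# Added example: remove the listed registry values/keys with a .reg backup of each parent key.
$RogueSite = 'example.invalid'    # assumption: replace with the hijack URL from the scan report
$BackupDir = Join-Path $env:USERPROFILE ("Desktop\regbackup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-Key([string]$Key) {
    # reg.exe takes HKLM\..., not the provider form HKLM:\...
    $regPath = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\' -replace '^Registry::', ''
    $file = Join-Path $BackupDir (($regPath -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
}

function Remove-RegValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name,
          [string]$OnlyIfDataMatches)     # optional: act only when the data contains this text
    if (-not (Test-Path $Key)) { return }
    $props = Get-ItemProperty -Path $Key
    if ($props.PSObject.Properties.Name -notcontains $Name) { return }
    $data = [string]$props.$Name
    if ($OnlyIfDataMatches -and $data -notlike "*$OnlyIfDataMatches*") { return }
    if ($PSCmdlet.ShouldProcess("$Key\$Name = $data", 'Remove value')) {
        Backup-Key $Key
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

function Remove-RegKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path $Key)) { return }
    if ($PSCmdlet.ShouldProcess($Key, 'Remove key and subkeys')) {
        Backup-Key $Key
        Remove-Item -Path $Key -Recurse -Force
    }
}

# A CLSID from the list may be registered in several places; clear all of them.
function Remove-Clsid([string]$Guid) {
    foreach ($k in @("Registry::HKEY_CLASSES_ROOT\CLSID\$Guid", "Registry::HKEY_CLASSES_ROOT\AppID\$Guid",
                     "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Guid")) {
        Remove-RegKey $k
    }
    Remove-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' $Guid
}

$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($n in 'WindowsFY', 'WindowsFZ', 'msnmessenger') { Remove-RegValue $run $n }

$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
foreach ($n in 'decorin', 'incestuously') { Remove-RegValue $sts $n }

Remove-RegKey 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetupdate'
Remove-RegKey 'HKLM:\SOFTWARE\Microsoft\drsmartload2'
Remove-RegKey 'HKLM:\SOFTWARE\Policies\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}'
foreach ($n in 'instcat', 'ssqnool', 'vtursro') {
    Remove-RegKey "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$n"
}
foreach ($g in '{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}', '{64ba30a2-811a-4597-b0af-d551128be340}',
               '{f31aee4a-1530-4fef-8537-79c6973bff9a}', '{5f938c17-fbc7-4a3c-8526-85e5b1a1f762}',
               '{b292ec9f-a074-4115-8342-1f459702d8d2}', '{D5BC2651-6A61-4542-BF7D-84D42228772C}') { Remove-Clsid $g }

# IE hijack values: remove them only when they really point at the rogue site. With the
# HKCU value gone, IE falls back to the machine-wide value under
# HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main, so check that key the same way.
$ie = 'HKCU:\Software\Microsoft\Internet Explorer'
foreach ($n in 'Default_Page_URL', 'Default_Search_URL', 'Search Bar', 'Search Page', 'Local Page', 'Start Page') {
    Remove-RegValue "$ie\Main" $n -OnlyIfDataMatches $RogueSite
}
foreach ($n in 'CustomizeSearch', 'SearchAssistant') { Remove-RegValue "$ie\Search" $n -OnlyIfDataMatches $RogueSite }
Remove-RegValue "$ie\SearchURL" '(default)' -OnlyIfDataMatches $RogueSite
```

The .reg files land on the desktop in a time-stamped folder; if a legitimate program stops working afterwards, double-clicking the matching file puts that key back exactly as it was.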



Find and Delete the following files in Start->Search:


bsw.exe
helper.exe
hookdump.exe
intmon.exe
intmonp.exe
msmsgs.exe
msole32.exe
ole32vbs.exe
popuper.exe
wldr.dll
param32.dll
hhk.dll
oleadm.dll
oleadm32.dll
shnlog.exe
uninstiu.exe
winhook.exe
winstall.exe
wp.exe
zloader3.exe
hp[X].tmp
perfcii.ini
sites.ini
wp.bmp
drsmartload45a45m.exe
drsmartload46a46m.exe
drsmartload849a849m.exe
drsmartload192a[1].exe
dnr4019qe.dll
drsmartload45a7i.exe
drsmartload46a7i.exe
drsmartload849a7i.exe
drsmartload.exe
drsmartload45a7h.exe
drsmartload46a7h.exe
drsmartload849a7h.exe
drsmartload46a[1].exe
loader[1].exe
drsmartload45a[1].exe
drsmartload849a[1].exe
drsmartload849a8b5.exe
oybgrql.dll
drsmartload45v.exe
drsmartload46v.exe
drsmartload849v.exe
drsmartload100a[1].exe
atmtd.dll._
atmtd.dll
drsmartload45a.exe
drsmartload46a.exe
drsmartload849a.exe
drsmartload95a.exe
drsmartload1.exe
MTE3NDI6ODoxNg.exe
drsmartload2.dat
gwiz
ntsystem.exe
cprocsvc
cproc.exe
winetn32.dll
ixt2.dll
tazth.dll
drsmartload44a[1].exe
MTE3NDI6ODoxNgnew.exe
MTE3NDI6ODoxNg[1].exe
drmv2clt.exe
drsmartload815a.exe
olnohdw.dll
runner1
retadpu77.exe
arpl.exe
ssqnool.dll
retadpu21.exe
vtursro.dll
wjiio.exe
retadpu[1].exe
retadpu[2].exe
retadpu.exe
retadpu1000106.exe
oembios32.dll

Check the Attributes on the WIN.INI and SYSTEM.INI Files

1. Click on the Start button.

2. Highlight Find then click on Files or Folders. The Find Files dialog box will then appear.

3. In the Named field type in WIN.INI.

4. In the Look In field type in C:\WINDOWS

5. Click the Find Now button. The computer will then search for the WIN.INI file. When it is found, the file will be displayed towards the bottom of the dialog box.

When the search is finished, right-click on the small icon to the left of the file's name. A pop-up menu will appear.

6. Left-click on Properties. The Properties dialog box will then appear.

7. Make sure the Read-only checkbox located at the bottom is not checked. If it is checked, remove the check mark.

8. Click the Apply button, followed by the OK button.

9. Repeat steps 3 - 8, substituting SYSTEM.INI for WIN.INI.

Once you have removed the Read-only attribute from the WIN.INI and SYSTEM.INI files, close the Find Files dialog box by clicking the X in the top right corner.

Remove Trojan References from the WIN.INI and SYSTEM.INI Files

1. Click on the Start button then click on Run.

2. Type in SYSEDIT then click OK. The System Configuration Editor will then appear with several windows opening on your screen.

3. Close the autoexec.bat and config.sys windows. You will then be at the C:\WINDOWS\WIN.INI window.

Locate the line that begins with 'load='. Place a semicolon (;) in front of the line so that it reads:
;load= (other text may remain here) Write this line down. You will be using this information later.
Note: Many Trojans are able to load using this load= line when they infect a computer. This line is also used occasionally by legitimate programs. Inserting a semicolon will prevent Trojan files from loading, but it may also disable functions of other programs (if they load from this line). After completing this process, if you notice that a normal program will not load, contact the manufacturer of that program to find out if an entry for their program should be placed in the load= line.

Locate the line that begins with 'run='. Place a semicolon (;) in front of the line so that it reads:
;run= (other text may remain here) Write this line down also. You will be using this information later.

4. Close the C:\WINDOWS\WIN.INI window. You will be asked if you wish to save changes. Answer Yes. The C:\WINDOWS\SYSTEM.INI window will then be on top.

Locate the line that begins with 'shell=explorer.exe'.

If there is anything written after 'shell=explorer.exe', write it down (usually something like: Winsyst.exe). 'Winsyst.exe' is the name of a Trojan. After you have written it down, erase everything written after 'shell=explorer.exe' on that line. (Be absolutely sure you leave 'shell=explorer.exe' and the subsequent lines intact.)

5. Close the C:\WINDOWS\SYSTEM.INI window by clicking the X in the top right corner. You will be asked if you wish to save changes. Answer Yes.

6. Close the remaining windows until you are back on the desktop.
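The SYSEDIT procedure above belongs to Windows 9x. On the NT family (2000, XP and later) the same three hooks still exist but moved: the shell= line became the Shell value under the Winlogon key (with Userinit as the program that runs before the shell), and the [windows] load= and run= lines of win.ini are mapped into the Load and Run values under the Windows NT\CurrentVersion\Windows key. The script below is an added example, not part of the original post, that checks the file and all of those registry locations against Microsoft's default values and reports anything else, so it can be written down before it is changed, exactly as the post advises for the .ini lines.

```powershell
# Added example: NT-family equivalent of the WIN.INI / SYSTEM.INI load=, run= and shell= check.
function Get-ShellLoadPointReport {
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','   # the trailing comma is normal
    }

    # 1. win.ini [windows] section: load= and run= should be empty.
    $ini = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path -LiteralPath $ini) {
        $section = ''
        foreach ($line in Get-Content -LiteralPath $ini) {
            if ($line -match '^\s*\[(.+?)\]') { $section = $Matches[1]; continue }
            if ($section -ieq 'windows' -and $line -match '^\s*(load|run)\s*=\s*(\S.*)$') {
                [pscustomobject]@{ Where = 'win.ini [windows]'; Name = $Matches[1]; Value = $Matches[2].Trim(); Expected = '(empty)' }
            }
        }
    }

    # 2. Registry mappings of load=/run=, machine-wide and per-user.
    foreach ($hive in 'HKLM', 'HKCU') {
        $k = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        foreach ($n in 'Load', 'Run') {
            if ($props -and $props.$n) {
                [pscustomobject]@{ Where = $k; Name = $n; Value = $props.$n; Expected = '(empty)' }
            }
        }
    }

    # 3. shell= successor: Shell and Userinit under Winlogon.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $wl
    foreach ($n in $expected.Keys) {
        $actual = [string]$props.$n
        if ($actual -ine $expected[$n]) {
            [pscustomobject]@{ Where = $wl; Name = $n; Value = $actual; Expected = $expected[$n] }
        }
    }
    # A per-user Shell overrides the machine value and is rarely legitimate.
    $userShell = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
    if ($userShell) {
        [pscustomobject]@{ Where = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = $userShell; Expected = '(absent)' }
    }
}

$report = @(Get-ShellLoadPointReport)
if ($report.Count) { $report | Format-Table -AutoSize -Wrap }
else { 'load=, run=, Shell and Userinit are at their defaults.' }

# After writing the old value down, put Shell back with:
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value 'explorer.exe'
```

A Shell value such as "explorer.exe, C:\Windows\System32\winsyst.exe" is the modern form of the SYSTEM.INI hijack the post describes: the second program is started alongside Explorer at every logon, and its path tells you which file to remove next.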

Delete the Trojan Files

For further disinfection, remove the Trojan files by doing the following:

1. Click on the Start button.

2. Highlight Find then click on Files or Folders. The Find Files dialog box will then appear.

3. Type in the name of the Trojan file in the Named field. The name of the Trojan file can be found in the information you wrote down.
Note: To determine the name of the Trojan file, refer to the load=, run= and shell= lines you wrote down in the previous section. Entries in the load= and run= lines are paths that point to a specific file and tell it to run. Determine each complete path on the load= line and the run= line (ex. C:\windows\pkg3243.exe). A path normally begins with a root directory (i.e. C:\) and ends with a particular file to run (i.e. pkg3243.exe). Generally, the portion that follows the last backslash, 'pkg3243.exe', is the file, and the portion before the last backslash, 'C:\windows', is the location (or path) to that file.

Make sure the C: drive is selected in the Look In field so the entire C: drive will be searched.

4. Click the Find Now button. The computer will then search for the file. When it is found, the file will be displayed towards the bottom of the dialog box.

When the search is finished, right-click on the small icon to the left of the file's name. A pop-up menu will appear.

5. Left-click on Delete to delete the file. Answer Yes to any prompts asking if you are sure.
Note: If you are unable to delete the file, write down the location of the file (specified under the In Folder column), then see the Deleting Files in MS-DOS section below.

Deleting Files in MS-DOS

If you were unable to delete the virus or Trojan files in Windows, you should be able to delete them in MS-DOS. Deleting a file in MS-DOS requires restarting the computer in MS-DOS mode and then typing in the DOS commands to navigate to the location of the file and then delete the file.
Note: Trojan files are most commonly located in the C:\Windows or C:\Windows\System directories. The list of Trojan files above tells you the location of the most common ones.

For example, if you had a file named WN32SYS.EXE in the C:\Windows\System directory that you were unable to delete in Windows, you would do the following to delete the file in MS-DOS:

· Click on the Start button then click on Shut Down.

· Select "Restart the computer in MS-DOS mode" then click OK or Yes. The computer will then restart in MS-DOS mode. You will be left at a screen with a black background. The last line of the screen will say C:\Windows> followed by a blinking cursor. This specifies that you are currently in the C:\Windows directory.

· To change to the C:\Windows\System directory you would type the following: CD SYSTEM (followed by the Enter key on the keyboard). The last line on the screen would then change to C:\Windows\System> specifying that you are now in the C:\Windows\System directory.

· Some Trojan files are marked read-only or system. It is good practice to remove these attributes from the Trojan file before deleting it. To remove the attributes of the WN32SYS.EXE file you would type the following: ATTRIB -r -s WN32SYS.EXE (followed by the Enter key on the keyboard). The last line on the screen will then remain at C:\Windows\System> specifying you are still in the C:\Windows\System directory.

· To delete the WN32SYS.EXE file you would then type the following: DEL WN32SYS.EXE (followed by the Enter key on the keyboard). The last line on the screen will then remain at C:\Windows\System> specifying you are still in the C:\Windows\System directory.

· To return to Windows, you would type the word EXIT followed by pressing the Enter key on the keyboard. The computer will then return to Windows.

The above example can be used to delete Trojan virus files in MS-DOS.

--------------------------------------------------------------------------------
