Monday, August 11, 2008

Remove ANY virus manually

If viruses infect a system, most usually, the following happen:

1. The virus arranges to start itself automatically every time the machine boots, because it cannot count on the user being careless enough to click that link/exe a second time.

2. The virus will do all it can to avoid being removed from the computer.

3. Every virus/program will have a process associated with it.


I am assuming the worst hit machine here, that is, the following things are already blocked:

Task-Manager(ALT+CTRL+DEL)
Run
Regedit
msconfig(Startup)
Folder Options
Hidden files (not working properly)
Control Panel
No Drives
*Autoruns (Explained specifically at the end)


So, to get started, we will first need the following free software (even trial versions are fine):
Click here to download Tune-Up Utilities

Click here to download an Unlocker

Install both of them and start Tune-Up. It should look something like this:

Now, select the TuneUp StartUp Manager and look for the startups:



From this screen, make a note of all those startup items labeled "Unknown" but still checked (enabled).
Right-click on each of them and click on Properties.
This screen gives you the location of the startup item, that is, the file it was launched from. Note down all those startup entries and their locations.

Now, navigate to each of these files and right-click. You will find an option called "Unlocker". This is the tool that finds out which process is holding the exe open. It will report some "handles" if the file is indeed locked. Select each handle and click on "Unlock", after noting down the process name in the list that you are maintaining. If Unlocker does not show any handles, it's as simple as SHIFT+DEL: delete the file immediately (the file will mostly be in the WINDOWS folder or WINDOWS\system32).

Make sure the file that you are about to delete is indeed malicious.
Google the name of the suspected exe and look at the results. If Google also lists it as malicious, then you have got it right. Otherwise, move on to the next exe.
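The StartUp Manager step above is, in effect, a listing of the Run/RunOnce registry keys plus a guess at which entries are unknown. The following PowerShell script is an added example (not part of the original post, and not a TuneUp or Unlocker feature) that does the same listing from the console and adds a check the post does not have: whether the launched file exists and carries a valid Authenticode signature. An unsigned or missing file in a Run key is exactly the kind of entry worth noting down. The script only reads; the key list and the helper function names are my own.

```powershell
# Added example: list Run/RunOnce autostart entries, resolve each command line
# to its executable, and report file presence and signature status. Read-only.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-StartupExe {
    # Turn a Run-key command line into the path of the program it launches.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        # "C:\path with spaces\foo.exe" /arg  -> keep the quoted part only
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        # C:\path\foo.exe /arg -> cut after the first executable-looking token
        $m = [regex]::Match($cmd, '^(.*?\.(exe|com|bat|cmd|scr|vbs|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $cmd = $m.Groups[1].Value }
    }
    if (-not [IO.Path]::IsPathRooted($cmd)) {
        # Bare names such as rundll32.exe resolve through PATH, as the loader would
        $found = Get-Command $cmd -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found -and $found.Path) { $cmd = $found.Path }
    }
    return $cmd
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        $exe = Resolve-StartupExe $value
        $exists = Test-Path -LiteralPath $exe
        # Status is Valid, NotSigned, HashMismatch, ... or MISSING if the file is gone
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MISSING' }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $value
            Executable = $exe
            Signature  = $sig
        }
    }
}

# Unsigned and missing entries sort to the top, which is where to start looking.
$report | Sort-Object Signature | Format-Table -AutoSize
```

Entries showing NotSigned or MISSING are the ones to carry into the Unlocker and registry steps; a Valid signature from a vendor you recognise is a reasonable reason to leave an "Unknown" entry alone. This covers only the Run/RunOnce keys; services, scheduled tasks and the Startup folder are other autostart locations the post's tool also lists.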

Now, go back to the first screen, click on "Administer Control" and then TuneUp Registry Editor. This will open up the registry application, which will look like this:

Now, from the menu bar, click on Search and enter the name of the first exe file that you noted down from the start-up entry details. It should look like this:



Now, the most important part:
Make sure the file that you are about to delete is indeed malicious.
Google the name of the suspected exe and look at the results. If Google also lists it as malicious, then you have got it right. Otherwise, move on to the next exe. Once confirmed, navigate to each entry the search finds and delete it if it is listed as a value (simply select the value in which the name appears and press Delete). Be careful not to delete keys, only values (in the registry editor the left pane shows keys and the right pane lists the values of the selected key).
Be very careful while doing this.
Repeat the search to make sure that the entries are indeed gone.
Do this carefully for every confirmed virus exe file.

At this point of time, you should be free of viruses.


Now, the next part: reverting the changes made by the virus.

Going back to the initial assumption that many things were blocked, we again open up the TuneUp Registry Editor. Here, we browse to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
There will be values for this key in the right pane. You might see values like these:

(Default Value) (Value not set)

DisableTaskMgr 0x00000001

DisableRegistryTools 0x00000001

and many more, depending on your infection. Now delete all of these by selecting each one and pressing DEL. Then restart explorer.exe from the Task Manager (CTRL+ALT+DEL).
That's right: your Task Manager should work now if you have followed all the steps correctly.
Find explorer.exe, right-click it and select "End Process".
Then go to File > New Task (Run...) and type explorer.exe (without quotes).
Your desktop and task bar will disappear until explorer.exe is started again.
If you get stuck here, just log off and log in again.

Now, navigate to these paths in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN

Change the CheckedValue to 2
Change the DefaultValue to 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Change the CheckedValue to 1
Change the DefaultValue to 2


This will fix the hidden-files problem.
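The two registry repairs above (removing the Policies\System lockout values and resetting the Hidden folder values) are easy to script once the registry editor is usable again. The following PowerShell function is an added example, not part of the original post or of TuneUp: it audits and reverts those values, and runs as a dry run with -WhatIf so you can see what would change first. It goes a little beyond the post: it also checks the HKLM copy of Policies\System and the Policies\Explorer values (NoRun, NoControlPanel, NoFolderOptions, NoDrives) that correspond to the other blocked items in the post's list. Those value names and the function name are my additions; the target numbers for NOHIDDEN and SHOWALL are the ones the post gives.

```powershell
# Added example: audit and revert the lockout policies and hidden-file settings
# described in the post. Run from an elevated PowerShell. -WhatIf reports only.
function Repair-ExplorerLockout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Policy values that disable a tool when set. The post names the two under
    # Policies\System; the Policies\Explorer names are added here for the other
    # blocked items in the post's list (Run, Control Panel, Folder Options, drives).
    $lockouts = @{
        'Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
        'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun', 'NoControlPanel', 'NoFolderOptions', 'NoDrives')
    }
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($rel in $lockouts.Keys) {
            $key = "$hive\$rel"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item -Path $key
            foreach ($name in $lockouts[$rel]) {
                if ($item.GetValueNames() -contains $name) {
                    Write-Host "$key\$name is set to $($item.GetValue($name))"
                    if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
                        Remove-ItemProperty -Path $key -Name $name
                    }
                }
            }
        }
    }

    # Hidden-file settings exactly as the post gives them: NOHIDDEN 2/2, SHOWALL 1/2.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
    $expected = @{
        'NOHIDDEN' = @{ CheckedValue = 2; DefaultValue = 2 }
        'SHOWALL'  = @{ CheckedValue = 1; DefaultValue = 2 }
    }
    foreach ($sub in $expected.Keys) {
        $key = "$base\$sub"
        if (-not (Test-Path $key)) { Write-Warning "$key is missing"; continue }
        $item = Get-Item -Path $key
        foreach ($valName in $expected[$sub].Keys) {
            $want = $expected[$sub][$valName]
            $have = $item.GetValue($valName)
            if ($have -ne $want) {
                Write-Host "$key\$valName is $have, expected $want"
                if ($PSCmdlet.ShouldProcess("$key\$valName", "Set to $want")) {
                    Set-ItemProperty -Path $key -Name $valName -Value $want -Type DWord
                }
            }
        }
    }
}

Repair-ExplorerLockout -WhatIf   # dry run; drop -WhatIf to apply the changes
```

After applying, restart explorer.exe (or log off and back on) as the post describes so Explorer picks up the new settings. If a value keeps coming back after you remove it, the process re-creating it is still running, which means the startup and Unlocker steps above are not finished yet.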


Now, the final "autorun" problem:
First open up Notepad.
Now, click on File > Open.
Type "autorun.inf" in the file name box and select any drive. Notepad will show something like this:

[AutoRun]
open=blasterrrr.bat
;shell\open=Open(&O)
shell\open\Command=blasterrrr.bat
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=blasterrrr.bat

Here, we notice that one particular file (usually a .BAT, .CMD, .COM or plain .EXE file) is repeated throughout. Now close Notepad, open a command prompt and go to any drive, say C:\

C:\> del /F /a autorun.inf
C:\> del /F /a blasterrrr.bat
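The Notepad check above has to be repeated for every drive, and the thing to look for is simply which program the open= and shell\...\Command= lines point at. The following PowerShell script is an added example, not from the original post: it reads autorun.inf from the root of every drive letter, parses those launch lines the same way (ignoring ; comments and the [AutoRun] header), reports how often each target is referenced, and only deletes the file and the autorun.inf when run without -WhatIf. The function names are mine. It also recognises the shellexecute= key, which the post's sample does not use but which serves the same launch purpose.

```powershell
# Added example: find autorun.inf files on every drive, list the programs they
# would launch, and remove them only when -WhatIf is dropped.
function Get-AutorunTargets {
    # Parse autorun.inf lines and return the program named by each launch key.
    param([string[]]$Lines)
    $targets = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Skip blanks, ; comments and the [AutoRun] section header
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('[')) { continue }
        $eq = $line.IndexOf('=')
        if ($eq -lt 0) { continue }
        $key = $line.Substring(0, $eq).Trim()
        $val = $line.Substring($eq + 1).Trim()
        # Launch keys: open=, shellexecute=, and shell\<verb>\command=
        if ($key -ieq 'open' -or $key -ieq 'shellexecute' -or $key -imatch '^shell\\.+\\command$') {
            # The first token is the program; anything after it is arguments
            $prog = ($val -split '\s+')[0].Trim('"')
            if ($prog) { $targets += $prog }
        }
    }
    return $targets
}

function Find-AutorunInfections {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($d in $drives) {
        $inf = Join-Path $d.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force reads the file even when it is hidden or system, as these usually are
        $lines = Get-Content -LiteralPath $inf -Force
        $counts = Get-AutorunTargets -Lines $lines | Group-Object | Sort-Object Count -Descending
        Write-Host "$inf references:"
        $counts | ForEach-Object { Write-Host ("  {0,2}x {1}" -f $_.Count, $_.Name) }
        # Delete each referenced file from the drive root, then the autorun.inf itself
        foreach ($t in ($counts | Select-Object -ExpandProperty Name)) {
            $file = Join-Path $d.Root $t
            if ((Test-Path -LiteralPath $file) -and $PSCmdlet.ShouldProcess($file, 'Delete launched file')) {
                Remove-Item -LiteralPath $file -Force
            }
        }
        if ($PSCmdlet.ShouldProcess($inf, 'Delete autorun.inf')) {
            Remove-Item -LiteralPath $inf -Force
        }
    }
}

Find-AutorunInfections -WhatIf   # report only; drop -WhatIf to remove the files
```

Run it with -WhatIf first and compare the reported targets against what you saw in Notepad and in the startup list; the same file name turning up in both places is the confirmation the post asks for before deleting. Current Windows versions no longer honour autorun.inf on fixed and USB drives by default, but the file is still a reliable sign that something wrote itself to the drive root.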

Now, again, restart your explorer.exe (or simply log in again). Be sure not to double-click the drives in the meantime.


Done!
