
Removing General Viruses Including Autorun.inf


Today's post tells you how to remove a general virus, one that also includes an Autorun.inf file. This tutorial was made by The 7th Sage, so full credit goes to him.

I have also written some good posts on removing viruses; I think you will like those too, so the post links are given below...




So let's start the present post.

Many people get infected by such viruses daily, on XP, Vista etc. I concluded that Vista is safe from any threats; however, I soon realized that my sister's laptop, which is currently running Vista, is infected by a malware.

We shall take sal.xls.exe, which infected my sister's laptop, as our sample virus.

Like most viruses, when it infects, it first creates an autorun file (autorun.inf) in the C drive which points to sal.xls.exe. When you boot up the next time, sal.xls.exe is executed, and it actually creates one trouble and a few additional files. The only trouble it creates is the inability for you to view hidden files: when you enable viewing of hidden files from Folder Options, it rolls back to "Do not show hidden files". This is the only trouble, and it is not harmful.

The additional files created as spoofs are:
algssl.exe
msfir80.exe (Is a trojan)
msime80.exe (Is a trojan)


Even with autorun.inf resting comfortably on my C drive, I could still execute explorer from My Computer, but from the Windows Task Manager.






"Form1" is created by the process of algssl.exe.




Then I checked out 'msconfig' and found that..





So, the next thing to do was to remove all these files.

Take note that Windows Defender doesn't help in this case; one of the reasons is that Windows Defender couldn't scan for hidden files (because the damage done to the laptop is to corrupt the feature for viewing hidden files).


Follow these steps to remove the files and autorun.inf.

1) The first thing you have to do is to terminate the process of algssl.exe using Task Manager. This is very important. Otherwise, the process of algssl.exe will interrupt the following steps, especially step 3.

2) The second thing you need to do is to get rid of the autorun.inf file in the C drive and all other drives. The most effective way to do this is shown in this video. The content of autorun.inf looks like this..






3) Then, proceed to fix the hidden-files viewing problem. This has to be done via regedit.
Click Start/Run, type regedit, then press OK.

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Now right-click on, and delete, the value "CheckedValue" in the right-hand window.

Now create a new "DWORD Value" called exactly "CheckedValue" in the right-hand window.
Double-click on "CheckedValue".
In the 'Edit DWORD Value' box that opens, set the 'Value data:' to 1.

Press OK, exit regedit, and restart your PC. Thanks to this link.

4) After the restart, enable viewing of hidden files and also enable viewing of protected operating system files. Then use the Windows search utility to search for the following files (if they are found) and delete them:
msfir80.exe (would be found in c:\windows\system32)
msime80.exe (would be found in c:\windows\system32)
algssl.exe - you have to go to Task Manager to terminate the process first.
sal.xls.exe
tel.xls.exe

5) Then fix the startup settings. You can get this done with regedit or msconfig or both.
regedit:
Look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and delete the entries for both msfir80.exe and msime80.exe.

msconfig:
Disable the entries under msconfig/startup.


6) Done, restart your machine.
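The manual steps above gathered into one PowerShell script. This is an added example, not part of The 7th Sage's tutorial; it assumes the process, file and registry names the tutorial gives, assumes the dropped files sit in System32, the Windows folder or the root of C:, and must be run from an elevated prompt (pass -Preview to see what it would change without touching anything).

```powershell
# Added example: collects the tutorial's manual steps into one script. Run from an
# elevated PowerShell prompt; -Preview shows what would change without touching anything.
param([switch]$Preview)
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$runKeys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$badNames = @('algssl.exe', 'msfir80.exe', 'msime80.exe', 'sal.xls.exe', 'tel.xls.exe')
# Step 1: stop algssl.exe first, otherwise it interferes with the cleanup.
Get-Process -Name 'algssl' -ErrorAction SilentlyContinue | Stop-Process -Force -WhatIf:$Preview
# Step 2: autorun.inf in the root of every drive; print what it launches, then remove it.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Host "autorun.inf on $($drive.Root):"
        Get-Content -LiteralPath $inf -Force | Where-Object { $_ -match '^\s*(open|shellexecute)' } | Write-Host
        (Get-Item -LiteralPath $inf -Force).Attributes = 'Normal'   # clear hidden/system/read-only
        Remove-Item -LiteralPath $inf -Force -WhatIf:$Preview
    }
}
# Step 3: the malware keeps flipping "show hidden files" off; put CheckedValue back to 1.
# Set-ItemProperty recreates the value if the tutorial's delete step left it missing.
$cur = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($cur -ne 1) {
    Write-Host "SHOWALL\CheckedValue is '$cur', setting it to 1"
    Set-ItemProperty -Path $showAll -Name CheckedValue -Type DWord -Value 1 -WhatIf:$Preview
}
# Step 4: delete the dropped files. Assumed locations: System32, the Windows folder and C:\
# (the tutorial only confirms System32 for msfir80.exe and msime80.exe).
foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot, 'C:\')) {
    foreach ($name in $badNames) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) {
            (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $p -Force -WhatIf:$Preview
        }
    }
}
# Step 5: remove Run entries whose command references any of the dropped files.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ($badNames | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }) {
            Write-Host "Removing Run entry $($p.Name) = $($p.Value) from $key"
            Remove-ItemProperty -Path $key -Name $p.Name -WhatIf:$Preview
        }
    }
}
```

Run it once before the reboot the tutorial asks for (steps 1 to 3 take effect) and again afterwards (steps 4 and 5), then confirm the hidden-files option stays enabled.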

Conclusion:


1) Vista is only resistant to infections if UAC is enabled.
2) Scan memory sticks before plugging them in :P



I hope you enjoyed this tutorial!


HACKARDE © 2011 | Designed by HrDe