Thursday, September 11, 2008

VIRUS Removal for Dummies




Virus means “Virtual Information Resources Under Seize”. A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. It is a simple script or batch program that runs each time the infected medium is accessed. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Viruses may take the extension *.exe, *.com, or *.bat. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless until executed.


Infections created by the virus: - Normally, whenever the virus is executed it modifies registry values of the system and changes the policies defined for that particular user. The infections that viruses generally cause are:


  • Restrict access to the Registry Editing Tools.
  • Disable the Run Command from Start Menu.
  • Restrict access to MsConfig Tools.
  • Disable the Folder Option Menu.
  • Disable Task Manager.
  • Disable Command Prompt.
  • Disable the System Restore.


Effect of Virus on Personal/Professional Computers: - Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages.


  • A virus that restricts access to Registry Editing, the Run command and MsConfig leaves no way to remove it except formatting. Most antivirus programs don't work if they are not properly updated.
  • Windows XP provides the facility to kill a process using Task Manager when the computer hangs, but if this tool is disabled then a restart is the only option to resolve the hang, and a professional may lose their unsaved important data.
  • If the system crashes, System Restore is the tool to restore the Last Known Good Configuration, but if it is disabled there is no way to restore the system settings.
  • They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes and data loss.
  • Hidden data cannot be shown if the Folder Options menu is disabled.


Tools to remove Virus Infection: -

Registry Editor (Regedit): - The Registry is a database used to store settings and options for the 32-bit versions of Microsoft Windows. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user changes Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the Registry.

The Registry has a hierarchical structure; although it looks complicated, the structure is similar to the directory structure on your hard disk, with Regedit being similar to Windows Explorer.

Each main branch (denoted by a folder icon in the Registry Editor) is called a Hive, and Hives contain Keys. Each key can contain other keys (sometimes referred to as sub-keys), as well as Values. The values contain the actual information stored in the Registry. There are three types of values: String, Binary, and DWORD. Use this feature with care, as modifying the wrong key or value could cause major problems within the registry, so remember to always make a backup first.


There are several methods for starting the Registry Editor; the simplest is to click on the Start button, select Run, and type "regedit" in the Open box, or run “regedit.exe” from the Windows directory. It should now open.


Group Policy Editor (GPedit.msc): - The mechanism by which desktop settings are configured automatically, as defined by the administrator, is handled by the Group Policy Editor. Type “gpedit.msc” in the Run window, or run “gpedit.msc” from the “\windows\system32\” directory, to open the Group Policy Editor.


Removing Infections using these tools: -


Enable Registry Editing: -

If registry editing is disabled then navigate to following policy in group policy editor: -


User Configuration > Administrative Templates > System

Set the policy “Prevent access to registry editing tools” to Disabled to enable registry editing.


Enable MsConfig Tool: -

Create a new text document named “Restore.txt” (it will later be merged into the registry with the Registry Editor) and type the following: -


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-


Enable Folder Option: -

Append the following key to “Restore.txt”: -


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-


Enable Task Manager and Run: -

Append the following key in same file: -


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=-


Enable System Restore and Command prompt: -

Append the following key: -


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=-

Change the extension from *.txt to *.reg, then right-click the file and click Merge.

You can edit this file according to the infection, but “Windows Registry Editor Version 5.00” must be the first line for the file to be merged into the registry.


Examples of common viruses and their removal: -

“NewFolder.exe”, “MicrosoftPowerpoint.exe”, “d.com”, “niedect.com” and “u.bat” are common viruses. All of these viruses create an “Autorun.inf” file containing the following data: -


[AutoRun]
open="Virus_Name"
;shell\open=Open(&O)
shell\open\Command="Virus_Name"
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command="Virus_Name"


Here “shell\open\Default=1” means that whichever method you use to open the drive, “Open” or “Explore”, the virus will be executed. Both the virus and the autorun file are copied to each drive. This is why, if you format any one drive, your computer is still infected by the virus.
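To triage an Autorun.inf found in the root of a drive, it helps to read it the way Explorer does and list what it would launch. The following is an added example for this post, not the author's code: it parses the INI-style file, tolerates the straight and curly quotes seen above, and flags the pattern the post describes, where both the Open and Explore verbs are rewired to the same program. SAMPLE_INFECTED is constructed from the layout shown above with "NewFolder.exe" standing in for "Virus_Name"; SAMPLE_CD is a constructed benign installer Autorun.inf for comparison.

```python
"""Triage of an autorun.inf found in the root of a drive.

Added example for this post, not the author's code. The two sample files are
constructed: SAMPLE_INFECTED follows the layout in the post, SAMPLE_CD is a
typical benign installer CD autorun.inf.
"""

QUOTES = '"\u201c\u201d'   # straight, left-curly and right-curly double quotes

SAMPLE_INFECTED = r"""[AutoRun]
open="NewFolder.exe"
;shell\open=Open(&O)
shell\open\Command="NewFolder.exe"
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command="NewFolder.exe"
"""

SAMPLE_CD = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
"""

# Keys whose value is a program Explorer may run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute",
               "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Parse an INI-style autorun.inf into {section: {key: value}}.

    Section and key names are lower-cased (the format is case-insensitive),
    ';' lines are comments, values keep their quotes for _program() to handle.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray line outside a section
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _program(value):
    """The program part of a command line: the quoted path if quoted,
    otherwise the text up to the first space."""
    if value[:1] in QUOTES:
        end = next((i for i, ch in enumerate(value[1:], 1) if ch in QUOTES),
                   len(value))
        return value[1:end]
    parts = value.split()
    return parts[0] if parts else ""


def autorun_report(text):
    """Summarise what the file makes Explorer run and how."""
    auto = parse_autorun(text).get("autorun", {})
    targets = {_program(auto[k]) for k in LAUNCH_KEYS if auto.get(k)}
    return {
        "targets": sorted(targets),
        "open_hijacked": "shell\\open\\command" in auto,
        "explore_hijacked": "shell\\explore\\command" in auto,
        "open_is_default": auto.get("shell\\open\\default") == "1",
    }


def is_suspicious(text):
    """The pattern described in the post: both the Open and the Explore verb
    of the drive are redirected to a program, so the drive runs it however
    it is opened. A plain installer CD sets only open= and is not flagged."""
    report = autorun_report(text)
    return report["open_hijacked"] and report["explore_hijacked"]


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("cd", SAMPLE_CD)):
        print(label, autorun_report(sample), "suspicious:", is_suspicious(sample))
```

The report gives the file name to look for in the later removal steps (the program named under open= and the shell\...\Command keys) without running anything from the drive.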

If you have unchecked “Hide extensions for known file types” in Folder Options, you can see that the folders in Shared Documents have an .exe extension.

Removal: - To remove the infection, use the registry editing tool as described above, since all of these viruses have the same symptoms as described.

Now uncheck “Hide protected operating system files (Recommended)” in Folder Options and search for the files “ssvichosst.exe”, “scvhost.exe”, “autorun.inf”, “amvo.exe”, “MicrosoftPowerpoint.exe”, “d.com”, “niedect.com”, “u.bat”, “killer.exe”, “funny ust scandal.avi.exe”, “blastclnnn.exe” and “hinhem.scr”, and delete them. If any file cannot be deleted, open the Task Manager, find that file under the Processes tab, end that process, and then retry removing the file.

You should follow these steps in order to remove the virus:

  • First open any of the drives from My Computer by double-clicking it.
  • If it opens in a separate window, your computer may be infected by a virus.
  • Now type "x:\Autorun.inf" in the address bar, where "x" is your drive letter.
  • If the Autorun file exists it will be opened. You can get the name of the virus by checking the line open="Virus_Name" under [AutoRun].
  • Now it's time to remove the virus from the system. To do so, kill all the processes running under your username in Windows Task Manager except "explorer.exe" and "taskmgr.exe". You do this because you don't know which process the virus is running as.
  • Now go to the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and delete every entry under this key whose path is "Windows\System32", i.e. delete the registry entry of the virus that keeps a copy in the System32 folder.
  • Repeat the previous step (step 6), but replace "HKEY_LOCAL_MACHINE" with "HKEY_CURRENT_USER".
  • Now show all hidden files, including system files, using Folder Options. Don't forget to uncheck “Hide protected operating system files (Recommended)”.
  • Now go to the StartUp folder of the current user and of All Users and delete any hidden link.
  • Now the task becomes very easy: search for Virus_Name using the Windows Search utility (include hidden files and folders) and delete all the entries found.
  • Now go to each and every drive and delete the file "Autorun.inf".
  • Restart the computer. Now your system is free from that virus.
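Both the repair file described earlier (the "Restore.reg" whose first line must be the Regedit 5.00 header) and steps 6 and 7 above deal with .reg-format data, so a small parser for that format serves both. The following is an added example for this post, not the author's code: it checks the header rule, lists which of the lock-down policy values a repair file deletes (the "name"=- lines), and, given an exported Run key, lists the entries whose program lives under \Windows\System32 so the operator can apply steps 6 and 7. SAMPLE_REG is constructed: the repair values from this post plus a made-up Run key with two System32 entries and one elsewhere.

```python
"""Parse a Regedit 5.00 .reg file and report what it changes.

Added example for this post, not the author's code. SAMPLE_REG is constructed:
the post's repair values plus a made-up Run key. In .reg data, backslashes are
doubled and embedded quotes are written \" exactly as Regedit exports them.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Policy values the post says viruses set; used to label what a file removes.
LOCKDOWN_VALUES = {
    "DisableRegistryTools", "DisableConfig", "NoFolderOptions",
    "DisableTaskMgr", "NoRun", "DisableSR", "DisableCMD",
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-
"NoRun"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NewFolder"="\"C:\\WINDOWS\\system32\\NewFolder.exe\" /s"
"Sample Tool"="C:\\Program Files\\Sample\\tool.exe /tray"
"""

# "name"=data  or  @=data (the key's default value); name may contain \" escapes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')


def parse_reg(text):
    """Return (header_ok, {key_path: {value_name: data}}).

    data is None for a "name"=- line, which tells Regedit to delete the value.
    Lines before the first [key] (the header, or a wrong header) are skipped so
    the caller can report the header problem instead of crashing on it.
    """
    lines = text.lstrip("\ufeff").splitlines()
    first = next((l.strip() for l in lines if l.strip()), "")
    header_ok = first == REG_HEADER
    keys, current = {}, None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError("unparsable value line: %r" % raw)
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        keys[current][name] = None if data == "-" else data
    return header_ok, keys


def reg_string(data):
    """Decode quoted REG_SZ data (\\\\ and \\" escapes); None for anything else
    (dword:, hex:, or a delete marker)."""
    if data is None or len(data) < 2 or data[0] != '"' or data[-1] != '"':
        return None
    return re.sub(r'\\(["\\])', r'\1', data[1:-1])


def removed_lockdowns(text):
    """Names of lock-down policy values the file deletes, sorted."""
    _, keys = parse_reg(text)
    return sorted(name for values in keys.values()
                  for name, data in values.items()
                  if data is None and name in LOCKDOWN_VALUES)


def _program(cmd):
    """Program part of a command line: the quoted path, else up to first space."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def run_entries_in_system32(text):
    """(name, program) for each Run-key entry whose program sits under
    Windows\\System32, the location steps 6 and 7 single out."""
    _, keys = parse_reg(text)
    found = []
    for path, values in keys.items():
        if not path.lower().endswith("\\currentversion\\run"):
            continue
        for name, data in values.items():
            cmd = reg_string(data)
            if cmd and "\\windows\\system32\\" in _program(cmd).lower():
                found.append((name, _program(cmd)))
    return found


if __name__ == "__main__":
    print("header ok:", parse_reg(SAMPLE_REG)[0])
    print("removes:", removed_lockdowns(SAMPLE_REG))
    print("Run entries in System32:", run_entries_in_system32(SAMPLE_REG))
```

To use it on a real machine, export the Run key from Regedit (File > Export, which writes the same 5.00 format) and pass the file's text to run_entries_in_system32; the listed entries are the candidates for steps 6 and 7.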

*** If you can't kill some processes (other than "explorer.exe" and "taskmgr.exe"), note down the process name and use the Command Prompt like this:

Go to Run, type "cmd", click OK, type "tasklist" and press Enter, note down the PID values of those processes, then type "taskkill /PID [PID No.] /PID [PID No. of each further process that can't be killed] /F" and press Enter.

This way you can easily kill any of the running processes. ***
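The tasklist/taskkill step above is easy to get wrong by hand when image names contain spaces (as “funny ust scandal.avi.exe” does), because the default tasklist output is a fixed-width table. The following is an added example for this post, not the author's code: it parses that table, taking the column boundaries from the "=====" separator line rather than guessing them, looks up the PIDs for the image names noted down, and builds the taskkill /PID ... /F command from them. SAMPLE_TASKLIST is constructed with tasklist's default column widths (Image Name 25, PID 8, Session Name 16, Session# 11, Mem Usage 12); the process names and PIDs in it are made up.

```python
"""Parse the default table output of `tasklist` and build the matching `taskkill`.

Added example for this post, not the author's code. SAMPLE_TASKLIST is
constructed: _row() lays lines out with the same column widths as tasklist's
default table format, and the process list itself is made up.
"""
import re


def _row(name, pid, session, sid, mem):
    """Lay out one line the way tasklist's default table format does."""
    return " ".join([name.ljust(25), pid.rjust(8), session.ljust(16),
                     sid.rjust(11), mem.rjust(12)])


SAMPLE_TASKLIST = "\n".join([
    "",                                     # tasklist starts with a blank line
    _row("Image Name", "PID", "Session Name", "Session#", "Mem Usage"),
    _row("=" * 25, "=" * 8, "=" * 16, "=" * 11, "=" * 12),
    _row("System Idle Process", "0", "Console", "0", "28 K"),
    _row("System", "4", "Console", "0", "236 K"),
    _row("explorer.exe", "1236", "Console", "0", "14,512 K"),
    _row("taskmgr.exe", "1700", "Console", "0", "3,860 K"),
    _row("funny ust scandal.avi.exe", "1944", "Console", "0", "2,140 K"),
    _row("svchost.exe", "868", "Console", "0", "4,628 K"),
])


def parse_tasklist(output):
    """Parse tasklist's table into a list of {column name: text} dicts.

    The column spans are read from the separator line of '=' runs, so the
    parser works whatever the widths are and copes with spaces in image names.
    """
    lines = [l.rstrip("\r") for l in output.splitlines()]
    sep_idx = next(i for i, l in enumerate(lines)
                   if l.strip() and set(l.strip()) <= {"=", " "})
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep_idx])]
    header = [lines[sep_idx - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        rows.append(dict(zip(header, [line[a:b].strip() for a, b in spans])))
    return rows


def pids_for(rows, image_names):
    """PIDs of the processes whose image name is in image_names (case-insensitive)."""
    wanted = {n.lower() for n in image_names}
    return [int(r["PID"]) for r in rows if r["Image Name"].lower() in wanted]


def taskkill_command(pids):
    """Argument list for `taskkill /PID n [/PID m ...] /F`, as the post describes."""
    if not pids:
        raise ValueError("no PIDs to kill")
    cmd = ["taskkill"]
    for pid in pids:
        cmd += ["/PID", str(pid)]
    return cmd + ["/F"]


if __name__ == "__main__":
    rows = parse_tasklist(SAMPLE_TASKLIST)
    pids = pids_for(rows, ["funny ust scandal.avi.exe"])
    print(" ".join(taskkill_command(pids)))
```

On a real system, feed the output of tasklist (run in cmd) to parse_tasklist instead of the constructed sample; the command is returned as a list so it can be passed to subprocess without shell quoting problems.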

Now your Computer is free from these Viruses.

If you have any queries regarding virus removal, please post them here.


Presented By:-

SUSHIL KUMAR JANGID


3 comments:

  1. Good one yaar. Very useful information. Thanx a lot

  2. Very useful information...........and awesome blog!!!!

