(HOW TO) Removing generic .exe virus from your PC / HDD


Note: before performing the following steps, boot the operating system into safe mode, and during these steps never double-click any partition, folder or file. I am preparing this from within Server 2008, but Windows Vista, Windows 7 and Windows Server 2008 share the same architecture, so it hardly matters.

Steps:

1. Open drive C: and identify any item which looks like a folder (generally coloured yellow, in Windows XP and Windows Vista alike) but is actually an application. To tell whether it is a folder or an application (the virus executable), right-click it and choose Properties. Under the General tab, make sure the "Type" attribute says "File Folder"; if it says "Application" then it is definitely a virus seed, in which case note the size of that particular virus application and go ahead with the following three steps, viz. 2, 3 and 4.

2. Suppose the application size says 259KB. In Windows Vista press "win_logo_key + f" to open the file search dialog box. Click Advanced Search. For the location choose "c:", or "Everywhere" in case you want to search the whole drive for that particular virus application. For the "Size (KB)" entry choose "equals" from the drop-down and put the value 259 in the corresponding text box. Enter "*.exe" in the text box labelled "Name" (file name). Now tick the "Include non-indexed, hidden, and system files (might be slow)" check box and start the search from the Search button.


3. After the search has completed, all suspicious virus applications of exactly 259KB should be listed. Scroll through all entries and make sure that each "folder" (which is never a folder, but an application file) really is an application and not any of your important data (which is very rare). Now select all these files and press Shift + Delete to permanently delete them from your partition.

4. Repeat the above three steps until all such threats have been fully eliminated from the specified partition or drive.
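The search of steps 1 to 4 can be scripted so that the same size bucket is checked on every drive, hidden and system files included. The following is an added example, not code from the original post: it lists every .exe whose size rounds to the KB value shown in Properties and flags the ones that sit beside a real folder of the same name, which is how a folder-mimicking executable usually ends up on disk. It requires PowerShell 3.0 or later (an assumption) and deletes nothing by itself.

```powershell
# Added example (not part of the original post). Lists every *.exe under $Root whose size
# rounds to the same KB value Explorer showed in step 1, including hidden and system files
# (what the "Include non-indexed, hidden, and system files" box does), and flags files that
# sit beside a real folder of the same name. Requires PowerShell 3.0 or later (assumption).
function Find-FolderMimicExe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,    # e.g. 'C:\'
        [Parameter(Mandatory)] [int]    $SizeKB   # e.g. 259, the size shown in Properties
    )
    # Explorer rounds a size up to the next whole KB, so "259 KB" covers this byte range.
    $min = ($SizeKB - 1) * 1KB + 1
    $max = $SizeKB * 1KB

    Get-ChildItem -LiteralPath $Root -Filter '*.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge $min -and $_.Length -le $max } |
        ForEach-Object {
            # A worm that poses as a folder usually drops <name>.exe next to the real <name> folder.
            $twinFolder = Join-Path $_.DirectoryName $_.BaseName
            [pscustomobject]@{
                Path         = $_.FullName
                Bytes        = $_.Length
                Hidden       = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System       = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                MimicsFolder = Test-Path -LiteralPath $twinFolder -PathType Container
            }
        }
}

# Review first, delete second (step 3); -WhatIf shows what would be removed without doing it.
# Find-FolderMimicExe -Root 'C:\' -SizeKB 259 | Format-Table -AutoSize
# Find-FolderMimicExe -Root 'C:\' -SizeKB 259 | Where-Object MimicsFolder | Remove-Item -Force -WhatIf
```

Run it from an elevated prompt in safe mode and read the whole list before removing anything; a legitimate installer or tool of the same size will show MimicsFolder as False, which is the cue the post gives in step 3 for leaving a file alone.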

5. Now go to the command prompt by typing ‘cmd’ in Windows Vista. Type ‘cd\’ without quotes and press Enter; you are now at the partition root (c:\>). Type ‘dir /a:h’ and press Enter. This lists all hidden files and folders under the specified partition. Look very carefully through the results for any file with an extension .exe, .com or .bat, plus a file named ‘autorun.inf’ or ‘autorun.ini’. If you see ‘autorun.inf’, open it in Notepad by typing ‘start notepad autorun.inf’. Read through the contents of this file and look for a file name written with an extension .exe, .com, or .bat (very rare). The file specified with that extension is a shell modifier and will have infected all partitions and folders, so that if any such partition or folder is double-clicked it can load the virus details from the main process and spread further, infecting all folders all the way to the last folder in the hierarchy.

5. Having memorized the file name listed in ‘autorun.inf’, first of all go to the command prompt, type ‘cd %windir%/system32’ and press Enter. This brings you to the System32 directory. From here type ‘dir /a:h’ to list all hidden files/folders. There you should probably see ‘autorun.inf’/‘autorun.ini’ and the exe file specified in their contents. Before removing the main process from System32, to be on the safe side, create a new directory, say ‘backup’, by typing ‘mkdir backup’. Now type ‘dir /a:h *.exe’ to list all hidden EXEs. Copy each exe to the backup folder by typing ‘xcopy <name>.exe backup /H’, where <name> is the file name with an extension of .exe. Having copied all exe files to the backup folder, we now need to remove them. To remove these exe files type ‘del /f /a *.exe’, and to remove the autoruns type ‘del /f /a autorun.inf autorun.ini’.

5a. You may encounter an error while deleting an exe file from System32. The error occurs if the file you are deleting is in execution, which means the virus is loaded into memory. In this case note the name of the file you are deleting, go to the command prompt and type ‘tasklist’. This lists all processes in execution, including the (virus) process that has locked itself against deletion. Scroll through the listing and look for that process (generally the file name you are trying to delete). From the PID column note the Process Identifier for that process. Suppose the PID for this process is 1164; now type ‘taskkill /F /PID 1164’. This forcefully terminates the specified process, and the file you are trying to delete from System32 should now be deleted easily.
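The two step-5 paragraphs and 5a are one procedure: read autorun.inf to learn the loader's name, back the file up, kill the process if it is still loaded, then delete. The following is an added example in PowerShell, not code from the original post, that performs the same procedure. Get-AutorunTargets extracts the program each launch key would start (the open=, shellexecute= and shell\<verb>\command= keys), and Remove-AutorunLoader backs up, stops and deletes one named file in System32. Unlike ‘del /f /a *.exe’, it removes only the named loader, so a legitimate hidden executable cannot be swept up by accident. The file name ‘loader.exe’, the backup location and PowerShell 3.0+ are assumptions.

```powershell
# Added example (not part of the original post). Get-AutorunTargets reads an autorun.inf
# and pulls out the program each launch key (open=, shellexecute=, shell\<verb>\command=)
# would start, which is what step 5 has you find by eye in Notepad. Remove-AutorunLoader
# then does steps 5 and 5a for one named file in System32: copy it to a backup folder,
# stop the process if the image is still loaded, and delete it. It removes only the named
# loader, not every hidden exe. Paths and PowerShell 3.0+ are assumptions; run elevated
# from safe mode and use -WhatIf first.
function Get-AutorunTargets {
    param([Parameter(Mandatory)] [string] $Path)   # e.g. 'C:\autorun.inf'
    $launchKey = '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$'
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        if ($line -match $launchKey) {
            $key = $matches[1]
            $cmd = $matches[2]
            # The program is the first token: a quoted path, or everything up to the first space.
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{ Key = $key; Command = $cmd; Target = $exe }
        }
    }
}

function Remove-AutorunLoader {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,                               # e.g. 'loader.exe' (hypothetical name)
        [string] $Dir    = (Join-Path $env:windir 'System32'),
        [string] $Backup = (Join-Path $env:windir 'System32\backup')        # same spot as 'mkdir backup' in step 5
    )
    $file = Join-Path $Dir $Name
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "$file not found"; return }

    if (-not (Test-Path -LiteralPath $Backup)) { New-Item -ItemType Directory -Path $Backup | Out-Null }
    Copy-Item -LiteralPath $file -Destination $Backup -Force                # like 'xcopy <name>.exe backup /H'

    # Step 5a: a running image cannot be deleted. Match on the full path, not the process name,
    # so a legitimate process that merely shares the name is left alone.
    Get-Process | Where-Object { $_.Path -and $_.Path -ieq $file } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop-Process -Force')) {
            Stop-Process -Id $_.Id -Force                                   # like 'taskkill /F /PID <pid>'
        }
    }
    if ($PSCmdlet.ShouldProcess($file, 'Remove-Item -Force')) {
        Remove-Item -LiteralPath $file -Force                               # -Force clears hidden/system like 'del /f /a'
    }
}

# Check every fixed drive's root for an autorun.inf, then deal with the loader in System32:
# Get-PSDrive -PSProvider FileSystem | ForEach-Object { Join-Path $_.Root 'autorun.inf' } |
#     Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-AutorunTargets -Path $_ }
# Remove-AutorunLoader -Name 'loader.exe' -WhatIf
```

Keep the Target values that Get-AutorunTargets prints; they are the names you search for in step 6 on each partition and in the registry in steps 7 and 8.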

6. Having done all of the above, the virus has been rooted out, but its footprints are still there and may bring the virus back. To fully eliminate the virus there is still something more to do. Go to each partition and type ‘cd\’ and ‘dir /a:h’. Delete all files named ‘autorun.inf’/‘autorun.ini’ and the suspicious .exe, .com or .bat files (generally mentioned in the contents of autorun.inf or autorun.ini). To delete these files type ‘del /f /a autorun.inf’, ‘del /f /a autorun.ini’ and ‘del /f /a <name>.<extension>’, where <name> is the file name and <extension> is the extension of the file, one of .exe, .com or .bat. You switch between partitions by typing ‘<partition>:’ where <partition> is a drive letter. Everything else is the same.

7. After the above steps have been performed, the virus should be physically eliminated, but its registry entries are still there. To remove them, open the registry editor by typing ‘regedit’ in the command prompt. Click on ‘Computer’, which is the root of the shown hierarchy. Take a backup of the whole registry: with ‘Computer’ selected, go to File, click ‘Export’ and save the .reg file somewhere safe on your PC. Now press Ctrl + F. Type the file name (the suspicious virus application you deleted in the previous steps; remember this was mentioned in the contents of autorun.inf and was present in each partition plus, usually, System32). Click Find Next. If the search finds any such entry, it is listed in the right pane of regedit. Before deleting, make sure the file name is also the entry name under the regedit column ‘Name’. If it is, select the entry and delete it straight away. If it is not (which means only the entry contents contain the file name being searched), double-click that entry to see its contents. If the contents point directly to the location of that virus process, delete this entry too. If they do not, the virus has most likely attached itself to one of Windows' own processes, say rundll32.exe. In this case the contents look like %SystemRoot%\System32\rundll32.exe "%windir%\system32\<name>.exe", <params> %1. Generally the virus attaches its main process to the end of the entry. Since the shown contents have one and only one process attached to rundll32.exe, that is the virus itself. Now very carefully take the virus portion off the entry by removing the ‘"%windir%\system32\<name>.exe", <params> %1’ portion, where <name> is the file name you are searching for and <params> after the comma are the parameters passed to the process. Do the same for all such entries found.

8. The last step is to stop the process from loading automatically at system startup. In regedit, click the ‘Computer’ entry, expand ‘HKEY_CURRENT_USER’ and keep expanding until you reach ‘COMPUTER\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run’. In the right pane, look for the suspicious virus loader entry and delete it. Now do the same for
1. COMPUTER\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
2. COMPUTER\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. COMPUTER\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
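Steps 7 and 8 are the registry half of the clean-up: find every value that names or mentions the loader, delete the ones that are the loader, and trim the loader off values that were hijacked. The following is an added example in PowerShell, not code from the original post. Find-LoaderRegistryEntries checks the four autostart keys listed in step 8 (regedit's Ctrl+F walks the whole registry; this covers only those keys), and Repair-HijackedCommand does the string surgery of step 7, returning the legitimate front part of a value like %SystemRoot%\System32\rundll32.exe "%windir%\system32\<name>.exe", <params> %1. The name ‘loader.exe’ is a placeholder; export the hive first exactly as step 7 says.

```powershell
# Added example (not part of the original post). Find-LoaderRegistryEntries checks the four
# autostart keys from step 8 for values whose name or data mentions the loader's file name.
# Repair-HijackedCommand performs the string surgery of step 7: it removes the appended
# '"%windir%\system32\<name>.exe", <params> %1' portion and returns the legitimate front part.
# Export the hive first, as step 7 says; 'loader.exe' below is a hypothetical name.
$script:AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$script:PsNoteProperties = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-LoaderRegistryEntries {
    param([Parameter(Mandatory)] [string] $Name)   # e.g. 'loader.exe'
    $needle = [regex]::Escape($Name)
    foreach ($key in $script:AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($script:PsNoteProperties -contains $p.Name) { continue }   # provider metadata, not values
            $nameIsLoader = $p.Name -ieq $Name
            $dataMentions = "$($p.Value)" -match $needle
            if ($nameIsLoader -or $dataMentions) {
                [pscustomobject]@{
                    Key          = $key
                    ValueName    = $p.Name
                    Data         = $p.Value
                    NameIsLoader = $nameIsLoader     # True: delete the value outright (step 7, first case)
                }
            }
        }
    }
}

function Repair-HijackedCommand {
    param(
        [Parameter(Mandatory)] [string] $Data,   # e.g. '%SystemRoot%\System32\rundll32.exe "%windir%\system32\loader.exe", p %1'
        [Parameter(Mandatory)] [string] $Name    # 'loader.exe'
    )
    # Optional space, a quoted path ending in \<name>, then the comma, parameters and %1 to end of line.
    $tail = '\s*"[^"]*\\' + [regex]::Escape($Name) + '"\s*,?.*$'
    return ($Data -replace $tail, '')
}

# Find-LoaderRegistryEntries -Name 'loader.exe' | Format-List
# For an entry where NameIsLoader is False and something legitimate precedes the loader:
# $fixed = Repair-HijackedCommand -Data $entry.Data -Name 'loader.exe'
# Set-ItemProperty -Path $entry.Key -Name $entry.ValueName -Value $fixed
# For an entry where NameIsLoader is True, or the data is only the loader's path:
# Remove-ItemProperty -Path $entry.Key -Name $entry.ValueName
```

Repair-HijackedCommand leaves a value unchanged when the loader is not quoted, so a value whose data is nothing but the loader's path comes back as-is; that is the case step 7 says to delete rather than edit.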

Now you can safely start into normal mode, and do not attach any external media before performing the said checks.


Filed Under: Anti-Virus, Security


Comments (1)

  1. Prof.Yeow says:

    I recommend Avast antivirus for prevention.
    It’s quick, low memory required and free! Only search in the webpage, the register and ready.
