Sunday, November 30, 2008

Attack the virus!

My system got infected a few days back. I did not have any anti-virus software running (I know, I know, I should have one!).

The virus blocked me from editing the registry and gave me the following pop-up.


Initially, it did not trouble me much, because if I wanted to edit the registry I could just do some steps and I would be back to normal. But then yesterday, when I had some time to spare, I thought: why not find the root cause and remove it? Why should I allow it to run without my acknowledgment? Yes, the easier way was to install an anti-virus. So, being lazy as usual, I installed AVG1.75, but, my bad luck, this virus remained undetected. So I thought: after all, it is developed by another software engineer. If that person can spend time to write a virus, I could spend time to remove it too.

So I sat down and worked out the steps to remove it, and here you go.

Symptoms:
Whenever a USB stick is plugged in, the virus creates an executable named "NewFolder.exe" on it.
For every folder on the stick it also drops an executable with the folder's own name inside that folder: a folder named "Phoenix" gets a "Phoenix.exe" within it. With file extensions hidden (the Explorer default) the copy looks like the folder itself, which is what tricks people into double-clicking it.

Analysis:
In Task Manager you will find two instances of regsvr.exe.
If you end these two processes from Task Manager, the system stays clean for as long as you do not log off.
After a reboot or a log-off + log-in, the two instances are back, so something starts them at logon.

A search for regsvr.exe found it in two folders:
1. c:\windows
2. c:\windows\system32
Note the name: Windows ships regsvr32.exe (the COM registration tool) in system32, not regsvr.exe. A file called regsvr.exe in either of these folders, and a process by that name in Task Manager, has nothing legitimate to be confused with, so it can be removed without breaking anything.

If it starts at logon, the first place to look is the Winlogon key in the registry, which controls what runs when a user logs in. And it has certainly done something in the registry; why else would it stop you from editing it? :)
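The checks above, collected into one read-only triage script (an added example, not code from the original post). It reads the Winlogon Shell value, lists any running process named regsvr with the path it was loaded from, looks in the two drop folders, reports the registry-editing lockout, and scans a USB stick for the folder-mimic executables. Assumptions not stated on the page: the dropped file is named exactly regsvr.exe, the stick is drive E:, and the lockout is the standard DisableRegistryTools policy value. Run it from an elevated PowerShell prompt.

```powershell
# Added read-only triage for the symptoms and analysis above (example code,
# not from the original post). Run from an elevated PowerShell prompt.
# Assumptions not stated on the page: the dropped file is named exactly
# regsvr.exe, and the USB stick to inspect is drive E:.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Logon shell. On a clean machine this value is exactly "explorer.exe";
#    anything appended to it is launched at every logon.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 2. Processes named regsvr. Windows ships regsvr32.exe, not regsvr.exe, so
#    every hit here is suspect; show the image path each one was loaded from.
Get-Process -Name regsvr -ErrorAction SilentlyContinue |
    Select-Object Id, Name, Path

# 3. The two drop locations named in the post.
foreach ($p in "$env:windir\regsvr.exe", "$env:windir\system32\regsvr.exe") {
    if (Test-Path $p) {
        $f = Get-Item $p
        Write-Warning ("Found {0} ({1} bytes, created {2})" -f $f.FullName, $f.Length, $f.CreationTime)
    }
}

# 4. The registry-editing lockout. The gpedit policy in step 1 of the post
#    writes this value under HKCU; some malware sets it under HKLM as well.
foreach ($hive in 'HKCU', 'HKLM') {
    $k = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = Get-ItemProperty -Path $k -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($v -and $v.DisableRegistryTools -ne 0) {
        Write-Warning "$k\DisableRegistryTools = $($v.DisableRegistryTools)"
    }
}

# 5. Removable drive: NewFolder.exe in the root, or <Folder>\<Folder>.exe
#    inside every folder (the symptom described in the post).
function Find-FolderMimics {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $mimic = Join-Path $_.FullName ($_.Name + '.exe')
            if (Test-Path $mimic) { Get-Item $mimic }
        }
    $nf = Join-Path $Root 'NewFolder.exe'
    if (Test-Path $nf) { Get-Item $nf }
}
Find-FolderMimics -Root 'E:\' | Select-Object FullName, Length, LastWriteTime
```

Nothing here changes the machine, so it is safe to run before and after the cleanup steps; the second run should print no warnings and an empty mimic list.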

So, first things first.

1. Get your registry editing power back.

Do the following:
Go to Run and type gpedit.msc.
In the Group Policy editor, open Local Computer Policy -> User Configuration -> Administrative Templates -> System.

Within System there is an entry named "Prevent access to registry editing tools". Double-click it.
If it is "Not Configured" or "Disabled", set it to "Enabled" first and apply. Then change it back to "Disabled" and apply again.

This works because the virus has not disabled anything in the policy editor itself; it simply set the registry value that this policy controls (DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System). Toggling the policy to Enabled and back makes Group Policy rewrite that value, and regedit starts again. The same value can be cleared with reg.exe, which the restriction does not block; that matters on Windows XP Home, which has no gpedit.msc. If the lock comes back within a few minutes, the two running copies are re-applying it: do step 2 first, then repeat this step.

Your powers are back. Congrats!

2. End the two regsvr.exe processes in Task Manager. Do this before touching the files, otherwise the running copy can put them straight back.

3. Remove the regsvr.exe files from both directories:
a) c:\windows
b) c:\windows\system32

4. Now edit the registry. If you skip this step, the logon entry will point at a file that no longer exists, so the virus will not come back; but leaving the dangling entry is untidy, and it is the evidence of what the virus changed.

Go to Run and type regedit.

Go to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
The value named Shell will contain "Explorer.exe regsvr.exe". On a clean machine it is exactly "explorer.exe", so replace it with "explorer.exe". This is how the virus restarted itself at every logon: Winlogon launches whatever is listed in Shell, and the virus appended itself after Explorer.

There you are. Your virus is removed! Log off and back on and check Task Manager once more to make sure regsvr.exe does not reappear; this only removes the persistence point described above, so if the processes come back there is a second one to find.
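The four steps above as a single script, in the order that avoids the running copy undoing the cleanup (an added example, not code from the original post). It clears the DisableRegistryTools value that the gpedit toggle rewrites, stops the regsvr.exe processes, moves the two dropped files into a quarantine folder instead of deleting them so a sample survives for identification, resets the Winlogon Shell value, and verifies the result. Assumptions not stated on the page: the dropped file is named exactly regsvr.exe in the two folders given, and the quarantine folder C:\quarantine is free to use. Run it from an elevated PowerShell prompt.

```powershell
# Added removal script for the four steps in the post (example code, not from
# the original post). Run from an elevated PowerShell prompt.
# Assumptions not stated on the page: the dropped file is named exactly
# regsvr.exe in the two folders below, and C:\quarantine is free to use.

$ErrorActionPreference = 'Stop'
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$dropPaths = "$env:windir\regsvr.exe", "$env:windir\system32\regsvr.exe"

# Step 2 first: stop both regsvr.exe instances. While they run they can
# re-create the files and re-apply the registry lock.
Get-Process -Name regsvr -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 1: get regedit back. The gpedit toggle in the post ends up rewriting
# this value; clearing it directly has the same effect and also works on
# editions without gpedit.msc. Only regedit.exe honours the lock, so the
# PowerShell registry provider (like reg.exe) can still remove it.
foreach ($hive in 'HKCU', 'HKLM') {
    $k = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $k) {
        Remove-ItemProperty -Path $k -Name DisableRegistryTools -ErrorAction SilentlyContinue
    }
}

# Step 3: move the dropped files out of the way. Moving rather than deleting
# keeps a sample, since the post never identifies the malware.
$quarantine = Join-Path $env:SystemDrive 'quarantine'
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($p in $dropPaths) {
    if (Test-Path $p) {
        $stamp = Get-Date -Format yyyyMMddHHmmss
        $dest  = Join-Path $quarantine ((Split-Path $p -Leaf) + ".$stamp.bin")
        Move-Item -Path $p -Destination $dest -Force
        Write-Host "Moved $p -> $dest"
    }
}

# Step 4: restore the logon shell so regsvr.exe is no longer launched at logon.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ne 'explorer.exe') {
    Write-Host "Shell was '$shell'; resetting to 'explorer.exe'"
    Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe'
}

# Verify: no regsvr process left and Shell is clean.
$left  = Get-Process -Name regsvr -ErrorAction SilentlyContinue
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if (-not $left -and $shell -eq 'explorer.exe') {
    Write-Host 'Clean. Log off and back on, then check Task Manager again.'
} else {
    Write-Warning 'Still dirty: repeat after booting into Safe Mode.'
}
```

The processes are stopped before anything else on purpose: the post's own observation that the two instances come back at logon means a live copy is the thing most likely to undo steps 1 and 3 while you work.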

I am still searching for the virus name.
