Worm Spreads

Shared by: ardneket.khadka

Tags

Stats

views:: 16
posted:: 12/8/2012
language:
pages:: 6

Public Domain

Document Sample

Worms spreads by creating a copy of itself and starts by autorun.inf files. It is essential to
remove the malicious and autorun.inf files not only from computers but also from the
source, and that is the USB Drive. PreciseSecurity have created a procedure to delete the
malicious files on infected drives.

PROCEDURE:
1. While the computer is still off;
2. Plugin the USB Drive
3. Insert the Windows XP CD-ROM into the CD-ROM drive. It must be the bootable
Windows XP Installer
4. Start the computer from the CD-ROM drive. It will start Windows Setup screen
5. When the “Welcome to Setup” prompt appears.Press “R” to start the Recovery
Console
6. If asked “Which Window installation would you like to logon to” select the number.
Type “1? then Enter, if only one installation of Windows is present
7. Enter the administrator password, press Enter
8. It will bring you to command prompt, C:\Windows>
9. Proceed with the following command:
- Type d: (This is the drive letter of USB. It can be e: or f: defending on how many hard
disk or cd drive is installed)
- Type attrib -h -r -s autorun.inf
- Type “edit autorun.inf” it will open DOS Editor and display contents as follows
==========================
[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe
==========================
Take note on the file that it called to open (in above example it is file.exe)

10. Exit DOS Editor and return to command prompt, D:\>
11. Delete the file that was called to open on DOS Editor
- Type del /f /a file.exe

12. Delete autorun.inf file
- Type del /f /a autorun.inf

13. Exit Recovery Console by typing exit.
How to remove new folder exe or regsvr
exe or autorun inf virus
March 29th, 2008 | Save to del.icio.us now(41)

I want to tell you a story, two days back i got affected by this virus very badly as it eat up
all my empty hard disk space of around 700 MB .

I was surprised that my most reliable friend Avast, for the first time failed me in this war
against viruses but then again avg and bitdiffender also failed against it. This virus is
know popularly as regsvr.exe virus, or as new folder.exe virus and most people identify
this one by seeing autorun.inf file on their pen drives, But trend micro identified it as
WORM_DELF.FKZ. It is spreading mostly using pen drives as the medium.

Well, so here is the story of how i was able to kill the monster and reclaim my hard disk
space.

Manual Process of removal

I prefer manual process simply because it gives me option to learn new things in the
process.

So let’s start the process off reclaiming the turf that virus took over from us.

1. Cut The Supply Line
a. Search for autorun.inf file. It is a read only file so you will have to change
it to normal by right clicking the file , selecting the properties and un-
check the read only option
b. Open the file in notepad and delete everything and save the file.
c. Now change the file status back to read only mode so that the virus could
not get access again.

d.
e. Click start->run and type msconfig and click ok
f. Go to startup tab look for regsvr and uncheck the option click OK.
g. Click on Exit without Restart, cause there are still few things we need to
do before we can restart the PC.
h. Now go to control panel -> scheduled tasks, and delete the At1 task listed
their.
2. Open The Gates Of Castle
a. Click on start -> run and type gpedit.msc and click Ok.

b.
c. If you are Windows XP Home Edition user you might not have gpedit.msc
in that case download and install it from Windows XP Home Edition:
gpedit.msc and then follow these steps.

d. Go to users configuration->Administrative templates->system
e. Find “prevent access to registry editing tools” and change the option to
disable.

f.
g. Once you do this you have registry access back.
3. Launch The Attack At Heart Of Castle
a. Click on start->run and type regedit and click ok
b. Go to edit->find and start the search for regsvr.exe,
c.
d. Delete all the occurrence of regsvr.exe; remember to take a backup before
deleting. KEEP IN MIND regsvr32.exe is not to be deleted. Delete
regsvr.exe occurrences only.
e. At one ore two places you will find it after explorer.exe in theses cases
only delete the regsvr.exe part and not the whole part. E.g. Shell =
“Explorer.exe regsvr.exe” the just delete the regsvr.exe and leave the
explorer.exe
4. Seek And Destroy the enemy soldiers, no one should be left behind
a. Click on start->search->for files and folders.
b. Their click all files and folders
c. Type “*.exe” as filename to search for
d. Click on ‘when was it modified ‘ option and select the specify date option
e. Type from date as 1/31/2008 and also type To date as 1/31/2008

f.
g. Now hit search and wait for all the exe’s to show up.
h. Once search is over select all the exe files and shift+delete the files,
caution must be taken so that you don’t delete the legitimate exe file that
you have installed on 31st January.
i. Also selecting lot of files together might make your computer
unresponsive so delete them in small bunches.
j. Also find and delete regsvr.exe, svchost .exe( notice an extra space
between the svchost and .exe)
5. Time For Celebrations
1. Now do a cold reboot (ie press the reboot button instead) and you are
done.

I hope this information helps you win your own battle against this virus. Soon all
antivirus programs will be able to automatically detect and clean this virus. Also i hope
Avast finds a way to solve this issues.
As a side note i have found a little back dog( winpatrol ) that used to work perfectly on
my old system. It was not their in my new PC, I have installed it again , as I want to stay
ahead by forever closing the supply line of these virus. You can download it form
Winpatrol website.

UPDATE : Avast Boot Time Scheduling

Check out How to stop regedit, task manager and msconfig from closing automatically if
your regedit or msconfig closes automatically.

This method costs about $20, but is guaranteed to work every time.

- put the harddrive into desktop PC (buy laptop to IDE converter, suggested:
www.tigerdirect.ca)

-format the drive to FAT32 (you can always switch it to ntfs later, with a prog such as
partition magic)

- Copy I386 folder from WinXP cd onto the laptop harddrive

- put smartdrv.exe in the root directory (speeds up dos transers)

- install dos 7.10 on drive (free download, but I suggest putting your laptop harddrive in
IDE 1 to be sure of it’s detection on startup)

- put the harddrive back in the laptop

-When you turn on the laptop DOS should load, otherwise select it from the list

- run smartdrv.exe (type C:\smartdrv.exe at command prompt)
- run 16bit Windows XP installer (type C:\I386\winnt.exe)

- now let the laptop sit! Even if it appears to stall, it will continue, some older harddrives
do not spin very fast and need time to load (5-10min is not an unreasonable wait *with
smartdrv.exe installed, expect longer without it!

- follow the Windows installer directions!
(Total time, depending on computer speeds: 1-2hrs – though most of this is waiting for
Windows XP to install)

*you will now have dos and windows on the drive, you can remove dos, or leave it, it is
up to you!!

**The best part about this installation method is it is much cheaper than buying an
external drive, as long as you have access to a desktop computer.

***Any questions or comments about this installation method can be sent to:
william_a_wilson@hotmail.com

Hope this helps solve your driveless installation problems!!!

Some parts of a window include: Head jamb, sash lock, top rail, bottom rail, stile,
muntin, pane, stool, apron, exterior sill, lower sash and upper sash.