Sunday, November 28, 2010

How To Remove Exe Viruses Manually ?

As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.
 
For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.
 
They may also change a registry value so that you cannot run the Registry Editor at all.
 
The most common viruses we encounter daily are sscvihost.exe and autorun.ini. I am going to explain how to remove these viruses when anti-virus products fail to do so.
 
sscvihost.exe goes by many names; the popular ones are W32/Sohana-AO (Sophos) and W32.Imaut.AY (Symantec/Norton). Basically this is a worm that spreads via USB thumb drives and/or Yahoo! Messenger. Technically, a worm doesn’t destroy your files; it just adds tons of useless files in order to fill up your hard drive or slow down your system. We don’t like that, do we?
 
Symptoms:
  • CTRL+ALT+DEL is not working
  • Folder Options is missing from your TOOLS menu
  • Registry Editor (RegEdit) is not working
  • Your system is slowing down gradually
  • There seems to be a lot of hard drive activity even if you are doing nothing
  • You have a New Folder.exe in every folder and in each sub folder
Follow these steps:
 
Download the file UnHookExec.inf and save it to your Windows desktop. (The link is given at the end of the post.)
 
(If you cannot connect to the Internet from the infected computer, download to an uninfected computer then save it to a floppy disk. Then take the floppy disk and insert it in the floppy disk drive of the infected computer.)
 
Note: The tool has a .inf file extension.
 
Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or dialog boxes when you run it.)
 
Removing the virus:
 
FIRST: You have to stop the virus from running in the first place. If your system is already infected, it is already running in the background. You must restart your computer and boot it in Safe Mode.
  • Restart your PC
  • Press F8 right after the BIOS screen. If you don’t know what that is, just keep pressing F8 until a menu appears.
  • Select Safe Mode from the menu
  • On your desktop, right click on the file UnHookExec.inf then select Install. You won’t see any prompt or confirmation, so don’t worry about it.
  • By now, CTRL+ALT+DEL is already working, so open up your Task Manager. End task the following programs/processes:
    • SSCVIHOST.exe
    • blastclnnn.exe
    • New Folder.exe
 
SECOND: Delete the virus files from your PC. There are two ways to do this: via the Windows shell or via the command prompt (DOS) shell. Since Folder Options has been disabled by the virus, you cannot switch to show hidden files and system files. Well, you can edit it in your Registry, but let’s just do it the DOS way. Follow this carefully.
  • Select Run from your Start menu, then type cmd. Press Enter.
  • At the command prompt go to your system32 folder. The path differs depending on your operating system (NT/2000 vs. XP); for the sake of this procedure let’s assume you are using Windows XP. Type cd \windows\system32
  • At this path (c:\windows\system32>) type the following commands in order:
  1. attrib -h -r -s SSCVIHOST.exe
  2. del SSCVIHOST.exe
  3. attrib -h -r -s blastclnnn.exe
  4. del blastclnnn.exe
  5. attrib -h -r -s autorun.ini
  6. del autorun.ini
  7. attrib -h -r -s svchosl.exe
  8. del svchosl.exe
  9. cd \windows (this will move you to the Windows prompt c:\windows)
  10. attrib -h -r -s SSCVIHOST.exe
  11. del SSCVIHOST.exe
 
THIRD: Clean up the registry. Your RegEdit is already working again because of the file we downloaded from Symantec. In your Run box (from the Start menu) type regedit. WARNING: Be careful about what you edit here, because a single mistake may screw up your system. Just follow the paths that are mentioned here so you won’t get lost. Make sure you edit only what is mentioned in this procedure.
 
Navigate to the following registry entries:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
“Shell” = “Explorer.exe SSCVIHOST.exe”
 
(edit and remove the word SSCVIHOST.exe, leaving only Explorer.exe; if you screw this up the Windows shell won’t show on your next boot)
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 
“Yahoo Messengger” = “%System%\SSCVIHOST.exe”
 
(delete this entry)
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
 
“shared” = “[SHARE NAME]\New Folder.exe”
 
(delete this entry)
 
Restore the following registry entries to their original values, if required:
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
“DisableTaskMgr” = “1”
 
(set to zero (0) to enable)
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
“DisableRegistryTools” = “1”
 
(set to zero (0) to enable)
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
 
“NofolderOptions” = “1”
 
(set to zero (0) to enable)
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\“AtTaskMaxHour”
 
(remove an entry here that has a name with blastclnnn.exe, or just remove all entries here)
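The following PowerShell script is an added example, not part of the original post or of Symantec’s tool: a read-only audit of the registry locations this walkthrough deals with, the file-class shell\open\command handlers from the introduction and the Winlogon, Run and Policies values from the THIRD step. It assumes the stock Windows handler for executable classes is `"%1" %*` and the stock Winlogon Shell is `explorer.exe`; it reports and changes nothing, so it is safe to run before and after the manual cleanup.

```powershell
# Added example (not from the original post): read-only audit of the registry
# values this walkthrough repairs. Run from an elevated PowerShell prompt.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Key, $Name, $Value, $Why) {
    $findings.Add([pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Why = $Why })
}

# 1. Shell hijacks (the introduction): the stock handler for these classes is "%1" %*.
#    Anything else is launched together with every .exe/.com/.bat you run.
foreach ($cls in 'exefile', 'comfile', 'batfile', 'piffile', 'scrfile') {
    $key = "HKLM:\SOFTWARE\Classes\$cls\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne '"%1" %*') { Add-Finding $key '(default)' $cmd 'handler is not the stock "%1" %*' }
}

# 2. Winlogon Shell: should be exactly explorer.exe; the worm appends SSCVIHOST.exe.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding $wl 'Shell' $shell 'extra program launched at logon' }

# 3. Policy lockouts the worm sets to block Task Manager, regedit and Folder Options.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v -eq 1) { Add-Finding $p.Key $p.Name $v 'lockout policy set; should be 0 or absent' }
}

# 4. Autostart values that reference the file names this post lists.
$names = 'SSCVIHOST.exe', 'blastclnnn.exe', 'svchosl.exe', 'New Folder.exe'
$autoKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
foreach ($ak in $autoKeys) {
    $props = Get-ItemProperty -Path $ak -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and friends
        foreach ($n in $names) {
            if ("$($prop.Value)" -like "*$n*") { Add-Finding $ak $prop.Name $prop.Value "references $n" }
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators from this post were found.' }
```

A clean run after the THIRD step should print the "No indicators" line; any row it prints names the exact key and value to revisit in regedit.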
 
FOURTH: Clean again after cleaning. Restart your PC, again in Safe Mode (remember to press F8). This time we will remove all other files that have been created by the virus. Folder Options in your Tools menu is working again, so open it up. Then select “Show hidden files and folders” and uncheck “Hide protected operating system files.” Then search your whole hard disk (using Windows Search from the Start menu) and SHIFT+DEL all of these files. Also empty your Recycle Bin after this.
  • SSCVIHOST.exe
  • blastclnnn.exe
  • New Folder.exe (these are the garbage files created by the worm; it creates thousands upon thousands of them on your hard drive)
 
FIFTH: Check your autoruns. In your Run box at the Start menu, type msconfig. Look at the Startup tab for any suspicious files that are related to the virus and disable them (you can also remove them from the registry).
 
That’s it. Reboot your system normally and check your Task Manager (CTRL+ALT+DEL) for running processes that aren’t supposed to be running.
 
Download UnHookExec.inf From HERE
 