Removing Common Malicious Programs
May 13, 2009
DISCLAIMER: The following procedures have been tested and proven to work on a Windows XP operating system and on some RC versions of 2000 and Vista. I’m not going to take responsibility if further harm is done to your system. Should you still want to apply the procedures, back up your important files first.

In my last post, I gave my points of view on malicious programs. Now, here’s the procedure for removing them. This will only cover the common malicious programs transferred from USB devices (password_viewer.exe, autorun.inf, Winzip123.exe, Bar311.exe, and the like). I searched for different solutions, and here’s what I’ve come up with. The following is what I think is the simplest and most effective approach to removing and fixing malicious programs. The procedure has 2 parts, one for the PC desktop and laptop and the other for the USB external device.

If you’re not sure whether your system is really infected by any of the above-mentioned malicious programs, you can try a very effective method of determining it. For PC desktops and laptops, try to launch the command prompt or run some commands in it; if your system reboots, then most probably your system is infected and you should do the following. For USB devices, change your folder options to show hidden and system files and to unhide common file extensions. Now look in your USB devices for something unusual, like “autorun.inf”, duplicated folder names, or a folder name with a “.exe” filename extension, e.g. MyPhotos.exe. If you are positive for the above, then here’s how to fix it.

Part 1 (PC desktop and laptop)
- Run the Task Manager or simply press CTRL + ALT + DEL
- Look for and END the following running processes: password_viewer.exe, photos.exe or bar311.exe. Try to google any other processes you think should not be there.
- Now we will use REGEDIT to remove the entries the virus created in the system registry. To launch it, click the START button, then Run, and type regedit
- Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- In the userinit entry, right-click and choose Modify; you will notice the value “, userinit.exe,password_viewer.exe”. Remove only the “,password_viewer.exe” part; do not delete the entire entry.
- Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and look for and delete the following entries:
  - “Hidden”=dword:00000001
  - “HideFileExt”=dword:00000000
  - “ShowSuperHidden”=dword:00000001
- Now go to HKEY_CURRENT_USER\Software\Microsoft\Command Processor and, in the autorun entry, delete “[system drive letter]:\Windows\pc-off.bat”, or just delete the autorun entry itself
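- Now, to remove autorun.inf, we need to create a batch file: open Notepad and copy-paste the following code (you can modify it according to your file locations)

  ```bat
  @echo off
  rem Replace DriveLetter with the letter of the affected drive.
  DriveLetter:
  cd \
  rem Clear the hidden, read-only and system attributes so the file can be deleted.
  attrib -h -r -s autorun.inf
  del /f autorun.inf
  rem Delete the files the malware dropped in the Windows folder.
  del /a /f DriveLetter:\Windows\password_viewer.exe
  del /a /f DriveLetter:\Windows\pc-off.bat
  ```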
- Now save the file as removeandfix.bat
- Double-click the batch file to run the code; if successful, this will remove the virus

To verify that you have successfully fixed the problem, try the verification above again; if your system doesn’t reboot, then CONGRATS!
Part 2 (USB device)
This one is fairly simple: you can either follow the same procedure as “Part 1” or you can simply (this is the most effective method for me) back up your important files, then REFORMAT your USB device, and next time be careful where you insert your USB device.
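A read-only check of the locations both parts touch, as an added example that is not part of the original post: it reports what is in the Userinit and Command Processor AutoRun entries, the three Explorer values, and any autorun.inf in a drive root, and changes nothing. It assumes Windows PowerShell is available and that the only expected Userinit entry is %SystemRoot%\system32\userinit.exe.

```powershell
# Added example: read-only audit; it reports findings and changes nothing.
$findings = @()

# Winlogon Userinit (HKLM): every comma-separated program listed here runs at logon.
# Assumption: the only expected entry is %SystemRoot%\system32\userinit.exe.
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',')) {
    $entry = $entry.Trim()
    if ($entry -and $entry -ne $expected) {
        $findings += "Userinit also launches: $entry"
    }
}

# Command Processor AutoRun (HKCU): runs every time cmd.exe starts.
$cmdKey = 'HKCU:\Software\Microsoft\Command Processor'
$autorun = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).AutoRun
if ($autorun) { $findings += "cmd.exe AutoRun is set to: $autorun" }

# Explorer view settings named in Part 1, listed for manual review.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey
foreach ($name in 'Hidden', 'HideFileExt', 'ShowSuperHidden') {
    $findings += "Explorer\Advanced $name = $($adv.$name)"
}

# autorun.inf in the root of every mounted drive, even when hidden or system.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "Found $inf"
        # Show which program the file would start, without running anything.
        $launchLines = @(Get-Content -LiteralPath $inf -Force |
            Select-String -Pattern '^\s*(open|shellexecute)\s*=')
        foreach ($m in $launchLines) {
            $findings += "  launches: $($m.Line.Trim())"
        }
    }
}

$findings
```

Run it before the cleanup to see what needs removing and again afterwards to confirm the entries are gone.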
So that’s it, I think. If you have any questions or you want further clarifications, then SHOUT @myShoutbox!!!