1) Handling autorun.inf
(a) Search for autorun.inf on each drive (C:, D:, and so on). The file is marked read-only and is usually hidden and system as well, so enable "Show hidden files and folders" in Folder Options first. Right-click the file, select Properties and uncheck the Read-only option.
(b) Open autorun.inf in Notepad. Before erasing it, note the open= or shellexecute= line: it names the executable the infection launches. Then erase all the contents and save the file.
(c) After saving, set the file back to read-only by checking the Read-only option, so the now-empty file is harder for the malware to replace (the read-only bit is only a weak obstacle, which is why step 6 below may still be needed).
(d) Click Start, Run and type msconfig.
(e) On the Startup tab, look for regsvr (not regsvr32), uncheck it and click OK.
(f) Click "Exit without restart".
(g) Open Control Panel, double-click Scheduled Tasks and delete every task you do not recognise.
2) Regaining access to the Registry Editor
(a) Click Start, Run and type gpedit.msc.
(b) Navigate to User Configuration -> Administrative Templates -> System.
(c) Double-click "Prevent access to registry editing tools" and set it to Disabled.
(d) These three steps restore access to regedit, which the infection blocks. gpedit.msc is not included in Windows XP Home; there the same setting is the DisableRegistryTools value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, which has to be removed from a command prompt instead.
3) Removing the infected entries with the Registry Editor
(a) Click Start, Run and type regedit.
(b) Go to Edit and click Find (Ctrl+F).
(c) Search for regsvr.exe and edit or delete every entry that contains regsvr.exe; press F3 to move to the next match until no more are found.
(d) Remember that regsvr32.exe is a legitimate Windows component (it registers DLLs and ActiveX controls) and must not be deleted. Only regsvr.exe is the malware.
(e) In most cases regsvr.exe is appended after explorer.exe in the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. In that case delete only the regsvr.exe part of the entry. Eg: Shell = "Explorer.exe regsvr.exe"
Replace it with Shell = "Explorer.exe"
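The registry steps in sections 2 and 3, as an added PowerShell example that is not part of the original post: it removes the DisableRegistryTools policy value that blocks regedit, resets the Winlogon Shell value to explorer.exe if anything has been appended to it, and deletes Run entries that launch regsvr.exe (regsvr32.exe is left alone because the pattern requires ".exe" directly after "regsvr"). The key paths are the standard Windows locations for these values; regsvr.exe is the malware file name given in the post, and the script is assumed to run from an elevated (Administrator) PowerShell session.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session; regsvr.exe is the malware file name named in the post.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds that are not real registry values.
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Section 2: re-enable regedit (what the gpedit setting writes, done directly).
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    if ((Get-ItemProperty -Path $key).DisableRegistryTools) {
        Remove-ItemProperty -Path $key -Name 'DisableRegistryTools'
        Write-Host "Removed DisableRegistryTools from $key"
    }
}

# Section 3(e): repair Winlogon\Shell, e.g. "Explorer.exe regsvr.exe" -> "explorer.exe".
$shell = (Get-ItemProperty -Path $winlogon).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Write-Host "Shell is '$shell'; resetting it to explorer.exe"
    Set-ItemProperty -Path $winlogon -Name 'Shell' -Value 'explorer.exe'
}

# Section 3(c): delete Run values whose command line contains regsvr.exe.
# The pattern needs ".exe" right after "regsvr", so regsvr32.exe never matches.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        if ($p.Value -match '(^|[\\\s"])regsvr\.exe') {
            Write-Host "Removing $key\$($p.Name) = $($p.Value)"
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}
```

Run it once before and once after a reboot: if the Shell value or a Run entry comes back, the dropped executable is still running and the file-system steps (sections 4 and 6) have not yet caught it.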
4) Removing the infected files with Search
(a) Click Start -> Search -> All files and folders.
(b) Enter *.exe as the file name to search for.
(c) Click "When was it modified?", choose "Specify dates" and enter today's date in both fields. Eg: From 7/31/2009 to 7/31/2009.
(d) Click Search and permanently delete (Shift+Del) the executables that look suspicious to you. Eg: regsvr.exe, "svchost .exe" (note the extra space between svchost and .exe; that is the infected file, while the real svchost.exe in \Windows\System32 has no space and must be kept).
(e) Do not delete everything at once. Delete in small batches and check that the system still works after each batch.
5) Restart your computer
6) If autorun.inf files still come back even after the above five steps, boot into Safe Mode (press F8 during startup) and open a Command Prompt. On each drive (C:, D:, E:, F:, etc.) strip the archive, system, hidden and read-only attributes with attrib and then delete the file:
c:\>attrib -a -s -h -r autorun.inf
c:\>del autorun.inf
d:\>attrib -a -s -h -r autorun.inf
d:\>del autorun.inf
Repeat the same two commands on every drive, substituting its drive letter. If del reports that the file is in use, the process that recreates it is still running; Safe Mode is what stops it from being started at logon.
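The file-system steps in sections 1, 4 and 6, as an added PowerShell example that is not part of the original post: it walks every local drive, prints the open=, shellexecute= and shell\...\command= lines of any autorun.inf it finds (these name the executable the file launches), clears the attributes exactly as attrib -a -s -h -r does, deletes the file, and then lists the .exe files modified today, flagging names with a space before the extension such as "svchost .exe". It only lists the executables; the commented line at the end shows how to delete the flagged ones once you have reviewed the listing. Assumed: an elevated PowerShell session, and regsvr.exe as the malware name from the post.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session; regsvr.exe is the malware file name named in the post.

$drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Za-z]:\\$' }

# Sections 1 and 6: find, inspect and remove autorun.inf on every drive.
foreach ($d in $drives) {
    $inf = Join-Path $d.Root 'autorun.inf'
    # File.Exists sees the file even when it is hidden + system.
    if (-not [System.IO.File]::Exists($inf)) { continue }
    Write-Host "== $inf"
    # Show what the file launches before it is destroyed.
    [System.IO.File]::ReadAllLines($inf) |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
        ForEach-Object { Write-Host "   $_" }
    # Same effect as: attrib -a -s -h -r autorun.inf
    [System.IO.File]::SetAttributes($inf, [System.IO.FileAttributes]::Normal)
    Remove-Item -LiteralPath $inf -Force
    Write-Host '   deleted'
}

# Section 4: list .exe files modified today and flag the suspicious names.
$today = (Get-Date).Date
$hits = foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter '*.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $today }
}
foreach ($f in $hits) {
    $flag = ''
    if ($f.Name -match '\s\.exe$')    { $flag = '<-- space before .exe' }
    elseif ($f.Name -eq 'regsvr.exe') { $flag = '<-- named in the post' }
    Write-Host ('{0,-60} {1:yyyy-MM-dd HH:mm} {2}' -f $f.FullName, $f.LastWriteTime, $flag)
}
# Delete only after reviewing the list above, e.g. just the spaced names:
# $hits | Where-Object { $_.Name -match '\s\.exe$' } | Remove-Item -Force
```

Plug in any USB sticks that were used on the machine before running it: removable drives are how this family spreads, and an autorun.inf left on one will reinfect a cleaned PC.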
Friday, July 31, 2009