Solving virus/malware attacks: Part 2

Written by Pavan Kumar on May 8, 2008


The first part of this article made its debut on Google with sharokh.exe, a widespread virus. Now I am dealing with the next step: malware that starts itself even in Safe Mode. To be specific, I was infected with rqRJyxWO.dll and awtqqNef.dll. The second one was not causing much inconvenience. I explain how to remove them.

As I said, the second one was not a big problem, but the first one was the first of its kind I have ever seen. It was stored in the system32 folder and started itself in association with winlogon.exe, a critical Windows system process. I could neither end the process nor delete the viral file. My antivirus program detected it, but it too failed to clean the file. The main problem this DLL created was to kill my explorer.exe process: whenever Windows started up, the DLL was activated along with winlogon.exe and ended my explorer process, and this was true even in Safe Mode. Even if I started explorer manually, it got killed again. As I was busy with my project work, I restored my system with Ghost, but I finally found a solution to the problem, which I am going to explain step by step.

  • You need: Unlocker, RRT and your updated antivirus. Install Unlocker.
  • I don't deal much with RRT now, as you are all already aware of how to solve a viral attack with it.
  • The central solution here is for a virus/adware/malware that is detected but cannot be deleted by the antivirus tool.
  • In your antivirus tool, note down the location of such files.
  • Go to that location, right-click on the file and use Unlocker to delete the file, as shown in the snap below.

[Screenshot: Unlocker]

I strongly recommend keeping a partition backup with Ghost for quick recovery of your system in case of any OS problems.

Solution for autorun.exe virus disabling your partition open/explore:

Even though your antivirus detects no virus, whenever you double-click on any partition, an "Open with" dialog pops up asking you to choose which application to use to open that drive.

That is because of an autorun.inf file stored on the drive, which instructs the computer to open a particular application whenever there is an attempt to open that drive. That application is a virus that has already been deleted or quarantined by your antivirus, which is why Windows cannot launch it and asks you what to use instead.

Now open Folder Options, make all files visible and delete the autorun.inf file. Alternatively, you may create a new autorun.inf file and paste it over the existing one to replace it, then delete the new one manually. To create the dummy file, open Notepad, go to File > Save As, choose "All Files" rather than "Text Documents (*.txt)", enter the file name autorun.inf, save it somewhere and use that.

Now just rename your partition and you are done; it is accessible again.
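As an added example (not part of the original post), this PowerShell script does the inspection and clean-up described above from an elevated prompt: for every drive it reads autorun.inf, shows which program the file would launch and whether that program is still on the drive, and deletes the file when run with -Remove. The script and its switch name are my own, not a tool from the post.

```powershell
# Added example, not part of the original post: report and remove autorun.inf
# on every drive. Run from an elevated PowerShell prompt; add -Remove to delete.
param([switch]$Remove)

# [autorun] keys whose value names something to execute when the drive is opened
$launchKeys = 'open', 'shellexecute'

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue)) { continue }

    # -Force is needed: droppers normally mark the file hidden + system
    $item = Get-Item -LiteralPath $inf -Force
    Write-Host "`n$inf  (attributes: $($item.Attributes))"

    foreach ($line in Get-Content -LiteralPath $inf -Force) {
        # key=value lines only; section headers and ';' comments are skipped
        if ($line -notmatch '^\s*([^=;]+?)\s*=\s*(.+?)\s*$') { continue }
        $key   = $Matches[1].ToLower()
        $value = $Matches[2]
        # shell\<verb>\command= is the other way to wire a program to Open/Explore
        if ($launchKeys -notcontains $key -and $key -notlike 'shell\*\command') { continue }

        # The program is the quoted string or the first token, relative to the drive root
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
        $target = Join-Path $drive.Root ($exe.TrimStart('\'))
        if (Test-Path -LiteralPath $target) {
            $state = 'STILL PRESENT - scan it with your antivirus before doing anything else'
        } else {
            $state = 'missing (deleted/quarantined) - this is what triggers the Open With dialog'
        }
        Write-Host "  $key = $value"
        Write-Host "    launches: $target  [$state]"
    }

    if ($Remove) {
        # Clear read-only/hidden/system so the delete is not refused
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $inf -Force
        Write-Host "  removed $inf (rename the drive, as described above, so Explorer notices)"
    }
}
```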


7 Readers responded to this post

This post will be useful for many :) :mrgreen:
Yesterday a virus from my brother's USB was trying to make changes in the system,
but my Spybot's real-time protection asked me before making any registry changes and I was saved.
The only thing that happened was the change in IE's title bar :P

@ Siddharth,

I always keep a separate account with limited access and I never use the pen drives on administrator account. One more way to save my system…. :idea:


That's a great thing, Pavan :mrgreen:
But actually, every second time I am on my computer I have to do something that requires administrator access :P


@ Siddharth

I don't own a pen drive, so there is no question of sharing data with others regularly. I only plug in a pen drive rarely, some 3-4 times a week, so it's not a problem for me. Also, I don't log myself off from the administrator account; I just switch the user account to limited.


How about delextra.exe, Pavan?
(Sorry, OOT)
It makes my computer run out of memory.

@ Fauzan

Sorry for the late reply. I wrote the above solution as I was infected by those threats. I did not come across delextra.exe, so the solution I am providing here is not mine. You can read the solution here:

http://www.greatis.com/appdata/d/d/delextra.exe_Removal.htm

I have written a step-by-step guide for removing the winlogon virus. You may find it helpful.
http://snsays.com/26/removing-winlogon-virus/


About The Author

    Pavan Kumar

    Pavan Kumar completed Engineering in Electronics and Communication in the year 2008. He is very enthusiastic and keen to work on different aspects of computer, internet and mobile related fields. The articles here reflect his creativity. This blog was started as a showcase of solutions for different problems and today it has got a good reputation in the blogosphere. Read More...

© 2014 - TechPavan.com. All rights reserved.
