Common Virus Problems

Brontok Worm

2007-12-26T21:05:00.000+05:30

Brontok is a computer worm which spreads through emails and USB drives. There are so many variants of brontok but they basically work similarly.How do I know if my system is infected?
You can’t start Regedit.exe
When trying to start any other registry editor, the system restarts
The system also restarts when executing certain EXE files
The presence of the following files:
%WINDIR%\eksplorasi.pif
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\WowTumpeh.com
%WINDIR%\%CURRENT_USER%’s Setting.scr
%WINDIR%\ShellNew\bronstab.exe
All these files have the size of the worm’s main executable: 42,028 bytes(About 42 KB).

What does it do?
Disable Folder Options
Disable Registry Editor
Installs itself in the startup
When in memory, it will restart the system if any program involving the registry is started

How to remove Brontok?

Download and run this brontok removal tool from Bitdefender. This tool will kill the brontok process, restore folder options and registry editor and fix system startup.

Unable To Open Hard Drive On Double Click

2007-12-26T20:57:00.000+05:30

In some situation especially when anti-virus program has cleaned, healed, disinfected or removed a worm, trojan horse or virus from computer, there may be error happening whenever users try to open or access the drive by double clicking on the disk drive icon in Explorer or My Computer window to try to enter the drive’s folder. The problem or symptom happens in hard disk drive, portable hard disk drive or USB flash drive, and Windows will prompt a dialog box with the following message:

Windows Script Host

Can not find script file autorun.vbs.

Sometimes you will be asked to debug the VBScript with error code of 800A041F - Unexpected ‘Next’.

or

Choose the program you want to use to open this file with:

In this case, the “Always use the selected program to open this kind of file” option is grayed out.

The symptom occurs because when autorun.vbs is created by trojan horse or virus. The virus normally loads autorun.inf file to root folder of all hard drive or USB drive, and then execute autorun.bat file which contains script to apply and merge autorun.reg into the registry, with possible change to the following registry key to ensure that virus is loaded when system starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=userinit.exe,autorun.exe

Finally, autorun.bat will call wscript.exe to run autorun.vbs.

When antivirus or security software detected the autorun.vbs file as infected, the file will be deleted or removed or quarantined. However, other files (autorun.*） and registry value still referring to autorun.vbs, and this document no longer exists, hence the error when users double click to open a drive folder.

To correct and solve this error, follow this steps:
1.Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)
2.Stop wscript.exe process if available by highlighting the process name and clicking End Process.
3.Then terminate explorer.exe process.
4.In Task Manager, click on File -> New Task (Run…).
5.Type “cmd” (without quotes) into the Open text box and click OK.
6.Type the following command one by one followed by hitting Enter key:
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a
del e:\autorun.* /f /s /q /a

c, d, e each represents drive letters on Windows system. If there are more drives or partitions available, continue to command by altering to other drive letter. Note that you must also clean the autorun files from USB flash drive or portable hard disk as the external drive may also be infected.
7.In Task Manager, click on File -> New Task (Run…).
8.Type “regedit” (without quotes) into the Open text box and click OK.
9.Navigate to the following registry key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
10.Check if the value name and value data for the key is correct (the value data of userint.exe include the path which may be different than C drive, which is also valid, note also the comma which is also needed):“Userinit”=”C:\WINDOWS\system32\userinit.exe,”

If the value is incorrent, modify it to the valid value data.

autorun.inf In Pen Drive

2007-12-26T20:53:00.000+05:30

This virus is activated when we double click open the Pen Drive.
The autorun file in that drive runs a .exe file to activate the virus.
So, you must remove these two files (autorun.inf and a .exe file) from the pen drive.
Otherwise, the virus will roll back whole things what we have done to remove them.
These files may be hidden system files, to show the files, follow these steps:

1. Select Run from Start menu.
2. Type cmd and hit Enter.
3. Type the pen drive letter with a colon (for eg: J: ) and hit Enter.
4. Now type as following:
attrib -h -a -r -s and hit Enter.
5. Now, from My Computer, right click (do not double click) on the pen drive and select Open.
6. Delete the files autorun.inf and a .exe file from there.
Restart the system.

Run Command Disabled

2007-12-25T16:32:00.000+05:30

Open Group Policy(How?).Now you would see something like this.

Now you can see the option change it to enabled and then Not configured/

Registry Editor Disabled

2007-12-25T16:25:00.000+05:30

Open Group Policy(How?).
Then you would see something like this:
Now you can see the option change it to enabled and then Not configured.

Task Manager Disabled

2007-12-25T16:00:00.001+05:30

Problem:
When you press Ctrl+Alt+Del, it shows Task Manager Disabled by Your Administrator.

Cure:
To cure this problem, simply open Run command(Start --> Run) and type gpedit.msc and hit Enter. Then you will get the following screen:

(Most probably, your Run command would also have been disabled. In that case, open Start-->Programs-->Accessories-->Command Prompt. Then type gpedit.msc there and hit Enter to open Group Policy).OR

Group Policy

Here you will find RemoveTask Manager and all. Now what you will do first enable the feature by double clicking on the option and selecting the enable option and then again changing back to Not Configured.
Now see your task manager is back.