| Virus Troubleshooting Tutorial; Bronstab.exe, SystemkernelFile.exe | |
|---|---|
| Topic Started: 12 Sep 2006, 12:18 PM (554 Views) | |
| samundra | 12 Sep 2006, 12:18 PM Post #1 |
RiskyBoy
  ![]](http://209.85.122.83/static/1/pip_r.png)
|
Hey gyz, I believe in sharing knowledge. Sharing knowledge broadens our mind hehehe.. I found most of the computer in ktm are infected with the virus that has the following characteristics and most of the people don't know how to get rid of this virus. We are dependent on Antivirus but most of the Antivirus can't detect this virus like as Norton AV, AVG FreeAv etc. But some Antivirus Sophos, Avira Antivirus can catch this virus if it already installed in your computer before the infection of virus. If your computer is already infected with these virus then these software might be unable to clean the virus from your computer. To clean the virus from your computer you must Turn off the System Restore Point and try with Virus Scanning. This is my first tutorial, you may find many grammatical errors, avoid it. I am not that much good in English. My motive is to provide knowledge to my friends. Let me know if it is helpful to you. How to detect this virus in WindowsXP SP2. When we start computer the explorer is opened itself at the startup. It means that your computer is infected with the variants of this virus. Others detection process : 1. You won't be able to access the registry editor. StartRun Regedit 2. You won't be able to access System Configuration Utility . Start-Run Msconfig 3. Sometimes it also disables your Folder Options available under ToolsFolder Options 4. It also disables your access to Command Prompt StartRun cmd.exe Or "command.exe" In some cases, we can type and run But it displays the Endtask window. This is the main thing we have to care about that we can type in the command prompt although it displays the Endtask window. 5. This virus creates the sub-folder inside the folder with the same name as that of the folder itself and in some cases it chooses the random names of the folder. How to remove this virus : Basic idea of removing this virus is removing the .dll file from our computer and its other supportive file which is located in temp folder and other windows system folder. It can be detected easily. Since its file size different we have to find its file size. And then we'll find all .exe file with folder icons and file size of that virus {its generally from 14 kb to 53 kb} as I have found.  if you are able to access the "cmd.exe" or "command.exe" from normal mode then you can access the Windows Task Manager From Normal Mode too 1. StartRun Type "cmd.exe" {enter} Displays EndTask Window. Leave this window as it is. This keeps virus in active state. Again, 2. StartRun Type "Taskmgr.exe" {enter} You'll be able to access the Windows TaskMananger Window. Here Kill all the process run by the User Name = "Administrator" or "Your Username"  Take care that you've also killed the SVCHOST.EXE run by LOCALE SERVICE Kill these Most renowed startup items Image Name User Name 1. SVCHOST.exe LOCALE SERVICE 2. MsAgent Administrator 3. MicrosoftCommonItems Administrator Now, delete all temporary files StartRun Type "%temp%" {enter} Shift+Delete You can scroll down to virus file size info and start troubleshooting from there. SafeMode Troubleshooting First of all start your computer in Safe Mode with Command Prompt. It may take you time, as your computer is infected with virus. It might take you from 2 -7 mins to get the prompt. You machine seems to get stucked at point….but its actually processing. So, don't get impatient. Delete Temporary Files When you get to command prompt hit Ctrl+Alt+Del that would popup Windows Task Manager. Now click in New Task Button Deleting Temporary Files Type there "%temp%" without quotes and hit enter. You'll be shown a dialog box like the one below in safemode.  Don't click either of the buttons (Yes/No). And leave this dialog box as it is. Just ignore this window. Again Goto Windows Task Manager and Click in New Task and then hit enter "%temp%" is already listed there. This time you'll come to temp directory. There must be a folder with .exe Extension. To view this Right click View Details Folder Icon with Type = Applications ======> Virus Virus File Size Info Select anyone VirusFile {one with .exe and folder icon} and right click on it and view its properties. see above  There note down the file size Now, shift+delete all files from here. Then. open the search dialog box  Take care in specifying file size. Be Sure ! You have selected At Most and specified the virus file size it doesn't need to be exact. Suppose the virus file size is 23.3 kb then you can specify 24 kb. That would list the virus too. For convenient, select only one drive at a time and search for all files and folders When search is complete First sort all files with their File Size and then  Hold Shift+Delete delete all files with File Size= {Virus File Size} in my case it is 32 Kb Take care only delete those files whose file size equals to that of virus file size. otherwise, you might delete the system file. Some files can't be deleted don't bother for that. Repeat this process again and again until you get files deleted from all the hard drives meeting your criteria. Still some files can't be deleted right now. In most cases, they can be deleted. We have finished almost 50 % of the removing process. Setting up the Startup Items :: Start Run Type "Regedit" {enter} You will come to Registry Editor. Now scroll to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINODWS\CURRENTVERSION\RUN And delete MsAgent, SVCHOST.EXE, MicrosoftCommonItems.exe and other virus files if listed. I would suggest to delete all the startup items. That would ease our troublshoot. If you can't find the key then take the help of "msconfig" StartRun Type "Msconfig" {enter} Check the "Startup items TabPage" And see the Location. And then scroll to that location in registry and delete all values. Deleting Manually the Startup Items : Now, we need to delete manually the startup items from the start menu for all users. Goto StartPrograms Startup Right Click And select Explore all users  And shift+delete MicrosoftCommonItems.exe also ".pif" You have to explorer through each user startup items to be sure that this startup item has been deleted. Sometimes it also copies itself to the quick launch bar to delete it from quick launch explore to this C:\Documents and Settings\Microsoft\Application Data\Microsoft\Internet Explorer\Quick Launch and delete it manually. You can also delete it by right clicking directly on quick launch with mouse over virus file. Now, Re-check if there is any virus file left on your machine. In case if you are unable to delete any virus file or temporary file it means the file is still in use. Then you must use Windows TaskManager to Kill this active virus and try to delete the file. Some Side Effects:: Since this virus make some changes in the system files, you folder icons may get change, and you need to replace them manually. And it also prevents some programs from starting. I couldn't start photoshop after I removed this virus from my office computer. it gave warning message that image8.jpg It also prevents the installation of Antivirus Software. You should play trick to install them. As I have written this tutorial I don't think there's any necessary to write the trick for installation of Antivirus. Precaution from this virus • Always keep the setting to show extension for the files and system files. Show you can easily see the extensions. YourComputerName.exe folders.exe network.exe NewFolder.exe etc. • As this virus has the ability to write itself in the CDs. That is if you write anything from the infected computer then it gets itself copied to the write folder and you unknowingly write it to CD. It also copies itself to the FlashDrive (PenDrive) and Floppies. So, if your computer is already infected with the virus. Don't write any CD from it. • It makes your computer boot slowly. References From : Avira Antivirus http://www.free-av.com Sophos Antivirus Samundra |
 |
 
|
| samundra | 12 Sep 2006, 12:30 PM Post #2 |
|
RiskyBoy
|
 This dialog box might appear after the removal of virus. but don't worry. Its just dialog box....it won't do any harm. |
|
|
|
| dipti | 5 Oct 2006, 04:33 AM Post #3 |
|
Member
|
Samundra did nice piece of work; really useful info. But I want to add something on that 'dialoge box' issue. It will be annoying if it just keeps popping out everytime, so we've got to find complete solution. And what I found missing is you can go for 'system restore' in case you're bugged by this type of problem. System Restore performs the following tasks: - Restores your computer to a previous state - Restores your computer without losing your personal files - Stores one to three weeks of past restore points - Locates dates associated with restore points - Ensures that all restorations are reversible - Provides several types of restore points To get into System Restore (in Win XP) : Start>All Programs>Accessories>System Tools>System Restore |
|
|
|
| samundra | 29 Oct 2006, 04:16 AM Post #4 |
|
RiskyBoy
|
Sorry, I delayed for reply. I was bg with Dashain and Tihar and I wanted to give my full-time at least this time to my friends. Thanks Dipti. Now, lets get to the point. Yeah Dipti, System Restore should work but you know what...the virus I have done the runtime troubleshooting had copied them to the System Restore folder. That means even if you go with System Restore that won't be the ultimate solution, but you can at least give a try to It. And about dialog box, I have been searching for the ultimate solution. The problem is that The virus keeps itself in startup mode, that means it becomes active in each start of the computer. And when you run computer in safemode command prompt only it won't start, and becomes inactive but as soon as when you turn your computer in desktop mode virus becomes active and gives you a dialog box, and gives you 2 button. Yes And No it doesn't matter whichever button you click, virus will become active. Just to be sure, you try with REGEDIT . In some computer you get the dialog box that eksplorasi.exe file is missing. Somehow virus makes itself linked to the EXPLORER.EXE file which is the main startup file of the computer and calls itself from there. As I have come up with the conclusion. I think, now you got me, and you can also try for the ultimate solution and let us know when you are finished with. Have a nice time, with best regards, samundra |
|
|
|
| rupesh | 27 Feb 2008, 05:39 AM Post #5 |
Newbie
|
 nice post
|
|
|
|
| samundra | 10 Mar 2008, 08:25 AM Post #6 |
|
RiskyBoy
|
Finally, the solution is found. Though I found this solution earlier but I delayed posting it here, I thought I would better post it. The virus makes the registry entry [red] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon == > Shell [/red] Shell = Explorer.exe "SomeScriptsHere" Each time the computer is started, anything here in shell will also get executed. So Remove the part SomeScriptsHere and keep only Explorer.exe Shell= Explorer.exe There might be one more addition in Userinit Keep only Userinit = C:\WINDOWS\system32\userinit.exe and remove the rest part. This will solve the problem of that annoying dialog box. |
|
|
|
| 1 user reading this topic (1 Guest and 0 Anonymous) | |
| « Previous Topic · Computer Problems / Alerts · Next Topic » |
7:53 AM Nov 8
