Sunday, March 7, 2010

THE VIRUS WAS REPORTED BY ONE OF OUR READERS AND, SURPRISINGLY, IT SPREADS UNDER THE NAMES SONGS.EXE, KHATARNAK.EXE AND PICTURES.EXE, AMONG OTHERS.




STEPS TO REMOVE THIS VIRUS:



1. TURN OFF SYSTEM RESTORE.



2. BOOT INTO SAFE MODE.



3. GO TO ADD/REMOVE PROGRAMS AND REMOVE ANY PROGRAMS REFERENCING “W32/SILLYFDC,” “WORM.IM.SOHANAD” OR “KHATARNAK.EXE” (IF ANY).



4. RUN TASK MANAGER AND KILL ANY PROCESSES RELATING TO THESE EXE FILES.

5. SEARCH THE HARD DRIVE FOR FILES WITH NAMES CORRESPONDING TO KHATARNAK.EXE, SONGS.EXE, PICTURES.EXE, ETC.



6. TYPE MSCONFIG IN THE RUN BOX AND REMOVE THE CHECKMARKS NEXT TO ANY “KHATARNAK.EXE” OR “XSAFE.EXE” ENTRIES ON THE “STARTUP” TAB.



7. RUN THE REGISTRY EDITOR AND DELETE THE FOLLOWING ENTRIES (IF ANY):



HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SRSKL\SECURITY\“SECURITY” = “[BINARY DATA]”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SRSKL\“TYPE” = “1”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SRSKL\“START” = “3”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SRSKL\“IMAGEPATH” = “%WINDIR%\FONTS\SRSKL.FON”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SRSKL\“ERRORCONTROL” = “0”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SRSKL\“DISPLAYNAME” = “SRSKL”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DOGKILLER\SECURITY\“SECURITY” = “[BINARY DATA]”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DOGKILLER\“TYPE” = “1”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DOGKILLER\“START” = “3”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DOGKILLER\“IMAGEPATH” = “%TEMP%\~DWPHX.TMP”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DOGKILLER\“ERRORCONTROL” = “0”

HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DOGKILLER\“DISPLAYNAME” = “DOGKILLER”

8. REBOOT.

THE VIRUS SHOULD BE GONE.
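
To confirm after the reboot that nothing from steps 4 to 7 is left, the same locations can be checked with a read-only script. This is an added example, not part of the original post; it assumes the MSCONFIG startup entries live in the two standard Run keys, and the `$SearchRoot` parameter and output labels are its own.

```powershell
# Added example: read-only check for the leftovers named in steps 4-7.
# It only reports what it finds and deletes nothing.
param(
    # Folder to search for the dropped executables (assumption: system drive root).
    [string]$SearchRoot = "$env:SystemDrive\"
)

# Names taken from the post. A match on name alone is a lead, not proof:
# a legitimate program can also be called songs.exe or pictures.exe.
$exeNames = 'khatarnak.exe', 'songs.exe', 'pictures.exe', 'xsafe.exe'
$services = 'srskl', 'DogKiller'
# ImagePath targets from step 7. %TEMP% is resolved for the current user only.
$dropped  = "$env:windir\Fonts\srskl.fon", "$env:TEMP\~dwphx.tmp"
# Assumption: the "Startup" tab entries of step 6 come from these Run keys.
$runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# Step 4: processes still running under one of the file names.
$procNames = $exeNames | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "PROCESS  $($_.ProcessName) (PID $($_.Id))"
}

# Step 6: autostart values whose command line mentions one of the names.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        foreach ($n in $exeNames) {
            if ("$($p.Value)" -like "*$n*") { $findings += "STARTUP  $key -> $($p.Name) = $($p.Value)" }
        }
    }
}

# Step 7: the two service keys and the files their ImagePath values point to.
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\ControlSet001\Services\$svc"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "SERVICE  $key (ImagePath = $img)"
    }
}
foreach ($f in $dropped) { if (Test-Path -LiteralPath $f) { $findings += "FILE     $f" } }

# Step 5: copies of the executables anywhere under the search root (slow on a full drive).
Get-ChildItem -Path $SearchRoot -Include $exeNames -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "FILE     $($_.FullName)" }

if ($findings) { $findings } else { 'No leftovers from the listed names were found.' }
```

Run it from an elevated PowerShell prompt so the service keys and protected folders are readable.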
