Sunday, March 7, 2010

Recently my computer was infected with this virus called sysdate.exe that was inside the RECYCLER folder on the C: drive. I knew that it was a virus since my PC didn't have the RECYCLER folder earlier. Thus the location of the virus was C:\RECYCLER\S-1-5-21-8324555943-4443154761-431384085-6428\sysdate.exe


Symptoms of this virus:

• In the RECYCLER folder there was another folder, but with the look of the Recycle Bin, whose name was something like S-1-5-21-8324555943-4443154761-431384085-6428, and on double-clicking it I came across all the files which were in the Recycle Bin.

• There was an entry in the Registry Editor named Taskman that came back again and again on deleting.

• There were no changes in the Startup list or Task Manager on my system, but if there are any on yours then remove the process from Startup and kill it from Task Manager.

Note: go to Folder Options -> View tab -> check the option "Show hidden files and folders" and uncheck the option "Hide protected operating system files".

Here are the steps of how I removed the virus and fixed my problem.

1. First of all, to see all the contents of the RECYCLER folder we need to change the attributes of the folder.

2. Open Command Prompt (by typing cmd in the Run box) and type

attrib -r -h -s C:\RECYCLER

and press Enter. Then type

attrib -r -h -s C:\RECYCLER\S-1-5-21-8324555943-4443154761-431384085-6428

and press Enter. (The attribute switches are plain hyphens, -r -h -s, which clear the read-only, hidden and system attributes; there is no space after the last backslash in the path.)

3. The shape and look of the folder will change from that of the Recycle Bin to a normal folder, which will now show all the contents inside it.

4. There were two files inside the S-1-5-21-8324555943-4443154761-431384085-6428 folder, sysdate.exe and autorun.inf, both of which were undeletable.

5. Now, to delete the RECYCLER folder, the S-1-5-21-8324555943-4443154761-431384085-6428 folder, and the autorun.inf and sysdate.exe files, first kill the explorer.exe process from Task Manager.

6. Your Explorer will shut down but Task Manager will still be running. Now go to File -> New Task and click Browse.

7. Go to the RECYCLER folder in this Browse dialog and Shift+Delete the sysdate.exe and autorun.inf files there; they will be deleted easily and will not come back.

8. Then delete the RECYCLER folder as well.

9. After you are done removing the viruses, type explorer.exe in the New Task box, which will bring Explorer back up.

10. Type regedit in the Run box to open the Registry Editor, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and delete the Taskman entry in the right pane.

Refresh to see if it comes back. If it does not come back, your virus will have been removed.

11. If your computer has more than one user, then navigate to HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and edit the Shell entry on the right side. Edit it to remove the C:\RECYCLER\S-1-5-21-8324555943-4443154761-431384085-6428 value.

The value should be only explorer.exe

Restart the computer to see the virus removed.
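A read-only check for the two persistence spots the steps above touch (the Winlogon Taskman and Shell values, and a SID-named RECYCLER subfolder holding autorun.inf next to an .exe), added here as an example that is not part of the original post. It assumes Windows PowerShell 3.0 or later and only reports; it deletes nothing.

```powershell
# Added example, not from the original post. Reports the Winlogon and
# RECYCLER artefacts described above without changing anything.
# Assumes Windows PowerShell 3.0+ (for -Directory / -File on Get-ChildItem).

$winlogonPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($path in $winlogonPaths) {
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $props) { continue }

    # A clean install has no Taskman value here; any value deserves a look.
    if ($props.PSObject.Properties.Name -contains 'Taskman') {
        Write-Output "SUSPECT: $path\Taskman = $($props.Taskman)"
    }

    # Shell should be exactly explorer.exe. Extra comma-separated entries
    # (like the C:\RECYCLER\S-1-5-21-...\sysdate.exe from the post) mean a
    # second program is launched alongside the desktop at logon.
    if ($props.PSObject.Properties.Name -contains 'Shell') {
        $entries = $props.Shell -split ',' | ForEach-Object { $_.Trim() }
        $extra = $entries | Where-Object { $_ -ne '' -and $_ -ine 'explorer.exe' }
        if ($extra) { Write-Output "SUSPECT: $path\Shell = $($props.Shell)" }
    }
}

# SID-named subfolders of RECYCLER on every drive that carry autorun.inf
# next to an executable, the file pair the post found.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (-not (Test-Path -LiteralPath $recycler)) { continue }
    Get-ChildItem -LiteralPath $recycler -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^S-1-5-' } |
        ForEach-Object {
            $files = Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue
            $hasAutorun = $files | Where-Object { $_.Name -ieq 'autorun.inf' }
            $exes = $files | Where-Object { $_.Extension -ieq '.exe' }
            if ($hasAutorun -and $exes) {
                Write-Output "SUSPECT: $($_.FullName) has autorun.inf and $($exes.Name -join ', ')"
            }
        }
}
```

Run it from an elevated PowerShell before and after the removal steps; a clean machine prints nothing.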

I did all the above steps on more than one PC and it worked on each of them.
