Wednesday, November 11, 2009

Manually Clean & Remove Viruses Basic to In-depth Home Computer Security Guide Page 11

Manually Clean & Remover Folder.exe & Brontok Virus

1. Manually remove it (new folder.exe Fix)

Delete File named svichossst.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre nt Version\Policies\ System]“@”=[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run]“Yahoo Messenger”= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion \Winlogon]“Shell”=”Explorer.exe “

2. Remove brontok Virus manually (New Folder.exe or newfolder.exe Virus)

Here is the method to remove brontok virus manually though avg can remove it very easily.

Start your computer in safe mode with command prompt and type the following command to enable registry editor:-

reg delete HKCU\software\microsoft\windows\currentversion\pol icies\system /v “DisableRegistryTools”

and run HKLM\software\microsoft\windows\currentversion\pol icies\system /v “DisableRegistryTools”

After this your registry editor is enable type explorer go to run and type regedit
then follow the following path :-


on the right side delete the entries which contain ‘Brontok’ and ‘Tok-’ words.

After that restart your system open registry editor and follow the path to enable folder option in tools menu

HKCU \ Software \ Microsoft \ Windows \ Currentversion \ Policies \ Explorer \ ‘No FolderOption’

Delete this entry and restart your computer

And search *.exe files in all drives (search in hidden files also) remove all files which are display likes as folder icon. Your computer is completely free from virus brontok.

Install and keep up-to-date AntiSpyware Software

AntiSpyware software helps to protect users from spyware and other potentially unwanted software like adware. AntiSpyware helps to reduce negative effects caused by spyware, including slow computer performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of user’s private information. Continuous protection improves Internet browsing safety by guarding spyware in ways they can enter the system. The worldwide SpyNet community plays a key role in determining which suspicious programs are classified as spyware.

AntiSpyware gives the real-time protection by monitoring the system at different checkpoints. These checkpoints are triggered when programs make changes to Windows configuration. These changes can occur when user installs software on his system, or they can occur when spyware or other potentially unwanted software attempts to install on the system.

In case Real-Time Protection detects a change in any checkpoint, AntiSpyware alerts the user and provides the option for user to allow or block the change.

A good AntiSpyware gives the real-time protection, the counteract methods and updates itself for the latest checkpoints & spyware.

Different AntiSpywares are available on the Internet. Microsoft has also released an antispyware by the name Microsoft AntiSpyware (Beta), which is available free on its site. For more details on Microsoft AntiSpyware (Beta), refer to the following link:

Harden the Operating System by turning off unnecessary clients, services and features

Hardening of the operating system (OS) is a topic on its own for which there are a number of good references releases time to time on product basis by their respective vendors. Discussion on hardening on Operating System is beyond the scope of this document. For further reading on hardening the Operating System, please see the following links:

a. Turn off the “Hide file extensions for known file types” feature:

By default, Windows hides the file extensions of known file types. This behaviour has been used to trick users into executing malicious code. But a user may choose to disable this option in order to have file extensions displayed by Windows. Multiple email-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes, examples include:

• Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
• VBS/Timofonica (TIMOFONICA.TXT.vbs)
• VBS/OnTheFly (AnnaKournikova.jpg.vbs)

The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).

b. Remove the ability of others to access file shares and printers on the host
since poorly protected file shares are being actively targeted:

For all Windows users:

• Disable by deselecting the “File and Printer Sharing for Microsoft Networks” option in the Network and Dial-Up Connections applet. This service allows networked computers to transparently access files that reside on remote systems.

• Disable by deselecting the “Client for Microsoft Networks” option in the Network and Dial-Up Connections applet. This service will disable the facility that allows a distributed application to call services that are available on various computers on a network.

For Windows 2000 and XP users only:

To enable or disable the services in aforesaid Operating Systems go to Start> Settings>Control Panel>Performance and Maintenance>Administrative Tools>Services:

• Disable Performance Logs & Alerts: This service collects performance data from local or remote computers based on preconfigured schedule parameters.

• Disable Remote Registry Service: This service enables remote users to modify registry settings on local computer.

• Disable Windows Management Instrumentation (WMI) Driver Extensions: This service provides systems management information to and from drivers.

• Disable TCP/IP NetBIOS Helper Service: This service enables name resolution over TCP/IP.

• Disable Remote Administration Service: This service provide total control of user’s system to the remote user. (To disable this service, right click on My Computer> Properties>Remote Tab, then deselect “Allow Remote Assistance invitations to be sent from this computer”)

Users should be extremely cautious about disabling the above mentioned services, as it is quiet possible that they might be using these services for different purposes in their environment. Disabling these services before any consent could result in malfunctioning of program/s. Please consult to the system vendor before taking any step.


No comments:

Post a Comment

You Have Successfully Posted the Message.