Manual Process of removal
So let’s start the process off reclaiming the turf that virus took over from us.
- Cut The Supply Line
- Search for autorun.inf file. It is a read only file so you will have to change it to normal by right clicking the file , selecting the properties and un-check the read only option
- Open the file in notepad and delete everything and save the file.
- Now change the file status back to read only mode so that the virus could not get access again.
- Click start->run and type msconfig and click ok
- Go to startup tab look for regsvr and uncheck the option click OK.
- Click on Exit without Restart, cause there are still few things we need to do before we can restart the PC.
- Now go to control panel -> scheduled tasks, and delete the At1 task listed their.
- Open The Gates Of Castle
- Click on start -> run and type gpedit.msc and click Ok.
- If you are Windows XP Home Edition user you might not have gpedit.msc in that case download and install it from Windows XP Home Edition: gpedit.msc and then follow these steps.
- Go to users configuration->Administrative templates->system
- Find “prevent access to registry editing tools” and change the option to disable.
- Once you do this you have registry access back.
- Launch The Attack At Heart Of Castle
- Click on start->run and type regedit and click ok
- Go to edit->find and start the search for regsvr.exe,
- Delete all the occurrence of regsvr.exe; remember to take a backup before deleting. KEEP IN MIND regsvr32.exe is not to be deleted. Delete regsvr.exe occurrences only.
- At one ore two places you will find it after explorer.exe in theses cases only delete the regsvr.exe part and not the whole part. E.g. Shell = “Explorer.exe regsvr.exe” the just delete the regsvr.exe and leave the explorer.exe
- Seek And Destroy the enemy soldiers, no one should be left behind
- Click on start->search->for files and folders.
- Their click all files and folders
- Type “*.exe” as filename to search for
- Click on ‘when was it modified ‘ option and select the specify date option
- Type from date as 1/31/2008 and also type To date as 1/31/2008
- Now hit search and wait for all the exe’s to show up.
- Once search is over select all the exe files and shift+delete the files, caution must be taken so that you don’t delete the legitimate exe file that you have installed on 31st January.
- Also selecting lot of files together might make your computer unresponsive so delete them in small bunches.
- Also find and delete regsvr.exe, svchost .exe( notice an extra space between the svchost and .exe)
- Time For Celebrations
- Now do a cold reboot (ie press the reboot button instead) and you are done.
I hope this information helps you win your own battle against this virus. Soon all antivirus programs will be able to automatically detect and clean this virus. Also i hope Avast finds a way to solve this issues.
As a side note i have found a little back dog( winpatrol ) that used to work perfectly on my old system. It was not their in my new PC, I have installed it again , as I want to stay ahead by forever closing the supply line of these virus. You can download it form Winpatrol website.