#1
Newbie
Join Date: Apr 2008
Age: 27
Posts: 14
Thanks: 0
Thanked 12 Times in 6 Posts
Rep Power: 1
MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
Hi, I'm redant21ltd, I'm new here in techtalkz. I'm a computer technology instructor and system administrator of POWER SKILLS TECHNICAL CENTER in the Philippines, and I would like to share with you how to delete viruses without using any antivirus. In some cases we need to use third-party software like CurrProcess from NirSoft and Autoruns from Sysinternals, because there are many viruses that restrict tools like TASK MANAGER, REGEDIT, FOLDER OPTIONS and SYSTEM RESTORE.

CurrProcess can display all processes and running programs, just like the Task Manager. Using Autoruns you can view what's inside your registry. You can download CurrProcess for free: http://www.nirsoft.net/utils/cprocess.html and Autoruns: http://technet.microsoft.com/en-us/s.../bb963902.aspx

Today I will show you how to delete the BRONTOK.A virus. In case you are infected with Brontok, here is the manual removal. First we must know what the manifestations are.

Manifestations:
1. There is no Folder Options.
2. If you try to access the Registry Editor it will shut down automatically.

If you notice in Task Manager there are two of each:

IMAGE NAME     USER NAME
Isass.exe      Workstation
Isass.exe      SYSTEM
Services.exe   Workstation
Services.exe   SYSTEM
Winlogon.exe   Workstation
Winlogon.exe   SYSTEM
Inetinfo.exe

You need to end process the virus using the third-party software CURRPROCESS (substitute for Task Manager).

1. Look for Isass, Services, Winlogon and try to Kill Process them.
2. Now we need to open the registry using Gpedit.msc. Under User Configuration\Administrative Templates\System\ :
   SETTINGS                                        STATE
   Prevent Access to the Registry editing Tools    Not configured
   Double click it and select Enabled. It will become like this:
   Prevent Access to the Registry editing Tools    Enabled
   Click the OK button, minimize the window and then refresh or press F5 on the Desktop. Go back again, double click it and select Not configured, click the OK button, minimize the window and then refresh or press F5 on the Desktop.
3. Type Regedit again.
4. Now that the registry is enabled, we need to go to Hkcu\Software\Microsoft\Windows\Current Version\Policies\Explorer and delete the following: Nofolderoptions
5. Refresh or F5 on the Desktop, then try to access the Folder Options again: in My Computer go to Tools, Folder Options, View, select Show hidden files and folders, uncheck Hide extensions for known file types and Hide protected operating system files (Recommended).
6. Now try to access the Registry Editor again and look for a possible autorun: Hkcu\Software\Microsoft\Windows\Current Version\Run. Look for Tok-Cirrhatus-8922, but before you delete it write down the location of the virus on a piece of paper, so that you will not forget it. Ex. "C:\Documents and Settings\Louie\Local Settings\Application Data\br18867on.exe"
7. Delete the following files using SHIFT+DELETE:
   Bron.tok-18-4
   Loc.Mail.Bron.tok
   Br18867on.exe
   Csrss.exe
   Services.exe
   Svchost.exe
   Winlogon.exe
   Inetinfo.exe
   Isass.exe
   Smss.exe
   Update.18.Bron.Tok.bin
   Ok.SendMail-Bron-tok
   Kosong.Bron.Tok.txt
   And then go back again to the registry editing tool. Now you can delete the Tok-Cirrhatus-8922. In Hklm\Software\Microsoft\Windows\Current Version\Run look for Bron-Spizaetus-dggmlqtx, but before you delete it write down the location of the virus on a piece of paper, so that you will not forget it. Ex. "C:\WINDOWS\ShellNew\bbm-xtqlmggd.exe". Delete it, and C:\Windows\sembako-dgzjlmg.exe. Now is the time to delete the Bron-Spizaetus-dggmlqtx in the registry together with Bron-Spizaetus.
8. Check the Startup: C:\Documents and Settings\Louie\Start Menu\Programs. Delete the Empty.pif.
9. Delete the At1.job and At2.job in C:\WINDOWS\Tasks.

That's it! If symptoms persist consult your doctor.. hehe...
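The post asks you to write down the location of each autorun entry before deleting it. The following PowerShell script is an added example (not the poster's own material, and not from any tool named in the thread) that does that step for you: it lists the autostart locations the post walks through (HKCU and HKLM Run/RunOnce, the per-user and all-users Startup folders, and the Tasks folder where At1.job/At2.job live) and saves the list to a text file before anything is removed. It only reads and reports; it kills no process and deletes no file. It assumes an elevated PowerShell session on the affected machine; the report path and the "[CHECK]" heuristic are this example's own choices.

```powershell
# Added example, not code from the thread. Inventories the autostart locations
# the post walks through and writes them to a text file BEFORE anything is
# deleted, so each entry's path is recorded. Nothing is killed or deleted.
# Assumes an elevated PowerShell session; the report path is a placeholder.

$report = Join-Path $env:USERPROFILE 'Desktop\autostart-inventory.txt'   # assumed output path

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Note properties PowerShell attaches to every registry item; everything else is a value name.
$psNoteProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($psNoteProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Location = $key
                Name     = $prop.Name
                Command  = [string]$prop.Value
            }
        }
    }
}

function Get-StartupEntries {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup'),
        (Join-Path $env:WINDIR 'Tasks')          # legacy scheduler folder: At1.job, At2.job
    )
    foreach ($folder in $folders) {
        if ([string]::IsNullOrEmpty($folder) -or -not (Test-Path $folder)) { continue }
        # -Force lists hidden/system files, which is how the samples in the post hide.
        Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Location = $folder
                Name     = $_.Name
                Command  = $_.FullName
            }
        }
    }
}

# Heuristic taken from the post's examples: executables started from a user's
# Local Settings\Application Data, from ShellNew, or straight from the Windows
# root deserve a second look. This flags candidates; it does not decide.
function Test-SuspiciousCommand([string]$cmd) {
    $c = $cmd.ToLowerInvariant()
    return [bool]($c -match 'local settings\\application data|\\shellnew\\|^"?[a-z]:\\windows\\[^\\]+\.exe')
}

function Get-AutostartInventory {
    $entries = @(Get-RunKeyEntries) + @(Get-StartupEntries)
    foreach ($e in $entries) {
        $flag = if (Test-SuspiciousCommand $e.Command) { '[CHECK]' } else { '[  ok ]' }
        '{0} {1} :: {2} = {3}' -f $flag, $e.Location, $e.Name, $e.Command
    }
}

$lines = @(Get-AutostartInventory)
if ($lines.Count -eq 0) { $lines = @('No autostart entries found.') }
$lines | Set-Content -Path $report -Encoding UTF8
$lines
```

Run it once before the cleanup and once after: the saved file is the "piece of paper", and a diff of the two runs shows exactly which entries were removed. A "[CHECK]" flag only means the launch path matches the patterns seen in the post; confirm the file by hand before deleting anything.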

#2
Newbie
Join Date: Apr 2008
Location: PHILIPPINES
Age: 21
Posts: 5
Thanks: 2
Thanked 0 Times in 0 Posts
Rep Power: 0
Great! I encountered this virus before, and I didn't see any forum that tackles this kind of virus deletion.. now I know what to do if it happens again.. thanks pal! How about other viruses like ORAGON INI!, TAGA LIPA ARE!, destrukto, new document.exe?

#3
Founder
Join Date: Nov 2005
Location: The Last City Zion!
Posts: 2,684
Thanks: 228
Thanked 230 Times in 191 Posts
Rep Power: 53
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
Good Guide. Keep it up mate....

#4
Newbie
Join Date: Apr 2008
Age: 27
Posts: 14
Thanks: 0
Thanked 12 Times in 6 Posts
Rep Power: 1
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
Ok! Now I will show how to delete ORAGON INI!
Here are the instructions:

ORAGON INI!
Manifestations:
* Drives are not accessible
* AUTOPLAY in all drives (C:\ , D:\)
* Oragon u in system tray
* ORAGON INI! in Internet Explorer
* No REGISTRY EDITING TOOL

Removal:
Reminder: Don't double click any drives, don't use the right click then Autoplay.
1. You need to end process the wscript.exe in Task Manager. Right click the drive and select Open.
2. Check all drives C: & D:, then go to Tools, Folder Options, View, select Show hidden files and folders, uncheck Hide extensions for known file types and Hide protected operating system files (Recommended).
3. Delete the MsUpdate.sys.vbs & Autorun.inf using (Shift+Delete); also in the Windows folder delete the MsUpdate.sys.vbs.
4. Go to the registry using Regedit in: Hklm\Software\Microsoft\Windows\Current Version\Run. Unfortunately it doesn't work... restricted.
5. Now we need to open the registry using Gpedit.msc. Under User Configuration\Administrative Templates\System\ :
   SETTINGS: Prevent Access to the Registry editing Tools = Not configured
   Double click it and select Enabled. It will become like this:
   Prevent Access to the Registry editing Tools = Enabled
   OK, minimize the window and then refresh or press F5 on the Desktop. Go back again, double click it and select Not configured, OK, minimize the window and then refresh or press F5 on the Desktop.
6. Type Regedit again.
7. Now that the registry is enabled, we need to go to Hklm\Software\Microsoft\Windows\Current Version\Run. Look for Microsoft = c:\MsUpdate.sys.vbs and delete it.
8. Delete the apostrophe in Hklm\Software\Microsoft\Windows NT\Current Version\Winlogon\Shell: Explorer.exe “
9. Now it's time to delete the ORAGON u in the system tray and Internet Explorer. Just go to the registry using Regedit: press Ctrl+F to open the Find window, just type ORAGON and wait for the result. Modify the value of S1159 = AM ORAGON Ü and S2359 = PM ORAGON Ü.
10. After that press Ctrl+F to open the Find window again and search for Oragon Ini! (HKCU\Software\Microsoft\Internet Explorer\Main) in WINDOW TITLE = ORAGON INI!
11. Restart the system.
Thanked Users: lh4nz (29-09-2008)

#5
Newbie
Join Date: Apr 2008
Age: 27
Posts: 14
Thanks: 0
Thanked 12 Times in 6 Posts
Rep Power: 1
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
FUNNY UST SCANDAL
Manifestations: Task Manager, Regedit, Folder Options, CMD, Msconfig are not working. There is an AUTOPLAY in all drives (C:\ , D:\).

Removal:
You need to end process the virus using the third-party software CURRPROCESS (substitute for Task Manager).
1. Look for Killer, smss and try to Kill Process them. Reminder: Don't double click any drives, don't use the right click then Open or Autoplay; instead, use the address bar to access the drive (ex. C: or D:).
2. Go to Tools, Folder Options, View, select Show hidden files and folders, uncheck Hide extensions for known file types and Hide protected operating system files (Recommended). Unfortunately it doesn't work... because there is something wrong with the registry.
3. Go to the registry using Regedit in: Hklm\Software\Microsoft\Windows\Current Version\Explorer\Advanced\Folder\Hidden\Showall. Make the CheckedValue = 1. Finally the hidden files are now visible.
4. In drive C:\ and drive D:\ look for:
   Funny UST Scandal.avi.exe
   Smss.exe
   Autorun.inf
   Select and delete them using the SHIFT+DELETE key.
5. Then go to the Windows folder and delete the following:
   Funny UST Scandal.exe
   Killer.exe
   Smss.exe
   Autorun.inf
6. Now check the registry using Regedit: Hkcu\Software\Microsoft\Windows\Current Version\Run, Runonce = C:\Windows\smss.exe. Delete the comma in Hklm\Software\Microsoft\Windows NT\Current Version\Winlogon\Shell: Explorer.exe,
7. Check the Startup: C:\Document and Settings\All Users\Start Menu\Programs\Startup. Delete the smss.exe.
Thanked Users: Petrowhisky (17-05-2008)
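The "AUTOPLAY in all drives" symptom in this post and the ORAGON INI! and DESTRUKTO posts comes from an autorun.inf dropped in each drive root. The PowerShell script below is an added example, not the poster's own material: it finds autorun.inf in the root of every drive letter, parses the [autorun] section and reports which file it would launch, so you can see the dropper's name before opening the drive. It only reads; it deletes nothing. The INI reader and the list of launch directives are this example's own.

```powershell
# Added example, not code from the thread. Reports every autorun.inf found in a
# drive root and the file each one would start. Read-only: nothing is deleted.

function Read-AutorunInf([string]$path) {
    # Minimal INI reader: collect key=value pairs under the [autorun] section only.
    $inSection = $false
    $directives = @{}
    foreach ($raw in Get-Content -Path $path -ErrorAction Stop) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'autorun')
            continue
        }
        if (-not $inSection) { continue }
        $kv = $line -split '=', 2
        if ($kv.Count -eq 2) {
            $directives[$kv[0].Trim().ToLowerInvariant()] = $kv[1].Trim()
        }
    }
    return $directives
}

# Directives that start a program when the drive is AutoPlayed or opened from
# the context menu; shell\open\command is the one that hijacks right-click Open.
$launchKeys = @('open', 'shellexecute', 'shell\open\command', 'shell\explore\command')

function Get-AutorunReport {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        if ($root -notmatch '^[A-Za-z]:\\$') { continue }        # drive letters only
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue)) { continue }
        $file = Get-Item -LiteralPath $inf -Force                 # -Force: the file is usually hidden
        $d = Read-AutorunInf $inf
        $launch = foreach ($k in $launchKeys) {
            if ($d.ContainsKey($k)) { '{0}={1}' -f $k, $d[$k] }
        }
        [pscustomobject]@{
            Drive      = $root
            Attributes = $file.Attributes      # Hidden/System on a disguised file, as the posts describe
            Launches   = ($launch -join '; ')
            Label      = $d['label']
        }
    }
}

$rows = @(Get-AutorunReport)
if ($rows.Count -eq 0) { 'No autorun.inf found in any drive root.' }
else { $rows | Format-Table -AutoSize }
```

The Launches column is the name to look for in the drive root and the Windows folder (in this post, smss.exe and the .avi.exe file). Note that an autorun.inf can also redefine the shell\open\command used by the right-click Open menu, so listing it first, as here, is safer than opening the drive by any means to look.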

#6
Newbie
Join Date: Apr 2008
Age: 27
Posts: 14
Thanks: 0
Thanked 12 Times in 6 Posts
Rep Power: 1
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
DESTRUKTO!!!
Manifestations:
* Drives are not accessible (DESTRUKTO!!!)
* AUTOPLAY in all drives (C:\ , D:\)
* No Run
* No Search
* Destrukto!!! in Internet Explorer
* No REGISTRY EDITING TOOL
* Task Manager restricted
* No Folder Options

Removal:
You need to end process the virus using the third-party software CURRPROCESS (substitute for Task Manager). Try to make a shortcut icon on the desktop.
1. Right click on the desktop then select New, Shortcut. You need to Kill Process the wscript.vbs. Reminder: Don't double click any drives, don't use the right click then Autoplay; just right click the drive and select Open.
2. We need to open the registry; unfortunately the registry is restricted, so we need to use gpedit.msc to open it. Reminder: But we need to create a GPEDIT shortcut on the desktop in order to open the restricted registry.
3. In GPEDIT.MSC, under User Configuration\Administrative Templates\System\ :
   SETTINGS: Prevent Access to the Registry editing Tools = Not configured
   Double click it and select Enabled. It will become like this:
   Prevent Access to the Registry editing Tools = Enabled
   OK, minimize the window and then refresh or press F5 on the Desktop. Go back again, double click it and select Not configured, OK, minimize the window and then refresh or press F5 on the Desktop.
4. Type Regedit again.
5. Now that the registry is enabled, we need to go to Hkcu\Software\Microsoft\Windows\Current Version\Policies\Explorer and delete the following:
   NoFind = 1
   NoRun = 1
   Hkcu\Software\Microsoft\Windows\Current Version\Policies\System
   DisableTaskMgr = 1
   And in Hklm\Software\Microsoft\Windows\Current Version\Policies\Explorer
   NoFolderOptions = 1
   Try to refresh it.
6. After that press Ctrl+F to open the Find window and search for Desktrukto!!! (HKCU\Software\Microsoft\Internet Explorer\Main) in WINDOW TITLE = DESKTRUKTO!!!
7. Now you can view the hidden files because the Folder Options are not restricted anymore. HOW: Go to Tools, Folder Options, View, select Show hidden files and folders, uncheck Hide extensions for known file types and Hide protected operating system files (Recommended).
8. Delete the explorer.vbs and autorun.inf using (Shift+Delete).
9. Now go back to the registry again and check if there are malicious codes in RUN: Hklm\Software\Microsoft\Windows\Current Version\Run, Explorer = C:\WINDOWS\system32\explorar.vbs. Reminder: Delete the location first before you delete the malicious code in the registry.
10. Then delete the destrukto.html in System32.
11. Double check your work; don't forget to check all drives, make sure that there is no autoplay in all drives.
12. Restart your system.
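The ORAGON INI!, UST Scandal and DESTRUKTO posts all repair the same set of registry values by hand: the Policies values that hide Folder Options, Run, Search, Task Manager and Regedit, the SHOWALL\CheckedValue switch, the Winlogon Shell string that gets a stray apostrophe or comma appended, the AM/PM strings, and the Internet Explorer window title. The PowerShell script below is an added example (not the poster's own material) that checks all of them in one pass and reports only the ones that differ from the expected default, so you can see the full list of lockouts before touching gpedit.msc. DisableRegistryTools is the value behind the "Prevent access to registry editing tools" policy the posts toggle; the posts do not name it, but that is the value the policy writes. The expected AM/PM strings assume an English locale.

```powershell
# Added example, not code from the thread. Audits the lockout and hijack values
# the ORAGON INI!, UST Scandal and DESTRUKTO posts restore by hand and lists
# anything that differs from the expected default. Read-only; run elevated.

$checks = @(
    # Policy DWORDs the posts delete: any non-zero value restricts the user.
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions';      Expected=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoRun';                Expected=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFind';               Expected=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';       Expected=0 },
    # Value written by the "Prevent access to registry editing tools" policy toggled in gpedit.msc.
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Expected=0 },
    @{ Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions';      Expected=0 },
    # "Show hidden files" switch the UST Scandal post sets back to 1.
    @{ Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name='CheckedValue'; Expected=1 },
    # Strings the posts restore: Shell must be exactly explorer.exe (no trailing
    # apostrophe or comma); AM/PM and the IE title must carry no appended text.
    @{ Path='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell';        Expected='explorer.exe' },
    @{ Path='HKCU:\Control Panel\International';                          Name='s1159';        Expected='AM' },   # assumes English locale
    @{ Path='HKCU:\Control Panel\International';                          Name='s2359';        Expected='PM' },   # assumes English locale
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Main';            Name='Window Title'; Expected='' }
)

function Get-RegValueOrNull([string]$path, [string]$name) {
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Test-ValueMatches($actual, $expected) {
    if ($null -eq $actual) {
        # A missing policy DWORD means "not restricted"; a missing string means "default".
        if ($expected -is [int]) { return ($expected -eq 0) }
        return ($expected -eq '')
    }
    if ($expected -is [int]) { return ([int]$actual -eq $expected) }
    # Trim() removes whitespace only, so an appended ' or , still shows up as a mismatch.
    return (([string]$actual).Trim().ToLowerInvariant() -eq $expected.ToLowerInvariant())
}

function Get-LockoutFindings {
    foreach ($c in $checks) {
        $actual = Get-RegValueOrNull $c.Path $c.Name
        if (-not (Test-ValueMatches $actual $c.Expected)) {
            [pscustomobject]@{
                Path     = $c.Path
                Name     = $c.Name
                Expected = $c.Expected
                Actual   = $actual
            }
        }
    }
}

$findings = @(Get-LockoutFindings)
if ($findings.Count -eq 0) { 'No lockout values or altered strings found.' }
else { $findings | Format-Table -AutoSize }
```

Each row is one value to fix in Regedit once it is accessible again; the Actual column shows the exact string, so a Shell value of "Explorer.exe," or a title of "DESKTRUKTO!!!" is visible without searching with Ctrl+F. Run the script again after the cleanup and after a reboot: if a finding comes back, the process that rewrites it is still running.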

#7
Newbie
Join Date: Apr 2008
Age: 27
Posts: 14
Thanks: 0
Thanked 12 Times in 6 Posts
Rep Power: 1
The key for manual virus deletion is familiarization!
You must be familiar with Windows.
1. You need to know how Task Manager works, regedit, gpedit.msc, Folder Options (hide/unhide protected system files, show all hidden files, file extensions), Search, attrib (DOS command), Run, msconfig, how to create a shortcut, Safe Mode.
2. You must be familiar with the Windows folder, system32, system, temp and the Startup folder.
3. You must be familiar with file extensions, ex: exe, vbs, bat, asm, inf. Beware of double extensions like this: abc.doc.exe, iloveyou.txt.vbs. It's 100% virus! Coz in Windows there is no such thing as a double extension.
4. And you need to memorize these registry locations:
   * hkey_local_machine\software\microsoft\windows\current version\run
   * hkey_current_user\software\microsoft\windows\current version\run
   * hkey_current_user\software\microsoft\windows\current version\policies\explorer
   * hkey_current_user\software\microsoft\windows\current version\policies\system
   * hkey_local_machine\software\microsoft\windows\current version\explorer\advanced\folder\hidden\showall\(checkedvalue = 1)
   * Hklm\Software\Microsoft\Windows NT\Current Version\Winlogon\Shell\(explorer.exe)
   and C:\Documents and Settings\"USER"\Start Menu\Programs.

NOTE: If you want a program to autostart when you turn on your computer, place it here:
1. Hkey_local_machine\software\microsoft\windows\current version\run.
2. Hkey_current_user\software\microsoft\windows\current version\run.
3. C:\Documents and Settings\"USER"\Start Menu\Programs.

That's the reason why virus writers always place their viruses in these locations, because their goal is to auto execute their virus when you turn on your PC. Actually you can delete all the entries inside those locations. When you are deleting a virus, make sure to use the SHIFT+DELETE key to delete the virus permanently. But before you delete it, make sure the virus is not processing; always check your Task Manager. That's it for today!...
Thanked Users: lh4nz (29-09-2008)
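Point 3 of this post (double extensions such as abc.doc.exe or iloveyou.txt.vbs) only fools a user because Explorer hides known extensions by default, which is why every removal post in this thread first unchecks "Hide extensions for known file types". The PowerShell script below is an added example, not the poster's own material: it reports the three Explorer view settings involved (HideFileExt, Hidden, ShowSuperHidden) and then scans the locations the post says to know (the user profile, temp, the Tasks folder and every drive root) for names that end in a document-looking extension followed by an executable one. The decoy and executable extension lists are this example's own choices; the scan reads only and deletes nothing.

```powershell
# Added example, not code from the thread. Reports the Explorer settings that
# hide extensions and files, then scans for double-extension names such as
# "Funny UST Scandal.avi.exe" or "MsUpdate.sys.vbs". Read-only.

# Outer extensions that execute, and inner extensions that make the name look like a document.
$execExt  = @('exe', 'vbs', 'vbe', 'js', 'jse', 'bat', 'cmd', 'scr', 'pif', 'com', 'wsf')
$decoyExt = @('doc', 'txt', 'pdf', 'jpg', 'avi', 'mp3', 'xls', 'htm', 'html', 'zip', 'sys', 'ini')

function Test-DoubleExtension([string]$name) {
    # "<base>.<decoy>.<executable>" -> $true; anything else -> $false
    $parts = $name.ToLowerInvariant().Split('.')
    if ($parts.Count -lt 3) { return $false }
    return (($execExt -contains $parts[-1]) -and ($decoyExt -contains $parts[-2]))
}

function Get-ExplorerViewSettings {
    # Per-user view settings behind the Folder Options > View checkboxes the posts change.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $p = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HideFileExt     = $p.HideFileExt       # 1 = known extensions hidden (default), 0 = shown
        Hidden          = $p.Hidden            # 1 = show hidden files, 2 = do not show
        ShowSuperHidden = $p.ShowSuperHidden   # 1 = show protected OS files, 0 = hide them
    }
}

function Find-DoubleExtensionFiles {
    $roots = @($env:USERPROFILE, $env:TEMP, (Join-Path $env:WINDIR 'Tasks'))
    $roots += (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root } |
               Where-Object { $_ -match '^[A-Za-z]:\\$' })
    foreach ($root in ($roots | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Drive roots are not recursed (slow and noisy); profile, temp and Tasks are.
        $recurse = ($root -notmatch '^[A-Za-z]:\\$')
        Get-ChildItem -LiteralPath $root -File -Force -Recurse:$recurse -ErrorAction SilentlyContinue |
            Where-Object { Test-DoubleExtension $_.Name } |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

Get-ExplorerViewSettings
$hits = @(Find-DoubleExtensionFiles)
if ($hits.Count -eq 0) { 'No double-extension files found in the scanned locations.' }
else { $hits | Format-Table -AutoSize }
```

A HideFileExt of 1 with a hit in the list is exactly the situation the post warns about: the file shows in Explorer as "Funny UST Scandal.avi" and runs as an executable. Treat the list as candidates to inspect (Attributes and LastWriteTime help), not as a verdict, since the decoy list is a guess and legitimate multi-part names do exist.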

#8
Newbie
Join Date: Feb 2008
Age: 22
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Rep Power: 0
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
Hey, it's really great man. It was very useful for me.

#9
Senior Member (500+)
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
Use Unlocker to unlock files from being used and delete them.
__________________
*DISCLAIMER* Everything I post is an order from a little guy in my head. I DON'T take the responsibility for what he does or says. The name of the little guy is Perfect Hacker. MY blog

#10
News Reporter
Re: MANUAL VIRUS DELETION WITHOUT USING ANY ANTIVIRUS SOFTWARE
Wow, incredible, I never knew how to manually delete a virus before xD Thanks!
__________________
--1mAn3rd