I had mentioned in my last post that I had removed the winupd01 virus, but not completely. And yesterday, it returned as feared. However, I realized it was a silly mistake of mine: I had missed 2 more of its files that were still starting up even after removing winupd01.exe.
So here is the removal process. (I should mention that this is for Windows XP, as I have XP and have never used Vista or Windows 7. I don't know if this is applicable to Vista and Windows 7, as the paths may be different.)
First, get this tool: "Autoruns"
http://technet.microsoft.com/hi-in/sysinternals/bb963902(en-us).aspx
It shows all the programs that run automatically when you start your computer. Extract the zip file to some folder. Now again, the virus auto-closes this software, so just rename Autoruns.exe to any other name like Autorunsss.exe and run it.
There will be several startup entries of the virus, which are as follows:
1) In the "Image Hijacking" tab: winupd01.exe
2) In the "Winlogon" tab: 1 or 2 entries for szywo.exe and/or knauct.exe and/or ahrg.exe (all these files are in C:\Documents and Settings\[username]\Application Data\ or C:\Documents and Settings\[username]\)
3) In the "Logon" tab: somewhat the same as those in the Winlogon tab, but more entries.
4) In the "Drivers" tab, there might be 1 or 2 .sys files of the virus. The name is random, so you will need to find any suspicious .sys file. In the list, check for those entries for which the 'Publisher' and 'Description' columns have no value. For such an entry, if the filename is totally weird, like ijlocpvb.sys or lbrtfdc.sys, note it down.
Do not delete these startup entries for now, as it's no use deleting them yet; the virus will simply rewrite them. To delete the files themselves, start your computer in another OS like Linux. You can use a Linux live DVD like Ubuntu Live so that you don't have to install it. Just put the DVD/CD in and boot up your computer. (Make sure the first boot device is CDROM in your BIOS settings so it boots from the CD. Google it if you don't know how to do that.)
Then delete the following:
1) Delete C:\Windows\System32\winupd01.exe
2) Delete all .exe files in C:\Documents and Settings\[username]\
3) Delete all .exe files in C:\Documents and Settings\[username]\Application Data\ (this is probably where you'll find szywo.exe)
4) Delete all .exe files in C:\Documents and Settings\[username]\Local Settings\Temp\
5) Delete all .exe files in C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files\
6) If you had noted down any suspicious .sys file from the Drivers list, then remove it also. It will be in C:\Windows\System32\drivers\
Just to be on the safe side, take a backup copy of that .sys file before deleting it, so that if you find something not working properly after restarting into Windows, you know the file was actually one Windows needed and you can restore it.
That's it, now restart into Windows again.
The virus won't be running now. Now delete all its startup entries using the Autoruns tool.
*The virus may have made changes to the hosts file (C:\Windows\System32\drivers\etc\hosts), which affects internet browsing.
Check the size of the hosts file. If it is about 4.7 MB, then open it with Notepad, delete all its contents and add this line, which is the default content:
127.0.0.1 localhost
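As an added example (not from the original post), here is a Python script meant to be run from the Ubuntu live session with the Windows partition mounted (assumed at /mnt/windows; the folder names are assumed to match the Windows and Documents and Settings spelling used above, since the Linux mount is case-sensitive). It finds the files the deletion list tells you to remove and moves them into a quarantine folder instead, keeping their paths so a file that turns out to be legitimate can be put back, and it flags a hosts file far larger than its one default line. demo() builds a constructed sample tree rather than touching a real disk.

```python
import os
import shutil
import tempfile

# Folders the post says to clear of .exe files, relative to each XP user profile.
PROFILE_DIRS = ["", "Application Data", "Local Settings/Temp",
                "Local Settings/Temporary Internet Files"]
HOSTS_LIMIT = 4096  # a default hosts file is one line; the post reports ~4.7 MB when infected

def find_suspect_executables(win_root):
    """Relative paths of winupd01.exe in System32 plus every .exe in the listed profile folders."""
    found = []
    dropper = os.path.join(win_root, "Windows", "System32", "winupd01.exe")
    if os.path.isfile(dropper):
        found.append(os.path.relpath(dropper, win_root))
    base = os.path.join(win_root, "Documents and Settings")
    for user in (sorted(os.listdir(base)) if os.path.isdir(base) else []):
        for sub in PROFILE_DIRS:
            folder = os.path.join(base, user, sub)
            if os.path.isdir(folder):
                for name in sorted(os.listdir(folder)):
                    path = os.path.join(folder, name)
                    if os.path.isfile(path) and name.lower().endswith(".exe"):
                        found.append(os.path.relpath(path, win_root))
    return found

def quarantine(win_root, quarantine_dir, rel_paths):
    """Move files into quarantine_dir keeping their relative paths, so any of them can be restored."""
    for rel in rel_paths:
        dest = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(os.path.join(win_root, rel), dest)
    return len(rel_paths)

def hosts_is_bloated(win_root):
    """True when the hosts file is far larger than its single default line."""
    hosts = os.path.join(win_root, "Windows", "System32", "drivers", "etc", "hosts")
    return os.path.isfile(hosts) and os.path.getsize(hosts) > HOSTS_LIMIT

def demo():
    """Constructed sample tree standing in for the mounted Windows partition (e.g. /mnt/windows)."""
    root = tempfile.mkdtemp()
    for rel in ["Windows/System32/winupd01.exe", "Windows/System32/drivers/etc/hosts",
                "Documents and Settings/user1/Application Data/szywo.exe"]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n" * 500 if rel.endswith("hosts") else b"")
    found = find_suspect_executables(root)
    moved = quarantine(root, os.path.join(root, "quarantine"), found)
    return found, moved, hosts_is_bloated(root), find_suspect_executables(root)
```

On the real disk, call find_suspect_executables("/mnt/windows"), review the list, and then pass it to quarantine() with a folder on the live system or a USB stick; the last value demo() returns shows the scan comes back empty once the files are moved.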
If you have multiple users on your XP, then you should check for and delete the .exe files in all the users' Documents and Settings folders as given above. Also, delete the startup entries for each user. To delete the startup entries for another user, in the Autoruns program, click on the 'User' menu and then click the other user's name. Then delete the startup entries of the virus as mentioned above.
That's it! You've gotten rid of the stubborn email-spamming virus.
Leave a comment if you have any problems.
---