WinRAR Virus
Malware - Viruses
The WinRAR virus is transmitted by an altered copy of the WinRAR installer.
There are several variations of the infection. I will try to give you detailed and updated information on its removal.

Trojan Removers: As you might be aware, this malware could be installed by a Trojan, so you will need to remove that Trojan as well. Try these free tools (for Windows XP and prior) if your antivirus application has not been successful in detecting and removing the Trojan. Vista users should rely on their antivirus applications for removing the Trojan.

SmitFraudFix Tool: You can download this free tool from this link. It is advised to run this tool in Windows Safe Mode. This tool is for XP and prior versions of Windows. Below are the steps to use this tool.
Double-click SmitfraudFix.exe.
Select 2 and press Enter to delete infected files.
You will be prompted: Do you want to clean the registry?
Answer Y (yes) and press Enter to remove the Desktop background and clean infected registry keys.
The tool will now check whether wininet.dll is infected.
You may be prompted to replace the infected file (if found):
Replace infected file? Answer Y (yes) and press Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.

VundoFix: This tool is probably for XP and prior versions of Windows. You can download this tool from this link.
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it is done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.

Malwarebytes Anti-Malware: This is another great piece of software for removing the malware infection. Unlike antivirus software, it is geared more towards removing rogue security applications. It has a free version which can be downloaded from malwarebytes.org. With some luck this software may reduce your troubles substantially. Download, install, update and perform a Quick Scan. The full scan takes several hours to complete. After the scan is over, press the "Remove Selected" button.

Preparation: Search for the Windows operating system disk and keep it ready, if you got one with your computer. Or check whether there is a Restore Partition on your hard disk; in that case you won't require an extra disk. It is advisable to have a functioning antivirus application on your computer. You will also need to install CCleaner and a firewall application; you can choose one of the freeware firewall applications listed at the end of this article.

Turn System Restore off: This is necessary in order to remove the virus files that may be stored inside the System Restore backup files. You can turn it back on after the computer is cleaned.

In XP: Start > All Programs > Accessories > System Tools > System Restore > System Restore Settings, uncheck the box that says "Turn System Restore off", press Apply, press OK.

In Vista: type system in the search box, select the System option, and click on the System Protection tab. Uncheck System Restore on the C drive, press Apply, press OK (it will prompt you that you are turning System Protection off; press that button to do so).

If you are unable to open Task Manager
Sometimes you will find that you are not able to open Task Manager, the Run command, etc. The virus does this to prevent you. There are several popular free tools available on the internet to solve this problem. I will list them here; see which one helps you.
1) The UnHookExec tool from Symantec. Download it from here:
UnHookExec.inf

Download the file UnHookExec.inf and save it to your Windows desktop.
(If you cannot connect to the Internet from the infected computer, download it to an uninfected computer, then save it to a floppy disk, CD or DVD. Then take the disk and insert it in the disk drive of the infected computer.) Note: the tool has a .inf file extension.
Locate the downloaded file, either on the Windows desktop or on the floppy disk.
Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)

2) Open Notepad and copy and paste the following:

' Re-enables the Registry Editor and Task Manager by deleting the two policy
' values the malware sets. Run it as the affected user (the values are under HKCU).
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
' RegDelete with no trailing backslash deletes the named value, not the whole key.
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"

Save this file with a .VBS extension.
While saving, enter the name in double quotes and select "All Files" from the "Save as type" list in Notepad.
For ease of use, save the file on the Desktop, for example "regtool.vbs".
When the file is saved as a .vbs file, the file icon changes to that of a VBScript Script File.
Double-click the file name to execute it. It will enable the Registry Tools and Task Manager.

3) Use the Doug Knox Enable/Disable Task Manager tool.

4) Use "Remove Restrictions Tool". Do a Google search with this name and download the latest version from whichever site you like. It is a demo version in which some advanced features are disabled, but it should be enough to remove the restrictions placed by the virus on your computer. Uninstall/delete this software after a single use; there is no point in keeping it on your computer once it has done its job.

Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager and look at the list of processes. There may be a number of processes belonging to this malware, depending on the variation. If you use a freeware tool called "Zenturi Program Checker", you may be able to see the path of each process in Task Manager, and with the list of malware files given elsewhere in this article you may be able to tell the malware processes apart from genuine Windows processes.

Removing a Program from Windows Startup: The System Configuration Utility can be started in XP and in Vista by typing msconfig in the Run box. The Run box can be opened in XP by clicking on Start > Run.
The best part of Windows startup is that the setting is reversible, so you can check/uncheck any entry in Windows startup any number of times. So do not hesitate to uncheck anything that you find doubtful; you can always check it back if you later come to know that it is something useful.

After the System Configuration Utility window is open, click on the Startup tab, which lists all the programs that are scheduled to start when you turn your computer on. Expand the middle column using your mouse pointer so that you can see the path of each program on the hard disk; that will give you a clear idea of what program it is. Look for any suspicious names; if you find an entry for any of the malware files listed in this article, uncheck it. This step is very important: the further cleaning depends on cleaning this list. Press Apply, press Close/OK, and at the next prompt select "Restart the computer".

Searching and Deleting the Folders / Files on the Hard Disk

After restarting the computer, you may need to enable viewing of hidden files and folders if you cannot see the folders listed below. In XP: Control Panel > Folder Options > View. Locate "Hidden Files and Folders", select "View hidden files and folders", press Apply, press OK.

Below are a number of variations of this virus. Remember, one thing is common among them: all of them install WinRAR on your computer, and they come through an infected copy of the WinRAR installer. There are several files created inside the Temp folder, which I will not list here; I suggest you run CCleaner to get rid of them automatically.
Variation1: C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
C:\Program Files\WinRAR
C:\Program Files\WinRAR\Formats

Variation2: This variation acts similar to the one above, except that it does something more:
   1) modifies the following file so as to redirect major popular sites:
    C:\Windows\System32\drivers\etc\hosts
   2) these processes could be found in Task Manager:
    explore.exe, explore.exe, WRAR38~1.EXE, uninstall.exe

Variation3: This variation is similar to the first, except that it adds more files on your hard disk:

 C:\Windows\System32\Kernel32.exe
 C:\Windows\System32\vv1dap32.exe
 C:\Windows\System32\vv1dap32.dll
 C:\Windows\System32\vv1dap32.ocx
 C:\Windows\System32\vv1dap32.zip
 C:\Windows\System32\WinRAR.exe

 and modifies the hosts file similarly to Variation2.

Variation4: This variation is different from the three above. It creates the following files/folders:

C:\Documents and Settings\[UserName]\ftpdll.dll
C:\Windows\System32\ftpdll.dll
C:\Documents and Settings\[UserName]\Application Data\winrar.exe
C:\Windows\System32\drivers\forwin.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\3CB4.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\62CE.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\71C1.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\7C29.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\7C5D.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\7DF6.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\7E8F.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\E75.tmp

These processes could be found in Task Manager:
forwin.exe, winrar.exe

A new service called "Schedule - Task Scheduler" is created by the file "%System%\drivers\forwin.exe". The entries of winrar.exe and forwin.exe could be located in the Windows startup list.

Variation5: This variation is different from all of the above.

The following files are created

C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR\Console RAR manual.lnk
C:\Program Files\WinRAR\Console RAR manual.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR\WinRAR help.lnk
C:\Program Files\WinRAR\WinRAR help.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR\WinRAR.lnk
C:\Documents and Settings\[UserName]\Local Settings\Temp\jya2.tmp
C:\Documents and Settings\[UserName]\Local Settings\Temp\mya1.tmp

 The following directories are created:
 C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
 C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
 C:\Program Files\WinRAR
 C:\Program Files\WinRAR\Formats

 The following files are modified:
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe
C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe
C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe
C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe
C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe
C:\Program Files\Internet Explorer\iedw.exe
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\MSN\MSNIA\prestp.exe
C:\Program Files\MSN\MsnInstaller\msninst.exe
C:\Program Files\NetMeeting\conf.exe
C:\Program Files\NetMeeting\wb32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Outlook Express\oemig50.exe
C:\Program Files\Outlook Express\setup50.exe
C:\Program Files\Outlook Express\wab.exe
C:\Program Files\Outlook Express\wabmig.exe
C:\Program Files\Web Publish\WPWIZ.EXE
C:\Program Files\Windows Media Player\migrate.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\dialer.exe
C:\Program Files\Windows NT\hypertrm.exe
C:\Program Files\Windows NT\Pinball\PINBALL.EXE
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\WinPcap\Uninstall.exe
C:\Windows\hh.exe

Variation6: Creates The following folders
C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
C:\Program Files\WinRAR
C:\Program Files\WinRAR\Formats
and files
C:\Windows\System32\msupdate.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\IXP000.TMP\wrar380.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\IXP000.TMP\winlogon.exe

The files could be found as processes in Task Manager, and their entries could be found in the Windows startup list as well, and also in the registry.

Tries to establish a new connection with a remote IRC server.

Variation7:  Creates the following folders
C:\Documents and Settings\[UserName]\Local Settings\Temp\IXP000.TMP
C:\Program Files\WinRAR
C:\Program Files\WinRAR\Formats

and files
C:\Program Files\winrar\uninstall.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\ixp000.tmp\explore.exe
C:\Windows\System32\explore.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\IXP000.TMP\WRAR38~1.EXE

Adds WinRAR SFX to the Windows registry.
C:\windows\system32\explore.exe is added to the Windows startup list.
Modifies the hosts file so that all the major sites are redirected elsewhere.

Variation8:   Creates the following folders
    C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
    C:\Program Files\WinRAR
    C:\Program Files\WinRAR\Formats
    C:\Program Files\WinRAR\Uninstall
    C:\Windows\Win RAR
and files
C:\Documents and Settings\[UserName]\Local Settings\Temp\_ir_sf7_temp_0\irsetup.exe

The process irsetup could be located in Task Manager.

Variation9:  Creates the following folders
    C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
    C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
    C:\Program Files\WinRAR
    C:\Program Files\WinRAR\Formats
and files
C:\Program Files\WinRAR\uninstall.exe
The svchost.exe created by the virus, and wrar380.Regged.exe, could be located in Task Manager.

 Variation10:  Creates these folders
     C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
     C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
     C:\Program Files\WinRAR
and a hidden folder
C:\Program Files\WinRAR\Formats
and these files
C:\Documents and Settings\[UserName]\Local Settings\Temp\ufd.bat
C:\Windows\System32\drivers\NXSPPPWP.sys
C:\Windows\System32\drivers\QUSPKPUW.sys    
C:\Windows\abacupvn.exe

Variation11:  C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
     C:\Documents and Settings\[UserName]\Start Menu\Programs\WinRAR
     C:\Program Files\WinRAR
     And this is an additional folder
     C:\Windows\System32\Sys
(the folder may appear like a legitimate folder, but it is in fact a virus/keylogger folder, delete it if found)

These files will be found in the above-mentioned folder and elsewhere; delete them:

C:\Documents and Settings\[UserName]\Local Settings\Temp\@2.tmp
C:\Windows\System32\Sys\Explorer.001
C:\Windows\System32\Sys\Explorer.006
C:\Windows\System32\Sys\Explorer.007
C:\Windows\System32\Sys\Explorer.exe

This entry may be found inside the windows startup, remove it if found
C:\Windows\System32\sys\explorer.exe

These processes may be found in Task Manager; end them:
Explorer.exe
(This is the tricky part, because Explorer.exe is a legitimate Windows process, but the virus creates a process of the same name in another location. You might have to use a free tool called Zenturi Program Checker to determine whether the Explorer.exe is legitimate or not. The authentic explorer.exe is located at C:\Windows\explorer.exe; if you have a file with a similar name located elsewhere, there is reason to doubt it.)

This registry entry will be created so that the fake explorer.exe runs each time the computer starts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     Explorer = "C:\Windows\System32\Sys\Explorer.exe"
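As an added example (not code from the article), here is a small Python script that applies the check described above to a Run-key listing in the layout shown: it parses the name = "command" lines and flags entries whose file name matches a Windows system binary but whose path is not the location Windows actually uses. The sample listing, the ExampleAV entry and the user name alice are constructed for the example.

```python
import re

# Where Windows keeps these binaries (assumes C: is the system drive). A Run
# entry or process with one of these names at any other path is suspect, as
# with the fake Explorer.exe under System32\Sys described in the article.
EXPECTED_LOCATIONS = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
}

# Constructed sample in the same layout the article uses for registry entries:
# a [key] line followed by  name = "command"  lines.
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     Explorer = "C:\Windows\System32\Sys\Explorer.exe"
     ExampleAV = "C:\Program Files\ExampleAV\tray.exe" /quiet
     winlogon = "C:\Documents and Settings\alice\Local Settings\Temp\IXP000.TMP\winlogon.exe"
'''

KEY_RE = re.compile(r"^\s*\[(.+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*(.+?)\s*=\s*(.+?)\s*$")


def parse_run_entries(text):
    """Return (key, value_name, command) tuples from a regedit-style listing."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def executable_path(command):
    """Return the lowercase path of the executable in a Run command, dropping
    surrounding quotes and any arguments that follow the .exe."""
    command = command.strip().lstrip('"')
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return (m.group(1) if m else command.rstrip('"')).lower()


def find_masquerading(entries):
    """Flag entries whose file name is a known Windows binary but whose path
    differs from where Windows really keeps it."""
    findings = []
    for key, name, command in entries:
        path = executable_path(command)
        base = path.rsplit("\\", 1)[-1]
        expected = EXPECTED_LOCATIONS.get(base)
        if expected and path != expected:
            findings.append({"key": key, "value": name,
                             "path": path, "expected": expected})
    return findings


if __name__ == "__main__":
    for f in find_masquerading(parse_run_entries(SAMPLE_RUN_KEY)):
        print(f"{f['value']}: {f['path']} (genuine copy lives at {f['expected']})")
```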
  

Manually Removing Malware Entries from the Registry

You can edit the registry by using the Windows built-in Registry Editor. Click on Start > Run to open the Run box in XP, whereas in Vista the box is already open. Type regedit and press Enter or OK; that will open the Registry Editor. Now click on Edit > Find. You can use this box to find a particular registry key or value. To do that, copy the last part of the registry key (the portion after the last backslash, for example the part inside curly braces {}) and paste it into this box, or type the name of the malware in the box and press "Find Next". When the search stops, you should either see a message saying "Finished searching through the registry" or it will stop at the key it found. The found item will be displayed in blue selection.

You can delete the entire key, that is, the entry in the left side of the panel, once you have confirmed that this key belongs to the malware by looking at the entire key and comparing it with the ones listed here, and by looking at the values it has created in the right side of the panel. In case you are not sure whether you want to remove the key, you can remove the values in the right-side panel instead; that will also cripple the functioning of the malware. To delete a key or value, use the mouse pointer to select it first, then right-click on it to see a menu and select Delete, then say Yes to the confirmation alert. Alternatively you can press the Delete key on the keyboard to delete the selected entry. You can also use the names of the files and folders created by the malware to search for their associated keys in the registry.

Once you have deleted an entry, press the F3 key on the keyboard to search for the next occurrence of the entry; do this until you reach the end of the registry. Now copy the second registry key or file name and repeat the above procedure. This is a tedious process and takes time and effort, but there is no better way to make sure the malware is out of your computer.

You will find a number of registry keys associated with the malware files and folders listed in this article; due to space constraints I chose not to list them. If you want, you can search the registry for the names of the malware files that you located on your hard disk and delete their associated keys.

Using CCleaner: CCleaner is a freeware temp files and registry cleaner. We need to use this type of software because almost all the infections that occur through the internet come through the temp files, and unfortunately Windows does not remove temp files automatically. The best way to manage this is to install CCleaner (from ccleaner.com or from one of the several download links provided on their site, such as filehippo.com) and then:
- set it so that it runs automatically with Windows start
(Options > Settings > Run CCleaner when the computer starts)
- add the Recycle Bin:
Cleaner > Advanced > check the box "Custom files and folders"
Options > Include > Add Folder
browse and select C:\RECYCLER or C:\RECYCLED in XP, or C:\$Recycle.Bin in Vista

(Adding the Recycle Bin to CCleaner helps a great deal: it will automatically remove the files from the Recycle Bin. This is necessary for your protection, because the latest security threats add virus files inside the Recycle Bin which are executed when the computer restarts.)

Run both the Cleaner and the Registry menus in CCleaner. One thing to be pointed out here is that the automatic run of CCleaner runs only one menu, the Cleaner. You will also need to run the second menu, called Registry, once in a while, particularly if you are trying to remove a virus from your computer.

Using the Antivirus Application: Follow this step if, even after applying all the above steps, the virus still shows its presence on the computer. Your best helper is the antivirus program on your computer. Keep it always updated. Install another freeware application if your antivirus has expired or is not up to your expectations. Anyway, you can keep the antivirus on your computer and also install another one; I will tell you how. I have been successfully using the Avast Home Edition antivirus to remove most of the infections. Here is what you need to do. Open the System Configuration Utility: click on Start > Run, type msconfig, press OK, select the Startup tab, expand the middle column, locate the entry of your antivirus application and uncheck it, press Apply, press OK/Close, and exit without restarting. Now download and install Avast Antivirus Home Edition from the Avast website. Keep your computer connected to the internet so that it can update itself during installation. Run the installer and select the option to "Schedule a boot scan during startup"; it will then prompt you to restart the computer. During the boot scan, it will detect the viruses and prompt you for action; select Delete/Delete All, as you see appropriate. Let it complete the scan and start your computer.

Once the viruses are removed you can uninstall Avast antivirus, if you decide to stick with your antivirus. In that case, go to Startup and check the box of your antivirus in the list, press Apply, press OK/Close and restart the computer.
If you decide to keep both Avast and your antivirus, keep only one entry checked in the startup list, so that only one antivirus is active at any given time. You can use the other antivirus whenever you want, simply by turning off the running antivirus and then opening the other one. As long as you run one antivirus at a time, you can have as many antivirus programs on your computer as you want.
If you decide to use Avast alone, you can uninstall your antivirus application if it was a demo version, or a commercial version which is not updating anymore because you have not paid for the yearly subscription; in that case it is better to uninstall the antivirus.

If you decide to keep Avast Home Edition antivirus, do not forget to fill in the registration form on their website, on the same page where you downloaded it. You need to fill in your email ID, and Avast will mail you the product activation key. The activation lasts for one year and can be renewed for free again. I have been using it for more than a year now, and it has been good so far.

Using the System File Checker (optional)

Follow this step if you notice trouble in the normal functioning of Windows.
Click on Start > Run, type cmd, press OK. That should open the command prompt.
Now type sfc /scannow and press Enter. If you do not have a restore partition it will prompt you to insert the Windows installation/operating system disk. You need to use only the disk that came with your computer, or the one that you used to install Windows on your computer; other disks will be rejected. Also, if you have installed SP3 on XP, you will see that several files are missing; in that case keep pressing Ignore each time you get a "file missing" prompt.

This utility will check and replace damaged, altered or missing system files. It is a necessary step.

If you are unable to access one or more sites during the repair process

- It can happen if your hosts file has been altered. To repair/edit the hosts file, log in as administrator and open the following file in Notepad:
C:\WINDOWS\system32\drivers\etc\hosts
Remove anything other than 127.0.0.1 localhost, then save and close the file. In some cases there may be entries created by you or by some security application installed on your computer to block malicious sites, but there is no reason for security-related sites to be in this list.
- If possible, use another computer to download the software needed for repairing your computer, and then copy and transfer it to the infected computer using any available means, such as a pen drive.
- If you are using only Internet Explorer and it is blocked from visiting some of the security-related sites, try to download and install the Firefox browser and see if you can use it for the same purpose.
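As an added example (not from the article), here is a Python script that performs the hosts-file check described above on a copy of the file: it flags every line that does anything other than map localhost to a loopback address, and produces a cleaned copy that keeps only comments and the localhost lines. The sample file contents and the domain names in it are constructed.

```python
import ipaddress

# Constructed sample of an altered hosts file: the normal localhost lines plus
# injected entries that send real sites to another address or to loopback.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)

127.0.0.1       localhost
::1             localhost
10.0.0.99       www.example.com
10.0.0.99       update.example-av.test
127.0.0.1       www.example.org    # points the site at the local machine, so it never loads
"""

LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (line_no, address, [names]) for every non-blank, non-comment line."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            parts = body.split()
            records.append((n, parts[0], parts[1:]))
    return records


def is_default_entry(address, names):
    """True only for a loopback address mapped to nothing but localhost."""
    try:
        loop = ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False
    return loop and all(h.lower() in LOOPBACK_NAMES for h in names)


def audit_hosts(text):
    """Return (line_no, address, names, reason) for each line that redirects
    or blocks a site, i.e. anything other than the default localhost mapping."""
    findings = []
    for n, address, names in parse_hosts(text):
        if is_default_entry(address, names):
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((n, address, names, "address is not a valid IP"))
            continue
        if ip.is_loopback:
            reason = "points site names at the local machine (blocks them)"
        else:
            reason = "sends site names to another host (redirect)"
        findings.append((n, address, names, reason))
    return findings


def clean_hosts(text):
    """Return the file with only comments, blank lines and default localhost
    entries left, which is what the article says to keep."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body or is_default_entry(body.split()[0], body.split()[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {address} {' '.join(names)} -> {reason}")
```

Run it against a copy of the hosts file rather than the live one; the cleaned text is what you would paste back in Notepad as administrator.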

Using a Firewall

It is highly recommended to install a standalone firewall; there are excellent freeware firewalls available, which I have listed below.

(Reference with permission from ThreatExpert)