I have come across a malware analysis report which lists the files and folders created by a number of identified viruses. The most identifiable of them are wsnpoem, a trojan horse, and Microsoft Security Advisor, another trojan horse. This particular infection adds so many exe files to an infected computer that it would be impossible to clean the computer without the analysis report of this infection at hand, and it makes automated removal by antivirus programs all the more difficult. This article provides thorough detection and removal instructions. All the tools/software mentioned in this article are freeware.
Aliases: You can see a list of the aliases on this link.

Turn System Restore off: The malicious files are also saved in the System Restore backup, so you need to turn System Restore off in order to remove them. You can turn it on again after cleaning the computer.
Delete files: These are the files found on an infected computer (see the report):

c:\asasa.exe
c:\syst.exe

%AppData%\config.cfg
%AppData%\~tmp.html
%AppData%\Microsoft\Wallpaper1.bmp
%AppData%\Microsoft\Windows Media\9.0\WMSDKNSD.XML

%Temp%\1_dropper_286962.exe
%Temp%\4_jmm7.exe
%Temp%\5_odb.exe
%Temp%\60325cahp25ca0.exe
%Temp%\6_ldr.exe
%Temp%\avto.exe
%Temp%\avto1.exe
%Temp%\avto2.exe
%Temp%\avto3.exe
%Temp%\avto4.exe
%Temp%\pinnew.exe
%Temp%\q1.exe
%Temp%\q2.exe
%Temp%\q3.exe
%Temp%\q4.exe
%Temp%\q5.exe
%Temp%\q6.exe
%Temp%\q7.exe
%Temp%\q8.exe
%Temp%\q9.exe
%Temp%\teste1_p.exe
%Temp%\teste2_p.exe
%Temp%\teste3_p.exe
%Temp%\teste4_p.exe
%Temp%\winoryDg.exe
%Temp%\wndutl32.dll

%System%\13441600.dat
%System%\adsndsn.exe
%System%\icq6s.dll
%System%\ntos.exe
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll

%Windir%\odb.exe
%Windir%\runsql.exe
%Windir%\sv.exe
%Windir%\svc.exe
%Windir%\svw.exe
%Windir%\svx.exe
%Windir%\wdmon.exe
%Windir%\vlc.exe
%Windir%\svhoster.exe
%Windir%\svzip.exe
%Windir%\Plakafaripecil.dll

These are the newly created folders:

%ProgramFiles%\Microsoft Security Adviser
%System%\wsnpoem

These files are located in the folder Microsoft Security Adviser:

MSSADV.EXE
msctrl.exe
msavsc.exe
msscan.exe
msiemon.exe
msfw.exe

These files are located in the folder wsnpoem:

audio.dll
video.dll

%Windir% is by default C:\Windows or C:\Winnt. %System% refers to the System folder: by default C:\Windows\System (in Windows 95/98/Me), C:\Winnt\System32 (in Windows NT/2000), or C:\Windows\System32 (in Windows XP and Vista). %ProgramFiles% is C:\Program Files. %Temp% is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
View hidden files: Before you can delete the files and folders you need to search for them, and before doing that you need to enable viewing of hidden files and folders.

Boot in safe mode: Sometimes you will not be able to delete a file even if you find it. In that case you should boot in safe mode and then try to delete it.

End process in the Task Manager: If you find any of the exe files listed above running in the Task Manager, you can select them one after the other and press the End Process button; that will help you to delete them from the hard disk later.

Remove entries from Windows startup: Look in the Windows startup list by opening the System Configuration Utility and remove the entries for any of the files listed above.
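The steps above (search for the listed files and folders, find the matching processes in Task Manager, look for their startup entries) can be done in one pass. The following PowerShell script is an added example and is not part of the original article or the ThreatExpert report: it only reports what it finds and deletes nothing. It assumes an NT-family Windows, so %System% is mapped to System32, and it assumes the startup entries the System Configuration Utility shows live in the standard Run/RunOnce registry keys.

```powershell
# Added example (not from the original article): read-only triage script that
# checks this machine for the file, folder, process and startup indicators the
# article lists. It reports; it does not delete. Run it from an elevated prompt.
# Assumption: %System% is System32, i.e. an NT-family Windows (NT/2000/XP/Vista).

# File indicators, copied from the article with its placeholders.
$fileIndicators = @(
    'c:\asasa.exe', 'c:\syst.exe',
    '%AppData%\config.cfg', '%AppData%\~tmp.html',
    '%AppData%\Microsoft\Wallpaper1.bmp',
    '%AppData%\Microsoft\Windows Media\9.0\WMSDKNSD.XML',
    '%Temp%\1_dropper_286962.exe', '%Temp%\4_jmm7.exe', '%Temp%\5_odb.exe',
    '%Temp%\60325cahp25ca0.exe', '%Temp%\6_ldr.exe', '%Temp%\avto.exe',
    '%Temp%\avto1.exe', '%Temp%\avto2.exe', '%Temp%\avto3.exe', '%Temp%\avto4.exe',
    '%Temp%\pinnew.exe', '%Temp%\q1.exe', '%Temp%\q2.exe', '%Temp%\q3.exe',
    '%Temp%\q4.exe', '%Temp%\q5.exe', '%Temp%\q6.exe', '%Temp%\q7.exe',
    '%Temp%\q8.exe', '%Temp%\q9.exe', '%Temp%\teste1_p.exe', '%Temp%\teste2_p.exe',
    '%Temp%\teste3_p.exe', '%Temp%\teste4_p.exe', '%Temp%\winoryDg.exe',
    '%Temp%\wndutl32.dll',
    '%System%\13441600.dat', '%System%\adsndsn.exe', '%System%\icq6s.dll',
    '%System%\ntos.exe', '%System%\wsnpoem\audio.dll', '%System%\wsnpoem\video.dll',
    '%Windir%\odb.exe', '%Windir%\runsql.exe', '%Windir%\sv.exe', '%Windir%\svc.exe',
    '%Windir%\svw.exe', '%Windir%\svx.exe', '%Windir%\wdmon.exe', '%Windir%\vlc.exe',
    '%Windir%\svhoster.exe', '%Windir%\svzip.exe', '%Windir%\Plakafaripecil.dll',
    '%ProgramFiles%\Microsoft Security Adviser\MSSADV.EXE',
    '%ProgramFiles%\Microsoft Security Adviser\msctrl.exe',
    '%ProgramFiles%\Microsoft Security Adviser\msavsc.exe',
    '%ProgramFiles%\Microsoft Security Adviser\msscan.exe',
    '%ProgramFiles%\Microsoft Security Adviser\msiemon.exe',
    '%ProgramFiles%\Microsoft Security Adviser\msfw.exe'
)
$folderIndicators = @(
    '%ProgramFiles%\Microsoft Security Adviser', '%System%\wsnpoem'
)

function Expand-Indicator {
    param([string]$Path)
    # Map the article's placeholders onto this machine's environment.
    $map = @{
        '%AppData%'      = $env:APPDATA
        '%Temp%'         = $env:TEMP
        '%System%'       = (Join-Path $env:SystemRoot 'System32')
        '%Windir%'       = $env:windir
        '%ProgramFiles%' = $env:ProgramFiles
    }
    foreach ($key in $map.Keys) { $Path = $Path.Replace($key, $map[$key]) }
    return $Path
}

# 1. Files and folders on disk (Test-Path also sees hidden items).
foreach ($f in $fileIndicators + $folderIndicators) {
    $p = Expand-Indicator $f
    if (Test-Path -LiteralPath $p) { "FOUND on disk: $p" }
}

# 2. Running processes whose image name matches a listed .exe.
$exeNames = $fileIndicators |
    ForEach-Object { [System.IO.Path]::GetFileName($_) } |
    Where-Object { $_ -match '\.exe$' }
$baseNames = $exeNames | ForEach-Object { $_ -replace '\.exe$', '' }
Get-Process | Where-Object { $baseNames -contains $_.Name } |
    ForEach-Object { "RUNNING: {0} (PID {1})" -f $_.Name, $_.Id }

# 3. Startup entries in the Run/RunOnce keys that the System Configuration
#    Utility's Startup tab reads (assumption: the entries live here).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
        $value = [string]$prop.Value
        foreach ($exe in $exeNames) {
            if ($value -match [regex]::Escape($exe)) {
                "STARTUP: $key\$($prop.Name) = $value"
            }
        }
    }
}
```

Process matches are by image name only, so a legitimate program that happens to share a name with a listed file (the list includes vlc.exe, for instance) will also be reported; check the full path of each reported process (Get-Process exposes it as the Path property) against the locations in the list before ending it or deleting anything.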
Unable to open Task Manager and/or the registry editor: If that happens, you can try these free tools to enable the Task Manager and the registry tools again. If you do not see Folder Options in the Windows Explorer menus and in Control Panel, you can enable it by editing the registry.

Run CCleaner: Even if you manage to delete the files and folders from the hard disk, there will still be associated entries in the Windows registry. Running the free temp-file/registry cleaner CCleaner will help you to automatically clean the virus entries from the registry as well as the temp folder.

Block the sites/ports: Keep yourself protected with a firewall. You can check the firewall's logs for any suspicious communication to and from your computer that you are not aware of. This virus generates a lot of outbound communication; you can find the details on this link.

Run System File Checker: Windows has a built-in tool called System File Checker. It scans the computer to see if any of the Windows system files are corrupt or missing and replaces them with a good copy. You should run this tool so that it replaces the deleted or modified system files.

Delete the registry keys manually: If you are brave enough to do so, you can edit the registry using the Windows built-in registry editor. See the registry entries created by this worm on the infected computer on this link.
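One way to review the firewall logs for unexpected outbound traffic, as an added example that is not part of the original article: the Windows Firewall writes a W3C-style text log (by default %windir%\pfirewall.log on Windows XP SP2) whose `#Fields:` header names the columns and whose last column, `path`, is SEND for outbound packets. The script below parses that format from a constructed sample embedded inline, ignores destinations on the local network, and tallies the remaining outbound destinations so that an unfamiliar host contacted repeatedly stands out. The sample addresses are documentation ranges, not real indicators from the report.

```powershell
# Added example (not from the original article): summarise outbound
# destinations in a Windows Firewall log. The log text below is constructed
# for illustration; replace it with Get-Content on the real log file.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-10 09:12:01 OPEN TCP 192.168.1.5 203.0.113.7 1042 80 - - - - - - - - SEND
2008-03-10 09:12:05 OPEN TCP 192.168.1.5 203.0.113.7 1043 80 - - - - - - - - SEND
2008-03-10 09:12:09 OPEN TCP 192.168.1.5 198.51.100.22 1044 443 - - - - - - - - SEND
2008-03-10 09:13:00 OPEN UDP 192.168.1.5 192.168.1.1 1045 53 - - - - - - - - SEND
2008-03-10 09:13:30 OPEN-INBOUND TCP 192.168.1.9 192.168.1.5 3456 445 - - - - - - - - RECEIVE
2008-03-10 09:14:00 DROP TCP 192.168.1.5 203.0.113.7 1046 8080 48 S 1234 0 65535 - - - SEND
'@

function Test-PrivateAddress {
    # True for loopback and RFC 1918 IPv4 addresses, i.e. the local network.
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)
}

function Get-OutboundSummary {
    # Returns a hashtable: "PROTO dst-ip:dst-port" -> number of log lines.
    param([string[]]$Lines)
    $fields = $null
    $tally = @{}
    foreach ($line in $Lines) {
        # The #Fields: header defines the column order; parse it, not a fixed layout.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or $fields -eq $null) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['path'] -ne 'SEND') { continue }            # outbound only
        if (Test-PrivateAddress $row['dst-ip']) { continue } # skip the LAN
        $key = '{0} {1}:{2}' -f $row['protocol'], $row['dst-ip'], $row['dst-port']
        if ($tally.ContainsKey($key)) { $tally[$key]++ } else { $tally[$key] = 1 }
    }
    return $tally
}

$summary = Get-OutboundSummary ($sampleLog -split "`r?`n")
$summary.GetEnumerator() | Sort-Object Value -Descending |
    ForEach-Object { '{0,4}  {1}' -f $_.Value, $_.Key }
```

On the sample this lists 203.0.113.7:80 twice and the 443 and 8080 destinations once each, while the DNS query to the router is dropped as local traffic. Dropped packets count as well as allowed ones, since a blocked outbound attempt is itself a sign that something on the machine is trying to talk out. To run it against the real log, replace `$sampleLog -split "`r?`n"` with `Get-Content "$env:windir\pfirewall.log"`, and note that the XP-era log does not record which process sent the packet, so the timestamps have to be matched against what Task Manager shows.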
All the best.

Reference: with permission from ThreatExpert.