Sunday, November 29, 2009

Simple way to remove the Generic.PWS.j Trojan

You need to download the "HijackThis" tool to assist you in removing this "hard to die" trojan.

I spent 2 days studying its infection mode before I could successfully kill it off.
It infects USB thumb drives too, so it spreads to other PCs via USB mass storage devices.

My approach is as follows:
==================
First I "write protect" the infected local drives' autorun files,
replacing their contents with harmless text.
I wrote a batch file to simplify removal in case many PCs were infected
before its existence was noticed.

@echo off
cls
REM Clear the hidden/archive/system/read-only attributes so the files can be overwritten.
if exist c:\autorun.inf attrib -h -a -s -r c:\autorun.inf
if exist d:\autorun.inf attrib -h -a -s -r d:\autorun.inf
if exist e:\autorun.inf attrib -h -a -s -r e:\autorun.inf
if exist f:\autorun.inf attrib -h -a -s -r f:\autorun.inf

REM Replace with harmless autorun.inf
REM ==================================
if exist c:\autorun.inf echo "[autorun]" > c:\autorun.inf
if exist d:\autorun.inf echo "[autorun]" > d:\autorun.inf
if exist e:\autorun.inf echo "[autorun]" > e:\autorun.inf
if exist f:\autorun.inf echo "[autorun]" > f:\autorun.inf

REM Make it read-only to prevent trojan from replacing its own copy.
REM =============================================================
if exist c:\autorun.inf attrib +r c:\autorun.inf
if exist d:\autorun.inf attrib +r d:\autorun.inf
if exist e:\autorun.inf attrib +r e:\autorun.inf
if exist f:\autorun.inf attrib +r f:\autorun.inf

REM Do the same for auto.exe in each drive root: unhide, overwrite, then lock read-only.
if exist c:\auto.exe attrib -h -a -s -r c:\auto.exe
if exist d:\auto.exe attrib -h -a -s -r d:\auto.exe
if exist e:\auto.exe attrib -h -a -s -r e:\auto.exe
if exist f:\auto.exe attrib -h -a -s -r f:\auto.exe

if exist c:\auto.exe echo "0"> c:\auto.exe
if exist d:\auto.exe echo "0"> d:\auto.exe
if exist e:\auto.exe echo "0"> e:\auto.exe
if exist f:\auto.exe echo "0"> f:\auto.exe

if exist c:\auto.exe attrib +r c:\auto.exe
if exist d:\auto.exe attrib +r d:\auto.exe
if exist e:\auto.exe attrib +r e:\auto.exe
if exist f:\auto.exe attrib +r f:\auto.exe

Run HijackThis to remove all unwanted entries related to "Generic.PWS.j". Check the files below to get an idea of which files are related to this trojan.

There may be additional files; since they are created in series, you could also include the latest *.EXE and *.DLL files found in C:\WINNT (or C:\WINDOWS) whose timestamps
match those of the files below.

"DIR /OD C:\WINNT"
"DIR /OD C:\WINNT\SYSTEM32"

Save the text below as a batch file on your local drive before rebooting into Safe Mode
with Command Prompt.

REM Deletion of the core trojan files (run from the Safe Mode command prompt):
REM ==================================
REM cd /d switches drive and directory in one step, whatever drive %windir% is on.
cd /d "%windir%"
REM Clear the attributes first; del refuses hidden/system/read-only files otherwise.
if exist DiskMan32.exe attrib -h -a -s -r DiskMan32.exe
if exist Kvsc3.exe attrib -h -a -s -r Kvsc3.exe
if exist AVPSrv.exe attrib -h -a -s -r AVPSrv.exe
if exist mppds.exe attrib -h -a -s -r mppds.exe
if exist MsIMMs32.exe attrib -h -a -s -r MsIMMs32.exe
if exist NVDispDrv.exe attrib -h -a -s -r NVDispDrv.exe
if exist cmdbcs.exe attrib -h -a -s -r cmdbcs.exe
if exist upxdnd.exe attrib -h -a -s -r upxdnd.exe
if exist DbgHlp32.exe attrib -h -a -s -r DbgHlp32.exe
if exist msccrt.exe attrib -h -a -s -r msccrt.exe
if exist DiskMan32.exe del DiskMan32.exe
if exist Kvsc3.exe del Kvsc3.exe
if exist AVPSrv.exe del AVPSrv.exe
if exist mppds.exe del mppds.exe
if exist MsIMMs32.exe del MsIMMs32.exe
if exist NVDispDrv.exe del NVDispDrv.exe
if exist cmdbcs.exe del cmdbcs.exe
if exist upxdnd.exe del upxdnd.exe
if exist DbgHlp32.exe del DbgHlp32.exe
if exist msccrt.exe del msccrt.exe

REM The matching DLLs live in system32.
cd /d "%windir%\system32"
if exist mppds.dll attrib -h -a -s -r mppds.dll
if exist upxdnd.dll attrib -h -a -s -r upxdnd.dll
if exist DiskMan32.dll attrib -h -a -s -r DiskMan32.dll
if exist cmdbcs.dll attrib -h -a -s -r cmdbcs.dll
if exist Kvsc3.dll attrib -h -a -s -r Kvsc3.dll
if exist DbgHlp32.dll attrib -h -a -s -r DbgHlp32.dll
if exist AVPSrv.dll attrib -h -a -s -r AVPSrv.dll
if exist MsIMMs32.dll attrib -h -a -s -r MsIMMs32.dll
if exist NVDispDrv.dll attrib -h -a -s -r NVDispDrv.dll
if exist msccrt.dll attrib -h -a -s -r msccrt.dll
if exist mppds.dll del mppds.dll
if exist upxdnd.dll del upxdnd.dll
if exist DiskMan32.dll del DiskMan32.dll
if exist cmdbcs.dll del cmdbcs.dll
if exist Kvsc3.dll del Kvsc3.dll
if exist DbgHlp32.dll del DbgHlp32.dll
if exist AVPSrv.dll del AVPSrv.dll
if exist MsIMMs32.dll del MsIMMs32.dll
if exist NVDispDrv.dll del NVDispDrv.dll
if exist msccrt.dll del msccrt.dll
============================================================

Reboot and run HijackThis to check whether the trojan is still active; once it is cleared, you can safely remove the autorun.inf and auto.exe files.
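As an added example that is not part of the original post, here is a report-only batch script that generalises the checks above: it walks every drive letter from C: to Z: instead of hard-coding c: to f:, prints any autorun.inf line that still launches something, and counts how many of the trojan file names listed above are still present. The drive layout, %windir% paths and file-name list are taken from the post; the script is a constructed check and deletes nothing, so it can be run before and after the cleanup batch files to confirm the result.

```batch
@echo off
REM Report-only check (added example, not from the original post): find the
REM autorun.inf / auto.exe pair on every drive and list which of the trojan
REM file names above are still present. Nothing is deleted or modified.
setlocal enabledelayedexpansion

echo === Drives carrying autorun.inf / auto.exe ===
REM Start at C: so an empty floppy drive does not trigger a "no disk" prompt.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist %%D:\autorun.inf (
        echo %%D: has autorun.inf
        REM A neutralised autorun.inf has no open=/shellexecute=/command= line,
        REM so findstr prints nothing for a drive that is already clean.
        findstr /i "open= shellexecute= command=" %%D:\autorun.inf
        if exist %%D:\auto.exe echo %%D: has auto.exe as well
    )
)

echo === Known Generic.PWS.j files still present ===
set FOUND=0
for %%F in (DiskMan32 Kvsc3 AVPSrv mppds MsIMMs32 NVDispDrv cmdbcs upxdnd DbgHlp32 msccrt) do (
    if exist "%windir%\%%F.exe" (
        echo   %windir%\%%F.exe
        set /a FOUND+=1
    )
    if exist "%windir%\system32\%%F.dll" (
        echo   %windir%\system32\%%F.dll
        set /a FOUND+=1
    )
)
echo !FOUND! known file(s) still present.

echo === Newest EXE/DLL files in %windir%, oldest first; compare timestamps with the list above ===
dir /od /a "%windir%\*.exe" "%windir%\*.dll"
endlocal
```

A drive that prints "has autorun.inf" with no open=/shellexecute=/command= line after it is one the cleanup batch has already neutralised.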
Hope this helps...
Sharing is Caring...

Download Hijackthis V2.0.2
