Remove Trojan w32 Killaut.a

Malware type: Trojan
Aliases: Trojan-Downloader.Win32.AutoIt.s (Kaspersky)
W32/YahLover.worm (McAfee)
W32.Killaut.A (Symantec)
TR/Spreader.A (Avira)
Mal/Generic-A (Sophos)

W32.Killaut.A is a worm that copies itself to local and removable drives. It also disables system tools and certain antivirus-related processes.

Payload: Disables system tools and certain antivirus-related processes.

Technical Information:
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the worm copies itself as the following files:
%UserProfile%\My Documents\[CURRENT USER ACCOUNT].exe
%System%\debug_32.exe
%System%\MsMpEng.exe
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job
%Windir%\Tasks\dmadmin_1.exe
%Windir%\compmgmt.exe

For each subfolder found in %UserProfile%\My Documents, the worm creates files in the following format:
%UserProfile%\My Documents\[FolderName].exe

For each subfolder found in %SystemDrive%, the worm creates files in the following format:
%SystemDrive%\[FolderName].exe

The folders' attributes are then set to hidden, so that the user clicks on the malicious .exe instead of the original folder.

The worm then copies the following files to all available local and removable drives:
%SystemDrive%\autorun.inf
%SystemDrive%\New_Folder.exe
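As an added example (not part of the original removal guide), the following Python flags the folder-impersonation pattern described above, a hidden folder with a same-named .exe beside it, and the autorun.inf / New_Folder.exe pair written to drive roots. It works on a directory listing so it runs here on constructed data; the Entry type and function names are this example's own.

```python
# Added example: detect the W32.Killaut.A folder-impersonation pattern
# (folder set hidden + "<FolderName>.exe" dropped beside it) and the
# autorun.inf / New_Folder.exe pair the worm writes to drive roots.
# Operates on a listing so it can run offline; a caller on Windows would
# build Entry objects from os.scandir() and the hidden file attribute.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def find_folder_impersonators(listing):
    """Return (exe_name, confidence) for .exe files that mirror a folder
    in the same directory. A hidden twin folder is high confidence, since
    hiding the real folder is what the worm does; a visible twin is low."""
    folders = {e.name.lower(): e for e in listing if e.is_dir}
    findings = []
    for e in listing:
        if e.is_dir or not e.name.lower().endswith(".exe"):
            continue
        stem = e.name[:-4].lower()
        if stem in folders:
            confidence = "high" if folders[stem].hidden else "low"
            findings.append((e.name, confidence))
    return findings


def has_autorun_dropper(listing):
    """True when a drive root holds both autorun.inf and New_Folder.exe,
    the pair the description above says the worm copies to every drive."""
    names = {e.name.lower() for e in listing if not e.is_dir}
    return {"autorun.inf", "new_folder.exe"} <= names


# Constructed listing of %UserProfile%\My Documents after infection.
MY_DOCUMENTS = [
    Entry("Photos", True, True), Entry("Photos.exe", False, False),
    Entry("Work", True, False), Entry("Work.exe", False, False),
    Entry("Notes.txt", False, False),
]
# Constructed listing of a removable drive root.
DRIVE_ROOT = [Entry("autorun.inf", False, True), Entry("New_Folder.exe", False, True)]

if __name__ == "__main__":
    print(find_folder_impersonators(MY_DOCUMENTS))   # [('Photos.exe', 'high'), ('Work.exe', 'low')]
    print(has_autorun_dropper(DRIVE_ROOT))           # True
```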

The worm deletes the following registry subkeys to disable the normal startup process for the compromised computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\find
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore
HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It also attempts to end the following processes:
sp_rsser.exe
avgupsvc.exe

It then attempts to stop or pause the following services:
sp_rssrv
avg7alrt



HOW TO REMOVE W32.Killaut.A MANUALLY:
Start the computer in Safe Mode.

1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Delete/modify any values added to the registry.

Restore the following registry entries to their original values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\"3" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 63 00 6F 00 6D 00 70 00 6D 00 67 00 6D 00 74 00 2E 00 65 00 78 00 65 00 2C 00 30 00 00 00 74"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\"compmgmt.exe " = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 65 00 62 00 75 00 67 00 5F 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 00"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Shell" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 63 00 6F 00 6D 00 70 00 6D 00 67 00 6D 00 74 00 2E 00 65 00 78 00 65 00 00 00 07"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sheli" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 74 00 61 00 73 00 6B 00 73 00 5C 00 64 00 6D 00 61 00 64 00 6D 00 69 00 6E 00 5F 00 31 00 2E 00 65 00 78 00 65 00 00 00 00"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\"AtTaskMaxHours" = "0x00000048"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0x00000048"

HKEY_CURRENT_USER\Control Panel\don't load\"appwiz.cpl" = "6E 00 6F 00 00 00 00"
HKEY_CURRENT_USER\Control Panel\don't load\"Services.cpl" = "6E 00 6F 00 00 00 00"
HKEY_CURRENT_USER\Control Panel\don't load\"Startup.cpl" = "6E 00 6F 00 00 00 00"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFind" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFileMenu" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\"Sheli" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 74 00 61 00 73 00 6B 00 73 00 5C 00 64 00 6D 00 61 00 64 00 6D 00 69 00 6E 00 5F 00 31 00 2E 00 65 00 78 00 65 00 00 00 00"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDriveTypeAutoRun" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\"Disabled" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Sheli" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 74 00 61 00 73 00 6B 00 73 00 5C 00 64 00 6D 00 61 00 64 00 6D 00 69 00 6E 00 5F 00 31 00 2E 00 65 00 78 00 65 00 00 00 00"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\"{default}" = "00 00 C3"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Connection Settings" = "0x00000001"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"ConnectionsTab" = "0x00000001"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"GeneralTab" = "0x00000001"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "0x00000001"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Settings" = "0x00000001"

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "0x00000001"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg\"(default)" = "74 00 78 00 74 00 66 00 69 00 6C 00 65 00 00 00 05"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"ValueName" = "53 00 68 00 6F 00 77 00 53 00 75 00 70 00 65 00 72 00 48 00 69 00 64 00 64 00 65 00 6E 00 00 00 03"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden\"(default)" = "00 00 C3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 75 00 73 00 65 00 72 00 69 00 6E 00 69 00 74 00 2E 00 65 00 78 00 65 00 2C 00 63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 74 00 61 00 73 00 6B 00 73 00 5C 00 64 00 6D 00 61 00 64 00 6D 00 69 00 6E 00 5F 00 31 00 2E 00 65 00 78 00 65 00 00 00 39"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\"AlternateShell" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 4D 00 73 00 4D 00 70 00 45 00 6E 00 67 00 2E 00 65 00 78 00 65 00 00 00 05"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 4D 00 73 00 4D 00 70 00 45 00 6E 00 67 00 2E 00 65 00 78 00 65 00 00 00 05"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0x00000002"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0x00000000"

Navigate to and restore the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\find
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

6. Exit the registry editor and restart the computer.
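The binary registry values listed in step 5 are UTF-16LE strings written as REG_BINARY hex dumps. As an added example (not part of the original guide), this Python decodes a labelled subset of those dumps so a responder can see the paths the worm placed in Run, Userinit and SafeBoot\AlternateShell, and which of the worm's own file names they point to; the hex is copied from the page, the helper names and labels are this example's own.

```python
# Added example: decode the REG_BINARY hex dumps quoted in step 5 into
# the NUL-terminated UTF-16LE strings they hold and match the decoded
# paths against the worm's file names listed earlier on this page.
# The dumps are copied from the page; labels and helpers are ours.

# Worm file names taken from the "copies itself as" list above.
WORM_FILE_NAMES = {"compmgmt.exe", "debug_32.exe", "msmpeng.exe", "dmadmin_1.exe"}

# Labelled subset of the dumps quoted in the removal steps above.
PAGE_DUMPS = {
    "Shell Icons\\3": "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 63 00 6F 00 6D 00 70 00 6D 00 67 00 6D 00 74 00 2E 00 65 00 78 00 65 00 2C 00 30 00 00 00 74",
    "Run\\Shell": "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 63 00 6F 00 6D 00 70 00 6D 00 67 00 6D 00 74 00 2E 00 65 00 78 00 65 00 00 00 07",
    "Winlogon\\Userinit": "43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 75 00 73 00 65 00 72 00 69 00 6E 00 69 00 74 00 2E 00 65 00 78 00 65 00 2C 00 63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 74 00 61 00 73 00 6B 00 73 00 5C 00 64 00 6D 00 61 00 64 00 6D 00 69 00 6E 00 5F 00 31 00 2E 00 65 00 78 00 65 00 00 00 39",
    "SafeBoot\\AlternateShell": "63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 4D 00 73 00 4D 00 70 00 45 00 6E 00 67 00 2E 00 65 00 78 00 65 00 00 00 05",
    ".reg (default)": "74 00 78 00 74 00 66 00 69 00 6C 00 65 00 00 00 05",  # normally "regfile"
    "don't load\\appwiz.cpl": "6E 00 6F 00 00 00 00",
}


def decode_reg_hex(dump):
    """Decode a space-separated REG_BINARY dump holding a NUL-terminated
    UTF-16LE string. Residue after the terminator (e.g. the stray '74'
    in the Shell Icons dump) is ignored."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    raw = raw[: len(raw) // 2 * 2]          # drop an odd trailing byte
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]         # stop at the terminator


def referenced_worm_files(value):
    """Worm file names referenced by a decoded autostart value; Userinit
    values are comma-separated lists of executables, so check each part."""
    hits = []
    for part in value.split(","):
        name = part.strip().rsplit("\\", 1)[-1].lower()
        if name in WORM_FILE_NAMES:
            hits.append(name)
    return hits


def decode_page_dumps():
    """Map each label to (decoded string, worm files it references)."""
    return {label: (decode_reg_hex(d), referenced_worm_files(decode_reg_hex(d)))
            for label, d in PAGE_DUMPS.items()}


if __name__ == "__main__":
    for label, (text, hits) in decode_page_dumps().items():
        print(f"{label:26} -> {text!r}  worm files: {hits}")
```

The decoded AlternateShell shows why step 3 alone is not enough on an infected machine: Safe Mode with Command Prompt would launch the worm's %System%\MsMpEng.exe copy, which is why the guide also has you restore the SafeBoot subkey.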
About DARFUN INC © Copyright darfuns.com
DARFUN CORPORATION, est. 2004