Tuesday, December 22, 2009

Remove Nissan.exe trojan / NewsPaedia

If your browser keeps opening on its own with websites like thenewpaedia.com, it is quite likely that you have the trojan/backdoor program nissan.exe.

This exe resides in your recycle bin. It creates entries in the system registry so that it is loaded every time someone logs in. The exe stays in memory all the time, watches its registry key for any modification and immediately writes its own values back.

First let's see where the exe resides. It probably sits in a path like "C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe".
Open a command prompt and run (the /a:hsr switch lists files that carry the hidden, system and read-only attributes, which a plain dir would skip):
C:\>cd \
C:\>cd "Recycler"
C:\>dir /a:hsr *.*
You should now see an entry for nissan.exe. This exe has to be removed, but that is not possible right now because it is already loaded in memory.

Now let's see where in the registry the entry that loads the exe lives:
Open regedit.exe
Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Here you should see an entry named 'Taskman' with a value like "C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe".
We need to get this entry deleted, but we cannot do it right now: nissan.exe will detect the deletion and immediately write the value back.

How to get rid of this:
1. Create a user on the system who is not an Administrator.
2. Log off from any account which may have Admin rights.
3. Log in as the regular (non-admin) user.
4. Navigate to the Windows\System32 folder and do a Run as... -> Administrator on
- Regedt32.exe
- Cmd.exe
- TaskMgr.exe
5. Switch to the TaskMgr instance you started in step 4 and kill all instances of Explorer.exe.
6. Now switch to the Regedit instance, search for nissan.exe and remove every value in which it shows up. Repeat the find for 'nissan.exe' a few times to make sure nothing is left.
7. Switch to the command prompt instance and delete every copy of nissan.exe:
C:\>cd \
C:\>cd "Recycler"
C:\>dir /a:hsr *.*
This shows exactly where nissan.exe is, e.g.
"C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe".
Now delete the file. Clear the hidden, system and read-only attributes first, otherwise del will not touch it:
C:\>attrib -h -s -r "C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe"
C:\>del "C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe"

Run dir /a:hsr nissan.exe again and check that you did not miss any copy.
By now all entries which launch the exe should have been removed.
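As an added example (not part of the original post), the read-only PowerShell check below looks for the two artefacts described above: a Winlogon logon value pointing into a RECYCLER folder, and executables hidden inside the recycle-bin folders. The extra Winlogon values 'Shell' and 'Userinit' and the Vista-style '$Recycle.Bin' folder name are my additions; the Taskman value and the nissan.exe name come from the post.

```powershell
# Added example, not from the original post. Audits the persistence points the
# post describes. Read-only: it changes nothing, it only reports.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Winlogon values that launch a program at logon. 'Taskman' is the one the
#    post found abused; 'Shell' and 'Userinit' are checked too (my assumption)
#    because Winlogon starts them the same way. Anything that points into a
#    recycle-bin folder, or names nissan.exe, is suspect.
$props = Get-ItemProperty -Path $winlogon
foreach ($name in 'Taskman', 'Shell', 'Userinit') {
    $value = $props.$name
    if (-not $value) { continue }
    if ($value -match '(?i)\\RECYCLER\\|\\\$Recycle\.Bin\\|nissan\.exe') {
        $findings += "Winlogon\$name = $value"
    }
}

# 2. Executables hidden inside the recycle-bin folders on every drive. The
#    post's sample carried hidden+system+read-only attributes, so -Force is
#    required to see it at all.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($bin in 'RECYCLER', '$Recycle.Bin') {
        $root = Join-Path $drive.Root $bin
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File: $($_.FullName) [$($_.Attributes)]" }
    }
}

if ($findings) { $findings } else { 'No RECYCLER-based Winlogon persistence found.' }
```

Run it from an elevated PowerShell prompt; an empty recycle bin and a Taskman value that is absent or points outside RECYCLER means the machine does not show the signs described in this post.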

I have a suspicion that USB drives get affected and that, when such 'affected' drives auto-run, the system gets infected. I would therefore recommend that you disable AUTORUN on all drives. Follow the instructions in the link:
Disable autorun