Enter your Keyword, Search here,

Manual Removal of W32/Druzgl.D, W32.SillyFDC Worm

Manual Removal of W32/Druzgl.D Worm.
W32/Druzgl.D is a worm. The worm will infect Windows systems.
This worm first appeared on December 9, 2008.

Other names of W32/Druzgl.D Worm:
This Worm is also known as Win32.Druzgl.d, W32.SillyFDC.
Damage Level : High/Medium
Distribution Level: Unknown
/Low
No Auto Removal Tool for W32/Druzgl.D Worm
Worm Manual Removal Instructions
Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
When W32.SillyFDC is executed, it may copy itself to the following folder locations:
  • %Program Files\Microsoft Common\wuauclt.exe
  • %System%
  • %Windir%
  • %Temp%
  • %UserProfile%
  • %ProgramFiles%
  • %SystemDrive%
  • %CommonProgramFiles%
  • %CurrentFolder%
Using any of the following file names with a .com or .exe extension:
  1. password_viewer.exe
  2. CALC or calc
  3. mscalc.exe
  4. startupfolder
  5. config_
  6. startupfolder.com
  7. config_.com
How to Delete the Autorun.inf files

Go to Start > Run, type "cmd"
At the command prompt, type "cd\", this will change to C:\
Type "attrib" (C:\>attrib), it will display files with attributes. Take note on attribute of autorun.inf.
Usually it has SHR.(System, Hidden, Read Only)
Type “attrib -s -h -r C:\autorun.inf”, it will remove System, Hidden and Read-Only attribute
Type "edit autorun.inf" it will open DOS Editor and display contents as follows

---
[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe
---

Take note of the file/path that it runs.
Ex: open=file.exe where file.exe is the filename of the file that autoruns.
Exit DOS Editor.

Back at the command prompt type "attrib -s -h -r file.exe", where file.exe is the file that was called on DOS editor to autorun.
Ex: C:\>attrib -s -h -r file.exe.
If it is located on different directory include the path.
Ex: C:\>attrib -s -h -r c:\Windows\file.exe

Type "del file.exe". If it is located on different directory include the path.
Ex: C:\>del c:\Windows\file.exe
Type "del autorun.inf"
Type "del c:\Windows\autorun.inf
Type "del c:\Windows\password_viewer.exe
Type "del c:\Douments and Settings\(Your User Name)\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
Exit command prompt by typing "exit"
  • If you have any of these files in running process from task manger, end the process before removal.
  • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
  • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download and run this UnHookExec.inf, and then continue with the removal.
  • Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode.
  • Right-click the UnHookExec.inf file and click Install.
  • [This is a small file. It does not display any notice or boxes when you run it.]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load"
Delete any values associated with the worm (Value name Above Listed File Names)

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find
, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

No comments :

Post a Comment

Comment on this Post!!

More Posts that you may be interested...