
How to delete a virus from a Drive-By java attack in case you clicked run

Discussion in 'Archives' started by iFatalize, Mar 10, 2011.

  1. iFatalize

    iFatalize Active Member


    This is a guide for those who did click 'run' java :p or in my case didn't but got the virus anyway! I am writing this guide as a result of getting hacked.. pretty stupid on my part and I know it's my own fault.

    This guide was done on Windows 7. I will mention minor differences for XP whilst going through it, but I have never used Vista and therefore can't comment about that.. I'm pretty sure it's the same as the Windows 7 way though. Anyway, here goes:

    Step 1:
    First you're going to want to go to your desktop. Best to do this with minimal programs running so you can do this as quickly as possible.

    Step 2: Click on your start menu, and in the search bar type "msconfig" (on XP, use "Run.." and type the same thing). This is shown clearly in the picture below:

    [​IMG]

    Step 3: A window will pop up, which is the Microsoft startup configuration. Do not fiddle with any of the settings in here as you could end up doing some damage and I am in no way liable for that :p As shown in the picture below, click the startup tab:

    [​IMG]

    Step 4: In the list, one of the items will have a dodgy name or a replica name to that of a System32 file; also the manufacturer will be "unknown." At this point you must realise that anything in this list you disable will not affect your computer dramatically. As you can see, on mine the only things I have on startup are my wireless adapter and my antivirus, just so I don't have to start them up manually. Anyway, back to the dodgy file... this file is the file you want to delete. Hover over the path and either use your memory or write the path down.

    Step 5: You need to follow this path and delete the program at the end, which will be a .exe program. Sometimes whilst following the path you may not see one of the folders stated. This is because it's a hidden folder. To see this you must go to start and open control panel, then go to appearances and personalisation (for XP please PM me for an alternative route for this):

    [​IMG]

    Step 6: A window will pop up called folder options. Simply find in the list the hidden files and folders section and check the statement that says "Show hidden files, folders and drives." This is shown below:

    [​IMG]

    Step 7: When you have shown hidden folders and followed the path, you will find a folder which holds a .exe program which has something to do with Java. I have had many with strange names such as "MerchantGuide.exe", "Javaload.exe", "AutoBot.exe". This is the file you want to delete, so right click and click delete.. DON'T FORGET TO EMPTY YOUR RECYCLE BIN AFTER AS WELL! The picture below shows an example:

    [​IMG]

    Step 8: It should all be deleted now, but quickly search the name of the corrupt file you have just deleted in the search box again, in case it has replicated. If it has, simply delete it at the other location too and empty your recycle bin again.


    So that is my guide to those of you silly enough to have clicked run on the java application or, like me, got the virus anyway. If somebody disagrees with this guide or thinks this doesn't delete the virus please let me know, but I have a pretty good knowledge of computers and think this is a 99% concrete way of getting rid of the virus. It has worked for me a few times as I did not have antivirus for a while.

    Thanks for reading, hope it helps and good luck getting rid of those viruses.
     
  2. aus aaz

    aus aaz Grand Master
    $50 USD Donor New


    Good stuff to know
     
  3. iFatalize

    iFatalize Active Member


    I'm pretty sure this works :) never failed me so far.. at the end of the day.. the basics are, it's an exe program and they have to be running to remote into your computer.. or keylog you. So if you don't start the .exe file up at startup it won't run, and then if you delete it.. it will never run.
     
  4. Elfenones

    Elfenones Active Member


    Keep bumping this up so others can see. :)
     
  5. iFatalize

    iFatalize Active Member


    will do :)
     
  6. Elfenones

    Elfenones Active Member


    Yeah :p
     
  7. Divine blob

    Divine blob Guru


    Are you sure? I'm quite sure they put it into more places.

    [​IMG]

    As you can see there are many places you can install it.

    Plus, a good firewall can help prevent it from forwarding the information. But I'm quite sure the first part works, but I'd guess you'd have to restart your PC and hope you removed the program from the list.

    Edit:

    And for XP users:

    [​IMG]

    Click on classic view.

    [​IMG]

    Folder options

    [​IMG]

    Go to view, then "Hidden files and folders". Put it on show hidden files and folders, then apply.
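
Added example (not part of any post in this thread): a read-only PowerShell inventory of the startup entries the guide inspects through msconfig, covering the Run/RunOnce registry keys and both Startup folders, in line with the reply above that the file can sit in more than one place. It reports each entry's company name (msconfig's "Manufacturer") and Authenticode status; the variable and function names are this example's own, and the folder paths assume Windows 7 or later.

```powershell
# Added example: read-only inventory of autostart entries (deletes nothing).
# Assumes Windows 7 or later folder layout; run from a PowerShell prompt.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

function Get-ExePath([string]$Command) {
    # Extract the program path from a startup command line.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }   # quoted path, then arguments
    if ($c -match '^(.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item $key
    foreach ($name in $reg.GetValueNames()) {
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $name; Command = [string]$reg.GetValue($name) }
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $entries += New-Object PSObject -Property @{
                Source = $dir; Name = $_.Name; Command = '"' + $_.FullName + '"' }
        }
}

$entries | ForEach-Object {
    $path = Get-ExePath $_.Command
    if ($path -like '*.lnk') { $path = $shell.CreateShortcut($path).TargetPath }
    $found = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $company = if ($found) { (Get-Item -LiteralPath $path -Force).VersionInfo.CompanyName } else { $null }
    $sig = if ($found) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'PathNotResolved' }
    New-Object PSObject -Property @{
        Source = $_.Source; Name = $_.Name; Path = $path; Company = $company; Signature = $sig
        Review = (-not $company) -or ($sig -ne 'Valid')   # no vendor or no valid signature: look closer
    }
} | Sort-Object Review -Descending | Format-Table Review, Name, Company, Signature, Path -AutoSize
```

A row marked for review is a lead to check, not a verdict: plenty of legitimate software is unsigned, and this listing does not cover services, scheduled tasks or other autostart mechanisms.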
     
  8. 1ce

    1ce Forum Addict
    Banned


    Easiest solution is to boot into safe mode, do a system restore. Then download Blink Personal/Professional security as your AV.
     
  9. iFatalize

    iFatalize Active Member


    Yes, but this is why at the end I state that you need to search the file name again to check it hasn't replicated or been sent to more than one location.. the point is if you disable it in the startup menu.. it won't run without you double clicking it.. and therefore the hacker won't be able to remote into your computer.

    May I ask why you have this program too? May seem dodgy to others that you have it..
     
  10. iFatalize

    iFatalize Active Member


    excuse double post, site went down for maintenance as i clicked submit..
     
  11. 1ce

    1ce Forum Addict
    Banned


    No double clicking needed, could just use a polymorphic regeneration engine to alter filenames, it's nice when it just keeps outputting itself and allowing you to create the processes necessary for running them. or ./ wmf esc codelings as an extreme example.

    I'm certain you're running your system as administrator...

    Like I said before:
    Unplug your PC.
    Plug it back in.
    Hit the power switch.
    Rapidly press F8 until your system beeps.
    Boot into safe mode.
    Do a system restore.
    Reboot.
    Go to eeye.com and get Blink Personal security. Update it.
     
  12. iFatalize

    iFatalize Active Member


    thanks for the advice, will try this later..
     
  13. 1ce

    1ce Forum Addict
    Banned


    no problem. Meanwhile I'm going to document a quick time configuration tutorial for using the ntp daemon for automatic time configuration.
     
  14. HappyFace01010

    HappyFace01010 <--- Tis a Happy Face
    Banned


    This method has very low effectiveness because if the keylogger / RAT is encrypted or merged into a Windows file then it won't show up in either of those places.

    Malwarebytes is the best idea for getting rid of keyloggers / RATs.
     
  15. 1ce

    1ce Forum Addict
    Banned


    Malwarebytes has 41 exploits.
    Blink has 0, its vuln scanner, Retina, also has 0.
    Furthermore, Blink is the only AV that'll stop magic lantern, the baddest av of them all. ;) I'll put all my chips on eEye, doesn't take long on Google to find that their credibility is through the roof.
     
  16. iFatalize

    iFatalize Active Member


    Thanks again for the advice guys. With regards to the effectiveness of my method, you have to remember these people aren't hardcore hackers.. they are hacking for RuneScape items.. sad I know, and they won't be using any high tech viruses..
     
  17. Divine blob

    Divine blob Guru


    Well I'm attempting to show you what the general person does to set it up. It only took me five seconds of browsing to find a tutorial with pictures.
     
  18. xSiik

    xSiik Forum Addict
    Banned


    There are many alternatives for doing this, and the guide itself, although it had a lot of pictures, lacked neatness. I would say this deserves 5/10.
     
  19. Divine blob

    Divine blob Guru


    I'm sorry, but this isn't a high tech virus. They are only remote administrative tools (RAT), and you can download them very easily if you put enough effort into finding them. And I am 99% sure people who are bright enough to set up a Java Drive-by can set up a RAT. I can find guides that a child with no experience on the internet can utilize. Anyways, I understand you are trying to help but you need to go a bit more in depth.
     
  20. iFatalize

    iFatalize Active Member


    Starting to wish I hadn't written this guide.. :S
     