
Password_viewer.exe And Autorun.inf



#1 comebackata2


Posted 25 January 2008 - 10:35 AM

Hey
I tried a lot of things to remove password_viewer.exe and autorun.inf based on what I read, and this is what I've done so far...

1.) I downloaded PRT.exe by iSergiwa Software and ran it, because some guy said that it would delete autorun.inf

2.) I enabled view hidden files and deleted password_viewer.exe in safe mode (safe mode only), and I emptied the recycle bin, then restarted my PC

3.) In both Task Manager and Process Explorer, password_viewer.exe no longer exists, but when I run cmd my PC shuts down automatically

4.) I searched for both files and found no results, except that I found 2 autorun.inf files in my hp folder, but both of them seem to be related to hp stuff

So here are my questions:
1.) What does password_viewer.exe do?
2.) What does autorun.inf do?
3.) Did I just make the condition worse?
4.) How do I make command prompt work again?


 


#2 quietman7


Posted 26 January 2008 - 06:21 PM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

From what I can find, this infection drops several malware files and modifies your registry.

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
  • Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Reboot your computer in "Safe Mode" using the F8 key. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Go to Start > Run and type: regedit
Press "OK" and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right hand pane, double-click on Userinit
In the 'Edit String' box, make sure "Value data:" reads exactly (including the comma on the end) as follows: C:\WINDOWS\system32\userinit.exe,
Edit if it does not and press "OK" when done.

Now in the right hand pane again, double-click on Shell
In the 'Edit String' box, make sure "Value data:" reads exactly: Explorer.exe
Edit if it does not and press "OK" when done.
Exit regedit.

Go to Start > Run and type: cmd
  • Press OK.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
Now search for and remove password_viewer.exe
  • At the command prompt, type in your primary drive location, usually C:
  • Type: dir /s password_viewer.exe
  • Hit Enter.
  • If the file is present, type: del password_viewer.exe
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Then repeat the above commands to search for and delete bar311.exe, photos.zip.exe, pc-off.bat on each drive.
  • Exit the command prompt and reboot your computer normally.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

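Added example, not part of either post and not a BleepingComputer tool: autorun.inf is a plain-text file whose [autorun] section names the program Windows starts for a drive, so reading it before deleting shows whether a given copy (such as the two in the HP folder mentioned in the question) points at a vendor installer or at one of the files named in the answer. The Python below does that check; the sample file contents and all function names are constructed for this illustration.

```python
import ntpath

# File names the answer above lists for this infection.
THREAD_FILES = {"password_viewer.exe", "bar311.exe", "photos.zip.exe", "pc-off.bat"}

# Constructed samples, not captured from an infected machine or from HP software.
SAMPLE_SUSPECT = """[AutoRun]
open=password_viewer.exe
shell\\open\\command=password_viewer.exe
shell\\explore\\command="password_viewer.exe"
"""
SAMPLE_VENDOR = """; installer disc
[autorun]
open=setup.exe /s
icon=setup.exe,0
"""

def launch_entries(text):
    """Return (key, command) pairs in [autorun] that make Windows start a program."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries

def target_name(command):
    """Lower-case file name of the program a command starts (path, arguments dropped)."""
    command = command.strip()
    quoted = command.startswith('"')
    program = command[1:].split('"', 1)[0] if quoted else command.split(" ", 1)[0]
    return ntpath.basename(program).lower()

def triage(text):
    """Split launch entries into (names a file from THREAD_FILES, everything else)."""
    flagged, other = [], []
    for key, command in launch_entries(text):
        bucket = flagged if target_name(command) in THREAD_FILES else other
        bucket.append((key, command))
    return flagged, other

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPECT), triage(SAMPLE_VENDOR))
```

An unquoted program path that contains spaces is cut at the first space, so entries in the second list still need a manual look at the full command.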



