How to Clean Virus Stuxnet ‘Harddisk-eaters’ - Printable version - Parsi Coders (http://parsicoders.com)
How to Clean Virus Stuxnet ‘Harddisk-eaters’ - Amin_Mansouri - 05-12-2011

The Stuxnet virus, also known as Winsta, devours all the free space on the hard drive until it is full. The virus initially spread from various porn sites, pirated programs and other ‘gray’ content, and was quite disturbing.

Here are the steps to eradicate the virus, as described by Vaksincom antivirus analyst Adi Saputra:

1. Using Dr. Web CureIt

Adi advised victims of Winsta, aka Stuxnet, to download the virus removal software. The removal tool, called Dr.Web CureIt, can be downloaded from the site FreeDrWeb.com

2. Registry Fix

Next, Adi suggested repairing the Windows registry entries modified by the virus. To do so, first copy the script below into a WordPad file.

    [Version]
    Signature="$Chicago$"
    Provider=Vaksincom Oyee

    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del

    ; Restore Explorer view settings, the default file handlers and the Winlogon shell
    [UnhookRegKey]
    HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
    HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
    HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
    HKLM, SOFTWARE\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, SOFTWARE\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, SOFTWARE\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, SOFTWARE\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

    ; Remove the service entries created by the virus
    [Del]
    HKLM, SYSTEM\CurrentControlSet\Services\MRxCls
    HKLM, SYSTEM\CurrentControlSet\Services\MRxNet
    HKLM, SYSTEM\ControlSet001\Services\MRxCls
    HKLM, SYSTEM\ControlSet002\Services\MRxNet
    HKLM, SYSTEM\CurrentControlSet\Services\Enum\Root\LEGACY_MRXClS
    HKLM, SYSTEM\CurrentControlSet\Services\Enum\Root\LEGACY_MRXNET
    HKLM, SYSTEM\ControlSet001\Services\Enum\Root\LEGACY_MRXClS
    HKLM, SYSTEM\ControlSet002\Services\Enum\Root\LEGACY_MRXNET

Then, save the file with the name ‘repair.inf’. Use the option to Save as type Text Document to avoid mistakes. Then, right-click the file ‘repair.inf’, select ‘Install’ and restart the computer.

“Clean up temporary files; this is to prevent the rest of the trojan from trying to become active again. Use tools such as ATF Cleaner or the Windows Disk Clean-Up feature,” wrote Adi.

3. Emergency Solutions

In addition, here is a script that can be used in emergencies to prevent Winsta from re-infecting the computer. Save the following script with the name Winsta.bat (file type: Text).

    @echo off
    del /f c:\windows\system32\winsta.exe
    rem Remove any folder of the same name, then create a placeholder folder
    rd c:\windows\system32\winsta.exe
    md c:\windows\system32\winsta.exe
    del /f c:\windows\system32\drivers\mrxnet.sys
    rem Remove any folder of the same name, then create a placeholder folder
    rd c:\windows\system32\drivers\mrxnet.sys
    md c:\windows\system32\drivers\mrxnet.sys
    del /f c:\windows\system32\drivers\mrxcls.sys
    rem Remove any folder of the same name, then create a placeholder folder
    rd c:\windows\system32\drivers\mrxcls.sys
    md c:\windows\system32\drivers\mrxcls.sys
    rem Mark the placeholder folders read-only, hidden and system
    attrib +r +h +s c:\windows\system32\winsta.exe
    attrib +r +h +s c:\windows\system32\drivers\mrxnet.sys
    attrib +r +h +s c:\windows\system32\drivers\mrxcls.sys

When finished, double-click the generated Winsta.bat file. For optimal cleaning and to prevent re-infection, re-scan using an updated antivirus that recognizes this virus very well.
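A registry repair file copied from a web page is worth reviewing before choosing ‘Install’. The following Python sketch is an added example, not part of the original post or of Vaksincom's tooling: it lists every registry write and key deletion that the [DefaultInstall] section of such a file would apply. The function names and the abridged sample are constructed for illustration, and values are assumed to be single comma-free or quoted fields.

```python
import csv

# Constructed sample: an abridged copy of the repair.inf from this post.
SAMPLE_INF = r'''
[DefaultInstall]
AddReg = UnhookRegKey
DelReg = del
[UnhookRegKey]
HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
[Del]
HKLM, SYSTEM\CurrentControlSet\Services\MRxCls
HKLM, SYSTEM\CurrentControlSet\Services\MRxNet
'''

def fields(line, n):
    """Split an INF line on commas (quotes and "" escapes honoured), padded to n."""
    row = next(csv.reader([line], skipinitialspace=True))
    return ([f.strip() for f in row] + [""] * n)[:n]

def sections(text):
    out, name = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()  # section names are case-insensitive
            out.setdefault(name, [])
        elif line and not line.startswith(";") and name is not None:
            out[name].append(line)  # skip blank lines and ';' comments
    return out

def audit(text):
    """Return (writes, deletes) that the [DefaultInstall] section would apply."""
    sec = sections(text)
    refs = {}
    for entry in sec.get("defaultinstall", []):
        key, _, value = entry.partition("=")
        refs[key.strip().lower()] = [s.strip().lower() for s in value.split(",")]
    writes, deletes = [], []
    for name in refs.get("addreg", []):
        for root, key, value_name, _flags, data in (fields(l, 5) for l in sec.get(name, [])):
            writes.append((root + "\\" + key, value_name or "(Default)", data))
    for name in refs.get("delreg", []):
        for root, key, _value_name in (fields(l, 3) for l in sec.get(name, [])):
            deletes.append(root + "\\" + key)
    return writes, deletes

if __name__ == "__main__":
    writes, deletes = audit(SAMPLE_INF)
    print(*writes, *deletes, sep="\n")
```

The entries to read most carefully are the shell\open\command handlers and the Winlogon Shell value, since they decide what runs when a file is opened or a user logs on.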