xxx

February 4, 2008

Sub7@Chatx.net Virus - Easy Solution

Filed under: Support


source: The Power of Information Technology

 

Are you wondering why your hard disk or flash disk opens in a new window when you double-click it, and why the name "Sub7@Chatx.net" appears when you right-click the icon? Then you are probably infected with a virus. It is mainly a trojan that corrupts the autorun.inf of every disk drive.

Here are simple steps to cure the virus:

1.)  Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)
2.)  Stop wscript.exe process if available by highlighting the process name and
      clicking End Process

3.)  Then terminate explorer.exe process
4.)  In Task Manager, click on File -> New Task (Run…)
5.)  Type “cmd” into the textfield and click OK
6.)  Type the following commands one by one, pressing Enter after every line:
         del c:\autorun.* /f /s /q /a
         del d:\autorun.* /f /s /q /a
         del e:\autorun.* /f /s /q /a
      c, d and e represent each drive letter on the Windows system. If there are more
      drives or partitions infected, continue entering the commands, changing the
      drive letter only

7.)  In Task Manager, click on File -> New Task (Run…)
8.)  Type “regedit” into the textfield and click OK
9.)  Navigate to the registry key:
         HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows NT ->
         CurrentVersion -> Winlogon

10.) Check the value name and value data for the key:
       Incorrect: Userinit = "userinit.exe,autorun.exe"
       Correct:   Userinit = "C:\WINDOWS\system32\userinit.exe," (comma included)
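The check in step 10 can be written as a small validator. This is an added example, not code from the original post; the function name audit_userinit is hypothetical, and the expected path is the Windows XP default quoted in step 10.

```python
import ntpath

# Expected program, as given in step 10 of the post (assumed default install path).
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"


def audit_userinit(value, expected=EXPECTED):
    """Return a list of findings for a Winlogon Userinit value; empty means clean.

    Userinit holds a comma-separated list of programs Winlogon starts at logon.
    """
    # The trailing comma of the correct value yields an empty last element,
    # which is dropped together with stray whitespace and quotes.
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]
    if not entries:
        return ["empty value: Winlogon has no program to start"]

    want = ntpath.normcase(ntpath.normpath(expected))
    findings = []
    seen_expected = False
    for entry in entries:
        norm = ntpath.normcase(ntpath.normpath(entry))
        if norm == want:
            seen_expected = True
        elif ntpath.basename(norm) == ntpath.basename(want):
            # Right file name, but not the full path from step 10.
            findings.append(f"no full path to userinit.exe: {entry!r}")
        elif "\\" not in entry and norm.endswith("userinit.exe"):
            # Path typed or pasted with the backslashes lost; Winlogon
            # cannot resolve this to a file.
            findings.append(f"separators missing: {entry!r}")
        else:
            findings.append(f"extra program started at logon: {entry!r}")
    if not seen_expected:
        findings.append(f"expected entry missing: {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the correct one, the infected one from
    # step 10, and a path that has lost its backslashes.
    for sample in (r"C:\WINDOWS\system32\userinit.exe,",
                   "userinit.exe,autorun.exe",
                   "C:WINDOWSsystem32userinit.exe,"):
        print(sample, "->", audit_userinit(sample) or "OK")
```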

8 Comments »


  1. Correct: Userinit = “C:WINDOWSsystem32userinit.exe,” (comma included)

    Kindly check this.. it should be like this:

    Correct: Userinit = "C:\WINDOWS\system32\userinit.exe," (comma included)
    without the \ it will cause your PC to log in and log off since it would not be able to locate the directory that was specified

    Comment by ako — February 28, 2008 @ 4:30 pm

  2. very easy!

    1).Download this file from my website and double click on it. Here is the link
    http://autorunvirus.googlepages.com/Removesub7chatx.netVirus.vbs

    OR

    Copy below code.
    Paste in notepad or Wordpad.
    Save As yourname.VBS
    Double click on it to run that script.

    Dim ObjFileSys, VirusFileNames, Dimension

    CONST FolderSystem32 = 1
    ' Files dropped by the virus; the leading "\" joins each name to a folder or drive path
    VirusFileNames = Array("\autorun.inf","\mma.bat","\mma.rar","\mma.reg","\mma.vbs")

    Set ObjFileSys = CreateObject("Scripting.FileSystemObject")

    Call DeleteRegistry()
    Call CleanSystem32()
    Call CleanAllDrives

    Set ObjFileSys = Nothing
    MsgBox "Done"
    WScript.Quit

    ' Remove the virus files from the system32 folder
    Sub CleanSystem32()
        Dim SysFolder
        Set SysFolder = ObjFileSys.GetSpecialFolder(FolderSystem32)
        For Dimension = LBound(VirusFileNames) To UBound(VirusFileNames)
            If ObjFileSys.FileExists(SysFolder.Path & VirusFileNames(Dimension)) Then DeleteThisFile SysFolder.Path & VirusFileNames(Dimension)
        Next
        Set SysFolder = Nothing
    End Sub

    ' Remove the virus files from the root of every drive
    Sub CleanAllDrives()
        Dim Drive, Drives
        Set Drives = ObjFileSys.Drives
        For Each Drive in Drives
            For Dimension = LBound(VirusFileNames) To UBound(VirusFileNames)
                If ObjFileSys.FileExists(Drive.Path & VirusFileNames(Dimension)) Then DeleteThisFile Drive.Path & VirusFileNames(Dimension)
            Next
        Next
        Set Drives = Nothing
    End Sub

    ' Clear the hidden/system/read-only attributes, then force-delete the file
    Function DeleteThisFile(FileName)
        Dim File
        Set File = ObjFileSys.GetFile(FileName)
        File.attributes = 0
        File.Delete True
        Set File = Nothing
    End Function

    ' Reset the Winlogon Userinit value to the full path of userinit.exe
    Sub DeleteRegistry()
        Dim WSHShell, SysFolder
        Set SysFolder = ObjFileSys.GetSpecialFolder(FolderSystem32)
        Set WSHShell = WScript.CreateObject("WScript.Shell")

        WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", SysFolder.Path & "\userinit.exe"

        WScript.DisconnectObject WSHShell
        Set WSHShell = Nothing
    End Sub

    2). Restart your system and right-click on your drives to verify that this virus has been removed.

    3). If the Sub7@Chatx.net still remains after restart, try repeating the whole process again.

    Comment by Vipul Patel — March 7, 2008 @ 6:48 am

  3. Yes you are right thanks for that

    very easy!

    1).Download this file from my website and double click on it. Here is the link
    http://autorunvirus.googlepages.com/Removesub7chatx.netVirus.vbs

    OR

    Copy below code.
    Paste in notepad or Wordpad.
    Save As yourname.VBS
    Double click on it to run that script.

    Dim ObjFileSys, VirusFileNames, Dimension

    CONST FolderSystem32 = 1
    ' Files dropped by the virus; the leading "\" joins each name to a folder or drive path
    VirusFileNames = Array("\autorun.inf","\mma.bat","\mma.rar","\mma.reg","\mma.vbs")

    Set ObjFileSys = CreateObject("Scripting.FileSystemObject")

    Call DeleteRegistry()
    Call CleanSystem32()
    Call CleanAllDrives

    Set ObjFileSys = Nothing
    MsgBox "Done"
    WScript.Quit

    ' Remove the virus files from the system32 folder
    Sub CleanSystem32()
        Dim SysFolder
        Set SysFolder = ObjFileSys.GetSpecialFolder(FolderSystem32)
        For Dimension = LBound(VirusFileNames) To UBound(VirusFileNames)
            If ObjFileSys.FileExists(SysFolder.Path & VirusFileNames(Dimension)) Then DeleteThisFile SysFolder.Path & VirusFileNames(Dimension)
        Next
        Set SysFolder = Nothing
    End Sub

    ' Remove the virus files from the root of every drive
    Sub CleanAllDrives()
        Dim Drive, Drives
        Set Drives = ObjFileSys.Drives
        For Each Drive in Drives
            For Dimension = LBound(VirusFileNames) To UBound(VirusFileNames)
                If ObjFileSys.FileExists(Drive.Path & VirusFileNames(Dimension)) Then DeleteThisFile Drive.Path & VirusFileNames(Dimension)
            Next
        Next
        Set Drives = Nothing
    End Sub

    ' Clear the hidden/system/read-only attributes, then force-delete the file
    Function DeleteThisFile(FileName)
        Dim File
        Set File = ObjFileSys.GetFile(FileName)
        File.attributes = 0
        File.Delete True
        Set File = Nothing
    End Function

    ' Reset the Winlogon Userinit value to the full path of userinit.exe (comma included)
    Sub DeleteRegistry()
        Dim WSHShell, SysFolder
        Set SysFolder = ObjFileSys.GetSpecialFolder(FolderSystem32)
        Set WSHShell = WScript.CreateObject("WScript.Shell")

        WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", SysFolder.Path & "\userinit.exe,"

        WScript.DisconnectObject WSHShell
        Set WSHShell = Nothing
    End Sub

    Comment by Vipul Patel — March 12, 2008 @ 8:00 am

  4. it works! tnx vipul patel..

    Comment by dino — March 23, 2008 @ 8:25 pm

  5. The thing is, once PC starts “Logon” and “Logoff” cycle, how to log in to run the given scripts?
    Please help. Though the data is secure, as it is in separate partition, but windows logs off immediately upon logging on. Please help !

    Harsh

    Comment by Harsh Gharpure — March 25, 2008 @ 4:31 pm

  6. The thing is, I had tried the solution before having suggestion of Vipul.
    Now the PC logs off immediately after login. How to overcome that? Pl help

    harsh

    Comment by Harsh Gharpure — March 25, 2008 @ 4:39 pm

  7. I tried this. But when I logged on my pc immediately logged off. How I overcome from this?

    Comment by Akshay — April 11, 2008 @ 8:27 am

  8. i tried this. But when I logged on my pc immediately logged off. How I can overcome from this? help me pls asap.. tnx

    Comment by aren — May 2, 2008 @ 6:20 pm
