Well, it is quite obvious, however.
I'll include manual removal instructions. Please follow the steps carefully.
There will be two executable files, which are Sysinternals Antivirus.exe and svchost.exe. Svchost is invoked by the other executable. There may be another one named alggui.exe.
You have to kill these two processes.
First of all you have to do this:
- Start the Task manager by right clicking on the Taskbar.
- Go to Processes.
- Observe the processes.
- Right click on the processes and select End Process for Sysinternals Antivirus.exe and alggui.exe. You will not be able to kill svchost.exe this way, however, since there will be more than one and each represents a valid system process. To find the exact process run by the file which resides in "Program Files", I recommend you use the Security Task Manager for Windows. Here is the link.
- Use the tool and kill the exact process.
Locating malicious files.
The list of files I have already mentioned. But there are more.
- C:\Program Files\skynet.dat
- C:\Program Files\svchost.exe
- C:\Program Files\alggui.exe
- %UserProfile%\Desktop\Sysinternals Antivirus.lnk
- %UserProfile%\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
- C:\Program Files\adc_w32.dll. You must unregister this. Otherwise it will run again.
- C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe
- %UserProfile%\Start Menu\Programs\Sysinternals Antivirus
- C:\Program Files\Sysinternals Antivirus
- In variants there will be additional files (Sysinternals Antivirus.exe, adc_w32.dll, alggui.exe, extra1.dat, extra2.dat, nuar.old, skynet.dat, svchost.exe, wp3.dat, wp4.dat, dbsinit.exe, wispex.html, ccsmn.exe, ccsmn151.acf, csmn151.ltd, ccsmn151.lti, ccsmn151_0.acb, ccsmn151_0.aci, ccsmn151_0.mt, ccsrr.exe, wmharun.log, wmrun.log, Sysinternals Antivirus.lnk).
You have to search for and delete each and every file.
We have to set some additional things in order to see the hidden and system files, which are protected.
- Open My Computer.
- Go to Tools and then Folder Options.
- Click on View tab.
- Under the Option "Hidden Files and Folders", set it to "Show ..."
- Untick the "Hide Protected Operating System Files (Recommended)" as well.
- Now go to the C: partition and check whether you can see .sys and other hidden files, including the System Volume Information folder. If so, the procedure was successful. Otherwise you have to edit the registry or use the DOS command window to locate and delete these files.
- Use the Windows search tool to search for the files. Before searching, set the More Advanced Options. Check "All files and folders". Drop down "More advanced options" and tick the Search system folders, Search hidden files and folders, and Search subfolders options. Then do the search. If you find any file or folder you have to delete it. Before deleting, there is one more thing to do.
- You have to stop the startup processes.
- Click on the Start menu and hit Run. Or type Run in the Start menu search box if you have Vista.
- Type this in the Run box: msconfig
- Hit Enter.
- Go to the "Startup" tab. Examine the processes and remove the unwanted ones. You can browse for the valid ones. Especially note the Autorun.inf files. You must remove them if they exist. Remember the path to each malicious file. Then uncheck the boxes. Hit the Apply button. Then the OK button.
- Do not restart the system when you are asked to.
Stopping the System Restore services
- Go to the Properties of My Computer.
- Go to System Restore.
- Turn it off.
Now you are ready to delete the files.
Click on each file and press SHIFT+DEL. Do not right click and Delete.
Alternative way if hidden files and folders are not shown
- Get the Run box again, type cmd and press Enter.
- Type cd\ and hit Enter.
- Now you will be at the root of the system drive (C:, most probably).
- You have to use cd foldername to move into a folder.
- Example: type cd program files and hit Enter to go into Program Files. CD stands for Change Directory.
- To change the partition you have to type the drive letter followed by a colon and hit Enter.
- Example: D:
- Locate each file and delete it, except adc_w32.dll, because we have to unregister it first.
- Go to each location I have included here, as well as those shown in the msconfig tool.
- Then use DIR /a /q to get the list of files.
- Type DIR /a /q and hit Enter (note the spaces).
- Now, if you see the files, type this and hit Enter:
- attrib -s -h -a -r
- Then type Del followed by the file name.
- Example: Del alggui.exe
- What the attrib command does is change the file attributes to normal (- is used to remove an attribute; S is for System, H is for Hidden, A is for Archive, R is for Read Only).
- Make sure you go to the root of each partition and check for Autorun.inf files (there may be batch files as well: .bat files, .exe files, etc. Check whether they are valid executables using the browser).
- Now that part is done!
Unregistering the DLL file before Deleting:
- Get the Command Window again using cmd.
- Type Regsvr32 /? and hit Enter. If you get a dialog box, that means it's functioning.
- If you do not have it, obtain it from here. Place the file in Windows\System32.
- Type Regsvr32 /u C:\Path\adc_w32.dll and hit Enter.
- Path is the path to the file. It may be in Program Files, Windows or Windows\System32. Use Search or the Command Window to find it (it might be in the Startup tab of msconfig as well).
- You can run this command without the Command Window as well. Just enter it in the Run box and hit Enter. If you do it properly it will show you a dialog box containing the success message.
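As an added example, not part of the original post or of any tool it names, here is the same procedure written as one PowerShell script: it flags the rogue's processes (including any svchost.exe not running from the Windows system directories, which is the only reliable way to tell the fake one apart), reports autorun.inf on fixed drive roots and Run-key entries that point at the listed files, then, only with -Remove, unregisters adc_w32.dll, strips the S/H/A/R attributes the way attrib -s -h -a -r does, and deletes the files. The -Remove switch, the Run-key match pattern and the Clear-SpecialAttributes helper are this script's own assumptions; the file paths are the ones listed in the post. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example, not code from the original post. Audit mode by default;
  -Remove performs the actions, -Remove -WhatIf shows what would be done.
  Assumed: file list as given in the post; pattern and helper are this script's own.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$pf   = $env:ProgramFiles
$prof = $env:USERPROFILE

# File and folder indicators named in the post (paths with backslashes restored)
$Indicators = @(
    "$pf\skynet.dat",
    "$pf\svchost.exe",
    "$pf\alggui.exe",
    "$pf\Sysinternals Antivirus\Sysinternals Antivirus.exe",
    "$pf\Sysinternals Antivirus",
    "$prof\Desktop\Sysinternals Antivirus.lnk",
    "$prof\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk",
    "$prof\Start Menu\Programs\Sysinternals Antivirus"
)
$Dll = "$pf\adc_w32.dll"   # handled last: must be unregistered before deletion

function Clear-SpecialAttributes {
    # Equivalent of  attrib -s -h -a -r <path>  so Remove-Item is not refused (assumed helper)
    param([string]$Path)
    $mask = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::Archive -bor [IO.FileAttributes]::ReadOnly
    $items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $new = $item.Attributes -band (-bnot $mask)
        if ([int]$new -eq 0) { $new = [IO.FileAttributes]::Normal }
        $item.Attributes = $new
    }
}

# 1. Processes: the rogue's own executables, plus any svchost.exe that does not run
#    from System32 (or SysWOW64 on 64-bit Windows), the only places the real one lives.
$legit = @("$env:SystemRoot\System32\*", "$env:SystemRoot\SysWOW64\*")
foreach ($p in Get-Process) {
    $path = $null
    try { $path = $p.Path } catch { }     # protected processes deny access; skip them
    if (-not $path) { continue }
    $rogue       = ('Sysinternals Antivirus', 'alggui') -contains $p.Name
    $fakeSvchost = ($p.Name -eq 'svchost') -and -not ($path -like $legit[0] -or $path -like $legit[1])
    if ($rogue -or $fakeSvchost) {
        Write-Host "Suspicious process: $($p.Name) (PID $($p.Id)) from $path"
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. autorun.inf on the root of every fixed drive; show the lines that launch something
foreach ($d in [IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady }) {
    $auto = Join-Path $d.RootDirectory.FullName 'autorun.inf'
    if (Test-Path -LiteralPath $auto) {
        Write-Host "autorun.inf on $($d.RootDirectory.FullName) launches:"
        Get-Content -LiteralPath $auto -Force | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } | ForEach-Object { "    $_" } | Write-Host
        $Indicators += $auto
    }
}

# 3. Run keys (what msconfig's Startup tab lists) whose command points at a rogue file.
#    The pattern is this script's assumption, built from the file names in the post.
$pattern = 'Sysinternals Antivirus|alggui\.exe|adc_w32\.dll|skynet\.dat|Program Files\\svchost\.exe'
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }           # provider metadata, not a value
        if ("$($prop.Value)" -match $pattern) {
            Write-Host "Startup entry $key\$($prop.Name) = $($prop.Value)"
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $prop.Name
            }
        }
    }
}

# 4. Unregister the DLL first (the post's Regsvr32 /u step), then clear attributes and delete
if (Test-Path -LiteralPath $Dll) {
    if ($Remove -and $PSCmdlet.ShouldProcess($Dll, 'regsvr32 /u')) {
        Start-Process -FilePath regsvr32.exe -ArgumentList "/u /s `"$Dll`"" -Wait
    }
    $Indicators += $Dll
}
foreach ($path in $Indicators) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    Write-Host ("Found {0} {1} [{2}]" -f $(if ($item.PSIsContainer) { 'folder' } else { 'file' }), $path, $item.Attributes)
    if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
        Clear-SpecialAttributes -Path $path
        Remove-Item -LiteralPath $path -Recurse -Force
    }
}
```

Run it once without switches to see what it finds, then with -Remove -WhatIf to preview, and finally with -Remove. The svchost.exe test relies on location, not name, which is why the post's Task Manager approach cannot tell the copies apart. The variant file names the post lists are not in $Indicators; add them to the array if a search turns them up.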