Command.exe removal

McAfee: W32/Mobler.worm
Avira: TR/Crypt.CFI.Gen
Quickheal: Worm.Mobler.l

Discovered very recently, in September 2009, this virus's distinguishing trait is that it is executed whenever the user runs any file with the .exe format on the system, which it achieves by editing the registry. The rest of the damage done by this virus includes:

  • Dropping a copy of itself on every drive to make sure it is executed every time the drive is opened.
  • Adding images with a .jpg.exe extension. These files look like images but launch the virus when they are opened.
  • Modifying the Registry.
  • Hiding itself so that it is not noticed by the user.
  • Adding a registry value that hides the extensions of all .exe files.
It is not very destructive, but keeping a virus on your system is never safe, so it should be removed immediately. Here are a few instructions to get rid of this virus.

Manual instructions to remove comand.exe:

  1. Begin by rebooting your system in Safe Mode, because in this mode Windows does not let you open any suspicious .exe file, only trusted ones. Go to Start --> Run and type "regedit".
  2. Navigate to the following keys:

    HKEY_LOCAL_MACHINE\Software\Classes\.exe

    Look for the value "nevershowext" in the right-hand pane and delete it.
    By doing so, we remove the barrier the virus created to stop us from viewing the extension of any file.

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    Delete the entry containing the value:

    Default = "%Driveletter%:\comand.exe "%1" %*"

    This entry was created by the virus so that it auto-executes whenever we launch an application with the .exe extension. After you are done with this, reboot your computer once again for the changes to take effect.

  3. As soon as you restart your computer, remember that the malware is still present on your drives. Let's use the Command Prompt to delete the virus. Go to Start --> Run and type "cmd". Once it opens, execute the following commands (press the return key after every line):

    • %DriveLetter%: (here "drive letter" means each of the drives in your computer, such as C, D, E, F, etc.; repeat the next two commands for every drive)
    • attrib -r -a -s -h
    • del comand.exe
    • cd C:\System32\oobe\html\mouse\images
    • attrib -r -a -s -h
    • del bulzano.jpg.exe
    • del bulzanom.jpg.exe
    • del heidelb.jpg.exe
    • del heidelbm.jpg.exe
    • del paris.jpg.exe
    • del parism.jpg.exe
    • del pisa.jpg.exe
    • del pisam.jpg.exe


    These are all the unnecessary files created by the virus that might help the virus to launch again

  4. Now you're done. Sit back and enjoy.
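The manual steps above, collected into one batch script that first checks whether the hijack is present and only then undoes it; this is an added example, not a script from the original post. It assumes the registry keys and dropped file names given in the post, the stock value of the exefile open command, which is "%1" %*, and that the decoy folder lives under %SystemRoot%\System32 (the post writes C:\System32); the list of drive letters to sweep is a guess and should be adjusted to your machine.

```batch
@echo off
:: Added example (not from the original post): detect and undo the comand.exe
:: hijack described above. Run from an administrator Command Prompt in Safe Mode.
:: Assumptions: key paths and file names come from the post; "%1" %* is the
:: standard exefile open command; drive letters C..H are a guess.
setlocal

set "KEY=HKLM\Software\Classes\exefile\shell\open\command"

:: 1. Show the current .exe launch command before changing anything.
echo [*] Current exefile open command:
reg query "%KEY%" /ve

:: 2. If it points at comand.exe, restore the stock value "%1" %*.
reg query "%KEY%" /ve | find /i "comand.exe" >nul
if %errorlevel%==0 (
    echo [!] Hijack found, restoring the default launcher
    reg add "%KEY%" /ve /t REG_SZ /d "\"%%1\" %%*" /f
) else (
    echo [+] exefile launch command looks normal
)

:: 3. Remove the NeverShowExt value that hides .exe extensions.
reg query "HKLM\Software\Classes\.exe" /v NeverShowExt >nul 2>&1
if %errorlevel%==0 (
    echo [!] NeverShowExt present, deleting it
    reg delete "HKLM\Software\Classes\.exe" /v NeverShowExt /f
)

:: 4. Delete the dropped copy at the root of each drive (adjust the list).
for %%D in (C D E F G H) do (
    if exist "%%D:\comand.exe" (
        echo [!] Removing %%D:\comand.exe
        attrib -r -a -s -h "%%D:\comand.exe"
        del /f /q "%%D:\comand.exe"
    )
)

:: 5. Delete the .jpg.exe decoys dropped under the oobe images folder.
set "IMG=%SystemRoot%\System32\oobe\html\mouse\images"
for %%F in (bulzano bulzanom heidelb heidelbm paris parism pisa pisam) do (
    if exist "%IMG%\%%F.jpg.exe" (
        echo [!] Removing %IMG%\%%F.jpg.exe
        attrib -r -a -s -h "%IMG%\%%F.jpg.exe"
        del /f /q "%IMG%\%%F.jpg.exe"
    )
)
endlocal
```

Re-run the first `reg query` after a reboot to confirm the open command still reads "%1" %*; if it has been rewritten, another copy of the dropper is still running somewhere.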
