Tuesday, November 15, 2011

BSQXITA virus removal


What does this virus do?

a.  When you log into your OS account, a folder will pop up like My Documents, Windows folder itself, or any other folders.

b.  When the infection goes deeper, the only thing you can see is whatever that folder has popped out and its contents.  No desktop, no start button, and a lot of no other things.

When you experienced something like this, then you can suspect that that is BSQXITA virus (I am not sure if it is called by any other names by other antiviruses software out in the market but that is the name I have seen).

This tutorial will show you the way to recover from that infection and to totally eradicate said malware.  The steps will involve removing related registry entries as well as physically removing those file infections in the harddrive.  Here goes:

a.  When you are already logged and a folder (with its contents) automatically appears and nothing else, you need to kill the Explorer process.  Explorer is Windows shell and the reason why I said to kill it is because the Explorer loaded by your OS upon logon has something extra.  You will learn what later.  So press Ctrl+Alt+Del and go to Task Manager, then search for Explorer.exe, right-click, choose Kill Process Tree.

b.  Everything disappers at this time except with the task manager.  Do not close it and instead click File, New Task (Run) then type explorer and hit Enter. After that everything is proper.  All we need to do now is start removing the infections, both files and registry entries.

c.  Click Start, Run and type MSCONFIG then hit Enter.  Once inside MSCONFIG, go to Startup Tab and look for these entries:  BSQXITA.EXE and NETSFIGX.EXE.  Untick those so it won’t be auto-loaded next time.   Click apply, then close.  It will ask you to restart, choose Exit without Restart!

d.  Click Start, Run and type REGEDIT then hit Enter.  We will now clean registry entries made by this virus.  Go to these locations (HKLM means HKEY_LOCAL_MACHINE):

- HKLM\Software\Microsoft\Windows\CurrentVersion\Run (delete entries for those two files mentioned above).

Optionally, you can also clean the startupreg as shown in MSCONFIG.  Go to:
- HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg
Delete the files that is being autoloaded there that seems suspicious like the BSQXITA.EXE and NETSFIGX.EXE entries

Now in letter a above, I have said to kill Explorer exe because it does an extra thing, right?  The next registry entry is responsible for that.  Navigate to:

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

Under “shell” entry, you will see something like this:  Explorer.exe System3_.exe

The reason why during initial logon, a folder is popping up and nothing else is because of that entry.  Explorer is auto-loading another exe into processes and that System3_.exe (sometimes the name may change) is a virus component that halts any other more execution.  That is also the reason why I want you, in letter a above, to kill the first instance of Explorer.exe in the process in task manager.  Because by killing that first process, you are also killing the related processes it has loaded.  Letter b reloads a “clean” instance of Explorer which is the OS shell and that one is loaded without any extra baggage.

Now, under that shell entry, remove the extra commands. Double-click it and leave only Explorer.exe
Just to make sure that everything is cleaned, still inside the registry, go back to My Computer and hit F3 (search) and type BSQX and search for it.  Delete every occurrence.  To resume searching after it find one entry and you deleted it, hit F3 again.  When it reached the end, go back to the top by clicking My Computer and this time do not hit F3 as it will resume searching for BSQXITA.EXE.  You need to look for another this time, i.e., NETSFIGX.  To do a fresh search, press Ctrl+F.  Remove all occurences of that item.

RECAP:

a.  We have loaded a fresh clean Explorer shell
b.  We have killed processes relating to this virus
c.  We have cleaned registry entries so that virus won't be loaded again next time we logged on

All that is left is to remove the physical files in the harddrive. Those files are actuall inside Windows\System32 and \Users\Administrator (for system3_.exe).  But if you have the time, open explorer and search for those files.  Ensure that in advance, Search hidden Files and Folders is ticked.  Delete all those infections.

If for one reason or another, the system won’t allow you to delete a file, use unlocker, a tool created by Fredirick “Nitch” Collomb http://ccollomb.free.fr/unlocker/


Goodluck on your end!

No comments:

Post a Comment