Infocard.exe Removal

Bitdefender: Worm.P2P.Palevo.DP

These worms have been around for a long time, so you may wonder why I am writing about them now. They are the worms that spread through instant messages exchanged over applications such as Yahoo Messenger, MSN Messenger, Skype, Gtalk and so on. This particular worm, however, targets only two messengers: MSN and Yahoo Messenger. Many versions of such worms have appeared in the virus world, but this one is quite different from the rest. It does not send a link like the others; it sends a JPG picture instead. Yes, you read that correctly! Once the picture is double-clicked, the worm launches its malicious code, which saves copies of itself in several directories on the target's computer. Through these malicious files it connects to various servers, receives commands from them and acts accordingly. The worm also adds registry values so that it is launched at every startup for every user sharing the computer. These registry entries are named in such a way that a normal user viewing them would assume they are values related to the Windows Firewall. When the user launches the IM client, a copy of the same malicious code is sent in the same form to his contacts.

Manual instructions to remove infocard.exe:
  1. First, reboot the computer in Safe Mode.
  2. The worm places a copy of its malicious code in one of the crucial Windows directories. To find the path to that directory, we need to look it up in the registry.
  3. To do so, go to Start --> Run, type "regedit" and navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

    In this key you'll find a value named "Firewall Administrating". Before deleting it, copy the file path it contains into Notepad, since you will need it in the next step. Then delete the value. Also navigate to the following two keys and delete the same value there:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]

    Now that you have stopped the worm's startup entries, it's time to restart the system.
  4. After restarting, go to Start --> Run and type "cmd". Navigate to the worm's directory by typing "cd [directory name]" (the path you copied from the registry). Then clear the attributes of each file with the command "attrib -r -a -s -h [filename.extension]" and delete it. Do this for the following files:

    * infocard.exe
    * mds.sys
    * mdt.sys
    * winbrd.jpg

  5. Now that you've deleted all the files related to the worm, reboot the system once again. Your system should now be free of infocard.exe.
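To verify the cleanup, the following PowerShell script (an added example, not part of the original post) checks the three Run keys listed above for the "Firewall Administrating" value and reports whether the four files named in step 4 still exist in the directory that value points to. It only reads and reports; it does not delete anything, and it assumes the key and value names are exactly as given in this post.

```powershell
# Added verification script: report leftover "Firewall Administrating" Run
# entries and the worm files they point at. Read-only; nothing is modified.
$valueName = 'Firewall Administrating'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# File names taken from step 4 of the post.
$wormFiles = @('infocard.exe', 'mds.sys', 'mdt.sys', 'winbrd.jpg')

foreach ($key in $runKeys) {
    # Returns $null if either the key or the value is missing.
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "[clean] $key has no '$valueName' value"
        continue
    }
    $cmdLine = $item.$valueName
    Write-Output "[FOUND] $key : $valueName = $cmdLine"

    # The value holds "[FilePath]\infocard.exe"; strip quotes and keep the directory.
    $exePath = $cmdLine.Trim('"')
    $dir = Split-Path -Path $exePath -Parent
    if (-not $dir) { continue }

    foreach ($f in $wormFiles) {
        $full = Join-Path -Path $dir -ChildPath $f
        # -Force is required because the files carry the hidden/system attributes
        # that step 4 clears with "attrib -r -a -s -h".
        $fi = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if ($fi) {
            Write-Output ("  present: {0} (attributes: {1})" -f $full, $fi.Attributes)
        } else {
            Write-Output "  absent : $full"
        }
    }
}
```

Run it once before step 3 to record the path the value points to, and again after the final reboot; every key should then report [clean] and no file should be listed as present.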
Posts that might be helpful here:

Enabling Safe Mode booting, enabling the Registry and enabling the Command Prompt.