wuauclt1.exe/incs.exe/scardclt.exe Removal

Symantec: Backdoor.Dalsk



If you find any of these three files running in your Task Manager's Processes tab, your computer is infected with a worm. A worm is a malicious program that copies itself throughout the computer, consuming disk space and memory. This worm generally enters a computer either when the user visits a malicious site or when another Trojan downloads it. Once executed, it creates several copies of itself in the %system32% folder as .exe, .bak, .dll, .sys and .log files. While the worm's processes run, the DLL files are registered, and the log files store information about the infected computer. It also behaves as a backdoor: it opens a port and attempts to download further malicious files, which the worm then executes, exposing the computer to other threats. After a while, the files are injected into the Services.exe process so that they run as services. A file running as a service is difficult for an anti-virus to delete, so some anti-virus products fail to remove these files even after detecting them, which means it becomes your job to delete them. Sounds difficult, doesn't it? Once you go through these instructions, you'll see how simple it really is!

Manual instructions to delete wuauclt1.exe/incs.exe/scardclt.exe:

  1. Begin by rebooting your computer in Safe Mode. In Safe Mode, Windows launches only a minimal set of processes, so you won't need to end any processes from the Task Manager. If you have any problems with this step, you can refer to the "Enabling Windows Services" section on the right side.
  2. Once you're there, go to Start --> Run and type regedit to open the Registry Editor. Navigate to and delete these keys:

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\incs
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipcdr
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irpfit
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScardClt

    Yes, they look like very important keys, but they are actually keys created by the virus to add itself to the Services.exe process. Also search the registry (Ctrl+F) for the following files:

    * wuauclt1.exe
    * scardclt.exe
    * incs.exe

    Delete any registry entry that references these files.
  3. Now that you've stopped the files from launching again, it's time to delete the worm completely. To do this, restart your computer again.
  4. After the reboot, go to Start --> Run and type cmd to open the Command Prompt. In the Command Prompt, follow the steps given below to get rid of the worm.
    * cd\
    * cd WINDOWS
    * cd System32
    * attrib -r -a -s -h rshx16.bak
    * del rshx16.bak
    * attrib -r -a -s -h rshx16.dll
    * del rshx16.dll
    * attrib -r -a -s -h scardclt.exe
    * del scardclt.exe
    * attrib -r -a -s -h ntmsapi16.dll
    * del ntmsapi16.dll
    * attrib -r -a -s -h igxpgb32.dll
    * del igxpgb32.dll
    * attrib -r -a -s -h hid32.dll
    * del hid32.dll
    * attrib -r -a -s -h hid32.bak
    * del hid32.bak
    * attrib -r -a -s -h incs.exe
    * del incs.exe
    * attrib -r -a -s -h msvfw16.dll
    * del msvfw16.dll
    * attrib -r -a -s -h dmome.dll
    * del dmome.dll
    * cd drivers
    * attrib -r -a -s -h irpfit.sys
    * del irpfit.sys
    * attrib -r -a -s -h irpfit.bak
    * del irpfit.bak
    * cd..
    * cd Setup
    * attrib -r -a -s -h hid32.log
    * del hid32.log
    * attrib -r -a -s -h wuauclt1.exe
    * del wuauclt1.exe

    In most cases, you won't be able to delete the DLLs while they are still registered. If this happens, you'll need to unregister them first; to do this, check the right side for the link in the "Enable Windows Services" section.
  5. Now restart your system and you'll find your system hale and healthy!!
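The steps above can be audited in one pass before anything is deleted. The PowerShell script below is an added example and not part of the original post: it checks for every service key and dropped file named in steps 2 and 4, reports whichever are present (hidden and system attributes included), and removes them only when run with -Remove. The key and file names come from the post; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post): audit the Backdoor.Dalsk indicators
# listed in the removal steps and optionally remove them. Run as Administrator,
# ideally from Safe Mode as step 1 recommends. Without -Remove it only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # example's own switch: delete what is found
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# Service keys the worm creates (step 2 of the post)
$serviceKeys = 'incs', 'ipcdr', 'irpfit', 'ScardClt' |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }

# Dropped files and the directories they live in (step 4 of the post)
$files = @(
    'rshx16.bak', 'rshx16.dll', 'scardclt.exe', 'ntmsapi16.dll', 'igxpgb32.dll',
    'hid32.dll', 'hid32.bak', 'incs.exe', 'msvfw16.dll', 'dmome.dll' |
        ForEach-Object { Join-Path $sys32 $_ }
    'irpfit.sys', 'irpfit.bak' | ForEach-Object { Join-Path $sys32 "drivers\$_" }
    'hid32.log', 'wuauclt1.exe' | ForEach-Object { Join-Path $sys32 "Setup\$_" }
)

function Get-DalskIndicator {
    foreach ($key in $serviceKeys) {
        [pscustomobject]@{ Type = 'RegistryKey'; Path = $key; Present = (Test-Path $key) }
    }
    foreach ($f in $files) {
        # -Force so files marked system/hidden (attrib +s +h) are still seen
        $present = [bool](Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Type = 'File'; Path = $f; Present = $present }
    }
}

$found = Get-DalskIndicator | Where-Object Present
if (-not $found) {
    Write-Host 'No Backdoor.Dalsk indicators found.'
    return
}

$found | Format-Table Type, Path -AutoSize

if ($Remove) {
    foreach ($i in $found) {
        if ($PSCmdlet.ShouldProcess($i.Path, 'Remove')) {
            if ($i.Type -eq 'RegistryKey') {
                Remove-Item -Path $i.Path -Recurse -Force
            } else {
                # Clear read-only/system/hidden first, the same as "attrib -r -a -s -h"
                (Get-Item -LiteralPath $i.Path -Force).Attributes = 'Normal'
                Remove-Item -LiteralPath $i.Path -Force
            }
        }
    }
}
```

Run it once without -Remove to see what is present, then with -Remove -WhatIf to preview, and finally with -Remove. As the post notes, a DLL that is still registered and loaded will fail to delete here just as it does with del; unregister it and reboot, then rerun the script to confirm nothing remains.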

Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry, Enable Hidden files and folders option and Enabling the Command Prompt.
