|
Baki.A is a worm that spreads by copying itself to local and removable drives. It also disables some security-related processes on the compromised computer.
Remove the Worm Using Spyware Doctor!
Sponsored Links:
Free Download Now:
Baki.A Removal:
To remove Baki.A, please follow the instruction:
- Terminate the processes in Task Manager:
lsass.exe
Music.exe
Open.exe
smss.exe
- Click Start > Run. Type REGEDIT. Then click OK. Navigate to the subkeys and delete the values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"kb" = "C:\WINDOWS\system32\drivers\AUTO.TXT"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\"Default" = "C:\WINDOWS\pchealth\ERRORREP\QHEADLES\smss.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFolderOptions" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoControlPanel" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
\"LimitSystemRestoreCheckpointing" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"DisableMSI" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"HideClock" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDrives" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFind" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoShellSearchButton" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\"Disable" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\fonts\services.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\"Default" = "C:\WINDOWS\ime\imjp8_1\applets\lsass.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\"Default" = "C:\WINDOWS\pchealth\ERRORREP\QHEADLES\smss.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\"Default" = "File Folder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\"Default" = "C:\WINDOWS\ime\imjp8_1\applets\lsass.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\"Auto" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\"Debugger" = "C:\WINDOWS\mui\smss.exe""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "C:\WINDOWS\mui\smss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"LegalNoticeCaption" = "KIBAKI TOSHA KIBAKI TENA"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"LegalNoticeText" = "KIBAKI FOR PRESIDENT VOTE"
Registry management is too hard? Download Registry Mechanic, and you will find it too easy!
- Remove the files in Explorer if exist:
%DriveLetter%\Open.exe
%DriveLetter%\AUTORUN.INF
%SystemDrive%\Documents and Settings\All Users\Documents\Music.exe
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
%Windows Dir%\ime\imjp8_1\applets\lsass.exe
%Windows Dir%\mui\smss.exe
%Windows Dir%\pchealth\ERRORREP\QHEADLES\smss.exe
%Windows Dir%\Autorun.inf
%Windows Dir%\SoftWareProtector\Error_out.pr
Spyware Doctor can automatically remove the worm. Even if you remove it manually, we recommend you should use Spyware Doctor to make sure it's completely removed from your system and will not be reinstalled by itself.
More
Removal Instructions for Emerging Adware & Spyware
| 
