How To Clean Yahoo Messenger Virus

Written By Unknown on Thursday, February 18, 2010 | 7:20 AM


Once a computer is infected, the virus automatically creates files with random names and the extensions .tmp and .exe, each with a different name, in the directory [C:\Documents and Settings\%user%\Local Settings\Temp].

Follow these steps:
1. Disable 'System Restore' during the cleaning process.
2. Disable Windows autorun, so the virus cannot be activated automatically when a drive or flash disk is accessed.

* Click 'Start'
* Click 'Run'
* Type 'gpedit.msc' without the quotes, then press Enter. This opens the 'Group Policy' window
* Under both 'Computer Configuration' and 'User Configuration', click 'Administrative Templates'
* Click 'System'
* Right-click 'Turn off Autoplay' and select 'Properties'. This opens the 'Turn off Autoplay Properties' window
* On the 'Settings' tab, select 'Enabled'
* In the 'Turn off Autoplay on' list, select 'All drives'
* Click 'OK'

3. Terminate the virus processes. Use the tool 'Security Task Manager', then delete the files [sysmgr.exe, vshost.exe, winservices.exe, *.tmp].

Note: the .tmp files are the ones shown with the TMP extension [example: 5755.tmp]. Right-click the file and select 'Remove', then select the option 'Move files to Quarantine'.

4. Repair the registry entries changed by the virus. To speed up the removal, copy the script below into Notepad and save it as repair.inf. Run it as follows: right-click repair.inf and select 'Install'.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the shell\open\command handlers, the Winlogon shell and the Explorer sound events
[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, SessionInformation, ProgramCount, 0x00010001,3
HKCU, AppEvents\Schemes\Apps\Explorer\BlockedPopup\.Current,,,"C:\WINDOWS\media\Windows XP Pop-ups Blocked.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current,,,"C:\Windows\Media\Windows XP Recycle.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\Navigating\.Current,,,"C:\Windows\Media\Windows XP Start.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\SecurityBand\.Current,,,"C:\WINDOWS\media\Windows XP Information Bar.wav"

; Remove the values added by the virus
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft (R) System Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, help bMaxUserPortWindows Service
HKLM, SYSTEM\CurrentControlSet\Services\TCPIP\Parameters, MaxUserPort

5. Delete the following virus files:

C:\vshost.exe [all drives]
C:\autorun.inf [all drives]
C:\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
C:\Documents and Settings\%user%\Local Settings\Temp
    A415.tmp [random]
    034.exe [random]
    Lady_Eats_Her_Shit-www.youtube.com
C:\WINDOWS\system32\sysmgr.exe
C:\WINDOWS\TEMP\5755.tmp
C:\windows\system32\crypts.dll
C:\windows\system32\msvcrt2.dll

6. For optimal cleaning and to prevent reinfection, use an up-to-date antivirus that can detect and remove this virus.
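
One way to check the result after the steps above, as an added example that is not part of the original post: a read-only PowerShell script that compares the registry against the values repair.inf writes and looks for the files listed in step 5. It assumes PowerShell is installed on the machine; the variable names and output wording are illustrative.

```powershell
# Read-only check: nothing here modifies the registry or deletes files.
# Expected values and paths come from the repair.inf and file list in this post.
$findings = @()

# Handlers written by [UnhookRegKey]
$expected = @{
    batfile = '"%1" %*'; comfile = '"%1" %*'; exefile = '"%1" %*'
    piffile = '"%1" %*'; scrfile = '"%1" %*'; regfile = 'regedit.exe "%1"'
}
foreach ($class in $expected.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$class\shell\open\command"
    $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($actual -ne $expected[$class]) {
        $findings += "Handler for ${class}: '$actual' (repair.inf writes '$($expected[$class])')"
    }
}

# Winlogon shell value written by [UnhookRegKey]
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Shell -ne 'Explorer.exe') { $findings += "Winlogon Shell: '$($winlogon.Shell)'" }

# Values removed by [del]
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($null -ne $run.'Microsoft (R) System Manager') { $findings += 'Run value still present: Microsoft (R) System Manager' }
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
if ($null -ne $tcp.MaxUserPort) { $findings += "MaxUserPort is set: $($tcp.MaxUserPort)" }

# Fixed-name files from step 5; vshost.exe and autorun.inf are checked on every drive.
# An autorun.inf on installation media can be legitimate, so treat it as a prompt to inspect.
$paths = @("$env:SystemRoot\system32\sysmgr.exe", "$env:SystemRoot\system32\crypts.dll",
           "$env:SystemRoot\system32\msvcrt2.dll")
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $paths += (Join-Path $drive.Root 'vshost.exe'), (Join-Path $drive.Root 'autorun.inf')
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Randomly named .tmp/.exe files in the temp directories need manual review
$tempDirs = @($env:TEMP, "$env:SystemRoot\Temp")
foreach ($f in Get-ChildItem -Path $tempDirs -Force -ErrorAction SilentlyContinue) {
    if (-not $f.PSIsContainer -and $f.Extension -match '^\.(tmp|exe)$') { $findings += "Review: $($f.FullName)" }
}

if ($findings.Count -eq 0) { 'No indicators from this post found.' } else { $findings }
```

Ordinary software also leaves .tmp files in the temp directories, so the "Review" lines are candidates to inspect rather than confirmed virus files.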
