December 30, 2010

How to remove Worm_Lamin.AC

First, prevention is better than cure: it is far easier to stay clean than to disinfect a system after the fact. Be careful about clicking unknown links, keep the pop-up blocker on, keep the Windows Firewall turned on, and keep your anti-virus signatures up to date. These are the basics that have to be in place to safeguard the system.

Manual removal of the worm:

Step 1: Turn System Restore off, so the worm's files are not preserved in a restore point and brought back later.
Step 2: End the worm's processes from the Processes tab of Task Manager, then delete the files they were started from.
Step 3: Sometimes you will not be able to delete the files at the locations you found from the Processes tab or with Process Explorer, because they are still in use. In that case restart the system in Safe Mode and try to remove the files again.
Step 4: Re-enable Registry Editor if the worm has disabled it.
Step 5: Clean up the registry entries listed below.


  • Delete these values the worm adds:
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      • Shell = %Program Files%\Microsoft Office\OFFICE11\WINWORD.EXE
        (a clean system has no per-user Shell value here; removing it puts the logon shell back to the default explorer.exe)
    • In HKEY_CLASSES_ROOT\exefile
      • NeverShowExt =
        (hides the .exe extension of the worm's files in Explorer)
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      • EnableLUA = 0
        (turns UAC off; the default is 1)
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
      • Debugger = cmd.exe /c del
        (Windows runs the Debugger value instead of the named application, so the application is deleted whenever someone tries to start it; check every subkey under Image File Execution Options for this value)

  • Delete the registry keys
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
      • Svc
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\
      • FWCFG
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
      • WinDefend
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    Caution: Security Center and WinDefend are the registrations of Windows Security Center and Windows Defender themselves. Export these keys first and compare them with a clean machine running the same Windows version before deleting anything.

  • Restore these values the worm changed:
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • SuperHidden: from 0 back to 1
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
      • Type: from 4 back to 20
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
      • Type: from 4 back to 20
    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
      • Type: from 4 back to 20
    (the 20 is hexadecimal, 0x20, the normal Type of a shared-process Win32 service; Registry Editor shows it as 0x00000020 (32))
  • Any other service key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose Type has been changed to 4 should be set back to 20 in the same way.

Search for and delete the following files the worm drops into %Program Files%\Microsoft Office\OFFICE11\:
control.ini
Drvics32.dll
hjwgsd.dll
jwiegh.dll
PUB60SP.mrc
ruimsbbe.dll
smss.exe
yofc.dll
remote.ini

Only the smss.exe inside the OFFICE11 folder belongs to the worm. The smss.exe in %SystemRoot%\System32 is a Windows system binary and must be left alone.
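The steps above, collected into one script. This is an added example and is not part of the original post: it audits every registry and file indicator listed above and, when run with -Fix, undoes them. The paths, value names and file names are the post's; the -Fix switch, the Note helper and the decision to only report (never delete) the Security Center and WinDefend keys are this script's own assumptions. Run it from an elevated PowerShell prompt, preferably in Safe Mode with System Restore already off.

```powershell
# Added example (not from the original post): audit the Worm_Lamin.AC registry and file
# indicators listed above and, with -Fix, undo them. Paths, value names and file names are
# the post's; the -Fix switch and the Note helper are this script's own assumptions.
# Run from an elevated PowerShell prompt, preferably in Safe Mode with System Restore off.
param([switch]$Fix)

$script:findings = @()
function Note($msg) { $script:findings += $msg; Write-Host $msg }

# 1. Per-user Winlogon Shell override. A clean system has no Shell value under HKCU, so
#    removing it hands the logon shell back to the HKLM default (explorer.exe).
$wl = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    Note "Winlogon Shell override: $shell"
    if ($Fix) { Remove-ItemProperty -Path $wl -Name Shell }
}

# 2. NeverShowExt on exefile hides the .exe extension of the worm's files in Explorer.
$exefile = 'Registry::HKEY_CLASSES_ROOT\exefile'
if ($null -ne (Get-Item $exefile).GetValue('NeverShowExt', $null)) {
    Note 'exefile\NeverShowExt present (.exe extension hidden)'
    if ($Fix) { Remove-ItemProperty -Path $exefile -Name NeverShowExt }
}

# 3. EnableLUA = 0 turns UAC off (Vista and later); the default is 1. Absent on XP.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
if ((Get-ItemProperty -Path $pol).EnableLUA -eq 0) {
    Note 'EnableLUA = 0 (UAC disabled)'
    if ($Fix) { Set-ItemProperty -Path $pol -Name EnableLUA -Value 1 -Type DWord }
}

# 4. Image File Execution Options: a Debugger of "cmd.exe /c del" deletes the named program
#    instead of starting it. The post does not name the target, so every subkey is checked.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo) {
    $dbg = $key.GetValue('Debugger', $null)
    if ($dbg -and $dbg -match 'cmd\.exe\s+/c\s+del') {
        Note "IFEO hijack on $($key.PSChildName): Debugger = $dbg"
        if ($Fix) { Remove-ItemProperty -Path $key.PSPath -Name Debugger }
    }
}

# 5. Explorer SuperHidden 0 -> 1, and service Type 4 -> 0x20 (the post's "20" is hexadecimal:
#    0x20 is the normal Type of a shared-process Win32 service).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-ItemProperty -Path $adv).SuperHidden -eq 0) {
    Note 'Explorer SuperHidden = 0'
    if ($Fix) { Set-ItemProperty -Path $adv -Name SuperHidden -Value 1 -Type DWord }
}
foreach ($svc in 'wscsvc', 'SharedAccess', 'wuauserv') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if ((Test-Path $p) -and (Get-ItemProperty -Path $p).Type -eq 4) {
        Note "$svc Type = 4 (expected 0x20)"
        if ($Fix) { Set-ItemProperty -Path $p -Name Type -Value 0x20 -Type DWord }
    }
}

# 6. The post says to delete these keys, but they are Windows' own Security Center and
#    Windows Defender registrations: report them and compare with a clean machine first.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc',
               'HKLM:\SOFTWARE\Microsoft\Tracing\FWCFG',
               'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend') {
    $state = if (Test-Path $k) { 'present' } else { 'missing' }
    Note "$k is $state (verify against a clean system before deleting)"
}

# 7. Dropped files in the Office 11 folder (use ${env:ProgramFiles(x86)} for 32-bit Office
#    on 64-bit Windows). Only this copy of smss.exe belongs to the worm;
#    %SystemRoot%\System32\smss.exe is a Windows binary and must stay. Stop any process
#    running from a dropped file before deleting it.
$office = Join-Path $env:ProgramFiles 'Microsoft Office\OFFICE11'
$dropped = 'control.ini', 'Drvics32.dll', 'hjwgsd.dll', 'jwiegh.dll', 'PUB60SP.mrc',
           'ruimsbbe.dll', 'smss.exe', 'yofc.dll', 'remote.ini'
foreach ($proc in Get-Process) {
    $exe = try { $proc.Path } catch { $null }   # protected processes refuse to reveal a path
    if ($exe -and $exe -like "$office\*" -and
        $dropped -contains (Split-Path -Path $exe -Leaf)) {
        Note "Running from dropped file: $exe (PID $($proc.Id))"
        if ($Fix) { Stop-Process -Id $proc.Id -Force }
    }
}
foreach ($f in $dropped) {
    $path = Join-Path $office $f
    if (Test-Path $path) {
        Note "Dropped file: $path"
        if ($Fix) { Remove-Item -Path $path -Force }
    }
}

Write-Host "$($script:findings.Count) finding(s)$(if (-not $Fix) { ' (run with -Fix to repair)' })"
```

Run it once without -Fix to see what it finds, then again with -Fix to apply the repairs. The Security Center, FWCFG and WinDefend keys are deliberately only reported: decide about them by hand after comparing with a clean system, since deleting the WinDefend service key removes Windows Defender's registration.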


After this, scan the computer with a good, fully updated anti-virus program to confirm nothing was missed.
