First I suggest you to follow prevention is better than cure proverb as it is better to safe than trying clean up after the system getting infected. We have to be very careful in clicking the unknown links, enable pop-up blocker, Turn on firewall on your system, getting the Anti-virus updated are some of the basic things we need to make sure that they are done to safe guard our system.
Manual removal of the worm :
Step 1: We need to turn the system restore off.
Step 2: Delete all the files and processes that belong to the worm from task manager processes tab
Step 3: Some times you will not be able to download the files from the locations found from the processes tab or using process explorer, at that time restart the system in safe mode and and try to remove the files.
Step 4: Enable Registry Editor
Step 5: Delete the registry values from the path
- In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Shell = %Program Files%\Microsoft Office\OFFICE11\WINWORD.EXE
- In HKEY_CLASSES_ROOT\exefile
- NeverShowExt =
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
- Debugger = cmd.exe /c del
- Delete the registry keys
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
- Svc
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\
- FWCFG
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
- WinDefend
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
- Restore this modified registry values in the files
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced From: SuperHidden = 0
To: SuperHidden = 1 - In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- From: Type = 4
To: Type = 20 - In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
- From: Type = 4To: Type = 20
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
- From: Type = 4To: Type = 20
- There will be another location with the same path change the value from type 4 to 20.
Search and delete the keys in the following location for different files %Program Files%\Microsoft Office\OFFICE11\ control.ini
Drvics32.dll
hjwgsd.dll
jwiegh.dll
PUB60SP.mrc
ruimsbbe.dll
smss.exe
yofc.dll
remote.ini
After doing this please scan your computer using any good updated anti-virus program.
0 comments:
Post a Comment