
Friday, October 26, 2007

How to Remove Pooh.vbs and Nhatquanglan Worms


I recently ran into this on my PC at work, so I am sharing the steps I used to get rid of this worm, especially for those of you who use USB flash drives and floppy diskettes.

The Nhatquanglan worm (usually together with the Pooh.vbs worm) slows down your PC and disables Windows Task Manager, Folder Options, the Registry Editor, the Group Policy Editor and the like. If you have these symptoms, there is a good chance you are also infected with the Pooh.vbs worm.

Symptoms that your PC is infected by the Nhatquanglan worm:

1. It spreads through USB drives, though other portable media may carry it too.

2. Windows Task Manager, Folder Options, the Registry Editor and similar tools cannot be opened.

3. A second "folder" appears with the same name as a real folder but an odd-looking folder icon; it is really a 282 KB file (a genuine folder shows no size in Explorer's Details view).

4. The computer slows down, and at the time of writing no antivirus seemed to catch it.

5. The USB drive cannot be stopped through the Safely Remove Hardware option.

6. The USB drive cannot be formatted (the worm running from it keeps the drive in use).

7. The worm is an .exe launched through autorun.inf, so it executes and infects the PC every time a USB drive is plugged in.


Steps on how to remove the Nhatquanglan worm:

1. Download HijackThis (free), the Task Manager fix from the Interra Group (also free), and a program called Spybot Killer.

2. Run HijackThis (rename the executable first or the worm will stop it from starting) and fix every entry that refers to scvhost.exe. Note the spelling: the genuine Windows file is svchost.exe and lives in C:\WINDOWS\system32; scvhost.exe, or an svchost.exe anywhere else, is the worm. Then run Spybot, and then the Task Manager fix. This should cure it. As you learn more about viruses, you will find HijackThis is probably the most useful program to have.

3. Reboot; the PC should run normally again.
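The same clean-up done from a command prompt, as an added example that is neither the author's procedure nor one of the tools named above: it kills and locates the scvhost.exe dropper and removes the policy values that disable Task Manager, the Registry Editor and Folder Options. It assumes the worm used the standard Windows policy values (DisableTaskMgr, DisableRegistryTools, NoFolderOptions); the post only says the tools are disabled, not how. It does not replace HijackThis for reviewing the other startup entries.

```batch
@echo off
rem Added example, not from the original post. Hunt the scvhost.exe dropper
rem and re-enable the tools the worm disables. Assumes the worm set the
rem standard policy values named below; the post does not say which it used.
rem Run from an Administrator command prompt, ideally in Safe Mode.

setlocal

rem 1. Kill any running copy. The real service host is svchost.exe in
rem    %SystemRoot%\system32; the worm uses the lookalike name scvhost.exe.
taskkill /f /im scvhost.exe >nul 2>&1

rem 2. List every copy on the fixed drives, whatever attributes it has
rem    (/a includes hidden and system files, /s walks the whole drive).
for %%d in (C D E) do (
  if exist %%d:\ (
    echo === searching %%d: ===
    dir /s /b /a %%d:\scvhost.exe 2>nul
  )
)
rem Review the list, then delete each hit. Clear the attributes first,
rem because the file is usually hidden+system and a plain "del" skips it:
rem   attrib -r -h -s C:\WINDOWS\system32\scvhost.exe
rem   del /f /q C:\WINDOWS\system32\scvhost.exe

rem 3. Remove the policy values that disable Task Manager, the Registry
rem    Editor and Folder Options, for the current user and the machine.
for %%h in (HKCU HKLM) do (
  reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f >nul 2>&1
  reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f >nul 2>&1
  reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /f >nul 2>&1
)

rem 4. Check that nothing still launches it at logon.
for %%h in (HKCU HKLM) do (
  reg query "%%h\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | findstr /i scvhost
)
echo Done. Reboot and confirm Task Manager opens with Ctrl+Shift+Esc.
endlocal
```

The HKCU entries are per user, so run the script once while logged in as the account that was infected, not only as the Administrator you use in Safe Mode; otherwise that user's Task Manager stays disabled.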


Pooh.vbs, also known as the W32/DKR worm, is a Visual Basic Script (VBScript) file that some antivirus products, such as Norton and McAfee, can detect. Pooh.vbs comes with an HTML file (aikelyu.html) that opens at Windows log-on. It abuses the Windows AutoRun feature: an autorun.inf dropped on a memory card or USB drive launches the script when the drive is opened, and from there it copies itself to the computer and to every memory card connected afterwards. Because it does not spread over the internet, it has not gained enough notoriety to be included in the definitions of many antivirus programs. Clean your infected memory cards as well, or they will reinfect the PC the next time they are plugged in.
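The AutoRun mechanism described above, as an added example that is not part of the original post: a batch file that shows what the autorun.inf on a given drive would launch and then turns AutoRun off for every drive type, so a stick that is still infected cannot re-launch the worm. The script name checkautorun.cmd, the drive letter and the sample autorun.inf lines in the comments are assumptions made for the example, not taken from the worm.

```batch
@echo off
rem Added example, not part of the original post. Inspect the autorun.inf
rem on a drive and disable AutoRun. Usage:  checkautorun.cmd E:
rem The drive letter and the sample autorun.inf in the comments are
rem constructed for illustration, not copied from the worm.

setlocal
if "%~1"=="" (
  echo usage: %~nx0 ^<drive:^>
  exit /b 1
)
set DRV=%~1

rem A worm-dropped autorun.inf typically looks like this (constructed sample):
rem   [autorun]
rem   open=pooh.vbs
rem   shellexecute=wscript.exe pooh.vbs
rem   shell\open\Command=wscript.exe pooh.vbs
rem Double-clicking the drive runs the shell\open command instead of
rem opening the drive, which is why "Autoplay" becomes the first item in
rem the context menu and C: no longer opens normally.

if exist "%DRV%\autorun.inf" (
  echo --- %DRV%\autorun.inf attributes and contents ---
  attrib "%DRV%\autorun.inf"
  type "%DRV%\autorun.inf"
  echo --- lines that decide what gets launched ---
  findstr /i /r "^open= ^shellexecute= ^shell\\.*command=" "%DRV%\autorun.inf"
) else (
  echo no autorun.inf on %DRV%
)

rem Disable AutoRun for all drive types (bitmask 0xFF = 255) for the machine
rem and the current user; Explorer then ignores autorun.inf on insert and
rem on double-click.
for %%h in (HKLM HKCU) do (
  reg add "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f >nul
)
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
endlocal
```

Run it once per stick before trusting the stick again. On Windows XP, NoDriveTypeAutoRun did not fully stop autorun.inf handling until Microsoft's later AutoRun update, so as a belt-and-braces measure also create a folder named autorun.inf in the root of each cleaned drive: a worm then cannot create a file of that name there.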

The aikelyu.html file:









Symptoms that your PC is infected with Pooh.vbs
1. You cannot open Local Disk (C:) by clicking it in My Computer; a message box appears instead. If you right-click the drive, you will notice that the first entry in the context menu is Autoplay.

2. While typing in, say, Microsoft Excel or Word, some URL (http://www.freewebtowns...) appears in the middle of your work, and some features of Excel, Word and similar programs are disabled.

3. When you log on to Windows, the aikelyu.html file opens; it is located at C:\WINDOWS\system32\aikelyu.html.


If you created a restore point before the Pooh.vbs infection was detected, you can run System Restore and the system files will be back to normal; the infected USB drives and memory cards still have to be cleaned, or they will reinfect the PC.

Download NOD32 and scan the system with it.

So here are the steps I took to remove the Pooh.vbs worm:
1. Reboot your PC into Safe Mode (press F8 repeatedly during boot-up and pick Safe Mode from the menu) and log in as an Administrator.

2. Also download StartUp Control Panel; you will use it later. For more information about StartUp Control Panel, see its documentation.

3. Open Windows Task Manager ([Ctrl] + [Alt] + [Delete] or [Ctrl] + [Shift] + [Esc]) and go to the Processes tab.

4. End the wscript.exe process (the Windows Script Host, which is what runs the .vbs) and the explorer.exe process.

5. Open a Command Prompt (open Run and type cmd).

6. At the Command Prompt, type the following. The dropped files are hidden+system, so every del needs /a (select files regardless of attributes) and /f (force read-only files); without them del only reports "Could Not Find":
del c:\pooh.vbs /f /s /q /a
del d:\pooh.vbs /f /s /q /a (repeat for every other drive and USB drive that has been infected)

del c:\autorun.inf /f /q /a
del d:\autorun.inf /f /q /a (repeat for every other drive and USB drive that has been infected)

del c:\windows\system32\kernell.dll.vbs /f /q /a

del c:\aikelyu.html /f /s /q /a

7. Now use the StartUp Control Panel you downloaded earlier to remove the entry that launches aikelyu.html at Windows startup. To double-check, open the System Configuration Utility (open Run and type msconfig), select the Startup tab and look for an entry that still refers to aikelyu.html with its box checked. If it is still there, uncheck it.

8. Open the Run dialog box again and type regedit.

9. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the left pane. In the right pane, check that the Shell string value is exactly Explorer.exe and that the Userinit value is exactly C:\WINDOWS\system32\userinit.exe, (with the trailing comma). The worm appends its own program to these values, so you see explorer.exe or userinit.exe followed by a second entry; delete the appended part and leave the original program in place. Do not delete the Userinit value itself, or Windows will no longer be able to log you in.

10. To check that pooh.vbs is really gone, go to Control Panel - Folder Options. On the View tab, choose "Show hidden files and folders", uncheck "Hide protected operating system files (Recommended)" and "Hide extensions for known file types", and press OK.

11. Open Windows Explorer ([Windows] + [E]), go to C:\ and check whether pooh.vbs is still there. Then go to C:\WINDOWS\system32 and check for aikelyu.html and kernell.dll.vbs. If any of them are still present, delete them manually and empty the Recycle Bin.

12. Reboot your PC!
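Steps 3 to 11 above as one batch file, added here as an example; it is not the author's own script. It assumes the file names and the Winlogon values the post describes, the script name clean-pooh.cmd is an assumption, and for step 10 it writes the Explorer registry values that sit behind the Folder Options checkboxes instead of clicking through the dialog. Run it from Safe Mode as Administrator, listing every drive that was plugged into the infected PC.

```batch
@echo off
rem Added example, not the author's script: the manual steps 3-11 as one
rem batch file. Run in Safe Mode as Administrator:
rem   clean-pooh.cmd C: D: E:    (every drive that was plugged in)
rem Assumes the file names and Winlogon values described in the post.

setlocal
if "%~1"=="" (
  echo usage: %~nx0 drive: [drive: ...]
  exit /b 1
)

rem Step 4: stop the script host and the shell so nothing re-drops files.
taskkill /f /im wscript.exe >nul 2>&1
taskkill /f /im explorer.exe >nul 2>&1

rem Step 6: delete the dropped files from every listed drive. /a selects
rem files regardless of hidden/system attributes, /f forces read-only ones.
:nextdrive
if "%~1"=="" goto drivesdone
for %%f in ("%~1\pooh.vbs" "%~1\autorun.inf") do (
  if exist %%f (
    echo removing %%f
    del /f /q /a %%f
  )
)
shift
goto nextdrive
:drivesdone

for %%f in ("%SystemRoot%\system32\kernell.dll.vbs" "%SystemRoot%\system32\aikelyu.html" "%SystemDrive%\aikelyu.html") do (
  if exist %%f (
    echo removing %%f
    del /f /q /a %%f
  )
)

rem Step 7: show whatever still references aikelyu.html at startup.
for %%h in (HKCU HKLM) do (
  reg query "%%h\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | findstr /i aikelyu
)

rem Step 9: restore the Winlogon values. Shell must be exactly Explorer.exe
rem and Userinit exactly the system userinit.exe with a trailing comma;
rem anything appended to either is the worm. Print the old values first.
set WL=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query "%WL%" /v Shell
reg query "%WL%" /v Userinit
reg add "%WL%" /v Shell /t REG_SZ /d "Explorer.exe" /f >nul
reg add "%WL%" /v Userinit /t REG_SZ /d "%SystemRoot%\system32\userinit.exe," /f >nul

rem Steps 10-11: show hidden files, protected OS files and extensions so a
rem leftover copy is visible in Explorer after the reboot.
set ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
reg add "%ADV%" /v Hidden /t REG_DWORD /d 1 /f >nul
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul
reg add "%ADV%" /v HideFileExt /t REG_DWORD /d 0 /f >nul

echo Finished. Reboot (step 12), then re-check C:\ and %SystemRoot%\system32.
endlocal
```

The script prints the old Shell and Userinit values before overwriting them; if either shows a path other than the worm's, note it down, because that is a second program that was being started at logon.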

That's all... I hope it works for you.

5 comments:

sherwin said...

Steps on how to remove the Nhatquanglan worm:

1. Download HijackThis (free), and the Task Manager fix of the Interra Group (also free), and a program called Spybot Killer.

2. Run HijackThis (rename it first or it won't start), and fix all files with scvhost.exe (not svchost.exe), run Spybot, and then the Task Manager fix. This should cure it. As you learn more about viruses, HijackThis is probably the most useful program to have.

3. Reboot, and should run ok.


Pooh.vbs or the W32/DKR worm, is a Visual Basic script that can be detected by some antivirus like Norton and McAfee. Pooh.vbs comes with an HTML file (the aikelyu.html) that opens on Windows log-on. It exploits the autorun feature in memory cards and copies itself to computers and connected memory cards thereafter. Because it does not spread itself to the internet, it hasn't gained enough notoriety to be included in virus defenses of various programs. Also clean your infected memory cards.


GOOD LUCK TO ALL

email add: sherwin_kng@yahoo.com
