Eliminating the Worm That Converts DOC-XLS to EXE
This worm does not have a name. The icon it uses is the uninstaller icon in the old version and the file icon of Office 2003 and later.
ATTENTION
FOR THOSE ALREADY INFECTED, PLEASE DO NOT ACT HASTILY.
DO NOT USE ANTIVIRUS, BECAUSE IT IS USELESS AND WILL ONLY REMOVE YOUR DOCUMENTS. RESTORE YOUR DOCUMENTS WITH MSWSPLIT.EXE, WHICH YOU CAN DOWNLOAD HERE.
Killing the worm in the system:
1. Boot into Safe Mode with Command Prompt.
2. At the command prompt, type explorer and press Enter.
3. Delete the file kspoold.exe or kspooled.exe in C:\Windows\System32.
This file is the source of everything. It converts every Document (*.doc) and Workbook (*.xls) into an executable (*.exe).
4. Go to the Registry and delete this key and its contents:
HKLM\SYSTEM\CurrentControlSet\Services\kspooldaemon
HKLM\SYSTEM\ControlSetxxx\Services\kspooldaemon
The older version does not install itself as a service but sits in the Startup keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
entry: print k splooler, with the value: C:\Windows\System32\kspoold.exe (when the system is in C:\Windows\System32)
5. Restart into normal mode.
Removing the remains of kspoold:
On further investigation, it turns out that some variants of this worm still have a trick to reactivate themselves after removal from the system. The activator is in the folder MSSETUP.T~~ and is triggered through the desktop.ini in the root of each drive.
1. Delete or re-edit the desktop.ini in the root of all drives, including removable media such as flash disks and floppies.
Use MS-DOS to delete this file. Go to the root of each drive and type attrib +A -S -H -R DESKTOP.INI; DESKTOP.INI can then be removed with the command DEL DESKTOP.INI.
If you want to keep the background picture on your folder, open DESKTOP.INI with Notepad and delete only this part:
PersistMoniker=file://MSSETUP.T~~\Folder.htt
2. Delete the folder MSSETUP.T~~ together with its contents.
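An added example (not from the original post) of the edit described in step 1: it removes only the PersistMoniker line that points into the MSSETUP folder and leaves the rest of desktop.ini, such as a background picture setting, intact. The function names and the sample file are constructed for illustration, and the code assumes that any PersistMoniker target containing "MSSETUP" belongs to the worm.

```python
import re
import sys

# Assumption: a PersistMoniker whose file: target mentions "MSSETUP" is the
# worm's entry. Spacing and letter case are ignored.
_BAD_MONIKER = re.compile(r"^\s*PersistMoniker\s*=\s*file:.*MSSETUP.*$", re.IGNORECASE)

SAMPLE = (  # constructed sample desktop.ini, not a capture from an infected drive
    b"[.ShellClassInfo]\r\nIconFile=folder.ico\r\n"
    b"[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]\r\n"
    b"PersistMoniker=file://MSSETUP.T~~\\Folder.htt\r\n"
    b"[{BE098140-A513-11D0-A3A4-00C04FD706EC}]\r\nIconArea_Image=bg.jpg\r\n"
)


def decode_ini(raw: bytes) -> tuple[str, str]:
    """desktop.ini is either UTF-16 with a BOM or a single-byte ANSI file."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16"), "utf-16"
    return raw.decode("latin-1"), "latin-1"  # latin-1 round-trips every byte


def clean_desktop_ini(raw: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned bytes, removed lines); all other lines are kept verbatim."""
    text, enc = decode_ini(raw)
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        if _BAD_MONIKER.match(line.rstrip("\r\n")):
            removed.append(line.strip())
        else:
            kept.append(line)
    return "".join(kept).encode(enc), removed


def clean_file(path: str) -> list[str]:
    """Rewrite the file only if a worm entry was found.
    Clear the S/H/R attributes first (the attrib step), or the write fails."""
    with open(path, "rb") as f:
        cleaned, removed = clean_desktop_ini(f.read())
    if removed:
        with open(path, "wb") as f:
            f.write(cleaned)
    return removed


if __name__ == "__main__":
    # Usage: python clean_ini.py D:\desktop.ini E:\desktop.ini
    for p in sys.argv[1:]:
        print(p, "->", clean_file(p) or "no worm entry found")
```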
Restoring the damaged Folder View Options:
It turns out that this worm slightly damages the Folder View Options for:
- Hide extensions for known file types;
- Hide Protected Operating System Files (recommended)
How to recover:
1. Go to the registry and change the values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Check the data and make sure the values are:
CheckedValue = 1
DefaultValue = 1
UncheckedValue = 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Check the data and make sure the values are:
CheckedValue = 0
DefaultValue = 0
UncheckedValue = 1
After this, you can set your Folder View Options again.