Teaching

Some annoyances...

I will try to post information about how to fix some computer problems when I come across them. Part of the reason is that sometimes it appears that this information is obscured in some sites containing forums or other unrelated information. Lastly, some of this information was in some sites but may not be there anymore, so it will not hurt to have it here.

This information applies to Windows XP. This is some variant of the VBS.LoveLetter worm. There are a number of them, and you may adapt this method to clean them up. Open the Task Manager (Ctrl+Alt+Del), click the "Processes" tab, and click the "Image Name" column heading to order the entries alphabetically. If you see one or more copies of the process named "wscript.exe", you have this Visual Basic worm running. It infects your system through USB flash drives or CD drives. To prevent this infection, you should disable autorun on all drives. This does not cause any problems: the system will simply no longer open an external drive or CD and show its contents automatically. If you need to install software from a CD, you may have to click "My Computer", navigate to the drive that contains the software, and execute the setup program.

This virus can be cleaned manually. To do this:

1- Open the Task Manager (Ctrl+Alt+Del), click the "Processes" tab, and click the "Image Name" column heading to order the entries alphabetically. All copies of the process named "wscript.exe" must be terminated (select and press "Del"). If you see the process named "iboot.exe", it must also be terminated (select and press "Del").

2- Fix the registry. It is important that you have stopped the processes mentioned in 1. Hopefully, you have backups of all your Visual Basic projects. The next step will delete all the files with extension vbs.

3- Fix the registry. It is important that you have stopped the processes mentioned in 1. Click Start, click Run, and type "regedit" (no quotation marks). Look under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsKernel32

This information applies to Windows XP. This virus infects .pdf, .txt, .doc, .dat and .xls files (among others). Having a lot of pdf documents makes you a target for this virus. This virus hides your "file.pdf" file and creates a visible "file .pdf" (NOTE the SPACE between the file name and the extension) and an executable file "file.exe" with the same file name. If you have your folder options set to display hidden files and folders, and also to show "system files", and also set so it does NOT "hide extensions of known types"

Unfortunately, this virus cannot be removed manually because it is able to infect many files very quickly, and it is not an easy task to find them all. I used to have AVG (free version), updated and with all its features active, and it happily let this worm enter my external HDD. I do not know if the worm disables the AVG antivirus. AVG did not detect any virus. Since the infection was in an external HDD, I could easily try NOD32 on another computer. This time I could remove the virus: 11,000 infected files.

You will notice that the folders that used to contain some pdf files are now full of executable files. This means that you have the infection. The "file.exe" can be deleted. The visible "file .pdf" is just a shortcut to the executable, so you will execute the virus every time you click on a pdf file. The size of this is just 512 bytes. The executable is 4k bytes.

VERY IMPORTANT: the file that appears hidden, "file.pdf", is your original pdf file. Do NOT delete this file, because you will lose your pdf file.

I do not know for sure what antivirus other than NOD32 can remove this worm. One thing is certain: the antivirus will leave your pdf files hidden AND the shortcut created by the virus. You can perform a search for "a .pdf" and cut and paste them in a folder. Then you have to manually set the attributes of the hidden files to be able to "see" your pdf documents again. Note that the hidden attribute is grayed out.

After the antivirus removes the threat, you need to do this:

1- Use the Search tool to find all files "* .pdf" on the D drive.

2- When the search finishes, order the results by size, so that all the 20-byte files that the virus created appear first.

3- Select ONLY the small 20-byte files (there might be thousands of them), then cut and paste these files into a folder that you create on the C drive to collect them.

4- Repeat this until all the files created by the virus are removed from your D drive. This requires that you also search for "* .xls", "* .doc", etc.

5- Move the folder to the D drive and search on the C drive. Cut and paste the files to the folder. When you do not find any more files, compress the folder. Do not delete anything until you are sure that there are no valuable files in it.
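
The search-and-collect steps above can also be scripted. The following Python script is an added example, not part of the original page: it finds small files named "name .ext" (space before the extension), reports whether the matching original "name.ext" is present, and moves the small files into a collection folder without deleting anything. The function names, the 512-byte size limit and keeping each file's relative path inside the collection folder (so that equal file names from different folders do not collide) are assumptions of this example.

```python
import os
import shutil

EXTS = (".pdf", ".doc", ".xls", ".txt", ".dat")  # extensions the page names
MAX_DECOY_SIZE = 512  # assumption: the page quotes both 512 bytes and 20 bytes


def find_decoys(root, exts=EXTS, max_size=MAX_DECOY_SIZE):
    """Return sorted (decoy, original_or_None) pairs for small 'name .ext' files."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in exts or not stem.endswith(" "):
                continue
            decoy = os.path.join(folder, name)
            if os.path.getsize(decoy) > max_size:
                continue  # too large to be one of the shortcuts; leave it alone
            original = os.path.join(folder, stem.rstrip(" ") + ext)
            hits.append((decoy, original if os.path.exists(original) else None))
    return sorted(hits)


def quarantine(root, dest, **kwargs):
    """Move decoys under dest, keeping relative paths; nothing is deleted."""
    r, d = (os.path.normcase(os.path.abspath(p)) for p in (root, dest))
    if d == r or d.startswith(r.rstrip(os.sep) + os.sep):
        raise ValueError("collection folder must be outside the scanned tree")
    moved = []
    for decoy, _original in find_decoys(root, **kwargs):
        target = os.path.join(dest, os.path.relpath(decoy, root))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(decoy, target)
        moved.append(target)
    return moved


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        drive, coll = os.path.join(tmp, "D"), os.path.join(tmp, "collected")
        os.makedirs(os.path.join(drive, "papers"))
        for name, size in (("a.pdf", 9000), ("a .pdf", 20), ("a.exe", 4096)):
            with open(os.path.join(drive, "papers", name), "wb") as f:
                f.write(b"\0" * size)
        print(find_decoys(drive))
        print(quarantine(drive, coll))
```

A pair whose second element is None marks a small file with no original beside it; check those by hand before compressing the collection folder.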

The files that you cut and pasted were shortcuts to the virus executable. Now you must recover your real documents, which the virus has hidden as system, read-only files.

To do this you need to do the following:

1- Click START

2- Type cmd

3- Type d: and press Enter

4- Type cd\ and press Enter

5- Type attrib -s -h -r *.pdf /s and press Enter

6- Type attrib -s -h -r *.doc /s and press Enter. Repeat this command for the *.xls and other files affected

7- Type c: and press Enter

8- Type cd\ and press Enter

9- Repeat steps 5 and 6 on the C drive.

This should have set all your .pdf, .doc and .xls files with attributes "not system", "not hidden", "not read only". This is it.

Office: Room K408 Faculty of Science Mahidol University
Phone: (662) 201-5353
