VBS.SOLOW is the name of this malware if you use Symantec, and
vbs.slow.a if you use TrendLabs PC-cillin.
You can't use System Restore because an "infected" version is already saved, so it's no use.
Most imported AV can't detect this, because it's new, sir.
It was made here; I'm sure it will become famous like the 143 virus made by someone from AMA.
Wow, it can't be detected by antivirus; it has autorun.inf and the ".vbs".
It's a VBScript file that writes "TAGA LIPA ARE!" to the registry and creates a shell application every time a disk drive is clicked. I'm trying to study the file to be able to reverse it.
HOW TO REMOVE "TAGA LIPA ARE!"
1. Run Task Manager
Windows XP (press Ctrl+Shift+Esc)
or Ctrl+Alt+Del, then look for the "Processes" tab, find the process named "Wscript" and end ALL of them.
2. In Windows Explorer
Select Tools -> Folder Options, then on the View tab under "Hidden files and folders" select "Show hidden files and folders".
Next, uncheck "Hide protected operating system files".
3. Browse all your disk drives or flash drives
(don't double-click, because "wscript" will run again) and look for
"autorun.inf" and "FS6519.dll.vbs".
Then delete those 2 files: select both files and press Shift+Delete. Be sure that every wscript process in Task Manager has been ended.
4. Lastly, click Start and select Run, type "regedit", press Ctrl+F and search for "taga lipa are". I think you will find it 3 times; double-click it, then replace it
with "Microsoft Internet Explorer". There are 3 that you will replace there. Then exit. That's it! Restart your PC and it will be OK again.
What the malware will hit:
FLASHDRIVE
FLOPPY DRIVE
OPTICAL DRIVE
HARDDRIVE
On the hard drive: C: (also D:, E: and other drives if you have them) and the Windows folder. If you want the "taga lipa are" message to go away, first change the script written above.
WARNING! Wrong changes to the Windows Registry may damage your Windows. So beware...
Delete these lines from the registry:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FS6519",winpath&"FS6519.dll.vbs"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title"
When you click drive C: (or D: or E:), the AUTORUN.INF will run automatically and read the process from the autorun.
However, since FS6519.DLL.VBS is gone (if you removed it), it only means that it can no longer spread.
There are only 2 suspect files...
AUTORUN.INF
FS6519.DLL.VBS
Remove AUTORUN.INF manually from the root of each drive (C: D: E:) so that the thing bugging your screen goes away.
Only applicable to the TAGA LIPA ARE virus... Other viruses have their own instructions. But take note of this: AUTORUN.INF should not exist in any root folder (C: D: E:)... Otherwise, it is something malicious.
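
A read-only check for the two file names given above, added here as an example and not part of the original post: it lists a drive root for `autorun.inf` and `FS6519.dll.vbs` without opening the drive in Explorer, then parses the `[autorun]` section for launch entries that point at a script. The function names and the sample `autorun.inf` contents are constructed for illustration.

```python
import os
import re
import tempfile

SUSPECT_NAMES = {"autorun.inf", "fs6519.dll.vbs"}  # the two file names from this page
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)
SCRIPT_HINT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b|\b[wc]script(\.exe)?\b", re.I)

def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch something."""
    launches, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                launches.append((key.strip().lower(), value.strip()))
    return launches

def scan_root(root):
    """Inspect one drive root without executing anything; returns a findings dict."""
    present = {name.lower(): name for name in os.listdir(root)}  # case-insensitive match
    found = sorted(present[n] for n in SUSPECT_NAMES if n in present)
    launches = []
    if "autorun.inf" in present:
        path = os.path.join(root, present["autorun.inf"])
        with open(path, "r", encoding="latin-1") as fh:
            launches = parse_autorun(fh.read())
    scripted = [(k, v) for k, v in launches if SCRIPT_HINT.search(v)]
    return {"files": found, "launches": launches, "script_launches": scripted}

def demo():
    """Build a constructed drive root in a temp directory and scan it."""
    sample = ("[AutoRun]\n; constructed sample, not the real file\n"
              "icon=shell32.dll,8\n"
              "shellexecute=wscript.exe FS6519.dll.vbs\n"
              "shell\\open\\command=setup.exe\n")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write(sample)
        open(os.path.join(root, "FS6519.DLL.VBS"), "w").close()
        return scan_root(root)

if __name__ == "__main__":
    print(demo())
```

On a real machine, call `scan_root("E:\\")` for each drive letter after ending the wscript processes as in step 1.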