Trojan horse Backdoor Computer Virus FVX

The virus drops the following files into the flash drive (thumb drive or USB drive):
- autorun.inf
- RECYCLER\desktop.ini
- UcHelp.exe
The easiest way to remove the virus is to format the USB drive. However, if the computer itself has contracted the virus, you may have to use the procedure outlined below to remove it; if you don't, it will keep spreading to every other USB drive that is plugged into the infected computer. To remove the trojan you need to download the PsKill utility (see below), then run the following commands from an administrator command prompt:

rem stop Explorer and its child processes so the shell extension DLLs are no longer in use
pskill -t explorer.exe
rem clear the system/hidden attributes so the dropped files can be deleted
attrib -s -h c:\windows\system32\AceExt32.dll
attrib -s -h "c:\windows\Downloaded Program Files\Ext32.dat"
attrib -s -h "c:\windows\Downloaded Program Files\Ext32.dll"
attrib -s -h "c:\windows\Downloaded Program Files\CxUSBKey.exe"
attrib -s -h "c:\windows\Downloaded Program Files\ZipExt32.dll"
rem delete the dropped files
del "c:\windows\system32\AceExt32.dll"
del "c:\windows\Downloaded Program Files\Ext32.dat"
del "c:\windows\Downloaded Program Files\Ext32.dll"
del "c:\windows\Downloaded Program Files\CxUSBKey.exe"
del "c:\windows\Downloaded Program Files\ZipExt32.dll"
rem restart the shell
start explorer.exe
rem remove the ShellServiceObjectDelayLoad persistence entries and their CLSID registrations
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad /v ZipExt32 /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad /v AceExt32 /f
reg delete HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140} /f
reg delete HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150} /f
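As an added check that is not part of the original post: a small Python script that inspects a mounted flash drive for the three dropped files listed above and reads its autorun.inf to see which program Windows would launch on insertion. The mock drive it builds in a temp directory is constructed sample data, not a real dropper's files.

```python
import configparser
import os
import tempfile

# Files the post says the trojan drops, relative to the drive root.
DROPPED_FILES = ("autorun.inf", os.path.join("RECYCLER", "desktop.ini"), "UcHelp.exe")
# autorun.inf keys that make Windows launch a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")


def autorun_targets(inf_path):
    """Return the distinct commands an autorun.inf would launch ([] if none/unreadable)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(inf_path, encoding="latin-1") as fh:
            parser.read_file(fh)
    except (OSError, configparser.Error):
        return []
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            if parser.has_option(section, key):
                cmd = parser.get(section, key).strip()
                if cmd not in targets:
                    targets.append(cmd)
    return targets


def scan_drive(root):
    """Report which dropped files exist on the drive and what autorun would run."""
    present = [rel for rel in DROPPED_FILES if os.path.isfile(os.path.join(root, rel))]
    launched = autorun_targets(os.path.join(root, "autorun.inf"))
    hit = "UcHelp.exe" in present or any("uchelp.exe" in c.lower() for c in launched)
    return {"present": present, "launched": launched, "infected": hit}


def build_sample_drive(infected=True):
    """Create a constructed mock drive in a temp dir (not a real dropper's files)."""
    root = tempfile.mkdtemp(prefix="usb_")
    if infected:
        os.mkdir(os.path.join(root, "RECYCLER"))
        for rel in DROPPED_FILES:
            with open(os.path.join(root, rel), "w") as fh:
                if rel == "autorun.inf":
                    fh.write("[autorun]\nopen=UcHelp.exe\nshell\\open\\command=UcHelp.exe\n")
    return root
```

On a real machine, call `scan_drive("E:\\")` (or whatever letter the flash drive mounts as) instead of the mock drive.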
--- Remove Uchelp.exe on the flash drive (thumb drive): ---

PsTools version in this package: 2.43. PsKill works on NT 4 and higher, including Windows Vista. Download PsTools.

The PsTools kit's PsKill utility can terminate processes on the local computer and processes on remote systems. Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If you specify a process name, PsKill will kill all processes that have that name.

usage: pskill [- ] [-t] [\\computer [-u username] [-p password]] <process id | process name>

where:
- Displays the supported options.
-t Kill the process and its descendants.
\\computer Specifies the computer on which the process you want to terminate is executing. The remote computer must be accessible via the NT network neighborhood.
-u username If you want to kill a process on a remote system and the account you are executing in does not have administrative privileges on the remote system, then you must log in as an administrator using this command-line option. If you do not include the password with the -p option, then PsKill will prompt you for the password without echoing your input to the display.
-p password This option lets you specify the login password on the command line so that you can use PsList from batch files. If you specify an account name and omit the -p option, PsList prompts you interactively for a password.
process id Specifies the process ID of the process you want to kill.
process name Specifies the process name of the process or processes you want to kill.