Sunday, November 30, 2008

Virus removal

Removing Added Registry Entries

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
MsServer = "msfir80.exe"
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry:
IMJPMIG8.2 = "msime80.exe"
6. Close Registry Editor.
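The six steps above as one script, added here as an example; it is not part of the original post. It targets exactly the two values the post names (MsServer under HKCU and IMJPMIG8.2 under HKLM) and deletes each one only if its data ends in the expected filename, so a legitimate entry that happens to share the name is left alone. Run it from an elevated PowerShell prompt, since deleting under HKLM needs administrator rights.

```powershell
# Added example (not from the original post): remove the two Run entries the
# post lists, but only when their data matches the malware filename.

$targets = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'MsServer';   Data = 'msfir80.exe' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'IMJPMIG8.2'; Data = 'msime80.exe' }
)

foreach ($t in $targets) {
    $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host "Not present: $($t.Key)\$($t.Name)"
        continue
    }

    # The post gives the data as a bare filename; the real entry may carry a
    # full path or surrounding quotes, so compare on the trailing filename only.
    $data = [string]$item.($t.Name)
    if ($data.Trim('"') -like "*$($t.Data)") {
        Write-Host "Removing $($t.Key)\$($t.Name) = $data"
        Remove-ItemProperty -Path $t.Key -Name $t.Name
    } else {
        Write-Host "Skipping $($t.Key)\$($t.Name): unexpected data '$data'"
    }
}

# Confirm nothing came back (some droppers re-create their Run entries while
# their process is still alive; if a value reappears, stop the process first).
foreach ($t in $targets) {
    if (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue) {
        Write-Warning "$($t.Key)\$($t.Name) is still present"
    }
}
```

The re-check at the end is the step regedit users tend to skip: deleting a value is only meaningful if the process that writes it is no longer running.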
Restoring AUTORUN.INF
1. Open the dropped AUTORUN.INF using Notepad. Click Start>Run, type this text string in the Open input box then press Enter:
{Malware path}\autorun.inf
2. Delete the following entries created by the malware:
[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
3. Close AUTORUN.INF and click Yes when prompted to save.
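The same edit done without Notepad, as an added example that is not from the original post. $malwarePath is an assumption standing in for the {Malware path} the post leaves unspecified; the lines removed are exactly the ones the post lists, plus any other line that refers to sal.xls.exe. Where nothing else is left in the file, this version deletes it rather than saving an empty file, which is a choice of this example and not a step in the post.

```powershell
# Added example (not from the original post): strip the malware's entries from
# the dropped autorun.inf. $malwarePath is an assumption; set it to the real folder.
$malwarePath = 'E:\'
$autorun     = Join-Path $malwarePath 'autorun.inf'

# Exactly the lines the post says the malware created. They are matched after
# trimming whitespace; -contains compares strings case-insensitively.
$malwareLines = @(
    '[AutoRun]',
    'open=sal.xls.exe',
    'shellexecute=sal.xls.exe',
    'shell\Auto\command=sal.xls.exe',
    'shell=Auto',
    '[VVflagRun]',
    'aabb=kdkfjdkfk11'
)

if (-not (Test-Path -LiteralPath $autorun)) {
    Write-Host "No autorun.inf found at $autorun"
    return
}

# Dropped autorun.inf files are normally hidden + system + read-only, which is
# why the post has you point Notepad at the exact path; clear that before writing.
$file = Get-Item -LiteralPath $autorun -Force
$file.Attributes = 'Normal'

$kept = @()
foreach ($line in (Get-Content -LiteralPath $autorun)) {
    $trimmed = $line.Trim()
    if (($malwareLines -contains $trimmed) -or ($trimmed -match '(?i)sal\.xls\.exe')) {
        Write-Host "Removing: $line"
        continue
    }
    $kept += $line
}

if (@($kept | Where-Object { $_.Trim() -ne '' }).Count -eq 0) {
    # Nothing but malware entries was in the file, so do not leave an empty one behind.
    Remove-Item -LiteralPath $autorun -Force
    Write-Host 'autorun.inf contained only malware entries; deleted it.'
} else {
    Set-Content -LiteralPath $autorun -Value $kept
    Write-Host "Saved autorun.inf with $($kept.Count) remaining line(s)."
}
```

The entries the post lists all launch sal.xls.exe from the same folder as autorun.inf, so look for that file next to it as well; editing the .inf stops the autorun trigger but does not remove the dropper it points at.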
To unhide files, go to Start->Run, type regsvr32 /u occache.dll and click OK. To re-hide them afterwards, go to Start->Run, type regsvr32 occache.dll and click OK.

Go to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

DELETE the value CheckedValue in the right window. (After the infection its type will be REG_SZ and its data 2; the normal value is a REG_DWORD of 1, which is why the value has to be deleted and recreated rather than just edited.)

Now create a new DWORD value called CheckedValue (same as above, except that the type is REG_DWORD). Modify the value data to 1 (0x00000001).

This should let you change the "Hidden Files and Folders" option.
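The registry fix above as a script, added here as an example and not part of the original post. It reports what CheckedValue currently is, recreates it as a REG_DWORD of 1 only when the type or data is wrong, and then, in a final step the post does not include, sets the current user's Hidden value under Explorer\Advanced (the per-user toggle the Folder Options dialog writes; 1 shows hidden files, 2 hides them) so the display changes without opening the dialog. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): repair SHOWALL\CheckedValue,
# which the malware changed from REG_DWORD 1 to REG_SZ "2".

$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$name    = 'CheckedValue'

if (-not (Test-Path $showAll)) {
    throw "Key not found: $showAll"
}

$regKey  = Get-Item -Path $showAll
$current = Get-ItemProperty -Path $showAll -Name $name -ErrorAction SilentlyContinue

if ($null -ne $current) {
    # GetValueKind exposes the REG_SZ-vs-REG_DWORD difference the post describes.
    $kind = $regKey.GetValueKind($name)
    Write-Host "Before: $name type=$kind data=$($current.$name)"
    if ($kind -eq 'DWord' -and [int]$current.$name -eq 1) {
        Write-Host 'CheckedValue is already a REG_DWORD of 1; nothing to do.'
        return
    }
    # A value's type cannot be changed in place, so delete and recreate it,
    # which is what the post's two regedit steps do.
    Remove-ItemProperty -Path $showAll -Name $name
}

New-ItemProperty -Path $showAll -Name $name -PropertyType DWord -Value 1 | Out-Null
$after = Get-ItemProperty -Path $showAll -Name $name
Write-Host "After:  $name type=$((Get-Item $showAll).GetValueKind($name)) data=$($after.$name)"

# Not in the post: the per-user toggle Folder Options writes.
# 1 = show hidden files and folders, 2 = do not show.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord
```

Explorer reads the Advanced\Hidden value when a window is opened or refreshed, so open a new Explorer window to see the effect.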
Please report your results.
