Wednesday, June 11, 2008

How to Remove JS.Faizal / virus faizal.js

# Click Start > Run.
# Type regedit
# Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to it. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

# Navigate to and delete the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"faizal" = "wscript.exe C:\WINDOWS\system32\faizal.js"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon\"LegalNoticeCaption" = "FAIZAL"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon\"LegalNoticetext" = "You have been infected by FAIZAL virus"
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives\"ShowSuperHidden" = "0"


# Restore the following registry entry, if necessary:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "faizal"

# Exit the Registry Editor.

Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
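The check below is an added example, not part of the original post: a read-only PowerShell audit that reports whether the registry values listed above are present, including the "Window Title" value in every loaded user hive. The function name `Test-RegValue` is hypothetical, the key paths and data are copied from the steps above, and the long `HKEY_ALL_USERS` entry is left out because it cannot be read as a single key path.

```powershell
# Read-only audit for the JS.Faizal registry values named in the removal steps.
# Nothing is deleted or modified; review the output, then remove entries by hand.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'faizal';             Match = 'faizal\.js' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon'
       Name = 'LegalNoticeCaption'; Match = '^FAIZAL$' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon'
       Name = 'LegalNoticetext';    Match = 'FAIZAL virus' }
)

# Hypothetical helper: emits one object per value that exists, nothing otherwise.
function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Match)
    # A missing key or value is the clean case, so the lookup error is suppressed.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $data = [string]$item.$Name
    [pscustomobject]@{
        Path    = $Path
        Name    = $Name
        Data    = $data
        Suspect = ($data -match $Match)   # -match is case-insensitive
    }
}

$findings = @(
    foreach ($c in $checks) { Test-RegValue @c }

    # HKEY_USERS holds only the hives of profiles that are currently loaded.
    # Accounts that are not logged on still need the per-account check
    # described in the note above.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\Main"
            Test-RegValue -Path $path -Name 'Window Title' -Match '^faizal$'
        }
)

if ($findings.Count -eq 0) {
    'None of the listed registry values are present.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Rows with `Suspect` set to `True` carry the data shown in the steps above; a `LegalNoticeCaption` or `Window Title` row with `False` is a value that exists with other data and may be a legitimate setting.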
