The Donald Duck virus is written in Visual Basic and is detected as VbWorm.QXE. One of the characteristics of this virus is the words "Duck Feather."
Duck Feather hides the folders / subfolders on a flash disk and creates duplicate files named after those folders / subfolders to trick users. To clean it up, follow these steps:
1. Disconnect the computer to be cleaned from the network (if it is connected to a Local Area Network / LAN).
2. Temporarily disable "System Restore" while the cleaning process takes place (if using Windows ME / XP).
3. Terminate the virus that is active in memory. To do this, use a Task Manager replacement such as procexp, then kill the virus process, which has the "folder" icon.
4. Repair the Windows registry entries that have been altered by the virus. To speed up the process, copy the script below into Notepad and save it as repair.inf. Run the file as follows:
* Right-click repair.inf
* Click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Values written back to the registry
[UnhookRegKey]
; Open commands for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Logon shell and Safe Mode alternate shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
; Folder Options values for hidden files, and an empty Command Processor AutoRun
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue, 0x00010001, 1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun, 0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001, 1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001, 2
HKCU, Software\Microsoft\Command Processor, AutoRun, 0,

; Keys and values removed from the registry
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
5. Find and delete the duplicate files created by the virus. To speed up the process, use the Windows Search function, after first enabling the display of hidden files.
If Folder Options does not appear, log off the computer first and then show hidden files. Once the duplicate files are found, delete the files that have these characteristics:
* Uses the folder icon
* File size 53 KB
* EXE extension
* File Type "Application"
6. Unhide the files / folders on the flash disk that were hidden. To show the hidden files, you can use alternative tools such as Batch File Utility, or the ATTRIB command.
Here is how to display the hidden files / folders using ATTRIB:
* Click "Start"
* Click "Run"
* Type "cmd" and press "Enter"
* Switch the prompt to the flash disk drive
* Then type ATTRIB -h -r /d and press "Enter"
7. For optimal cleaning and to prevent reinfection, scan with antivirus software that is up to date and able to detect this virus.
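The search in step 5 can be scripted. The following Python sketch is an added example, not part of the original article: it lists EXE files that carry the name of a sibling folder and show as 53 KB, and only reports them for review. The function names and the sample tree are constructed for illustration, it assumes Explorer rounds sizes up to whole KB, and it does not inspect the file icon.

```python
import math
import os
import tempfile

DECOY_KB = 53  # size Explorer reports for the duplicate file, per step 5


def find_decoys(root):
    """Return paths of .exe files that share a name with a sibling folder
    and whose size rounds up to DECOY_KB (traits listed in step 5)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe" or stem.lower() not in folders:
                continue
            path = os.path.join(dirpath, name)
            # Assumption: Explorer rounds file sizes up to whole KB.
            if math.ceil(os.path.getsize(path) / 1024) == DECOY_KB:
                hits.append(path)
    return sorted(hits)


def build_sample(root):
    """Constructed sample tree: two decoys and two harmless look-alikes."""
    for folder in ("Photos", "Docs", os.path.join("Docs", "Tax")):
        os.makedirs(os.path.join(root, folder))
    sample = {
        "Photos.exe": 53 * 1024,                         # decoy: folder name, 53 KB
        "Docs.exe": 10 * 1024,                           # folder name, wrong size
        "setup.exe": 53 * 1024,                          # right size, no such folder
        os.path.join("Docs", "tax.EXE"): 52 * 1024 + 1,  # decoy in a subfolder
    }
    for rel, size in sample.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in find_decoys(tmp):
            print("review before deleting:", os.path.relpath(hit, tmp))
```

Point find_decoys at the flash disk's drive letter after hidden files have been made visible, and confirm the folder icon and "Application" file type by hand before deleting anything it lists.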