JaiZBlog

"If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." ...GBS

14 June 2007

Fix Worm.Win32.VB.el virus infected systems

Posted by Jaisal Abdurrahman

These days many computers are infected with the Worm.Win32.VB.el virus.
With a good, up-to-date antivirus (Kaspersky, NOD32, AVG) we can remove the virus easily, but after removal we will face some problems on the computer, such as being unable to view hidden files and folders, being unable to open partitions by double-clicking, etc.

Problem that will occur with hidden files and folders:-

To view hidden and system files on Windows XP SP2, we normally go to Tools/Folder Options/View, remove the tick from "Hide protected operating system files" and select the "Show hidden files and folders" option. But Windows doesn't show them anyway. If we check the view settings once again, the system has automatically selected the "Hide hidden files and folders" option.

Reason for the above problem:-

Scan the system with Kaspersky Anti-Virus 6.0.1.411 and it will find several areas infected with Worm.Win32.VB.el and several files like sal.xls.exe. It will remove the infected files when we give it permission to delete them.
To solve this problem, go to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL


DELETE the value CheckedValue in the right window. (Its type should be REG_SZ and data should be 2.)

Now create a new DWORD value called CheckedValue (same as above, except that the type is REG_DWORD). Modify the value data to 1 (0x00000001).

This should let you change the "Hidden Files and Folders" option.
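
The state of this value can be checked before and after the fix. The following is an added example, not part of the original post: it uses Python's standard winreg module, and the function names assess, read_checked_value and repair are hypothetical names chosen for illustration.

```python
import sys

# Standard Windows registry type codes (same as winreg.REG_SZ / winreg.REG_DWORD).
REG_SZ, REG_DWORD = 1, 4
KEY_PATH = (r"Software\Microsoft\Windows\CurrentVersion\Explorer"
            r"\Advanced\Folder\Hidden\SHOWALL")

def assess(value_type, data):
    """Classify a CheckedValue (type, data) pair; hypothetical helper."""
    if value_type is None:
        return "missing", "create CheckedValue as REG_DWORD = 1"
    if value_type != REG_DWORD:
        return "tampered", f"wrong type (data {data!r}): delete, recreate as REG_DWORD = 1"
    if data != 1:
        return "wrong-data", f"REG_DWORD is {data}: set it to 1"
    return "ok", "value matches what the post prescribes"

def read_checked_value():
    """Return (type, data) from the live registry, or (None, None) if absent."""
    import winreg  # Windows only, so imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            data, value_type = winreg.QueryValueEx(key, "CheckedValue")
            return value_type, data
    except FileNotFoundError:
        return None, None

def repair():
    """Delete CheckedValue and recreate it as REG_DWORD 1 (needs admin rights)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0,
                        winreg.KEY_SET_VALUE) as key:
        try:
            winreg.DeleteValue(key, "CheckedValue")
        except FileNotFoundError:
            pass  # nothing to delete, just create the value
        winreg.SetValueEx(key, "CheckedValue", 0, winreg.REG_DWORD, 1)

if __name__ == "__main__" and sys.platform == "win32":
    status, advice = assess(*read_checked_value())
    print(status, "-", advice)
    if status != "ok" and "--fix" in sys.argv:
        repair()
        print("after repair:", assess(*read_checked_value())[0])
```

Run it without arguments to report the current state; pass --fix from an administrator prompt to apply the same delete-and-recreate step described above.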

The virus also creates a hidden file named autorun.inf on every disk. This file contains something like the following:
[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
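
A file like this can be recognised automatically when checking a drive. The following is an added example, not part of the original post: a tolerant autorun.inf parser that flags launch entries pointing at executables, double extensions such as sal.xls.exe, and sections outside those Microsoft documents for autorun.inf. The function names and the finding labels are assumptions made for illustration.

```python
import re

# Sections Microsoft documents for autorun.inf; anything else is unexpected.
KNOWN_SECTIONS = {"autorun", "autorun.alpha", "content", "deviceinstall",
                  "exclusivecontentpaths", "ignorecontentpaths"}
# [AutoRun] keys that start a program when the drive is opened or double-clicked.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs)\b", re.I)
# A document-looking extension in front of the real one, e.g. name.xls.exe.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|com|scr|pif|bat|cmd|vbs)\b", re.I)

# The autorun.inf body quoted in the post, embedded as sample input.
SAMPLE = r"""[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
"""

def parse_inf(text):
    """Tolerant parse into {section: [(key, value), ...]}; junk lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return (kind, detail) findings for one autorun.inf body."""
    findings = []
    sections = parse_inf(text)
    for key, value in sections.get("autorun", []):
        if LAUNCH_KEY.match(key) and EXECUTABLE.search(value):
            kind = "double-extension" if DOUBLE_EXT.search(value) else "launch"
            findings.append((kind, f"{key}={value}"))
    for name in sections:
        if name not in KNOWN_SECTIONS:
            findings.append(("unknown-section", name))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind:17} {detail}")
```

A plain "launch" finding also appears on legitimate installer discs, so it is a prompt to look at the target file rather than proof of infection.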


The problem will be solved by simply deleting this file, but we cannot view hidden files.

So we can use one of the following ways to delete the hidden file.
1) Use Total Commander to see the autorun.inf file and delete it.
2) Unhide files by going to Start->Run, typing "regsvr32 /u occache.dll" and hitting OK.
Log off and log on to your PC again.
Open your drive and delete the "autorun.inf" file.
After deleting the file, re-hide files: go to Start->Run, type "regsvr32 occache.dll" and hit OK.
(Make sure you have cleaned the virus before doing these steps.)
3) Open Nero and explore the files on the affected disk. Open autorun.inf, remove the contents written in the file and save it. (If you can't save the file, go to the properties of the file and uncheck Read-only; do all of this from within Nero.)

If you get the error message
"the c:\ application cannot be run in win32 mode"

or similar while opening a drive, use the following method.

Go to Start > Run, then type CMD.
At the command prompt, type cd /d c:\ (or d:\, e:\, depending on your error message).
Type
C:\>attrib -S -H -R autorun.inf
Delete the file by typing C:\>del autorun.inf, or open your drive and delete autorun.inf.
Restart your PC. That's all.


Still not fixed? Contact me:
jaizalmk@yahoo.com
jaisal@live.com
jaizal@gmail.com
















13 comments:

DeepZ said...

Thanks man, the info was very helpful.
The hidden folder problem is solved,
but I still can't open partitions with double click.
Any solution?

Jaisal Abdurrahman said...

2) Unhide files by going to Start->Run, type "regsvr32 /u occache.dll" and hit OK.
Log off and log on to your PC again.
Open your drive and delete the "autorun.inf" file.
After deleting the file, re-hide files: Start->Run, type in "regsvr32 occache.dll" and hit OK.

(Make sure you have cleaned the virus before doing this.)

Dushyant said...

Thanks mate. Fantastic post. I had that hidden files problem and now it's completely solved. Thanks again.

nociv said...

Hey, thanks for the info, very helpful. But I too still have that partition problem, and there is no autorun.inf :( Do you know why?

punit said...

Well, I could open drives when I cleaned the PC with Kaspersky antivirus. But what about that autorun.inf file? Where is it? Anyway, great work by you, brother. Take a bow!

Jaisal Abdurrahman said...

@Dushyant
Welcome, my friend. Happy to know that you fixed it.

@nociv
Hello nociv, use the following method:

Unhide files by going to Start->Run, type "regsvr32 /u occache.dll" and hit OK.
Log off and log on to your PC again (must), and make sure you have enabled show hidden files in Folder Options.
Open your drive and delete the "autorun.inf" file.
After deleting the file, re-hide files: Start->Run, type in "regsvr32 occache.dll" and hit OK.

@punit
That's a good thing. If you can open your drives by double click, then you don't have the autorun.inf, so don't mind it!

stormrider said...

Hey guys, I've got it on a memory stick and it has changed its mode to read only. I can see the virus files (autorun.ini and this sys.vbs file), but cannot delete them and cannot change rights to read/write. Could you please give any solution?

Jaisal Abdurrahman said...

@ stormrider

Just back up your files and format your memory stick.

stormrider said...

Thanks for a prompt reply. I've tried this already but I can't. When I'm trying to format it says: disk is protected from writing. I tried on Linux as well, but I cannot mount read/write, because it checks the disk access rights and says no. I used ZoneAlarm and it found the virus, but of course cannot delete it as well.

Jaisal Abdurrahman said...

Try this: http://drivers.softpedia.com/get/Other-DRIVERS-TOOLS/Others/Sony-EzRecover.shtml
and make sure you don't have a write-protect switch on the memory stick.

stormrider said...

it helped. thank you very much.

Anonymous said...

Thanks Jaz, it was more helpful.
But be sure, I found the DWORD already existed; I just changed the value from 0 to 1.
Anyway, you helped me to fix a big problem.
See you,
Mohamed Mabrouk

Anonymous said...

I use a live Ubuntu or Linux CD to remove viruses like this. Very easy: just stick the disc in and boot it up. You get full read/write access to everything on the hard drives in that PC, regardless of any NTFS permissions set, and what's more, all hidden and system files show automatically. Windows viruses do not affect Linux. This virus also tends to spread via USB memory sticks, using the Autorun file. Just use Linux to delete the infected files, very easy to do. If you use an uninfected Windows PC to clean the USB memory stick, then make sure you hold down Shift before inserting the USB stick, and keep holding it down until the new hardware is installed; this stops the autorun. Also make sure you have something like NOD32 installed before inserting any USB memory sticks, as it cleans them automatically, but remember to always hold down Shift first.
