malicious script

  ROYALPAT 13:35 19 Jul 2004
Locked

on start up on xp my norton virus checker opens up a MALICIOUS SCRIPT ERROR C:\DRIVERS\POSTOOB.NEC\E:VBS
IT GIVES 4 OPTIONS WHICH I WONT LIST HERE HOWEVER I AM AT PRESENT CHOOSING TO BLOCK IT.
DOES ANYONE KNOW WHAT THIS IS AN HOW CAN I DEAL WITH IT
MANY THANKS

  Sethhaniel 15:49 19 Jul 2004

This worm spreads via email and mIRC. It sends a copy of itself to all lists in the infected user's address book. The worm also sends a copy of itself to the users in mIRC disguised as "A List Of Hacked Porno site passwords". If the current system date is April 20 or December 25, the worm deletes all files and subdirectories in the current directory.

Solution:

Left-Click the START button and select RUN
Type REGEDIT and click the OK button
Find the following registry entries by clicking the box with a ‘+’ in it beside that entry:
HKEY_CURRENT_USERS\Software\Micorsoft\WindowsCurrentVersion\Run\ScanRegistry. Click the value "C:\Windows\calc.vbs" and press "Delete"

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsCurrentVersion\Run\. Click the value "C:\Windows\sys.vbs" and press "Delete"

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsCurrentVersion\RunServices\. Click the value "C:\Windows\temp.vbs" and press "Delete".

HKEY_CURRENT_USER\Software\Microsoft\WindowsCurrentVersion\. Click the value "Sent?" and press "Delete"
Right-Click the START button and select FIND. Find each of these files in Drive c:\. When found, click it and press "Delete" to delete them:
C:\Windows\system\list.vbs
C:\Windows\system\explorer.vbs
C:\Windows\list.vbs
C:\Windows\temp\list.vbs
C:\Windows\winsck.vbs
C:\Windows\calc.vbs
C:\Windows\win.vbs
C:\Windows\tmp.vbs
C:\Windows\fax.vbs
C:\Windows\cod.cod
C:\pornlist.txt
Left-Click the START button and select RUN Type SYSEDIT and click the OK button.
Click the window “c:\Windows\win.ini” and highlight and delete the following lines: run=C:\Windows\win.vbs
Click the window “c:\Windows\system.ini” and highlight and delete the text “C:\Windows\fax.vbs” which is found after “shell=Explorer.exe”.
Scan your system with Trend antivirus and delete all files detected as VBS_TUNE.E. To do this Trend customers must download the latest pattern file and scan their system. Other email users may use Trend HouseCall, a free online virus scanner.

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

WPA2 hack: How secure is your Wi-Fi?

Add Depth Of Field to a photo using Tilt Shift Blur in Photoshop

iPhone tips & tricks

Les meilleures tablettes 2017