Mystery Virus Warning

  Kirbster 04:10 12 Mar 2004

I'm running XP Pro. Upon startup of my PC I receive the following dialogue box called 'Trend SystemCLeaner' containing the following message:

'Virus Found: VBS_FREELINK'

I have PC-cillin 2002 and a virus scan shows my system as virus-free. Is this a genuine virus and if so does it pose any threat to my system and what steps could I take to remove it?


  ianeon 04:46 12 Mar 2004

Run a check scan with another product such as Panda, or AVG, if you are starting to have doubts about your present programme - nearly all companies provide free check ups.

  temp003 05:58 12 Mar 2004

The virus is supposed to create a registry entry to run itself every time the computer starts up.

It may be that your AV has removed the virus file(s) (hence scan is clear) but has not cleared the registry entry. When Windows tries to load the file at startup (even though it may not be there), your AV stops it (before Windows finds out the file is not there anyway).

The offending files can be rundll.vbs, rundll32.vbs, links.vbs, or links*.vbs (where * stands for any letter or letters).

First disable System Restore (you will lose all restore points).

Then use the search function to search for the above files. Before you do so, you must enable file extensions to be shown, because there are legitimate files called rundll etc with different file extensions.

Open search or My Computer, click Tools, Folder Options, View tab, untick "hide file extensions for known file types", better tick "Show hidden files and folders" as well. Click OK. Then search for the files rundll.vbs, rundll32.vbs and links*.vbs.

If any of them show up, delete them (probably none).

Then to remove registry entry, you can use msconfig startup tab to untick any box that refers to those files in the command column. But it's better to permanently remove the entries.

If you don't mind going into registry, click Start, Run, type regedit and press Enter.

Be careful in the registry, take it slowly.

On the left, expand to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Highlight Run by single-clicking it. To the right, look for an entry called rundll, and the data column refers to any of the above .vbs files.

If you find it, right click the name of the entry and select delete. Confirm deletion.

This should be the only key where the entry appears, but just double check the following.

Underneath the key Run, if there's a key called RunOnce, check that key as well.

Then expand and check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and RunOnce keys.

If you find any reference to the above .vbs files, delete the entries on the right hand side.

Exit regedit. Restart to see if the warning appears.
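
The Run/RunOnce check described in the post above, as an added example that is not part of the thread: a read-only Python script that lists values in those four keys whose command line references rundll.vbs, rundll32.vbs or links*.vbs. The function names and the sample rows are constructed for illustration; off Windows it runs against the sample rows instead of the registry.

```python
import fnmatch
import re
import sys

# File names listed in the post; links*.vbs also covers links.vbs itself.
PATTERNS = ("rundll.vbs", "rundll32.vbs", "links*.vbs")
# Autostart subkeys the post says to check, under both HKLM and HKCU.
SUBKEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
           r"Software\Microsoft\Windows\CurrentVersion\RunOnce")

def suspicious_tokens(command):
    """Return file names in a Run-value command line that match PATTERNS."""
    # Split on quotes, whitespace and path separators to isolate file names.
    tokens = re.split(r'["\s\\/]+', command.lower())
    return [t for t in tokens if any(fnmatch.fnmatchcase(t, p) for p in PATTERNS)]

def audit(entries):
    """entries: iterable of (key, value_name, data); return the flagged ones."""
    return [(k, n, d) for k, n, d in entries if suspicious_tokens(str(d))]

def read_run_keys():
    """Read-only enumeration of Run/RunOnce values (Windows only)."""
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        for sub in SUBKEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue  # key absent (RunOnce often is)
            with key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    yield (hive_name + "\\" + sub, name, data)

# Constructed sample rows, used when the script is not run on Windows.
SAMPLE = [
    ("HKLM\\" + SUBKEYS[0], "rundll", r"C:\WINDOWS\rundll.vbs"),
    ("HKLM\\" + SUBKEYS[0], "LoadTool", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("HKCU\\" + SUBKEYS[0], "links", r'wscript.exe "C:\WINDOWS\System32\linksab.vbs"'),
    ("HKCU\\" + SUBKEYS[1], "Updater", r"C:\Program Files\App\update.exe /s"),
]

if __name__ == "__main__":
    rows = read_run_keys() if sys.platform == "win32" else SAMPLE
    for key, name, data in audit(rows):
        print(f"{key}\n    {name} = {data}")
```

Matching is done on the file name with its extension, so the legitimate rundll32.exe entry in the sample is not flagged while the .vbs entries are.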

  Kirbster 07:12 12 Mar 2004

I did as was said above. The search came up with nothing but I found registry entries for rundll.vbs, rundll32.vbs and links.vbs which I deleted.

The message was still there on startup but that's good enough for me.

Thanks for your help.
