Virus Removal Techniques
Special Case: Remove java.dll
Initial Symptoms:
- Internet Explorer hangs
- The computer slows down
- The temporary folder contains the following files, which cannot be deleted:
%System%\%MS%HCopy.tmp
%System%\%MS%UCopy.tmp
- The computer restarts frequently; the XP (blue) theme switches to the Classic (pale yellow) theme just before the restart
- The blue screen of death appears
- When an infected removable drive is inserted, the original folders are hidden and, in their place, .exe files with the same names and the folder icon are made visible
Source:
Infected removable drives. A removable drive does not contain a Recycler folder by default, but a compromised removable drive does.
Precautions:
- Turn off the AutoPlay feature for removable drives (Tweak UI can do this)
- On a system with AutoPlay enabled, hold the Shift key while inserting the pen drive to bypass AutoPlay
- Remove the Recycler folder and the autorun.inf from the removable drive
CURE
- Disable System Restore on all drives
- Remove the three files:
%System%\mfc48.dll
%Windows%\java\classes\java.dll
%System%\kernel32.sys
Use FreeCommander to view all the files with ease and to delete them
- Unhook the entries made by java.dll and mfc48.dll using Autoruns or HijackThis
- Update the antivirus program
- Run a full scan
- Remove the Recycler folder and the autorun.inf from the removable drive. To list the original hidden folders from the command prompt, type dir X:\ /ah, where X: is the drive letter of the removable disk.
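The removable-drive part of the cure, and the indicators listed under Initial Symptoms and Source, can be checked in one pass. The following PowerShell script is an added example and not code from the original page: it reports autorun.inf, a RECYCLER folder, and any hidden folder that has a visible .exe of the same name beside it, and with -Clean it removes the first two, clears the Hidden/System attributes on the disguised folders, and renames each same-name .exe so a double-click can no longer launch it. The parameter names, the '.quarantined' suffix and the requirement of Windows PowerShell 3 or later are assumptions; it supports -WhatIf, so run it once without -Clean to see the report first.

```powershell
# Added example, not from the original page. Triage and optionally clean a
# removable drive for the indicators described above.
# Assumes Windows PowerShell 3+; $DriveRoot is the root of the suspect drive, e.g. 'E:\'.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$DriveRoot,
    [switch]$Clean
)

function Get-RemovableDriveIndicators {
    param([string]$Root)
    $findings = @()

    # 1. autorun.inf at the drive root: what AutoPlay would have executed
    $autorun = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings += [pscustomobject]@{ Type = 'autorun.inf'; Path = $autorun; Folder = $null }
    }

    # 2. RECYCLER folder: a clean removable drive does not have one by default
    $recycler = Join-Path $Root 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        $findings += [pscustomobject]@{ Type = 'RECYCLER folder'; Path = $recycler; Folder = $null }
    }

    # 3. A hidden folder with a visible .exe of the same name next to it
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force) {
        $hidden = ($dir.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $twin   = Join-Path $Root ($dir.Name + '.exe')
        if ($hidden -and (Test-Path -LiteralPath $twin)) {
            $findings += [pscustomobject]@{ Type = 'Disguised exe'; Path = $twin; Folder = $dir.FullName }
        }
    }
    return $findings
}

function Repair-RemovableDrive {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Findings)
    $hideBits = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    foreach ($f in $Findings) {
        switch ($f.Type) {
            'autorun.inf' {
                if ($PSCmdlet.ShouldProcess($f.Path, 'Remove')) { Remove-Item -LiteralPath $f.Path -Force }
            }
            'RECYCLER folder' {
                if ($PSCmdlet.ShouldProcess($f.Path, 'Remove recursively')) { Remove-Item -LiteralPath $f.Path -Recurse -Force }
            }
            'Disguised exe' {
                # Make the real folder visible again (undo the Hidden and System attributes)
                if ($PSCmdlet.ShouldProcess($f.Folder, 'Clear Hidden/System attributes')) {
                    $d = Get-Item -LiteralPath $f.Folder -Force
                    $d.Attributes = [IO.FileAttributes](([int]$d.Attributes) -band (-bnot $hideBits))
                }
                # Keep the dropped .exe for the AV scan but stop it from being launched by a click
                if ($PSCmdlet.ShouldProcess($f.Path, 'Rename to .quarantined')) {
                    Rename-Item -LiteralPath $f.Path -NewName ((Split-Path $f.Path -Leaf) + '.quarantined') -Force
                }
            }
        }
    }
}

$report = Get-RemovableDriveIndicators -Root $DriveRoot
if (-not $report) { "No indicators found on $DriveRoot"; return }
$report | Format-Table -AutoSize
if ($Clean) { Repair-RemovableDrive -Findings $report -WhatIf:$WhatIfPreference }
```

Usage: .\Check-RemovableDrive.ps1 -DriveRoot 'E:\' prints the report only; add -Clean -WhatIf to see what would be changed, then -Clean to apply it. The renamed .exe files are left on the drive so the updated antivirus can still scan them in the full-scan step.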
Once the system is infected, the antivirus program can detect the virus but can neither delete nor quarantine it. Moreover, Windows File Protection does not allow the files mentioned above to be deleted easily. They should therefore be deleted from another system.
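The cure says to unhook the entries made by java.dll and mfc48.dll with Autoruns or HijackThis but does not say where they live. The following read-only PowerShell check is an added example, not code from the original page: it walks the standard Run/RunOnce keys, the Winlogon Shell/Userinit values, AppInit_DLLs and every service ImagePath and prints any value whose data references one of the three files named on this page. The key list and the regular expression are assumptions; it changes nothing and is meant to be run as Administrator before and after the unhooking step to confirm the references are gone.

```powershell
# Added example, not from the original page. Read-only: lists autostart values
# that reference the three files named above. Assumes Windows PowerShell 3+.
# Regex over value data; the java.dll pattern includes its path so that a real
# JRE java.dll elsewhere on the system is not flagged.
$Suspect = 'mfc48\.dll|\\java\\classes\\java\.dll|kernel32\.sys'

# Common autostart locations (assumed list, not from the page)
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs
)
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspectAutostartEntries {
    param([string[]]$Keys, [string]$Pattern)
    $hits = @()
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }   # skip PowerShell's own metadata properties
            if ("$($p.Value)" -match $Pattern) {
                $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    # Services and drivers: a .sys dropped into %System% would normally be loaded from here
    foreach ($svc in Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and ("$img" -match $Pattern)) {
            $hits += [pscustomobject]@{ Key = $svc.PSPath; Name = 'ImagePath'; Value = $img }
        }
    }
    return $hits
}

$found = Get-SuspectAutostartEntries -Keys $AutostartKeys -Pattern $Suspect
if ($found) { $found | Format-Table -AutoSize -Wrap } else { 'No autostart value references the listed files.' }
```

Any hit it prints is a candidate for removal with Autoruns or HijackThis; the script itself only reports, so the decision about each entry stays with the person doing the cleanup.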
Detailed information on this virus is available at http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=63475