Comments for Nilpo.com http://www.nilpo.com Ask the Windows Guru! Fri, 05 Sep 2008 23:53:09 +0000 http://wordpress.org/?v=2.3.1 Comment on Removing Desktop_.ini Virus (W32.Fujacks.E) by Nilpo http://www.nilpo.com/2007/08/windows-xp/removing-desktop_ini-virus-w32fujackse/#comment-12552 Nilpo Fri, 05 Sep 2008 08:09:00 +0000 http://www.nilpo.com/2007/08/windows-xp/removing-desktop_ini-virus-w32fujackse/#comment-12552 There are several other variants of this virus. Their startup entries may be found under either or both of the following keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run The entry may look like any of the following: "svohost" = "FuckJacks.exe" "Fuckjacks" = "FuckJacks.exe" "svcshare"="spoclsv.exe" "logo1_.exe"="C:\WINDOWS\logo_1.exe" "ati3evx.exe" = "C:\WINDOWS\ati3evx.exe" "svohost" = "C:\WINDOWS\system32\FuckJacks.exe" "System Boot Check" = "%System%\sysload3.exe" "svchost" = "%Windir%\svchost.exe" "EXPLORER" = "C:\Program Files\Common Files\System\wab32res.exe..." In addition to the information found in this article, you should also look for and delete the following registry key, if it exists: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasautol You should also look for and delete the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe" There are several other variants of this virus. Their startup entries may be found under either or both of the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The entry may look like any of the following:

“svohost” = “FuckJacks.exe”
“Fuckjacks” = “FuckJacks.exe”
“svcshare”=”spoclsv.exe”
“logo1_.exe”=”C:\WINDOWS\logo_1.exe”
“ati3evx.exe” = “C:\WINDOWS\ati3evx.exe”
“svohost” = “C:\WINDOWS\system32\FuckJacks.exe”
“System Boot Check” = “%System%\sysload3.exe”
“svchost” = “%Windir%\svchost.exe”
“EXPLORER” = “C:\Program Files\Common Files\System\wab32res.exe…”

In addition to the information found in this article, you should also look for and delete the following registry key, if it exists:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasautol

You should also look for and delete the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\”StubPath” = “%System%\[RANDOM].exe”

]]> Comment on Removing Desktop_.ini Virus (W32.Fujacks.E) by Prakash http://www.nilpo.com/2007/08/windows-xp/removing-desktop_ini-virus-w32fujackse/#comment-12549 Prakash Fri, 05 Sep 2008 06:29:07 +0000 http://www.nilpo.com/2007/08/windows-xp/removing-desktop_ini-virus-w32fujackse/#comment-12549 Hi, After trying to remove Desktop_.ini as per given instruction by you,,, virus could not remove permanantly. “svcshare”=”%System%\Drivers\spoclsv.exe” This value could not found in registry. What is next solution for removing Desktop_.ini virus. Prakash Hi,

After trying to remove Desktop_.ini as per given instruction by you,,, virus could not remove permanantly.

“svcshare”=”%System%\Drivers\spoclsv.exe”

This value could not found in registry. What is next solution for removing Desktop_.ini virus.

Prakash

]]> Comment on Force Files to Download Instead of Opening by Nilpo http://www.nilpo.com/2007/11/apache/force-files-to-download-instead-of-opening/#comment-11730 Nilpo Mon, 25 Aug 2008 18:08:25 +0000 http://www.nilpo.com/2007/11/apache/force-files-to-download-instead-of-opening/#comment-11730 No problem at all. I'm glad you found this tip helpful! No problem at all. I’m glad you found this tip helpful!

]]> Comment on Force Files to Download Instead of Opening by Rob http://www.nilpo.com/2007/11/apache/force-files-to-download-instead-of-opening/#comment-11719 Rob Mon, 25 Aug 2008 15:57:05 +0000 http://www.nilpo.com/2007/11/apache/force-files-to-download-instead-of-opening/#comment-11719 Hey, Thanks for the tip! I have been trying to get this result for a few hours now. I have set up HTML email signatures for everyone in my office with a link to download our Vcards, but the vcfs keft displaying in the browser. Thank you very much! Hey,
Thanks for the tip! I have been trying to get this result for a few hours now. I have set up HTML email signatures for everyone in my office with a link to download our Vcards, but the vcfs keft displaying in the browser. Thank you very much!

]]> Comment on Cannot Change Desktop Wallpaper by Nilpo http://www.nilpo.com/2008/03/windows-xp/cannot-change-desktop-wallpaper/#comment-11108 Nilpo Fri, 15 Aug 2008 17:22:32 +0000 http://www.nilpo.com/2008/03/windows-xp/cannot-change-desktop-wallpaper/#comment-11108 Link fixed. Thank you. Link fixed. Thank you.

]]> Comment on Cannot Change Desktop Wallpaper by gtsamis http://www.nilpo.com/2008/03/windows-xp/cannot-change-desktop-wallpaper/#comment-11103 gtsamis Fri, 15 Aug 2008 17:09:36 +0000 http://www.nilpo.com/2008/03/windows-xp/cannot-change-desktop-wallpaper/#comment-11103 Your link to the reg file is not working... Your link to the reg file is not working…

]]> Comment on Creating a Catchall Subdomain in Apache by Apache » Blog Archive » Creating a Catchall Subdomain in Apache http://www.nilpo.com/2007/07/apache/creating-a-catchall-subdomain-in-apache/#comment-10656 Apache » Blog Archive » Creating a Catchall Subdomain in Apache Sun, 10 Aug 2008 00:07:02 +0000 http://www.nilpo.com/2007/07/apache/creating-a-catchall-subdomain-in-apache/#comment-10656 [...] More … [...] […] More … […]

]]> Comment on Scripting the Clipboard Contents in WSH by Nilpo http://www.nilpo.com/2007/08/windows-xp/scripting-the-clipboard-contents-in-wsh/#comment-9319 Nilpo Sun, 27 Jul 2008 07:09:38 +0000 http://www.nilpo.com/2007/08/windows-xp/scripting-the-clipboard-contents-in-wsh/#comment-9319 I agree completely. Unfortunately, since VBScript and WSH are no longer being actively developed it doesn't appear we'll be seeing that feature added. I agree completely. Unfortunately, since VBScript and WSH are no longer being actively developed it doesn’t appear we’ll be seeing that feature added.

]]> Comment on Scripting the Clipboard Contents in WSH by GL http://www.nilpo.com/2007/08/windows-xp/scripting-the-clipboard-contents-in-wsh/#comment-8755 GL Tue, 22 Jul 2008 18:25:55 +0000 http://www.nilpo.com/2007/08/windows-xp/scripting-the-clipboard-contents-in-wsh/#comment-8755 Thanks for the code snippet. If the people at Microsoft would just use their own software for 15 minutes they would see that a wscript get/set clipboard data fn. would be a commonly needed operation. Thanks for the code snippet. If the people at Microsoft would just use their own software for 15 minutes they would see that a wscript get/set clipboard data fn. would be a commonly needed operation.

]]> Comment on Removing VirtuMonde Virus by Virtumonde Removal http://www.nilpo.com/2007/08/windows-xp/removing-virtumonde-virus/#comment-4223 Virtumonde Removal Thu, 24 Apr 2008 19:20:05 +0000 http://www.nilpo.com/2007/08/windows-xp/removing-virtumonde-virus/#comment-4223 combofix is good stuff. I use it all the time in the field. For Virtumonde and the Vundo threat I like to do a system restore first if the computer was recently infected. Then after the restore run spybot, ad-aware, vundofix, highjackthis and then combofix if needed. combofix is good stuff. I use it all the time in the field. For Virtumonde and the Vundo threat I like to do a system restore first if the computer was recently infected. Then after the restore run spybot, ad-aware, vundofix, highjackthis and then combofix if needed.

]]>