strawberry virus

Discussion in 'NOD32 version 2 Forum' started by jezreel, Oct 24, 2007.

Thread Status:
Not open for further replies.
  1. jezreel
    jezreel Registered Member

    Hi sir,

    Many of our clients here in the Philippines have encountered this problem. Every time they boot up their computer, they always encounter a message that appears like this:
    "PROMISE?? I am still waiting for the strawberry coming from my baguio pls. Help!."
    This is a serious problem right now here in our country. This virus was detected by NOD32 but cannot be deleted. We cannot give you a screenshot because the message happens during boot-up. We need an immediate response regarding this problem as soon as possible.


    Thanks

    Jezreel Q. Lobo
    TSG- Technology Support Group
    Valueline Systems & Solurions Corp
    # 23 J& L bldg. Matalino st.
    Diliman Quezon City 1100
    Philippines
  2. ASpace
    ASpace Guest

    If NOD32 detects something, it should be able to clean it as well.
    Try in Safe Mode first.
  3. The Hammer
    The Hammer Registered Member

    What's Eset calling this "strawberry virus" anyway?
  4. jezreel
    jezreel Registered Member


    We tried Safe Mode but we can't delete this virus.


    Mode of Transfer: USB, Fixed/Portable HDD

    Target: Internet Explorer, Registry, MSConfig, Autorun.inf

    Effects: Every Mass Storage Device linked to the infected PC will be inserted with an autorun file which will trigger the Windows Scripting Service to run its main file “FS6519.dll.vbs”, which is marked as a system file and is in the root directory of the Drive.
  5. jezreel
    jezreel Registered Member

    ESET did not reply to solve this problem. We will wait until tomorrow to see how to deal with this unsolved virus.
  6. ASpace
    ASpace Guest

  7. anotherjack
    anotherjack Registered Member

    If it's an actual VBS file, you should be able to just stop the WSCRIPT.EXE or CSCRIPT.EXE process in task manager, then delete the file itself. If you have any VBScript programming experience, open the VBS file in a text editor and you can see what it does and take it from there. The odds are that it's put itself in the HKLM....Run registry key so that it starts up automatically when the system starts. If that's the case, delete that entry from the registry and remove the autorun.inf file from the removable media.
  8. aigle
    aigle Registered Member

  9. louiemsp
    louiemsp Registered Member

    Maybe the virus itself was already deleted by NOD32; all you have to do now is edit the registry...

    Removing Autostart Entry from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup.

    If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
    WindowNT = "%System%\exiplorer.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

    Removing Added Registry Entries

    1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
    2. In the right panel, locate and delete the entry:
    LegalNoticeCaption = "PROMISEo_O"
    3. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
    4. In the right panel, locate and delete the entry:
    LegalNoticeText = "I am still waiting for the strawberry coming from my Baguio! Pls.. Help!"
    5. Close Registry Editor.

    Restoring AUTORUN.INF

    1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    2. In the Named input box, type:
    AUTORUN.INF
    3. In the Look In drop-down list, select a drive, then press Enter.
    4. Select the file, then open using Notepad.
    5. Check if the following lines are present in the file:
    [autorun]
    shellexecute= {Malware file name}.exe
    6. If the lines are present, delete the file.
    7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
    8. Close Search Results.
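
The AUTORUN.INF check from step 5 of the post above, as an added example that is not part of the thread: it parses an autorun.inf and lists launch entries that point at a script or executable, covering the `open` and `shell\...\command` keys as well as `shellexecute`. The sample file contents are constructed (reusing the FS6519.dll.vbs name reported earlier in the thread), and the extension list and function names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Extensions a removable drive's autorun.inf has no business launching (assumed list).
RISKY_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr", ".pif", ".com", ".exe"}
# [autorun] keys that make Windows start a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# Script hosts / shells that may precede the real target on the command line.
HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe", "cmd", "cmd.exe", "start"}
# Constructed samples; the file name is the one reported in the thread.
SAMPLE_INFECTED = "[AutoRun]\nshellexecute=wscript.exe FS6519.dll.vbs\nshell\\open\\command = wscript.exe FS6519.dll.vbs\n"
SAMPLE_CLEAN = "; constructed benign file\n[autorun]\nicon=drive.ico\nlabel=Backup\n"

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_target(value):
    """Return the file a launch command points at, skipping hosts and switches."""
    for token in re.findall(r'"[^"]*"|\S+', value):
        token = token.strip('"')
        if token.lower() not in HOSTS and not token.startswith("/"):
            return token
    return ""

def suspicious_entries(text):
    """List (key, target) pairs whose target is a script or executable."""
    hits = []
    for key, value in parse_autorun(text).items():
        target = launch_target(value)
        if LAUNCH_KEYS.match(key) and PureWindowsPath(target).suffix.lower() in RISKY_EXT:
            hits.append((key, target))
    return hits

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, suspicious_entries(sample))
```
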
  10. thanatos_theos
    thanatos_theos Registered Member

  11. thanatos_theos
    thanatos_theos Registered Member

    Were you able to remove the worm?

    thanatos