strawberry virus

Discussion in 'NOD32 version 2 Forum' started by jezreel, Oct 24, 2007.

Thread Status:
Not open for further replies.
  1. jezreel

    jezreel Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    4
    Hi sir,

    Many of our clients here in the Philippines have encountered this problem. Every time they boot up their computer, a message like this appears:
    "PROMISE?? I am still waiting for the strawberry coming from my baguio pls. Help!."
    This is a serious problem right now here in our country. This virus was detected by NOD32 but cannot be deleted. We cannot give you a screenshot because the message happens during boot up. We need an immediate response regarding this problem as soon as possible.


    Thanks

    Jezreel Q. Lobo
    TSG- Technology Support Group
    Valueline Systems & Solurions Corp
    # 23 J& L bldg. Matalino st.
    Diliman Quezon City 1100
    Philippines
     
  2. ASpace

    ASpace Guest

    If NOD32 detects something, it should be able to clean it as well.
    Try in Safe Mode first.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    What's Eset calling this "strawberry virus" anyway?
     
  4. jezreel

    jezreel Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    4

    We tried Safe Mode but we can't delete this virus.


    Mode of Transfer: USB, Fixed/Portable HDD

    Target: Internet Explorer, Registry, MSConfig, Autorun.inf

    Effects: Every Mass Storage Device linked to the infected PC will be inserted with an autorun file which will trigger the Windows Scripting Service to run its main file “FS6519.dll.vbs”, which is marked as a system file and is in the root directory of the Drive.
     
  5. jezreel

    jezreel Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    4
    Eset did not reply to solve this problem. We will wait until tomorrow for how to resolve this unsolved virus.
     
  6. ASpace

    ASpace Guest

  7. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    If it's an actual VBS file, you should be able to just stop the WSCRIPT.EXE or CSCRIPT.EXE process in task manager, then delete the file itself. If you have any VBScript programming experience, open the VBS file in a text editor and you can see what it does and take it from there. The odds are that it's put itself in the HKLM....Run registry key so that it starts up automatically when the system starts. If that's the case, delete that entry from the registry and remove the autorun.inf file from the removable media.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  9. louiemsp

    louiemsp Registered Member

    Joined:
    Oct 24, 2007
    Posts:
    2
    Maybe the virus itself was already deleted by NOD32; all you have to do now is edit the registry...

    Removing Autostart Entry from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup.

    If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
    WindowNT = "%System%\exiplorer.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

    Removing Added Registry Entries

    1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
    2. In the right panel, locate and delete the entry:
    LegalNoticeCaption = "PROMISEo_O"
    3. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
    4. In the right panel, locate and delete the entry:
    LegalNoticeText = "I am still waiting for the strawberry coming from my Baguio! Pls.. Help!"
    5. Close Registry Editor.

    Restoring AUTORUN.INF

    1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    2. In the Named input box, type:
    AUTORUN.INF
    3. In the Look In drop-down list, select a drive, then press Enter.
    4. Select the file, then open using Notepad.
    5. Check if the following lines are present in the file:
    [autorun]
    shellexecute= {Malware file name}.exe
    6. If the lines are present, delete the file.
    7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
    8. Close Search Results.
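
The AUTORUN.INF check in steps 4 to 6 above, as an added Python example (not part of louiemsp's post and not an ESET tool) for auditing many drives' files at once. It goes beyond the single `shellexecute=` line to the other launch keys (`open=`, `shell\<verb>\command=`); the sample file contents are constructed, using the FS6519.dll.vbs name reported earlier in the thread.

```python
import re

# [autorun] keys that make Explorer start a program from the drive.
EXEC_KEYS = ("open", "shellexecute")
SCRIPT_HOSTS = ("wscript", "cscript")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")

# Constructed samples (not copied from a real drive); the script name is the
# one reported earlier in the thread.
SAMPLE_INFECTED = """\
[AutoRun]
ShellExecute=wscript.exe FS6519.dll.vbs
shell\\open\\command=wscript.exe FS6519.dll.vbs
"""
SAMPLE_BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup Disk\n"


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return (key, command, reason) for every entry that launches something."""
    findings = []
    for key, cmd in parse_autorun(text).items():
        launches = key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key)
        if not launches or not cmd:
            continue
        names = [t.strip('"').lower().rsplit("\\", 1)[-1] for t in cmd.split()]
        if any(n.split(".")[0] in SCRIPT_HOSTS for n in names):
            reason = "invokes Windows Script Host"
        elif any(n.endswith(SCRIPT_EXTS) for n in names):
            reason = "runs a script file"
        else:
            reason = "launches a program from the drive"
        findings.append((key, cmd, reason))
    return findings
```

To check a real drive, pass the text of its AUTORUN.INF to `audit_autorun()`; an empty list means the file contains no launch entries.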
     
  10. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
  11. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Were you able to remove the worm?

    thanatos
     