Friday, October 5, 2007

ISDLL.DLL.VBS ... The worm that spreads thru ur pendrive

Is ur system slow, and does nothing seem to happen when u double click ur c drive or any other drive except ur cd rom drive? And even if it opens, does it open in a new window?

Bad news for u..

Ur system is infected and the culprit is a file named ISDLL.DLL.VBS.
This is a script file virus.

How did it get inside ur system
-------------------------------------
Via ur pendrive / mobile

but who ran the script in the first place?
------------------------------------------
sadly the answer is U urself did it.

How it acts
----------------
There are a lot of worms today that spread using pendrives - one of the most famous ones is win32/ahkheap.a (famous bcoz it shows the user something is wrong, as they cannot browse certain sites like orkut, youtube etc. and it prevents firefox from opening, so users are aware of their system's problem).

This one spreads the same way: when a pendrive is plugged into an infected system the virus makes a copy of itself inside the pendrive in the recycler folder as the file autorun.exe (if u check the properties it has microsoft as the company name with arabic written, or some boxes appear after microsoft [if arabic language pack is not installed], and the size is around 32kb or so).

How to remove it
-----------------------

step 1: Bring up ur task manager by pressing these buttons together: Ctrl + Shift + Esc,
or use process explorer from microsoft sysinternals.
step 2: Now stop all instances of wscript.exe from the process tab (right click on the image name wscript.exe and select stop process tree). Make sure u have stopped all wscript.exe.
step 2a: Now select folder options and make sure that u can see all hidden and protected operating system files (detailed instructions available on this topic here:
http://dennyphilip.blogspot.com/2007/08/show-hidden-files-and-folders.html).
If u cannot see ur folder options at all (where did the folder options go??) follow the instructions in this page and come back to this page:
http://dennyphilip.blogspot.com/2007/08/no-folder-options.html

step 3: Once this is done open my computer, and after it is open press these keys together: Ctrl+F, to bring the search pane up on ur "My computer".
Now make sure u have checked hidden files, protected operating system files, search system files (all the three in a row should be checked).
step 4: Search for isdll.dll.vbs or isdll*.* by typing any one of these in the search bar.
Wait for all the results to appear and select the results by pressing Ctrl + A, or click and drag a selection box around the results. Delete all instances of isdll.dll.vbs files by pressing Shift + Del buttons together. If u r unable to see any file redo step 2a again.
If u are denied access to the file redo step 2.
If even after doing it right u cant see the files, open file location by the right click menu on the file,
then follow the instructions given here:
http://dennyphilip.blogspot.com/2007/08/manualy-unhide-files.html
Then search for autorun.exe inside the recycler folder in all removable media, including ur pendrives and mobile, and delete it.

step 5: Now go to the search bar and search for autorun.inf in all ur harddisks (say C:, D:, E: etc.) and ur pendrive or any other devices connected to ur pc. Delete the files in the root (i.e. in C: the autorun.inf in C: [file path will be c:\autorun.inf]). Delete the files in the root of all the drives except in cd roms (in cd roms they help to launch a file, say a set up file, when u put a cd in the drive; no harm there, and the worm doesn't have cd writing capabilities, at least yet).
Now once u have deleted all these files, delete any system restore points u have made earlier and create a new one (as the virus may have copies of itself stored in the system backup).

Restart ur system and check if u can open c: by double clicking the icon in my computer. If it opens u are good to go and u have cleaned ur system manually. Congrats. If not, read this post again carefully and do exactly as it is said. If u have questions, please post in the comments section below by clicking comments, and a popup will open with space for writing ur comment.
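
The searches from the steps above as a script, added here as an example and not part of the original post: it walks one drive and reports any isdll.dll.vbs, any autorun.exe under a recycler folder, and a root autorun.inf together with the commands it would launch. The function names and the sample autorun.inf contents are assumptions constructed for the demo; the post does not show the worm's own autorun.inf.

```python
import os
import tempfile

WORM_SCRIPT = "isdll.dll.vbs"   # file name from the post
DROPPER = "autorun.exe"         # copy the post says sits in the recycler folder

def autorun_targets(inf_path):
    """Return every command an autorun.inf would launch (open=, shellexecute=, shell\\...\\command=)."""
    targets = []
    with open(inf_path, encoding="latin-1") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if sep and (key in ("open", "shellexecute") or is_verb):
                targets.append(value.strip())
    return targets

def scan_drive(root):
    """Walk one drive (e.g. 'E:\\') and list the artifacts named in the post."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        rel = os.path.relpath(folder, root).lower()
        for name in files:
            low, path = name.lower(), os.path.join(folder, name)
            if low == WORM_SCRIPT:
                findings.append(("worm script", path, []))
            elif low == DROPPER and "recycler" in rel.split(os.sep):
                findings.append(("dropper", path, []))
            elif low == "autorun.inf" and rel == ".":  # only the drive root matters
                findings.append(("autorun.inf", path, autorun_targets(path)))
    return findings

def demo():
    """Scan a constructed 'pendrive' built in a temp dir (sample data, not the real worm)."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "RECYCLER"))
        samples = {
            "autorun.inf": "[autorun]\nopen=RECYCLER\\autorun.exe\n"
                           "shell\\open\\command=RECYCLER\\autorun.exe\n",
            os.path.join("RECYCLER", "autorun.exe"): "",
            "isdll.dll.vbs": "",
            "notes.txt": "harmless",
        }
        for rel, text in samples.items():
            with open(os.path.join(drive, rel), "w") as fh:
                fh.write(text)
        return [(kind, os.path.relpath(p, drive), t) for kind, p, t in scan_drive(drive)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Call scan_drive on the root of each hard disk and removable drive; it only reports, so deleting stays a manual step, and an autorun.inf reported on a cd rom is expected.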
