Virus alert: Sysres.vbs (malware)


Threat name: Vbs.Autorun.FM

Type: Malware

Filename: [Win32Root]\sysres.vbs

Threat: Whenever a removable drive is inserted, the following files are copied over:

Autorun.inf
ntdir.vbs

Manual Solution:

  1. Reboot the system into safe mode.
  2. Go to C:\Windows, look for Sysres.vbs and delete it.
  3. Open Regedit, search for Sysres.vbs and delete all values that it has.
  4. Also in Regedit, search for ntdir.vbs and radz_services.vbs and delete all values that they have.
  5. Reboot.
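
A read-only check for the file names in this alert, as an added example that is not part of the original post. It reports registry values and files and deletes nothing. The list of registry keys (common autostart locations) and the function names `Find-RegistryReference` and `Find-DroppedFile` are assumptions; the alert itself only says to search the whole registry in Regedit.

```powershell
# Added example: report-only audit for the file names listed in this alert.
$names   = 'sysres.vbs', 'ntdir.vbs', 'radz_services.vbs'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Assumption: these autostart keys are where a startup script is usually
# registered. The alert does not name specific keys.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Find-RegistryReference {
    param([string[]]$Path, [string]$Pattern)
    foreach ($key in $Path) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            # Cast to string so multi-string values are searched as well
            $data = [string]$item.GetValue($valueName)
            if ($data -match $Pattern) {   # -match is case-insensitive
                [pscustomobject]@{ Key = $key; Value = $valueName; Data = $data }
            }
        }
    }
}

function Find-DroppedFile {
    param([string[]]$Root, [string[]]$Name)
    foreach ($r in $Root) {
        foreach ($n in $Name) {
            # -Force includes files marked hidden or system
            Get-Item -LiteralPath (Join-Path $r $n) -Force -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime, Attributes
        }
    }
}

# Roots of removable drives that are currently inserted and readable
$removable = @([System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName })

Find-RegistryReference -Path $keys -Pattern $pattern | Format-List
Find-DroppedFile -Root $env:windir -Name 'sysres.vbs'
# An Autorun.inf on a removable drive is not malicious by itself; review its contents.
Find-DroppedFile -Root $removable -Name 'Autorun.inf', 'ntdir.vbs'
```

Empty output means none of the checked keys or locations reference these names; it does not replace the full registry search in steps 3 and 4.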

Other Related Topics:

How to remove a Trojan, Virus, Worm, or other Malware.

How to remove sowar.vbs and sysres.vbs.


10 Comments »

  1. thanks so much, will pass it on!

    Comment by Jan Tallent — September 19, 2008 @ 8:18 pm

  2. Autorun.inf
    ntdir.vbs
    radz_services.vbs
    c:\windows\sysres.vbs

    Manual Solution:

    1. Reboot System into safe mode
    2. Click My Computer –> Tools –> Folder options –> View –> tick: show hidden files and folders –> untick: Hide extensions for known file types –> untick: Hide protected operating system files (Recommended)
    3. Go to C:\Windows and look for Sysres.vbs and delete.
    4. Go to regedit and search for Sysres.vbs and delete all values that it has.
    5. Also in regedit search for ntdir.vbs and radz_services.vbs and delete all values that it has.
    6. Insert your WindowsXP Prof SP2 or SP3 Installer CD.
    7. Navigate on I386 folder and copy Ntdetect.com
    8. Overwrite C:\Ntdetect.com
    9. Restart and boot to your WinXP SP2 or SP3 installer CD
    10. Select “R” for REPAIR
    11. Choose 1: C
    12. C:\Windows prompt will appear then type “FIXMBR”
    13. Answer “Y” for Yes
    14. Type Exit
    15. Voila, your computer is fully restored

    Comment by electrogoodie — September 23, 2008 @ 3:16 am

  3. @electrogoodie Thanks man for the detailed solution! You are the man!

    Comment by admin — September 23, 2008 @ 4:33 am

  4. The author of the said malware speaks. He has his antidote and just visit his website. You know why he created such script? Just to protect the following:

    * Internet Explorer HOMEPAGE – Protect from Pornographic Websites.
    * Task Manager – Protect from Disable.
    * Registry – Protect from Disable.
    * Flash Drives/USB – To Protect from Auto running of Virus.
    * Local Drives – To Protect from Auto running of Virus.

    Comment by electrogoodie — September 27, 2008 @ 12:57 pm

  5. Where can I find regedit?

    Comment by jay — November 2, 2008 @ 8:43 pm

  6. Start -> Run -> type regedit or press Start+R and type regedit and press ok

    Comment by admin — November 2, 2008 @ 9:21 pm

  7. As for my experience, the other vbs file was ntidr.vbs instead of NTDIR.vbs.

    Everything was the same.

    Thanks

    Comment by securityguy — January 12, 2009 @ 4:26 am

  8. What if I can't enter into Run? Error: disabled administrator

    Comment by NENEL — February 2, 2009 @ 6:21 pm

  9. Sir, I encountered a type of virus: sowar.vbs and auto.vbs
    new folder.exe

    Comment by NENEL — February 2, 2009 @ 6:24 pm
