How to completely remove the W32.Novarg@mm (Novarg.A/MyDoom.A/Shimgapi) virus by hand
Author: FILSECLAB (Original Article)
Date: 1/30/2003
Remarks: To reprint, please indicate the source as FILSECLAB

On 1/27/2004 a new epidemic virus, W32.Novarg@mm (aliases: Novarg.A@mm, MyDoom.A, Shimgapi), caused widespread damage, spreading no less quickly than the Sobig.F virus. Twister Virus Definition v508400 (2004.1.29) or later can completely remove this virus, and Twister's Realtime Scan Engine can block the virus from being saved or run. If you do not have the Twister Anti-TrojanVirus software, you can use the following method to remove the virus manually.

* Attention: This method has only been tested on Windows 2000/XP/2003/NT. The steps differ somewhat on Windows 9x/ME; you can also use Twister Anti-TrojanVirus to remove the virus on Windows 9x/ME.

(A) How to prevent W32.Novarg@mm/MyDoom.A/Shimgapi virus infections?

This virus spreads via e-mail. If you receive an e-mail with the following features, we suggest you delete it immediately.
  • The e-mail subject is: Test, Hi, Hello, Mail Delivery System, Mail Transaction Failed, Server Report, Status or Error.
  • The e-mail body is sometimes random data, or is one of:
    1. The message contains Unicode characters and has been sent as a binary attachment.
    2. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    3. Mail transaction failed. Partial message is available.
    4. test
    5. NULL
  • The e-mail has an attachment named document, readme, doc, text, file, data, test, message or body, with the extension zip, bat, cmd, exe, scr or pif.

Deleting these e-mails can block most infections by this virus. If your computer has already been infected, you can use the following method to remove the virus manually.
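
The subject and attachment indicators from section (A), written as a mail check. This is an added example, not part of the original article. The rule that only an attachment match quarantines a message, the verdict names and the sample messages are assumptions made for this example.

```python
import email
from email import policy

# Indicator lists copied from section (A) of this page.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data",
                "test", "message", "body"}
ATTACH_EXTS = {"zip", "bat", "cmd", "exe", "scr", "pif"}

def attachment_matches(filename):
    """True when both the base name and the extension are on the lists."""
    stem, dot, ext = filename.strip().lower().rpartition(".")
    return bool(dot) and stem in ATTACH_NAMES and ext in ATTACH_EXTS

def check_message(raw):
    """Return (verdict, hits) for one raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # visits every MIME part, nested ones included
        name = part.get_filename()
        if name and attachment_matches(name):
            hits.append("attachment:" + name.strip().lower())
    # Assumption: subjects such as "Hi" are common in normal mail, so only
    # an attachment match quarantines; a subject match alone is flagged.
    if any(h.startswith("attachment:") for h in hits):
        return "quarantine", hits
    return ("review" if hits else "pass"), hits

# Constructed sample messages (not captured traffic).
SUSPECT = (
    'Subject: Mail Transaction Failed\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\n'
    'Mail transaction failed. Partial message is available.\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="Message.SCR"\n\n'
    'constructed-placeholder\n--b1--\n')
BENIGN = 'Subject: Hello\n\nLunch on Friday?\n'

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, check_message(raw))
```

Matching is case-insensitive, so an attachment named "Message.SCR" is caught, while a listed subject with no matching attachment is only marked for review.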

(B) How to completely remove the W32.Novarg@mm (Novarg.A/MyDoom.A/Shimgapi) virus by hand

Step 1: Configure Microsoft Windows Explorer to show all files, because most viruses and Trojan horses can hide themselves. If you have already done this, you may skip this step.

1. Click Start, point to Settings, click Control Panel, and then click Folder Options.
2. In the Folder Options dialog box, click the View tab.
3. In the Advanced settings box, deselect "Hide protected operating system files (Recommended)".
4. Select "Show hidden files and folders".
5. Deselect "Hide file extensions for unknown file types".
6. Click OK to save the changes.

Step 2: Click Start, then click Run, type "regedit" and press Enter to open Registry Editor. Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key and look for the TaskMon entry in the list on the right. If it is not found, your computer may not be infected; you may skip this step and continue with the following steps. If it is found, double-click it and note its Data Value, which is a path and filename. Usually it is "C:\WINNT\System32\taskmon.exe", but this is not fixed: if your OS is Windows 98 installed on disk D, the path is "D:\Windows\System\taskmon.exe". After you have noted it, delete the "TaskMon" entry.

Then search the Registry for the key HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} and delete all of the {E6FB5E20-DE35-11CF-9C87-00AA005127ED} keys.

Step 3: Press Ctrl+Alt+Del, open Task Manager, click the Processes tab and look for the taskmon.exe process. If it is found, select it and click End Process to kill it.

Step 4: Open My Computer, go to the path you noted in Step 2, find taskmon.exe and shimgapi.dll, and delete them.

Once all of the steps have been completed correctly, the Trojan has been completely removed.
