VALUE HAS A VALUE IF ITS VALUE IS VALUED

This virus/worm installs itself in autorun.inf and once double click it will spread itself unto your system. Furthermore, it copies itself through all the shared folders on your computers throughout the network and installs itself in the registry entries remotely.

Here are indication that your computer is infected with this virus.

• This virus/worm blocks the task manager

The worm changes the registry to prevent running task manager and editing registry for harder detection.

• It automatically restarts the computer when you try to go to the command prompt.

• It duplicates itself to different locations of the shared folders. The duplicated virus/worm uses a FOLDER icon with an .exe file extension. WARNING! DO NOT double click these folders.

• It autostart via registry keys Windows->Run and add itself to WinNT->WinLogon->Explorer.exe

How to remove the virus

You can use NOD32 or any strong antovirus programs to remove this virus but if you don’t have a anti-virus or your antivirus can’t remove this virus try following the steps below to remove it manually.

• Boot your system in Safe Mode Command Prompt Only

• After you log-in the command prompt will be opened (LOG-IN AS ADMINISTRATOR).

• Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows System files are located at Drive C)

• Type DIR /ah, this will display all hidden files on this directory folder. You will see the following files which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE

• Type ATTRIB -H -R -S SCVHOST.EXE

• Type ATTRIB -H -R -S BLASTCLNNN.EXE

• Type ATTRIB -H -R -S AUTORUN.INI

• Type DEL SCVHOST.EXE

• Type DEL BLASTCLNNNN.EXE

• Type DEL AUTORUN.INI

• Type CD\

• Type ATTRIB -H -R -S AUTORUN.INF

• Type DEL AUTORUN.INF

After following the steps on removing the virus/worm files, the virus should now be removed from the registry of your system.

• At the command prompt type REGEDIT and press ENTER key. This will run the Registry Editor

• From the registry, look for the keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, you will see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, Delete this entry.

• Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, there’s an entry named: SHELL, it has a value = Explorer.exe SCVHOST.EXE , DON’T delete this entry!!! Just edit this entry and REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that remains from this registry entry.

After carefully following all the steps restart your computer on normal mode and the virus should now be gone.