We use cookies to ensure that we give you the best experience on our website. By continuing to browse, we are assuming that you have no objection in accepting cookies. You can change your cookie settings at any time.

Close

BullGuard Support

Vi er her 24/7 for at hjælpe dig.


Send en e-mail til vores support team og får svar i løbet af 24 timer.


 

 

How to remove Worm.VB.Ymeak.A



THREAT NAME

Worm.VB.Ymeak.A

 

CLEAN INSTRUCTIONS
1. Restart the system in Safe mode.

 

2. Open Windows Explorer and go to C:\Documents and Settings\All users\Start Menu\Programs\Startup.

 

3. Locate and delete the svchost.exe file.

 

4. Navigate to C:\Windows folder.

 

5. Locate and delete the b.exe file.


SYMPTOMS
1. You can't open cmd, ipconfig, netstat, ping, regedit, regedt32, taskkill, taskmgr and tracert.

2. Your P2P file sharing program may launch itself automatically.

3. You may find a directory called "_" (underscore) in the shared folder of your P2P application.

 

4. Increased network activity.


DESCRIPTION
1. When executed it will create a copy of itself in C:\Documents and Settings\All users\Start Menu\Programs\Startup
with the name svchost.exe.

2. It shows a fake message saying The setup file is corrupted.

3. After that it will launch the svchost.exe copy and the original instance will end the execution.

4. This one will search the C:\Windows folder for the following applications:


winlog.exe
p2pnetworking.exe
scvhost.exe
winlogi.exe
p2pnetwork.exe

5. If it can't find any of those then it will drop a file (backdoor) called b.exe in the C:\Windows folder.

6. It will create a subfolder called "_" in the shared folder of the following P2P applications:


BearShare
Limewire
Morpheus
Shareaza

7. It opens the following programs for exclusive access, in order to prevent detection:


cmd.exe
ipconfig.exe
netstat.exe
ping.exe
regedit.exe
regedt32.exe
taskkill.exe
taskmgr.exe
tracert.exe


Author:
The BullGuard Team



00: 00: 00: 00
Dage Timer Minutter Sekunder
Close