Windows Script Host Question.

[Roy]

Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

 

[Ramesh, MS-MVP]

FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:
http://www.mapuaownage.com/forums/showthread.php?p=73191

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com


Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

 

[Roy]

FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:http://www.mapuaownage..com/forums/showthread.php?p=73191

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com


Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc

Roy

 

[Ramesh, MS-MVP]

Roy,

Can you check if there is an autorun.inf file present in the drives root folder?

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:http://www.mapuaownage.com/forums/showthread.php?p=73191

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com


Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc

Roy

 

[Roy]

Roy,

Can you check if there is an autorun.inf file present in the drives root folder?

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:http://www.mapuaownage.com/forums/showthread.php?p=73191
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

"Roy" <[email protected]> wrote in messagenews:[email protected]...

Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc

Roy- Hide quoted text -

- Show quoted text -

Ramesh I can only find one file in the registry editor that is
in ,,,,HKEYUSERS....\Software\Microsoft\Search Assistant
\ACMru5603 ....
Is this related to the autoplay ?

 

[Roy]

Roy,

Can you check if there is an autorun.inf file present in the drives root folder?
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

"Roy" <[email protected]> wrote in messagenews:[email protected]...

FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:http://www.mapuaownage.com/forums/showthread.php?p=73191
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc

Roy- Hide quoted text -

- Show quoted text -

Ramesh I can only find one file in the registry editor that is
in ,,,,HKEYUSERS....\Software\Microsoft\Search Assistant
\ACMru5603 ....
Is this related to the autoplay ?- Hide quoted text -

- Show quoted text -

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy

 

[Ramesh, MS-MVP]

Nope. Search MRU is stored in that location.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

Roy,

Can you check if there is an autorun.inf file present in the drives root folder?
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

"Roy" <[email protected]> wrote in messagenews:[email protected]...

FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:http://www.mapuaownage.com/forums/showthread.php?p=73191
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy

Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc

Roy- Hide quoted text -

- Show quoted text -

Ramesh I can only find one file in the registry editor that is
in ,,,,HKEYUSERS....\Software\Microsoft\Search Assistant
\ACMru5603 ....
Is this related to the autoplay ?- Hide quoted text -

- Show quoted text -

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy

 

[Roy]

Nope. Search MRU is stored in that location.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Roy,
Can you check if there is an autorun.inf file present in the drives root folder?
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
FS6519.dll.vbs, Autoplay and TAGA LIPA ARE! TROJAN:http://www.mapuaownage.com/forums/showthread.php?p=73191
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Hello Group
I have just removed a malware Trojan called TAGA LIPA ARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but onlyby
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy
Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc
Roy- Hide quoted text -
- Show quoted text -

Ramesh I can only find one file in the registry editor that is
in ,,,,HKEYUSERS....\Software\Microsoft\Search Assistant
\ACMru5603 ....
Is this related to the autoplay ?- Hide quoted text -

- Show quoted text -

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -

- Show quoted text -

Thanks but there is only one autorun.inf being located...

 

[Ramesh, MS-MVP]

Roy,

You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -

- Show quoted text -

Thanks but there is only one autorun.inf being located...

 

[Ramesh, MS-MVP]

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:

- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer: http://forum.grisoft.cz/freeforum/read.php?4,91852,91854

It also sets the following attributes to the autorun.inf file:

- Archive
- System
- Hidden
- ReadOnly

That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.

So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com


Roy,

You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -

- Show quoted text -

Thanks but there is only one autorun.inf being located...

 

[Roy]

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:

- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer:http://forum.grisoft.cz/freeforum/read.php?4,91852,91854

It also sets the following attributes to the autorun.inf file:

- Archive
- System
- Hidden
- ReadOnly

That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.

So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com


Roy,

You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -

- Show quoted text -

Thanks but there is only one autorun.inf being located...

Hello Ramesh
I tried the drivers folder but could not find it either....
as I am not sure what you mean by the so called drive folder could
you please give me the precise path to reach that area?
TIA

 

[Ramesh, MS-MVP]

Try:
How do I enable Windows to Show/Hide all files?:
http://www.winxptutor.com/showallfiles.htm

After you enable Windows to show hidden *and* protected system files, follow these steps:

1. Open Task Manager (taskmgr.exe) and terminate all instances of wscript.exe processes.

2. Open My Computer, right-click the C:\ drive in My Computer, and choose "open"

3. Delete the two files named "Autorun.inf" and "FS6519.dll.vbs"

4. Similarly, delete the two files in the other drives also.

5. Start MSCONFIG.EXE, click the Startup tab and uncheck "FS6519.dll.vbs" and click OK

6. Delete the file "FS6519.dll.vbs" from C:\Windows, if present

7. Restart Windows

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:

- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer:http://forum.grisoft.cz/freeforum/read.php?4,91852,91854

It also sets the following attributes to the autorun.inf file:

- Archive
- System
- Hidden
- ReadOnly

That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.

So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com


Roy,

You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -

- Show quoted text -

Thanks but there is only one autorun.inf being located...

Hello Ramesh
I tried the drivers folder but could not find it either....
as I am not sure what you mean by the so called drive folder could
you please give me the precise path to reach that area?
TIA

 

[Roy]

Try:
How do I enable Windows to Show/Hide all files?:http://www.winxptutor.com/showallfiles.htm

After you enable Windows to show hidden *and* protected system files, follow these steps:

1. Open Task Manager (taskmgr.exe) and terminate all instances of wscript..exe processes.

2. Open My Computer, right-click the C:\ drive in My Computer, and choose"open"

3. Delete the two files named "Autorun.inf" and "FS6519.dll.vbs"

4. Similarly, delete the two files in the other drives also.

5. Start MSCONFIG.EXE, click the Startup tab and uncheck "FS6519.dll.vbs"and click OK

6. Delete the file "FS6519.dll.vbs" from C:\Windows, if present

7. Restart Windows

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:

- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer:http://forum.grisoft.cz/freeforum/read.php?4,91852,91854

It also sets the following attributes to the autorun.inf file:

- Archive
- System
- Hidden
- ReadOnly

That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.

So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Roy,

You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -
- Show quoted text -

Thanks but there is only one autorun.inf being located...

Hello Ramesh
I tried the drivers folder but could not find it either....
as I am not sure what you mean by the so called drive folder could
you please give me the precise path to reach that area?
TIA- Hide quoted text -

- Show quoted text -

Ramesh I had done already this direction when I removed the file
Autorun.inf" and "FS6519.dll.vbs" during my removal of the " TAGA LIPA
ARE " Trojan.
As you suggested I followed your procedures to the letter and I can't
find anymore of this abovementioned files.
Therefore I am at a loss how can I return back to normal where the
Autoplay is already removed from the C and D drive of my PC and when I
double click the mouse I can immediately open the two drives.
Have a nice weekend !

 

[Ramesh, MS-MVP]

Roy,

If you've removed the file from Startup, and from the root of each hard drive, then you're set. Follow-up with a Malware scan just in case.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

Try:
How do I enable Windows to Show/Hide all files?:http://www.winxptutor.com/showallfiles.htm

After you enable Windows to show hidden *and* protected system files, follow these steps:

1. Open Task Manager (taskmgr.exe) and terminate all instances of wscript.exe processes.

2. Open My Computer, right-click the C:\ drive in My Computer, and choose "open"

3. Delete the two files named "Autorun.inf" and "FS6519.dll.vbs"

4. Similarly, delete the two files in the other drives also.

5. Start MSCONFIG.EXE, click the Startup tab and uncheck "FS6519.dll.vbs" and click OK

6. Delete the file "FS6519.dll.vbs" from C:\Windows, if present

7. Restart Windows

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:

- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer:http://forum.grisoft.cz/freeforum/read.php?4,91852,91854

It also sets the following attributes to the autorun.inf file:

- Archive
- System
- Hidden
- ReadOnly

That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.

So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Roy,

You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -
- Show quoted text -

Thanks but there is only one autorun.inf being located...

Hello Ramesh
I tried the drivers folder but could not find it either....
as I am not sure what you mean by the so called drive folder could
you please give me the precise path to reach that area?
TIA- Hide quoted text -

- Show quoted text -

Ramesh I had done already this direction when I removed the file
Autorun.inf" and "FS6519.dll.vbs" during my removal of the " TAGA LIPA
ARE " Trojan.
As you suggested I followed your procedures to the letter and I can't
find anymore of this abovementioned files.
Therefore I am at a loss how can I return back to normal where the
Autoplay is already removed from the C and D drive of my PC and when I
double click the mouse I can immediately open the two drives.
Have a nice weekend !

 

[Roy]

Roy,

If you've removed the file from Startup, and from the root of each hard drive, then you're set. Follow-up with a Malware scan just in case.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Try:
How do I enable Windows to Show/Hide all files?:http://www.winxptutor.com/showallfiles.htm

After you enable Windows to show hidden *and* protected system files, follow these steps:

1. Open Task Manager (taskmgr.exe) and terminate all instances of wscript.exe processes.

2. Open My Computer, right-click the C:\ drive in My Computer, and choose "open"

3. Delete the two files named "Autorun.inf" and "FS6519.dll.vbs"

4. Similarly, delete the two files in the other drives also.

5. Start MSCONFIG.EXE, click the Startup tab and uncheck "FS6519.dll.vbs" and click OK

6. Delete the file "FS6519.dll.vbs" from C:\Windows, if present

7. Restart Windows
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

"Roy" <[email protected]> wrote in messagenews:[email protected]...

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:
- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer:http://forum.grisoft.cz/freeforum/read.php?4,91852,91854
It also sets the following attributes to the autorun.inf file:
- Archive
- System
- Hidden
- ReadOnly
That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.
So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Roy,
You need to check the drive's root folder, not in the registry. Otherthan that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -
- Show quoted text -
Thanks but there is only one autorun.inf being located...

Hello Ramesh
I tried the drivers folder but could not find it either....
as I am not sure what you mean by the so called drive folder could
you please give me the precise path to reach that area?
TIA- Hide quoted text -

- Show quoted text -

Ramesh I had done already this direction when I removed the file
Autorun.inf" and "FS6519.dll.vbs" during my removal of the " TAGA LIPA
ARE " Trojan.
As you suggested I followed your procedures to the letter and I can't
find anymore of this abovementioned files.
Therefore I am at a loss how can I return back to normal where the
Autoplay is already removed from the C and D drive of my PC and when I
double click the mouse I can immediately open the two drives.
Have a nice weekend !- Hide quoted text -

- Show quoted text -

Hello Ramesh
I already did a malware scan but still I was unable to recover the
normal functionality of the C and D drive; that is I can't double
click it with the mouse so I can open either of both drives. It
says , cannot find the script D:\ FS6519.dll.vbs... this is funny as I
had already removed it with the S with the malware it then why should
it be needed back ?
There is still the autoplay(which had become the default instead of
Open) in the drop down menu when I right click these drives.

Is there anything more to do to sort this out?
TIA

 

[Ramesh, MS-MVP]

Roy,

This is certainly fixable if followed the steps in correct sequence. Visit one of these security forums and post your HijackThis log for checkup. Experts in these forums can assist you in this matter.

AumHa forums:
http://www.aumha.net

CastleCops forums:
http://castlecops.com/forum67.html

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com

Roy,

If you've removed the file from Startup, and from the root of each hard drive, then you're set. Follow-up with a Malware scan just in case.

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

Try:
How do I enable Windows to Show/Hide all files?:http://www.winxptutor.com/showallfiles.htm

After you enable Windows to show hidden *and* protected system files, follow these steps:

1. Open Task Manager (taskmgr.exe) and terminate all instances of wscript.exe processes.

2. Open My Computer, right-click the C:\ drive in My Computer, and choose "open"

3. Delete the two files named "Autorun.inf" and "FS6519.dll.vbs"

4. Similarly, delete the two files in the other drives also.

5. Start MSCONFIG.EXE, click the Startup tab and uncheck "FS6519.dll.vbs" and click OK

6. Delete the file "FS6519.dll.vbs" from C:\Windows, if present

7. Restart Windows
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com

"Roy" <[email protected]> wrote in messagenews:[email protected]...

More information: Here is the source code of that nasty script. It creates a file named autorun.inf (in each of the drives listed) with the following contents:
- - -
[autorun]
shellexecute=wscript.exe FS6519.dll.vbs
- - -
Refer:http://forum.grisoft.cz/freeforum/read.php?4,91852,91854
It also sets the following attributes to the autorun.inf file:
- Archive
- System
- Hidden
- ReadOnly
That's the reason you need to show hidden *and* protected files in Windows Explorer, in order to see/delete the file in Explorer.
So you need to delete the script itself, then delete the autorun.inf files, and run a thorough scan.
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Roy,
You need to check the drive's root folder, not in the registry. Other than that I don't have any ideas. But will look into this, since this is becoming a frequently asked question of late.
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy- Hide quoted text -
- Show quoted text -
Thanks but there is only one autorun.inf being located...

Hello Ramesh
I tried the drivers folder but could not find it either....
as I am not sure what you mean by the so called drive folder could
you please give me the precise path to reach that area?
TIA- Hide quoted text -

- Show quoted text -

Ramesh I had done already this direction when I removed the file
Autorun.inf" and "FS6519.dll.vbs" during my removal of the " TAGA LIPA
ARE " Trojan.
As you suggested I followed your procedures to the letter and I can't
find anymore of this abovementioned files.
Therefore I am at a loss how can I return back to normal where the
Autoplay is already removed from the C and D drive of my PC and when I
double click the mouse I can immediately open the two drives.
Have a nice weekend !- Hide quoted text -

- Show quoted text -

Hello Ramesh
I already did a malware scan but still I was unable to recover the
normal functionality of the C and D drive; that is I can't double
click it with the mouse so I can open either of both drives. It
says , cannot find the script D:\ FS6519.dll.vbs... this is funny as I
had already removed it with the S with the malware it then why should
it be needed back ?
There is still the autoplay(which had become the default instead of
Open) in the drop down menu when I right click these drives.

Is there anything more to do to sort this out?
TIA

 

[Roy]

Ramesh, MS-MVP;249449 Wrote:

Nope. Search MRU is stored in that location.
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting 'Welcome to Winhelponline.com'
(http://www.winhelponline.com)

"Roy" <roybasan******.com> wrote in message

Roy,
Can you check if there is an autorun.inf file present in the drives root folder?
--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
"Roy" <royba...******.com> wrote in messagenews:[email protected]...

FS6519.dll.vbs, Autoplay andTAGALIPAARE!

TROJAN:'FS6519.dll.vbs, Autoplay andTAGALIPAARE! TROJAN - Mapua
Ownage : Unofficial Mapua Message Boards'
(http://www.mapuaownage.com/forums/showthread.php?p=73191)

--
Regards,
Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshootinghttp://www.winhelponline.com
"Roy" <royba...******.com> wrote in messagenews:[email protected]...

Hello Group
I have just removed a malware Trojan calledTAGALIPAARE!
FS6519.dll.vbs trojan
Now I have another problem after having remove this file I can't
remove the autoplay in my C and D drive and when I double click the
drives I am prompted by the signage Windows Script Host
it says that it can't open the drive because they can't find the
script file "C:\F56519.dll.vbs."
I can't open the C and D drive usually by double clicking, but only by
right clicking and click open
How can enable it without the risk of inviting the malware that I
have just removed.
TIA
Roy
Hello Ramesh
I have already removed that pesky malware but in the process loss the
functionality of the mouse as I indicated in my post above.
My concern now is how to regain the normal performance of my PC
without being bugged by that Windows Script Host etc
Roy- Hide quoted text -
- Show quoted text -
Ramesh I can only find one file in the registry editor that is
in ,,,,HKEYUSERS....\Software\Microsoft\Search Assistant
\ACMru5603 ....
Is this related to the autoplay ?- Hide quoted text -
- Show quoted text -

Further its HKEY_ USERS\DEFAULT\S-1-5-21....etc\software\Microsoft
\SearchAssistant\ACMru5603\
Name ab000 ..TYPE-REG_SZ autorun.inf..
Is this the one?
Roy

Hello Roy,

I had the same problem as yours. Double check the "Hide protected
operating file system files" in the Folder options. This should be
unchecked to make the file autorun.inf visible in the root folders of
each drive.

Regards,
Raymund

Hello Group I have sorted out already my problem ...one of the guys
from
http://www.mapuaownage.com/forums/showthread.php?p=73191) did sent me
a ware how to remove it.
http://leerz25.sitesled.com/files/tools/fixes/KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
Anyway....thanks for you guys,...... facing this unique malware i is
a mindopening experience ....... and I also learned something from
your iinput...
Sincerely

Roy