incorporates the Damage Cleanup Engine and Template.
This tool supports the following features:
o Scan for and clean all malware/virus-infected files on all local hard drives
II. File List
o fix.bat - the main batch file
o syscl3an.com - the executable module
o readme.txt - this file
o lpt$vpn.XXX - malware pattern file (see Requirements)
o ssapiptn.da5 - spyware pattern file (see Requirements)
o TestTool.exe - executable for vulnerability assessment
o TMVAmain.ptn - vulnerability pattern file
o TSCTest.ini - configuration file
o tsc.exe - official Damage Cleanup Engine
o tsc.ini - configuration file
o tsc.ptn - pattern file
o regini.exe - Windows tool for registry application
III. Requirements
1. Download the latest pattern file lpt$vpn.XXX in ZIP format as
lptXXX.ZIP from the following location:
<http://www.trendmicro.com/download/pattern.asp>
This file must be saved in the same folder where you run
this fix package.
2. This tool is designed to run under Windows 2000/XP/2003.
IV. How to Use
1. Open the root directory (e.g. c:\) and copy all of the files listed above into this folder.
2. Download the latest malware and spyware pattern files.
Extract the downloaded ZIP pattern files into the created folder.
3. Close all applications running on your system, including any
antivirus software.
4. Run the batch file, fix.bat, by either:
a. Double-clicking the tool in Windows Explorer.
b. Executing it via command prompt using syntax based on the
aforementioned parameters.
5. Enable any antivirus software that is installed on your system and
perform a manual scan.
NOTE: This fix tool generates the log file, SYSCLEAN.LOG, in its
current folder.
V. History:
Version 1.0.1000 - First release
Version 1.1.1000 - Update fixtool
Version 1.2.1000 - Support WORM_DOWNAD.AD
Version 1.3.1000 - Support vulnerability assessment and enhance system cleanup.
Version 1.4.1000 - Added enhanced support for Japanese OS
Version 1.5.1000 - Support malware that kills Sysclean (com/exe).
VI. Compatibility
This tool has been tested under the following platforms:
Windows 2000
Windows XP Home and Professional
Windows 2003
VII. Known Issues
o Apply the latest patches for your Microsoft operating system before running this fixtool; otherwise re-infection may occur.
o It is highly recommended to clear all of your Internet Explorer browsing history after running this fixtool.
o This fixtool uses a Windows tool named regini.exe. On some Windows 2000 systems this file does not exist. If this happens,
please download this file or copy it from another system so that the fixtool can run successfully.
o This fixtool creates a policy that prevents the system from scheduling new tasks, dragging and dropping new tasks, and executing tasks.
The reason is that this malware can create a task that executes its behavior every hour.
After cleaning, the user may opt to return this to normal by following these instructions:
1. Start the service for Task Scheduler.
Instruction: Click Start>Run, then type services.msc. On the right pane of the pop-up window, right-click 'Task Scheduler', then click Start.
2. Delete the following registry values inside "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0" by using the registry editor:
"DragAndDrop", "Execution" and "Task Creation"
Instruction: Click Start>Run, then type regedit. In the pop-up window, go to "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0",
then on the right pane delete the following value names: "DragAndDrop", "Execution" and "Task Creation".
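The two manual steps above as a batch script, for administrators who need to revert the policy on several cleaned machines. This is an added example, not part of the Trend Micro package. It assumes reg.exe is available (built into Windows XP/2003, part of the Support Tools on Windows 2000), that the Task Scheduler service name is Schedule, and that it is run from an administrator account.

```batch
@echo off
rem Added example, not part of the fix package.
rem Reverts the Task Scheduler restrictions described in section VII.
rem Assumption: reg.exe is on the PATH and the caller is an administrator.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0"

rem Step 1: start the Task Scheduler service (service name: Schedule).
rem net start returns a non-zero errorlevel if the service is already
rem running or cannot be started, so the message covers both cases.
net start Schedule >nul 2>&1
if errorlevel 1 echo Schedule: not started now (already running or start failed).
if not errorlevel 1 echo Schedule: service started.

rem Step 2: remove each policy value, but only if it is present.
for %%V in ("DragAndDrop" "Execution" "Task Creation") do call :RemoveValue %%V

endlocal
goto :eof

:RemoveValue
rem %1 keeps its quotes so that "Task Creation" is passed as one argument.
reg query "%KEY%" /v %1 >nul 2>&1
if errorlevel 1 (
    echo %~1: not present, nothing to do.
    goto :eof
)
reg delete "%KEY%" /v %1 /f >nul 2>&1
if errorlevel 1 (
    echo %~1: delete FAILED, check permissions.
) else (
    echo %~1: removed.
)
goto :eof
```

Run it only after the cleanup and the follow-up antivirus scan have completed, since these policy values are what block the hourly task the malware creates.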
VIII. Additional Resources
This Fixtool for WORM_DOWNAD supports certain WORM_DOWNAD variants. For more information about the variants related to this package, please visit the Trend Micro