Computers Tips and Notes

Several weeks ago my computer got infected by a virus. I had a hard time removing the virus since as it still has no formal name as most of the anti-virus makers up to know have still not identified it. Try searching for a “remover” for this virus in google and you can see that you cannot find any. (Send me a message if you can find one) Luckily there are instructions on several websites on how to remove it. But there are only a few of these websites that bear such instructions. Probably the reason for this is because this virus is locally made. (made in the Philippines)

Before giving you instructions on how to remove it, let us first check if your computer is infected by determining the symptoms.

SYMPTOMS: 1.) Your internet explorer title bar has the message “TTMS NAA NA DIRE! DONT WORRY IM NOT A CORRUPT LIKE YOU!!” 2.) If you go to “Start” > “Run” and type “regedit.” A message will pop up that says “Registry editing is disabled by your administrator.” 3.) In windows explorer you can see a file or several files called “TTMS???.vbs.dll” (The question mark stands for numbers, like TTMS123.vbs.dll) This file is also present in your c:\windows directory)

HOW TO REMOVE IT IN YOUR COMPUTER Step 1 - Delete the virus file in the registry

a.) Go to Doug Knox’s page to download a Registry enable/disable tool. (The tool requires you to reboot in order that you could access the registry) b.) After you have rebooted and has logged in to windows, press CTRL+ALT+DEL it will bring up the task manager. Go to “Processes Select “WSCRIPT.EXE” and click “End Process” c.) Go to START > RUN > then type “Regedit” d.) Once you are in the registry editor go to EDIT > FIND type “TTMS*” it will bring you to all files with the words “TTMS” click on the file and press delete. Do this again and again until you have deleted everything related to the TTMS virus. (Take note if you have an important program with a file with the words TTMS0 be careful about doing this but I do no know of any important program that has this)

e.) To change the annoying message in your Internet explorer title bar, in the registry editor, do the following: 1.) In the left panel, go to: HKEY_CURRENT_USERS>SOFTWARE>Microsoft>Internet Explorer>Main 2.) In the right panel, locate and modify the entry: From Window Title = “TTMS IS IN YOUR PC, DON’T WORRY I’M NOT CORRUPT AS YOU!” 3.) Change the value to Window title = “Microsoft Internet Explorer” 4.) In the left panel, locate the following: HKEY_USERS>%USERID%>SOFTWARE>Microsoft>Internet Explorer>Main NOTE: %USERID% is the current user ID in the registry. 5.) In the right panel, locate and modify the entry: From Window Title = “TTMS IS IN YOUR PC, DON’T WORRY I’M NOT CORRUPT AS YOU!”, Change the value to Window title = “Microsoft Internet Explorer”

STEP 2 - Make sure you disable “System Restore” in case you go back to a restore point, you might reactivate the virus. You can do this by going to START > SETTINGS > CONTROL PANEL > SYSTEM > SYSTEM RESTORE and check “Turn of system restore in all hard drives”

STEP 3 - Eradicate all virus strains. a.) Make your windows explorer show hidden files by going to WINDOWS EXPLORER > TOOLS > FOLDER OPTIONS > VIEW > HIDDEN FILES AND FOLDERS Click on “Show hidden files and folders” b.) Go to C drive by right clicking and selecting Open. Take note, do not double click the drive to prevent the virus from activating. c.) Tthere are usually 1 to 4 files which starts with “TTMS”. Delete all these files. d.) See if there is an “autorun.inf” in the hard drives. If you see ‘[autorun]shellexecute=wscript.exe TTMS831.dll.vbs’. in the autorun.inf (You can open this via notepad) thene delete the file. e.) Do all of the above steps for all the other hard disks. especially for you C:\Windows folder.

Tags: internet