Recently, Microsoft's high-risk MS06-040 vulnerability has been exploited to spread two worms: "Magic Wave" (Worm.Mocbot.a) and "Magic Wave Variant B" (Worm.Mocbot.b). The worms are spreading at an abnormal rate, and many users have been hit in succession, leaving their systems paralyzed and unable to work properly. Some anti-virus tools available on the Internet cannot effectively remove the worm.
Therefore, we provide the safest way to manually remove the Magic Wave worm so that it does not continue to spread. Because manual cleanup requires a good understanding of the operating system, users who are not very familiar with it should perform the manual cleanup under the guidance of an expert.
Restart the computer in Safe Mode.
1. Open Registry Editor: click Start > Run, type REGEDIT, and press Enter.
2. In the left pane, double-click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services.
3. In the left pane, find and delete the following keys: "wgareg" for Magic Wave (Worm.Mocbot.a), "wgavm" for Magic Wave Variant B (Worm.Mocbot.b).
Restore the EnableDCOM and RestrictAnonymous registry entries
1. In the Registry Editor, on the left-side panel, double-click: HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Ole.
2. In the right pane, find the following entry: EnableDCOM = "N"
3. Right-click the entry and change its value to: EnableDCOM = "Y"
Delete the registry entries for managing shares
1. In the Registry Editor, on the left-side panel, double-click: HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> lanmanserver> parameters.
2. In the left-side pane, find and delete the following items:
A. AutoShareWks = "dword:00000000"
B. AutoShareServer = "dword:00000000"
3. In the Registry Editor, on the left-side panel, double-click: HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> lanmanworkstation> parameters.
4. In the left-side pane, find and delete the following items:
A. AutoShareWks = "dword:00000000"
B. AutoShareServer = "dword:00000000"
Delete the registry entries added or modified by Magic Wave (Worm.Mocbot.a, also known as WORM_IRCBOT.JL):
1. In the Registry Editor, on the left-side panel, double-click: HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Security Center.
2. In the right pane, find the following entries:
FirewallDisableNotify = "dword:00000001"
AntiVirusOverride = "dword:00000001"
AntiVirusDisableNotify = "dword:00000001"
FirewallDisableOverride = "dword:00000001"
3. On the left-side pane, double-click HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> WindowsFirewall> DomainProfile.
4. In the right pane, find the entry: EnableFirewall = "dword:00000000"
5. On the left-side pane, double-click HKEY_LOCAL_MACHINE> SOFTWARE> Policies> Microsoft> WindowsFirewall> StandardProfile.
6. In the right pane, find the entry: EnableFirewall = "dword:00000000"
7. On the left-side pane, double-click HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> SharedAccess.
8. In the right pane, find the following entry: Start = "dword:00000004"
9. Right-click the entry and change its value to: Start = "dword:00000002"
10. Close Registry Editor.
Delete the registry entries added or modified by Magic Wave Variant B (Worm.Mocbot.b, also known as WORM_IRCBOT.JK):
1. In the Registry Editor, on the left-side panel, double-click: HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Security Center.
2. In the right pane, find and delete the following entries:
AntiVirusDisableNotify = "dword:00000001"
AntiVirusOverride = "dword:00000001"
FirewallDisableNotify = "dword:00000001"
FirewallDisableOverride = "dword:00000001"
3. On the left-side pane, double-click HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> SharedAccess.
4. In the right pane, find the entry: Start = "dword:00000004"
5. Right-click the entry and change its value to: Start = "dword:00000002"
6. On the left-side pane, double-click HKEY_LOCAL_MACHINE> SOFTWARE> Policies> Microsoft> WindowsFirewall> DomainProfile.
7. In the right pane, find and delete the following entry: EnableFirewall = "dword:00000000"
8. On the left-side pane, double-click HKEY_LOCAL_MACHINE> SOFTWARE> Policies> Microsoft> WindowsFirewall> StandardProfile.
9. In the right pane, find and delete the following entry: EnableFirewall = "dword:00000000"
10. Close Registry Editor.
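To confirm that the cleanup took effect, the registry settings listed in the steps above can be checked against a text export of the registry. The following is an added example, not part of the original instructions or of any vendor tool; it goes slightly beyond the manual steps by checking all of the listed settings for both variants in one pass. Value names are written in their standard Windows spelling, the firewall check uses the Policies path, and the sample export is constructed.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE\\"
SVC = HKLM + "SYSTEM\\CurrentControlSet\\Services\\"
# Service keys and value settings named in the removal steps on this page.
SERVICE_KEYS = {SVC + "wgareg": "Worm.Mocbot.a", SVC + "wgavm": "Worm.Mocbot.b"}
VALUE_IOCS = [(HKLM + "SOFTWARE\\Microsoft\\Ole", "EnableDCOM", '"N"'),
              (SVC + "SharedAccess", "Start", "dword:00000004")]
VALUE_IOCS += [(SVC + s + "\\parameters", n, "dword:00000000")
               for s in ("lanmanserver", "lanmanworkstation") for n in ("AutoShareWks", "AutoShareServer")]
VALUE_IOCS += [(HKLM + "SOFTWARE\\Microsoft\\Security Center", n, "dword:00000001")
               for n in ("AntiVirusDisableNotify", "AntiVirusOverride",
                         "FirewallDisableNotify", "FirewallDisableOverride")]
VALUE_IOCS += [(HKLM + "SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\" + p,
                "EnableFirewall", "dword:00000000") for p in ("DomainProfile", "StandardProfile")]

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: raw_data}}, lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1).lower()] = m.group(2).strip().lower()
    return keys

def audit(text):
    """Return one finding per Mocbot registry indicator present in the export."""
    keys, findings = parse_reg(text), []
    for key, variant in SERVICE_KEYS.items():
        if any(k == key.lower() or k.startswith(key.lower() + "\\") for k in keys):
            findings.append(f"service key present ({variant}): {key}")
    for key, name, bad in VALUE_IOCS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data == bad.lower():
            findings.append(f"{key}\\{name} = {data}")
    return findings

# Constructed sample export (not taken from a real infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavm]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
'''
```

Registry Editor saves version 5.00 exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit`. An empty result means none of the listed settings remain in the exported keys.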
Additional Windows ME/XP cleanup instructions
Users running Windows ME and XP must disable System Restore so that infected systems can be scanned. Users running other Windows versions do not need to follow these additional instructions.
Anti-virus tool recommendation: Use Trend Micro anti-virus products to scan the system and delete everything detected as Magic Wave (Worm.Mocbot.a, also known as WORM_IRCBOT.JL) or Magic Wave Variant B (Worm.Mocbot.b, also known as WORM_IRCBOT.JK). Trend Micro users must download the latest virus pattern file before scanning the system.
Other Internet users can use HouseCall, a free online virus scanner from Trend Micro.
Apply patches: this worm exploits a known vulnerability, so download and install the corresponding patch. Avoid using affected products before installing the corresponding patches. We recommend that you download the key patches released by the vendor.