Thursday, February 26, 2015

How to remove 8.vbs

Removal instructions for 8.vbs


Analysis:


Type of file: VBEFile
Description:
Location:
Size: 244639 b
MD5: 4B49BAE63D537E82425791C81CB9F5D6

Known system changes:

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKU\S-1-5-21-1644491937-790525478-725345543-1003\Environment\SEE_MASK_NOZONECHECKS: "1"


Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\0013.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\meme.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe

Manual Removal Instructions for 8.vbs:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process google.exe.

2.  Delete the following files:

    %Temp%\google.*
    %Temp%\meme.exe
    %Temp%\0013.jpg
    %UserProfile%\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe

    Tutorial:  How to delete startup entries 

3.  Repair the registry using this reg script.  Note that registry key/data 85ce27c90f0ba2b98ceb888e2ca7acde is random.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-


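4.  Remove google.exe from your firewall exceptions using this command at the CMD Prompt.  The exception is stored under the program's full path (see the firewall entries above), so pass that path and adjust it to match your system.

    netsh firewall delete allowedprogram program="C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe"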

5.  Update your antivirus program and perform a full scan of the computer.

NOTE:  The worm displays a nude photo at first run.

How to remove 7.vbs

Removal instructions for 7.vbs


Related tutorials with screenshots:

How to Remove a VBS Worm
Ultimate Guide in Removing VBS Worms 
How to block or prevent malware from running 
How to terminate a process 

 

Analysis:


Type of file: VBSFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 148972 b
MD5: C4E5AE1B43F99BA0E342E187A0A51969

Known system changes:

Keys added:
HKLM\SOFTWARE\7

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs""
HKLM\SOFTWARE\7\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Owner\Local Settings\Temp\7.vbs
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\7.vbs
F:\7.vbs
F:\How to remove 7.vbs.lnk
F:\7.lnk

Files [attributes?] modified:
F:\How to remove 7.vbs.lnk

Manual Removal Instructions for 7.vbs:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 7.vbs from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key/data 7 is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\7]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.
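
A read-only audit of the locations named in the removal steps above, as an added example that is not part of the original tutorials. It generalizes across the samples on this page by matching Run values on their data, since the value name is random. The function names are hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit, nothing is deleted or modified.
# Run data like: wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs"
$scriptHost = '\b[wc]script(\.exe)?\b.*\.(vbs|vbe)\b'
# Run data pointing into a Temp directory, like ...\Temp\google.exe
$tempPath   = '\\Temp\\'
$scriptExt  = '^\.(vbs|vbe)$'

function Get-SuspectRunValue {
    $runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            # The value name is random, so match on the data instead.
            $data = [string]$item.GetValue($name)
            if ($data -match $scriptHost -or $data -match $tempPath) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-DroppedScript {
    # %Temp% plus the per-user and all-users Startup folders.
    $folders = $env:TEMP,
               [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        if ($folder -and (Test-Path -LiteralPath $folder)) {
            Get-ChildItem -LiteralPath $folder -Force -File |
                Where-Object { $_.Extension -match $scriptExt } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-RemovableRootFinding {
    $shell = New-Object -ComObject WScript.Shell
    # DriveType 2 is a removable disk.
    foreach ($drive in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $root = $drive.DeviceID + '\'
        foreach ($f in (Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)) {
            if ($f.Extension -eq '.lnk') {
                # Show where each shortcut points before running DEL *.LNK.
                $lnk = $shell.CreateShortcut($f.FullName)
                $kind = 'Shortcut'
                $detail = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            } elseif ($f.Extension -match $scriptExt) {
                $kind = 'Script'; $detail = "$($f.Length) bytes"
            } elseif ($f.Attributes.HasFlag([IO.FileAttributes]::Hidden)) {
                # Items that the ATTRIB -S -H step would unhide.
                $kind = 'Hidden'; $detail = [string]$f.Attributes
            } else { continue }
            [pscustomobject]@{ Path = $f.FullName; Kind = $kind; Detail = $detail }
        }
    }
}

Get-SuspectRunValue      | Format-List
Get-DroppedScript        | Format-Table -AutoSize
Get-RemovableRootFinding | Format-Table -AutoSize -Wrap
```

Running it again after the removal steps should return no Run values or script files for the sample; shortcuts that point at legitimate programs can be kept.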


All my tutorials are based on my own research.  If you find this tutorial useful, please comment or share.  You can also help fund my continued work by making a donation.  Thank you and GOD bless!



To GOD be the glory!

All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014-2015 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

How to remove 5.vbe

Removal instructions for 5.vbe




Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 83124 b
MD5: B179B4A5ED68DB6A409E979092866C89

This is the 5th of a series of eight worm samples.

Known system changes:
Keys added:
HKLM\SOFTWARE\5

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\5.vbe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\5.vbe""
HKLM\SOFTWARE\5\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Owner\Local Settings\Temp\5.vbe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\5.vbe
F:\5.vbe
F:\Analysis.lnk
F:\Covers.lnk

Files [attributes?] modified:
F:\Analysis.lnk

Manual Removal Instructions for 5.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 5.vbe from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key/data 5 is random and takes the filename of the vbe file.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\5]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D


6.  Update your antivirus/antimalware program and perform a full scan of the computer.



How to remove 4.vbe

Removal instructions for 4.vbe



 

Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 35955 b
MD5: 1308BF64650E66B81CE1DE853C304C12

Known system changes:

Keys added:
HKLM\SOFTWARE\4

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\4.vbe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\4.vbe""
HKLM\SOFTWARE\4\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\4.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\4.vbe
F:\4.vbe
F:\My File.lnk
F:\Bubblews.lnk

Files [attributes?] modified:
F:\My File.lnk

Manual Removal Instructions for 4.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 4.vbe from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

    DEL DRIVE:\*.LNK


4.  Repair the registry using this reg script.  Note that registry key/data 4 is random and takes the filename of the vbe file.

    Windows Registry Editor Version 5.00
   
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\4]


5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.



How to remove 3.vbe

Removal instructions for 3.vbe



 

Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 70650 b
MD5: FDAD2912CB7A669D34A4CBCB0F7895F1

Known system changes:

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\3.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\3.vbe
F:\3.vbe
F:\Document.lnk
F:\Photos.lnk

Files [attributes?] modified:
F:\Document.lnk

Manual Removal Instructions for 3.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 3.vbe (random filename) from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter of your external drives.

    DEL DRIVE:\*.LNK

4.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter of your external drives.  Do steps 3 and 4 to all your infected USB drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

5.  Update your antivirus/antimalware program and perform a full scan of the computer.

NOTE:  This sample does not create startup registry keys.



How to remove 2.vbe

Removal instructions for 2.vbe


Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 74479 b
MD5: 1328B272E5FA80B1F4B5E47840EFED04

Known system changes:

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\2.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\2.vbe
F:\2.vbe
F:\Document.lnk
F:\Music.lnk

Files [attributes?] modified:
F:\Document.lnk

Manual Removal Instructions for 2.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 2.vbe (random filename) from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter of your external drives.

    DEL DRIVE:\*.LNK

4.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter of your external drives.  Do steps 3 and 4 to all your infected USB drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

5.  Update your antivirus/antimalware program and perform a full scan of the computer.

NOTE:  This sample does not create startup registry keys.







How to remove 1.vbe

Removal instructions for 1.vbe



 

Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 30211 b
MD5: C7E1090127561E8A518D5A508059027E

This is the first of a series of eight worm samples.

Known system changes:
Keys added:
HKLM\SOFTWARE\1

Values added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\1.vbe""
HKLM\SOFTWARE\1\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\1.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\1.vbe
F:\1.vbe
F:\New Text Document.lnk
F:\New Folder.lnk

Files [attributes?] modified:
F:\New Text Document.lnk

Manual Removal Instructions for 1.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 1.vbe from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key 1 is random and takes the filename of the vbe file.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1"=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\1]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

    DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.




