Thursday, February 26, 2015

How to remove 8.vbs

Removal instructions for 8.vbs


Analysis:


Type of file: VBEFile
Description:
Location:
Size: 244639 b
MD5: 4B49BAE63D537E82425791C81CB9F5D6

Known system changes:

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKU\S-1-5-21-1644491937-790525478-725345543-1003\Environment\SEE_MASK_NOZONECHECKS: "1"


Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\0013.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\meme.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe

Manual Removal Instructions for 8.vbs:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process google.exe.

2.  Delete the following files:

    %Temp%\google.*
    %Temp%\meme.exe
    %Temp%\0013.jpg
    %UserProfile%\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe

    Tutorial:  How to delete startup entries 

3.  Repair the registry using this reg script.  Note that registry key/data 85ce27c90f0ba2b98ceb888e2ca7acde is random.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-


4.  Remove google.exe from your firewall exceptions using this command at the CMD prompt.

    netsh firewall delete allowedprogram google.exe

5.  Update your antivirus program and perform a full scan of the computer.

NOTE:  The worm displays a nude photo at first run.

How to remove 7.vbs

Removal instructions for 7.vbs


Related tutorials with screenshots:

How to Remove a VBS Worm
Ultimate Guide in Removing VBS Worms 
How to block or prevent malware from running 
How to terminate a process 

 

Analysis:


Type of file: VBSFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 148972 b
MD5: C4E5AE1B43F99BA0E342E187A0A51969

Known system changes:

Keys added:
HKLM\SOFTWARE\7

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs""
HKLM\SOFTWARE\7\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Owner\Local Settings\Temp\7.vbs
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\7.vbs
F:\7.vbs
F:\How to remove 7.vbs.lnk
F:\7.lnk

Files [attributes?] modified:
F:\How to remove 7.vbs.lnk

Manual Removal Instructions for 7.vbs:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 7.vbs from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key/data 5 is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\7]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.
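The Run value name in step 3 changes with each sample because it follows the worm's file name, so a check keyed on the value data is more reusable than one keyed on a fixed name. The following is an added example, not part of the original post: it reads Run values written in this page's "Values added" notation, flags script-host and Temp-folder autoruns, and builds the matching repair script. The function names and the ExampleUpdater entry are assumptions made for the illustration.

```python
import re

# Run values in the "Values added" notation used on this page. The first three
# lines are copied from the 7.vbs and 8.vbs reports; the last one is a
# constructed benign entry for contrast.
SAMPLE_VALUES = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\7.vbs""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater: ""C:\Program Files\Example\updater.exe" /quiet"
'''

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
# hive \ key path ending in Run \ value name : "value data"
LINE = re.compile(r'^(HKCU|HKLM)\\(.+\\Run)\\([^\\:]+): "(.*)"$')
# Command line that starts with wscript or cscript, with or without a path.
SCRIPT_HOST = re.compile(r'^"?(?:[^"]*\\)?[wc]script(?:\.exe)?"?\s', re.I)
SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf)\b', re.I)
TEMP_DIR = re.compile(r'\\temp\\', re.I)


def find_suspicious(text):
    """Return (hive, key, name, reasons) for every Run value worth a look."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        hive, key, name, data = m.groups()
        reasons = []
        if SCRIPT_HOST.match(data) and SCRIPT_FILE.search(data):
            reasons.append("script host autorun")
            if re.search(r'\s//B\b', data, re.I):
                reasons.append("//B batch mode")
        if TEMP_DIR.search(data):
            reasons.append("target in Temp")
        if reasons:
            findings.append((hive, key, name, reasons))
    return findings


def build_repair_reg(findings):
    """Build .reg text that deletes each flagged value, grouped by key."""
    by_key = {}
    for hive, key, name, _ in findings:
        by_key.setdefault(HIVES[hive] + "\\" + key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for full_key, names in by_key.items():
        out.append("[" + full_key + "]")
        for name in names:
            # Backslashes and quotes must be escaped in .reg value names.
            escaped = name.replace("\\", "\\\\").replace('"', '\\"')
            out.append('"' + escaped + '"=-')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_VALUES)
    for hive, key, name, reasons in hits:
        print(hive, name, "->", ", ".join(reasons))
    print(build_repair_reg(hits))
```

Review the generated script before merging it, since a legitimate program can also start from a Temp folder.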


All my tutorials are based on my own research.  If you find this tutorial useful, please comment or share.  You can also help fund my continued work by making a donation.  Thank you and GOD bless!



To GOD be the glory!

All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014-2015 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

How to remove 5.vbe

Removal instructions for 5.vbe




Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 83124 b
MD5: B179B4A5ED68DB6A409E979092866C89

This is the 5th of a series of  eight worm samples.

Known system changes:
Keys added:
HKLM\SOFTWARE\5

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\5.vbe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\5.vbe""
HKLM\SOFTWARE\5\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Owner\Local Settings\Temp\5.vbe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\5.vbe
F:\5.vbe
F:\Analysis.lnk
F:\Covers.lnk

Files [attributes?] modified:
F:\Analysis.lnk

Manual Removal Instructions for 5.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 5.vbe from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key/data 5 is random and takes the filename of the vbe file.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\5]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D


6.  Update your antivirus/antimalware program and perform a full scan of the computer.



How to remove 4.vbe

Removal instructions for 4.vbe



 

Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 35955 b
MD5: 1308BF64650E66B81CE1DE853C304C12

Known system changes:

Keys added:
HKLM\SOFTWARE\4

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\4.vbe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\4.vbe""
HKLM\SOFTWARE\4\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\4.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\4.vbe
F:\4.vbe
F:\My File.lnk
F:\Bubblews.lnk

Files [attributes?] modified:
F:\My File.lnk

Manual Removal Instructions for 4.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 1.vbe from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

    DEL DRIVE:\*.LNK


4.  Repair the registry using this reg script.  Note that registry key/data 4 is random and takes the filename of the vbe file.

    Windows Registry Editor Version 5.00
   
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\4]


5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.



How to remove 3.vbe

Removal instructions for 3.vbe



 

Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 70650 b
MD5: FDAD2912CB7A669D34A4CBCB0F7895F1

Known system changes:

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\3.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\3.vbe
F:\3.vbe
F:\Document.lnk
F:\Photos.lnk

Files [attributes?] modified:
F:\Document.lnk

Manual Removal Instructions for 3.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 3.vbe (random filename) from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter of your external drives.

    DEL DRIVE:\*.LNK

4.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter of your external drives.  Do steps 3 and 4 on all your infected USB drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

5.  Update your antivirus/antimalware program and perform a full scan of the computer.

NOTE:  This sample does not create startup registry keys.



How to remove 2.vbe

Removal instructions for 2.vbe


Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 74479 b
MD5: 1328B272E5FA80B1F4B5E47840EFED04

Known system changes:

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\2.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\2.vbe
F:\2vbe
F:\Document.lnk
F:\Music.lnk

Files [attributes?] modified:
F:\Document.lnk

Manual Removal Instructions for 2.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 2.vbe (random filename) from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter of your external drives.

    DEL DRIVE:\*.LNK

4.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter of your external drives.  Do steps 3 and 4 on all your infected USB drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

5.  Update your antivirus/antimalware program and perform a full scan of the computer.

NOTE:  This sample does not create startup registry keys.







How to remove 1.vbe

Removal instructions for 1.vbe



 

Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 30211 b
MD5: C7E1090127561E8A518D5A508059027E

This is the first of a series of eight worm samples.

Known system changes:
Keys added:
HKLM\SOFTWARE\1

Values added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\1.vbe""
HKLM\SOFTWARE\1\: "false - 10/25/2014"

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\1.vbe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\1.vbe
F:\1.vbe
F:\New Text Document.lnk
F:\New Folder.lnk

Files [attributes?] modified:
F:\New Text Document.lnk

Manual Removal Instructions for 1.vbe:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the 1.vbe from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key 1 is random and takes the filename of the vbe file.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1"=-
   
    [-HKEY_LOCAL_MACHINE\SOFTWARE\1]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

    DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

    ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.






Sunday, February 22, 2015

How to block VBS Worms

Simple solutions for blocking malware in Windows


I've been talking about manual malware removal in most of my blog; now let's talk about prevention.  As the saying goes, "a byte of prevention is better than a megabyte of cure."  This technique is not limited to blocking wscript.exe, which we will discuss later; it works for any application as long as you know the file name.  I've been using this procedure since way back in 2009 to remove any unknown malware.

For starters, we use what's built into Windows (I'll discuss third-party apps later): the Group Policy Editor, some registry tweaks, and a small VBS file to terminate all running scripts a few seconds after Windows startup.

I.  Group Policy Editor

  • Launch gpedit.msc
  • Go to User Configuration | Administrative Templates | System and double click on Don't run selected Windows applications


  •  Enable and click on Show... button

  • Click Add...


  • Type the filename of the application you want to block, wscript.exe in our example and click OK


  • Wscript.exe is now added to our list.  Click OK


  • Click OK


  • Exit gpedit.msc

Now let's test if our restriction works by running a vbs file.

 
That's it. Now you can easily remove any worm in your system by doing a full scan with an updated antivirus.


II.  Registry Tweaks

Blocking program execution

This technique is similar to what gpedit.msc does when you block an application from executing.  We will be using two registry scripts to accomplish this: one for blocking and another for unblocking.

Copy/paste the following and save it as Block.reg.   Just like in How to block or prevent malware from running Part 1, we'll be using wscript.exe as our example. 

Windows Registry Editor Version 5.00

; Block an application
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="wscript.exe"


Running a VBS File with restrictions
Merge this into your registry to block wscript.exe.  Log out and log in again for the changes to take effect.  Once wscript.exe or any other program or malware is blocked, you can easily remove infections by doing a scan.

When you're done with scanning and your system is already clean from infections, you can unblock wscript.exe by using the next registry script.  Save the following as Unblock.reg.

Windows Registry Editor Version 5.00

; Unblock an application
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"=-


Note that this technique is not limited to VBS worms.  I used this method for removing malware like Daprosy worms, or any unknown trojan that can't be deleted easily because it's locked by a running process.  Sometimes gpedit.msc, taskman, regedit and cmd are all you need to remove low to medium malware threats.

Making Notepad the default file handler for VBS files

Another way to prevent VBS worms from running is to use Notepad instead of WScript as the default file handler for VBE and VBS files.  This way the worm opens in Notepad instead of executing, making it easier to remove.

Copy/paste the following and save it as "Open VBE VBS with Notepad.reg"

Windows Registry Editor Version 5.00

;Open VBE/VBS file with Notepad by WinXPert
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,\
6f,00,74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,25,\
00,31,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,\
6f,00,74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,25,\
00,31,00,00,00




Opening a VBS File with Open VBE VBS with Notepad.reg merged to registry.

And here is the companion script to revert VBE/VBS handling back to its default settings.  Save this one as "Open VBE VBS with WScript (Default).reg"

Windows Registry Editor Version 5.00

;Open VBE/VBS file with WScript.exe (default)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,\
53,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,22,00,20,00,22,\
00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,\
53,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,22,00,20,00,22,\
00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00



Running a VBS File with default file handler
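The `hex(2)` lines in the two handler scripts above are REG_EXPAND_SZ strings written as UTF-16LE bytes, so the command they set cannot be read at a glance. The following is an added example, not part of the original post: it decodes those values and reports whether each file class would execute in a script host or open in another program, which is worth checking before merging any .reg file. The sample text pairs the VBEFile entry from the Notepad script with the VBSFile entry from the default script; the function names are assumptions made for the illustration.

```python
import re

# VBEFile entry copied from "Open VBE VBS with Notepad.reg" and VBSFile entry
# copied from "Open VBE VBS with WScript (Default).reg" on this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,\
6f,00,74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,25,\
00,31,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,\
53,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,22,00,20,00,22,\
00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_expand_sz(reg_text):
    """Return {(key, value_name): string} for every hex(2) value in reg_text."""
    # A trailing backslash continues the hex data on the next line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    values, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            # "[-KEY]" deletes a key, so it carries no values to decode.
            key = None if m.group(1).startswith("-") else m.group(1)
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=hex\(2\):([0-9a-fA-F,]*)', line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
            values[(key, name)] = raw.decode("utf-16-le").rstrip("\x00")
    return values


def handler_kind(command):
    """Say whether an Open command launches a script host or another program."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower() if m else ""
    return "executes" if exe in SCRIPT_HOSTS else "opens in " + exe


def audit_handlers(reg_text):
    """Map each file class to (decoded Open command, handler kind)."""
    report = {}
    for (key, name), command in parse_expand_sz(reg_text).items():
        m = re.search(r"\\Classes\\([^\\]+)\\Shell\\Open\\Command$", key, re.I)
        if m and name == "(Default)":
            report[m.group(1)] = (command, handler_kind(command))
    return report


if __name__ == "__main__":
    for file_class, (command, kind) in audit_handlers(SAMPLE_REG).items():
        print(file_class, "->", command, "[" + kind + "]")
```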

III.  Killing wscript process at every Windows startup

What we'll do here is add a small batch file or a VBS file to the Windows Startup folder.  This utility terminates any wscript processes that started with Windows after a 10 second delay.  If none is detected, it will terminate itself and not remain in running memory.  This is a sort of set-it-and-forget-it option.  Not the most elegant of code, but it works.

If a wscript process is detected and terminated, you can easily do a full scan with an updated antivirus.

For this script, I'll use Batch Enhancer (BE.EXE) from NDOS 6.0, yup, from the good old DOS days.  Copy BE.EXE to your Windows folder.  It will provide us with a 10 second delay.  You can also use NIRCMD to get the job done.

Copy/paste the following and save it as VBS Killer.bat or VBS Killer.cmd. 

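@ECHO OFF
COLOR 17
CLS
TITLE - VBS WORM KILLER
ECHO VBS WORM KILLER
ECHO.
REM BE DELAY counts clock ticks (about 18 per second), so 180 is roughly 10 seconds.
BE DELAY 180
REM Save the process list to a log file, then search it for WSCRIPT.EXE.
TASKLIST.EXE > "%TEMP%\IT.LOG"
FIND /I "WSCRIPT.EXE" "%TEMP%\IT.LOG" >NUL
REM FIND sets ERRORLEVEL 0 when it finds a match.
IF NOT ERRORLEVEL 1 (
    ECHO WSCRIPT.EXE Detected.  Terminating process...
    TASKKILL.EXE /F /IM "WSCRIPT.EXE"
    ECHO.
    ECHO A VBS worm was detected running in your system.  Scan your PC.
    ECHO.
    START www.winxpert3.blogspot.com
    PAUSE
    )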

Create a shortcut to this file in your Windows Startup folder.
 

Note:  You can also use this batch file to kill a VBS worm in case you inadvertently got infected again while working with your USB Flash drives.

To be continued...

Please visit my blog on manual malware removal




Saturday, February 21, 2015

How to remove VBS_WORM (50)

Removal instructions for VBS_WORM (50)






Analysis:


Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Local\Temp\
Size: 133703 b
MD5: BF42CC6BDAB6539B6D4E5126EC66FDF4

Keys added:
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
HKLM\SOFTWARE\VBS_WORM (50)

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (50): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (50).vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (50): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (50).vbs""
HKLM\SOFTWARE\VBS_WORM (50)\: "false"

Files added:
%Temp%\VBS_WORM (50).vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WORM (50).vbs
F:\VBS_WORM (50).VBS


Manual Removal Instructions for VBS_WORM (50):


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the VBS_WORM (50).VBS from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key VBS_WORM (44) is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

;BF42CC6BDAB6539B6D4E5126EC66FDF4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (50)"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (50)"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (50)]

 
4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus program and perform a full scan of the computer.




How to remove VBS_WORM (49)

Removal instructions for VBS_WORM (49)


Related tutorials with screenshots:

How to Remove a VBS Worm
Ultimate Guide in Removing VBS Worms 
How to block or prevent malware from running 
How to terminate a process




Analysis:


Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Local\Temp\
Size: 99473 b
MD5: C13DEF035FEA2919DEA2272ED8960921

Keys added:
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
HKLM\SOFTWARE\VBS_WORM (49)
HKLM\SOFTWARE\VBS_WO~1

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (49): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (49).vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (49): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (49).vbs""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WO~1: "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WO~1.vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WO~1: "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WO~1.vbs""
HKLM\SOFTWARE\VBS_WORM (49)\: "false"
HKLM\SOFTWARE\VBS_WO~1\: "false"

Files added:
%Temp%\VBS_WORM (49).vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WORM (49).vbs
F:\VBS_WORM (49).VBS
%Temp%\VBS_WO~1.vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WO~1.vbs
F:\VBS_WO~1.VBS
F:\File.lnk
F:\Folder.lnk

Files [attributes?] modified:
F:\File.lnk
F:\Folder.lnk


Manual Removal Instructions for VBS_WORM (49):


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the VBS_WORM (49).VBS from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key VBS_WORM (44) is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

;C13DEF035FEA2919DEA2272ED8960921
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (49)"=-
"VBS_WO~1"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (49)"=-
"VBS_WO~1"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (49)]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WO~1]

 
4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus program and perform a full scan of the computer.
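The reg script in step 3 only works when the Run value name is known, and that name follows the worm's file name. The PowerShell below is an added example, not WinXPert's script: it flags Run values by their data, the wscript.exe //B "...vbs" form listed under "Values added", and it is read-only. The function names and the ExampleApp entry are made up for illustration.

```powershell
# Added example: read-only audit of the Run keys for the persistence pattern
# in these reports. It lists candidates and deletes nothing.
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# wscript.exe //B "<path>.vbs" (or .vbe); the value name is not used for matching.
$Pattern = '(?i)^\s*"?(?:[^"]*\\)?wscript(?:\.exe)?"?\s+//B\s+"?(?<vbs>[^"]+\.vb[se])"?\s*$'

# Hypothetical helper: returns a record when the value data fits the pattern.
function Test-VbsRunValue {
    param([string]$Name, [string]$Data, [string]$Key = '(sample)')
    $m = [regex]::Match($Data, $Pattern)
    if (-not $m.Success) { return }
    $vbsPath  = $m.Groups['vbs'].Value
    # Base name of the script without its extension, e.g. "VBS_WORM (49)".
    $baseName = ($vbsPath -split '[\\/]')[-1] -replace '\.vb[se]$', ''
    [pscustomobject]@{
        Key         = $Key
        ValueName   = $Name
        Script      = $vbsPath
        # In the VBS_WORM reports the value name equals the script's base name.
        NameMatches = ($baseName -eq $Name)
    }
}

# Hypothetical helper: applies the check to the live HKCU and HKLM Run keys.
function Get-VbsRunEntry {
    foreach ($key in $RunKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            Test-VbsRunValue -Name $name -Data ([string]$item.GetValue($name)) -Key $key
        }
    }
}

# Sample input: the first two values are copied from the VBS_WORM (49) report,
# the third is a constructed benign entry that must not be flagged.
$sample = [ordered]@{
    'VBS_WORM (49)' = 'wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (49).vbs"'
    'VBS_WO~1'      = 'wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WO~1.vbs"'
    'ExampleApp'    = '"C:\Program Files\ExampleApp\app.exe" /background'
}
$sample.GetEnumerator() | ForEach-Object { Test-VbsRunValue -Name $_.Key -Data $_.Value }

# Live check on the current machine.
Get-VbsRunEntry
```

Each record it returns names a Run value to remove in step 3 and the script file to delete in step 2.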




How to remove VBS_WORM (48)

Removal instructions for VBS_WORM (48)






Analysis:


Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Local\Temp\
Size: 16115 b
MD5: 550A472B7F06D1B7F1714C615D9595E0

Keys added:
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
HKLM\SOFTWARE\VBS_WORM (48)

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (48): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (48).vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (48): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (48).vbs""
HKLM\SOFTWARE\VBS_WORM (48)\: "false"

Files added:
%Temp%\VBS_WORM (48).vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WORM (48).vbs
F:\VBS_WORM (48).VBS
F:\File.lnk
F:\Folder.lnk

Files [attributes?] modified:
F:\File.lnk
F:\Folder.lnk


Manual Removal Instructions for VBS_WORM (48):


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the VBS_WORM (48).VBS from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key VBS_WORM (44) is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

;550A472B7F06D1B7F1714C615D9595E0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (48)"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (48)"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (48)]

 
4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus program and perform a full scan of the computer.




How to remove VBS_WORM (47)

Removal instructions for VBS_WORM (47)






Analysis:


Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Local\Temp\
Size: 14267 b
MD5: 7D6673BFD91B7BA266A551702AD5F5BD

Keys added:
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
HKLM\SOFTWARE\VBS_WORM (47)

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (47): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (47).vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (47): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (47).vbs""
HKLM\SOFTWARE\VBS_WORM (47)\: "false"

Files added:
%Temp%\VBS_WORM (47).vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WORM (47).vbs
F:\VBS_WORM (47).VBS
F:\File.lnk
F:\Folder.lnk

Files [attributes?] modified:
F:\File.lnk
F:\Folder.lnk


Manual Removal Instructions for VBS_WORM (47):


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the VBS_WORM (47).VBS from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key VBS_WORM (44) is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

;7D6673BFD91B7BA266A551702AD5F5BD
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (47)"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (47)"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (47)]

4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus program and perform a full scan of the computer.




How to remove VBS_WORM (46)

Removal instructions for VBS_WORM (46)






Analysis:


Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Local\Temp\
Size: 14267 b
MD5: E7907A4F9637F53D0A8F93D9BB40F8A2

Keys added:
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
HKLM\SOFTWARE\VBS_WORM (46)

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (46): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (46).vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (46): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (46).vbs""
HKLM\SOFTWARE\VBS_WORM (46)\: "false"

Files added:
%Temp%\VBS_WORM (46).vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WORM (46).vbs
F:\VBS_WORM (46).VBS
F:\File.lnk
F:\Folder.lnk

Files [attributes?] modified:
F:\File.lnk
F:\Folder.lnk


Manual Removal Instructions for VBS_WORM (46):


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process wscript.exe.

2.  Delete the VBS_WORM (46).VBS from these locations.

    %Temp%
    Startup folder 

    Root directory of USB drives

    Tutorial:  How to delete startup entries

3.  Repair the registry using this reg script.  Note that registry key VBS_WORM (44) is random and takes the filename of the vbs file.

Windows Registry Editor Version 5.00

;E7907A4F9637F53D0A8F93D9BB40F8A2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (46)"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (46)"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (46)]


4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.

ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus program and perform a full scan of the computer.


