Thursday, February 26, 2015

How to remove 8.vbs

Removal instructions for 8.vbs


Analysis:


Type of file: VBEFile
Description:
Location:
Size: 244639 b
MD5: 4B49BAE63D537E82425791C81CB9F5D6

Known system changes:

Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKU\S-1-5-21-1644491937-790525478-725345543-1003\Environment\SEE_MASK_NOZONECHECKS: "1"

Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\0013.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\meme.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe

Manual Removal Instructions for 8.vbs:


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process google.exe.

2.  Delete the following files:

    %Temp%\google.*
    %Temp%\meme.exe
    %Temp%\0013.jpg
    %UserProfile%\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe

    Tutorial:  How to delete startup entries 

3.  Repair the registry using this reg script.  Note that registry key/data 85ce27c90f0ba2b98ceb888e2ca7acde is random.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-

4.  Remove google.exe from your firewall exceptions using this command.at the CMD Prompt.

    netsh firewall delete allowedprogram google.exe

5.  Update your antivirus program and perform a full scan of the computer.

NOTE:  The worm displays a nude photo at first run.

Posted by at
Labels: , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)