Removal instructions for 8.vbs
Analysis:
Type of file: VBEFile
Description:
Location:
Size: 244639 b
MD5: 4B49BAE63D537E82425791C81CB9F5D6
Known system changes:
Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde: ""C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe" .."
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe:*:Enabled:google.exe"
HKU\S-1-5-21-1644491937-790525478-725345543-1003\Environment\SEE_MASK_NOZONECHECKS: "1"
Files added:
C:\Documents and Settings\Administrator\Local Settings\Temp\0013.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\google.exe.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\meme.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe
Manual Removal Instructions for 8.vbs:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Make sure you create a System Restore point before proceeding:
1. Use Task Manager to terminate the malicious process google.exe.
2. Delete the following files:
%Temp%\google.*
%Temp%\meme.exe
%Temp%\0013.jpg
%UserProfile%\Start Menu\Programs\Startup\85ce27c90f0ba2b98ceb888e2ca7acde.exe
Tutorial: How to delete startup entries
3. Repair the registry using this reg script. Note that registry key/data 85ce27c90f0ba2b98ceb888e2ca7acde is random.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"85ce27c90f0ba2b98ceb888e2ca7acde"=-
4. Remove google.exe from your firewall exceptions using this command.at the CMD Prompt.
netsh firewall delete allowedprogram google.exe
5. Update your antivirus program and perform a full scan of the computer.
NOTE: The worm displays a nude photo at first run.
No comments:
Post a Comment