Friday, February 20, 2015

How to terminate a process

Before attempting any malware removal, it is best to terminate the malware's processes first; a running process will keep its file locked and may recreate whatever you delete.  I always remove malware in Normal Mode first, so that is what I'll be teaching you here.

Terminating a malicious process.  More than one way to skin a cat.

Your options are numerous.  We can start with what Windows already provides: Task Manager and TASKKILL.


Using Task Manager

You may already know how to launch Task Manager: Ctrl+Alt+Del, Ctrl+Shift+Esc, right-click on the Taskbar and choose Start Task Manager, launch it via Run [Win+R] by typing taskmgr, etc.



  • Launch Task Manager
  • Go to the Processes tab
  • Highlight the process you want to terminate
  • Click the End Process button at the lower right corner
  • or right-click on the process and select either End Process or End Process Tree (the latter also terminates any child processes it has started)

Using Taskkill

The syntax for TASKKILL for terminating a process is

    TASKKILL /F /IM ProcessName.exe

Let's do a quick demo.  Launch Notepad and run the following:

    TASKKILL /F /IM Notepad.exe

You can run this command at the CMD Prompt or from the Run box [Win+R].  /F forces termination and /IM selects the process by image (file) name; if more than one instance is running, all of them are terminated.
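As an added example (this is not code from the original post), here is the same operation done from PowerShell, with one thing TASKKILL does not show: the command line of each instance before it is killed.  That matters for wscript.exe, which is a legitimate Windows component; the script path in its command line is what tells a worm's instance from a harmless one.  The function name Stop-ImageName is my own; the script assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt.

```powershell
# Added example, not from the original post. Lists every running instance of an
# image name together with its command line, terminates them (TASKKILL /F /IM
# does the same) and then checks that none survived.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt;
# Stop-ImageName is a name chosen for this example.
function Stop-ImageName {
    param(
        [Parameter(Mandatory)][string]$ImageName,   # e.g. 'notepad.exe', 'wscript.exe'
        [switch]$ListOnly                            # show matches, terminate nothing
    )
    # WQL filter on the image name; a single quote in the name is doubled for WQL.
    $filter = "Name = '{0}'" -f $ImageName.Replace("'", "''")
    $procs  = @(Get-CimInstance -ClassName Win32_Process -Filter $filter)
    if ($procs.Count -eq 0) {
        Write-Host "No running process named $ImageName"
        return
    }
    foreach ($p in $procs) {
        # Win32_Process exposes CommandLine; Get-Process does not.
        Write-Host ("PID {0,6}  {1}" -f $p.ProcessId, $p.CommandLine)
        if (-not $ListOnly) {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue
        }
    }
    if ($ListOnly) { return }

    # Verify. A survivor normally means another process restarted it; note the
    # parent PID and terminate that first, which is what End Process Tree in
    # Task Manager does in one step.
    Start-Sleep -Milliseconds 500
    $left = @(Get-CimInstance -ClassName Win32_Process -Filter $filter)
    foreach ($p in $left) {
        Write-Warning ("Still running: PID {0} (parent PID {1})" -f $p.ProcessId, $p.ParentProcessId)
    }
    if ($left.Count -eq 0) { Write-Host "All $ImageName instances terminated." }
}

# The same demo as above: start Notepad, then terminate it.
Start-Process notepad.exe
Start-Sleep -Seconds 1
Stop-ImageName -ImageName 'notepad.exe'
```

Run it with -ListOnly first when you are looking at wscript.exe: the command lines tell you which script each instance is running, and that path is the file you will have to delete afterwards.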


Using 3rd Party Utilities

Not much explanation is needed here; I'll just provide my screenshots.  These are better alternatives to Task Manager because they show more about each process (its path, command line and startup entries) and can terminate processes that Task Manager refuses to end.









If you find this tutorial useful, please comment, share or email me. You can also make a donation to my PayPal account to help me continue my work. Thank you.
 
arnaldo.austria@gmail.com
Pinoy Tech RAMBO

To GOD be the glory! 



All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014-2015 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.



Thursday, February 19, 2015

How to delete startup entries

Here's a technique I use to delete malware located in the Startup folder using System Explorer.  Do this only after terminating the malware first.



Note that you can also go directly to the Startup folder, enable showing hidden and system files, and delete whatever malicious file is located there.  But with System Explorer you can terminate the malware and delete any other startup items the malware may have added to your system, all from one place.

Monday, February 16, 2015

How to Remove a VBS Worm

In this tutorial, I'll be removing a worm that hides the files in the root directory of any external drive and creates a shortcut for each of them.

 

MD5 - bf42cc6bdab6539b6d4e5126ec66fdf4

 

Virustotal scan

Worm script.


 Here is what the worm does to your external drives.




First, we have to terminate the malicious WScript.exe process used by the worm.  Note that WScript.exe itself is a legitimate Windows component (the Windows Script Host); what makes this instance malicious is the script it is running, and not all VBS files are malicious in nature.

You may use any of the following to terminate a process.
  • Task Manager
  • System Explorer
  • Process Explorer
  • DTaskManager or any similar utility
  • TASKKILL
I'll be using System Explorer throughout my manual malware removal tutorials.  You may use any app you like; it's more a matter of personal preference.

Right-click on WSCRIPT.EXE and End Process.



or you can use TASKKILL.  The syntax is:

    TASKKILL /F /IM WSCRIPT.EXE


Using Windows Task Manager to terminate a process.  Highlight wscript.exe and click on End Process.

Deleting the Startup entry from the Startup folder.

Right-click on VBS_WORM (50).vbs and click Delete Item




Deleting HKLM and HKCU entries.  

Right-click on VBS_WORM (50) and Open Item Key in Regedit



Take note of the worm's location (the path in the value data) before deleting the entry in Regedit; you will need it to delete the file in the next step.


Delete both HKLM and HKCU Run entries.


Use Explorer to navigate to the location of the worm and delete it.



At the CMD Prompt, unhide the hidden files on your external drives.  If the worm that infected your system also hid your folders and created shortcuts to them, use the following commands, which include the /D switch so that directories are processed as well as files:

    G: *
    ATTRIB -S -H /S /D \*.*

* Change the drive letter accordingly.


Delete the worm and shortcuts.


Repairing leftover registry entries.

Copy and paste the following into Notepad and save it as FIX.REG.  Double-click the file (or right-click it and choose Merge) to merge it into the registry.  Click Yes when prompted.

    Windows Registry Editor Version 5.00

    ;BF42CC6BDAB6539B6D4E5126EC66FDF4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VBS_WORM (50)"=-

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VBS_WORM (50)"=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (50)]

NOTE:  This is specific to this strain of the worm.  If the worm was renamed, it uses the new filename as the registry value and key name, so you have to change FIX.REG accordingly.  (In .reg syntax, "name"=- deletes a value and [-Key] deletes a whole key.)

Update your antivirus program and perform a full scan of the computer.
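The registry and Startup-folder steps above (Open Item Key in Regedit, delete the HKLM and HKCU Run entries, delete the worm file) can be scripted so that they do not depend on the worm's name.  The following is an added example of my own, not code from the original post: it hunts the Run keys and the Startup folders for anything that launches a Windows Script Host script, reports what it found, and with -Remove deletes the value and the script file it points to.  The function names, the list of script extensions (the post only shows .vbs and .vbe) and the Wow6432Node key are my assumptions; it needs PowerShell 3.0 or later and an elevated prompt, and wscript.exe must already be terminated or the file delete will fail.

```powershell
# Added example, not from the original post. Finds Run values and Startup-folder
# files that start a Windows Script Host script and removes them on request.
# Assumptions: PowerShell 3.0+, elevated prompt, script extensions below.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit hosts only
)
# Script path inside the value data, quoted or not, e.g.
#   wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\1.vbe"
$ScriptPattern = '"?(?<path>[A-Za-z]:\\[^"]*?\.(?:vbs|vbe|js|jse|wsf))"?'
$ScriptExt     = '^\.(vbs|vbe|js|jse|wsf)$'

function Get-ScriptRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Keep %Temp% etc. unexpanded in the report, expand it for the delete.
            $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            if ($data -match $ScriptPattern) {
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $name
                    Data       = $data
                    ScriptPath = [Environment]::ExpandEnvironmentVariables($Matches['path'])
                }
            }
        }
    }
}

function Get-ScriptStartupFile {
    # Per-user and all-users Startup folders; -Force shows hidden files too.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir) {
            Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -match $ScriptExt }
        }
    }
}

function Remove-ScriptAutostart {
    param([switch]$Remove)   # without -Remove this only reports
    foreach ($e in @(Get-ScriptRunEntry)) {
        Write-Host ("[{0}] {1} = {2}" -f $e.Key, $e.ValueName, $e.Data)
        if (-not $Remove) { continue }
        # Same effect as the  "<name>"=-  line in FIX.REG.
        Remove-ItemProperty -Path $e.Key -Name $e.ValueName -ErrorAction Continue
        if (Test-Path -LiteralPath $e.ScriptPath) {
            Remove-Item -LiteralPath $e.ScriptPath -Force -ErrorAction Continue
            Write-Host "  deleted $($e.ScriptPath)"
        }
    }
    foreach ($f in @(Get-ScriptStartupFile)) {
        Write-Host ("[Startup folder] {0}" -f $f.FullName)
        if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue }
    }
}

Remove-ScriptAutostart            # report only
# Remove-ScriptAutostart -Remove  # actually clean up
```

Run it without -Remove first and read the list: a legitimate script a program installed for itself will show up here too, and the path in the value data is what lets you tell the two apart.  The leftover keys under HKLM\SOFTWARE (the worm's own key and the Tracing keys) are not touched by this script; merge FIX.REG for those.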




Copyright © 2015 Arnaldo Austria. All rights reserved. All other trademarks are the sole property of their respective owners.

How to recover Windows password (Part 1)


You've been locked out of your PC.  You know you've typed the correct password but it still says your password is incorrect.

Giving up already?  Well, don't, because there are many ways to replace or recover your lost password.

If you can log on to another Administrator account, this procedure might do the trick.

1.  At the log-on screen, do the following:

    [CTRL] + [ALT] + [DEL]
    [DEL]

Type Administrator and hit Enter.

Note: if your other Administrator account has a password, simply supply the correct one.

2.  If step 1 was successful, launch CMD and type the following:

    NET USER



This command will list all USERS in your system.

3.  Select the account username in question.  For example, if your account name is WinXPert, type this command (the trailing * makes NET USER prompt for the new password instead of taking it on the command line):

    NET USER WINXPERT *



    Type the password for the user:
    Retype the password to confirm:

Just type the new password and hit Enter, then retype the password and hit Enter.

Note that what you type will not be visible.

4.  Log out and Log in to your account with the new password.

Manual removal instructions for VBS_WORM (49).VBS

MD5 - C13DEF035FEA2919DEA2272ED8960921

Virustotal Scan

1.  Terminate WScript.exe process.


 2.  Delete Startup Items:  Startup folder, HKLM and HKCU.


3.  Delete the VBS files.


Using Everything to locate the VBS worms.




4.  Delete the VBS file and shortcuts in your external drive.

5.  Repair the registry.

Copy and paste the following into Notepad and save it as fix.reg.  Merge fix.reg into your registry.

    Windows Registry Editor Version 5.00

    ;C13DEF035FEA2919DEA2272ED8960921

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VBS_WORM (49)"=-

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VBS_WORM (49)"=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (49)]



NOTE:  This is specific to this strain of the worm.  If the worm was renamed, it uses the new filename as the registry value and key name, so you have to change fix.reg accordingly.

6.  Unhide your folders and files on your external drive.



7.  Scan with an updated antivirus.

Using Qihoo 360 TS to scan and fix your external drive (bypassing steps 4 and 6). 







Related articles:

Ultimate Guide in Removing VBS Worms





Wednesday, February 11, 2015

Removal instructions for 1.vbe


Analysis:


Type of file: VBEFile
Description:
Location: C:\Documents and Settings\Administrator\Local Settings\Temp\
Size: 30211 bytes
MD5: C7E1090127561E8A518D5A508059027E

Known system changes:

Keys added: HKLM\SOFTWARE\1

Values added:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1: "wscript.exe //B "C:\DOCUME~1\Admini~1\LOCALS~1\Temp\1.vbe""
HKLM\SOFTWARE\1\: "false - 10/25/2014"


Files added:
C:\Documents and Settings\Owner\Local Settings\Temp\1.vbe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\1.vbe
F:\1.vbe
F:\New Text Document.lnk
F:\New Folder.lnk

Files [attributes?] modified:
F:\New Text Document.lnk


Manual Removal Instructions for 1.vbe:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program.
Make sure you create a System Restore point before proceeding:


1.  Use Task Manager to terminate the malicious process wscript.exe

2.  Delete 1.vbe from these locations:
  • %Temp%
  • %UserProfile%\Start Menu\Programs\Startup
  • Root directory of USB drives

3.  Repair the registry using this reg script.  Note that the registry key and value name 1 is not fixed: it takes the filename of the .vbe file, so adjust the script if the file was renamed.


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1"=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\1]

4.  Delete all *.lnk located at the root directory of your external drives.  Replace DRIVE with the correct drive letter assignment of your external drives.

    DEL DRIVE:\*.LNK

5.  Unhide all hidden files and folders using this command.  Replace DRIVE with the correct drive letter assignment of your external drives.


    ATTRIB DRIVE:\*.* -S -H /S /D

6.  Update your antivirus/antimalware program and perform a full scan of the computer.
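Steps 4 and 5 above, like steps 4 and 6 of the VBS_WORM (49) post and the ATTRIB step of the VBS_WORM (50) post, clean the external drive with a blanket DEL *.LNK and ATTRIB -S -H /S /D.  The following is an added example of my own, not code from the original posts, that does the same job but looks inside each shortcut first.  It assumes (the posts do not say so) that the worm's shortcuts point at a script host or a script file, and only removes those, so a legitimate shortcut the user kept on the drive survives; it then clears the Hidden and System attributes recursively.  The function name Repair-ExternalDrive is mine; it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original posts. Inspects the root of an external
# drive, removes shortcuts and scripts that reference a script host (an
# assumption about how the worm's .lnk files are built) and clears the
# Hidden/System attributes the worm set. Without -Remove it only reports.
function Repair-ExternalDrive {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Drive,  # e.g. 'F:'
        [switch]$Remove
    )
    $root  = "$Drive\"
    $shell = New-Object -ComObject WScript.Shell     # reads .lnk target and arguments
    $bad   = '(wscript|cscript)\.exe|\.(vbs|vbe|js|jse|wsf)\b'

    # 1. Shortcuts and loose scripts at the root (-Force: the worm hides them).
    foreach ($f in Get-ChildItem -LiteralPath $root -Force -File) {
        $suspicious = $false
        if ($f.Extension -ieq '.lnk') {
            $lnk = $shell.CreateShortcut($f.FullName)
            $suspicious = ("$($lnk.TargetPath) $($lnk.Arguments)") -match $bad
            Write-Host ("{0,-40} -> {1} {2}" -f $f.Name, $lnk.TargetPath, $lnk.Arguments)
        } elseif ($f.Extension -match '^\.(vbs|vbe|js|jse|wsf)$') {
            $suspicious = $true
            Write-Host ("{0,-40}    script file" -f $f.Name)
        }
        if ($suspicious -and $Remove) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "  removed"
        }
    }

    # 2. ATTRIB -S -H /S /D: strip Hidden and System from every file and folder.
    if ($Remove) {
        $mask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)
        Get-ChildItem -LiteralPath $root -Force -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item = $_
                try   { $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band $mask) }
                catch { Write-Warning "Could not change attributes on $($item.FullName)" }
            }
        Write-Host "Hidden/System attributes cleared under $root"
    }
}

Repair-ExternalDrive -Drive 'F:'            # report only
# Repair-ExternalDrive -Drive 'F:' -Remove  # actually clean up
```

The report pass prints each shortcut's target and arguments; a worm shortcut typically points at the script host with the real file as an argument, while a genuine shortcut points at the file or program itself.  Expect a warning for System Volume Information, which ATTRIB cannot change either.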






Sunday, February 8, 2015