Removing the virus VirusRemoval.vbs

-
I found my home computer and a few thumb drives infected with this virus. The only indication that something was not right was that whenever I plug in my multi-card reader into my USB port, a message will pop up saying that the drive is empty or something to that effect; or in other words, something was trying to write to my multi-card slots. So I examined my thumb drives and SD cards and found these hidden files VirusRemoval.vbs and Autorun.inf on it.

Luckily this virus doesn't do anything more damaging than changing the home page of Internet Explorer and propagating itself onto portable drives. And I was able to remove it with a few simple steps.

Symptoms of the virus:
If a computer is infected, then the following are true.

  1. The file VirusRemoval.vbs can be found in the Windows system folder c:\Windows\System32\ as a hidden, readonly file.

  2. The HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\ registry entry will be set to start up the VirusRemoval.vbs script every time a user logs on.

If a thumb drive is infected, then the following are true.
  1. The drive will have the VirusRemoval.vbs file.

  2. The drive will have an Autorun.inf file set to run the VirusRemoval.vbs script.

Here are the steps I did to remove the virus.


Terminate the running virus process

  1. On Windows XP, right click on the Task Bar and choose Task Manager.

    The Windows Task Manager appears.

  2. Click the Processes tab if it is not displayed. Scroll through the processes and look for the process wscript.exe in the list. Select the process as shown below.



  3. Click End Process to kill the process.

    The message appears.


  4. Click Yes.

    The wscript.exe process is terminated.

Stop the virus from starting up
  1. Click Start > Run. Type in regedit. Click OK.

    The Registry Editor appears.

  2. Expand the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\ and choose Userinit.



  3. Double click Userinit.

    The Edit String dialog box appears.


  4. Select all the text in the Value data field. Press CTRL+C to copy to the Clipboard. Paste it into a text editor e.g. Notepad.



  5. In the text editor, remove the string C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\virusRemoval.vbs as shown below. Press CTRL+A and CTRL+C to copy the remaining text to the Clipboard.



  6. In the Edit String dialog box, clear all the Value data text and press CTRL+V to paste the edited text into the Value data field.

  7. Click OK.

Delete the virus
  1. Open up a Command Prompt window. Change directory to the C:\Windows\System32\.

    C:\> CD C:\Windows\System32

  2. List all hidden *.vbs files.

    C:\> dir /a *.vbs
  3. Change the VirusRemoval.vbs file to read-write and visible.

    C:\> attrib -r -a -h -s VirusRemoval.vbs

  4. Now you can delete the virus.

    C:\> del virusremoval.vbs


Remove the virus from infected portable drives
On infected portable drives, simply repeat the previous steps to open up a Command Prompt to the root folder of the portable drive. And change the virus script file to read-write and visible, then delete it. You may want to remove the Autorun.inf file also.

Comments

Post a Comment

Popular posts from this blog

Image background removal using Krita

-
Image
Like other image editing software such as Gimp or Photoshop , Krita has similar tools to remove the background of an image non-destructively using transparency masks. The following steps show how: Open up an image in Krita . In the Layers pane on the right, mouse right click on the paint layer. A pop up menu appears . Choose Add | Transparency Mask . A transparency mask sub layer is created underneath the paint layer . Draw a selection polygon roughly around the foreground object in the image using the Polygonal Selection Tool , as shown below. Then in the File menu, click Select | Invert Selection . Choose Black as the foreground color. Choose a Brush e.g. Basic-1 Ink . Make sure the transparency mask layer is selected or active. Then paint over the background. Choose Select | Deselect to remove the selection polygon. The marching ants selection polygon is removed . Make the brush size smaller and zoom closer  to the background - foreground boundary. Brush over the r
Read more

Create an embossed text effect using Inkscape

-
Image
I learnt how to use Inkscape to create a 3-D embossed effect on text objects simply by using the text object's fill blur property. An example of the effect is shown in the image below. The following steps show how the effect was created on an existing text vector drawing. In Inkscape , open up the Fill and Stroke pane by selecting Object | Fill and Stroke  in the menu bar. Press F1 . Click on the text object. The text object is selected with handles around it . Press CTRL+C . The selected text object is copied to the clipboard . Press CTRL+V twice. The text object is duplicated twice . Press F8 . Click on one of the text object. In the Fill and Stroke pane, click the Fill tab. Change the selected text object's  fill color to black . In the Fill and Stroke pane, adjust the Blur property to define the emboss effect e.g. 10 . The selected text object is blurred . Press F8 . Click on another text object. In the Fill and Stroke pane, click the Fill tab. Adju
Read more

How to copy and paste the color from one object to another using Inkscape

-
Image
In Inkscape , it is possible to copy the color from one object to another object using the Pick Color   tool. This saves a bit of time since you don't have to note down the source color and type in the new RGB color values in some dialog box.  To illustrate how to do this, see the following steps. In Inkscape , click the Pick Color tool    icon in the left tool bar or press F7 on the keyboard. The cursor changes to an eye dropper . Hover the cursor over the object with the source color e.g. green S , as shown below. Then press CTRL+C . The color underneath the cursor is copied over to the clipboard . Then click the Select and transform objects tool or press F1 . Now click on the object to be changed, e.g. blue G , as shown below. Press CTRL+V . The selected object's color is changed from blue to green. 
Read more