Symptoms:
* Task Manager is locked
* Regedit is locked
* Folder Options is missing
* Run has been disabled
* The "Open" and "Explore" values were changed to "b-b2g" and "Owned!"
Source: infected USB flash drives, spread through the autorun feature of "win32usbservices.exe"
Registry Entries:
* The newly created registry values are:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore]
  o (Default) = "Owned!"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open]
  o (Default) = "b-b2g"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  o autoMe = wscript.exe "%Windir%\samok.vbs"
The source file is found at %Windir%\samok.vbs
You can find the technical specifications of the virus here
How to remove the malware manually:
1. Download ComboFix.
2. Download tools that re-enable Task Manager and Regedit to the Desktop. Restart the computer in Safe Mode (press F8 before the Windows startup screen and select Safe Mode).
3. Select the Administrator account.
4. Copy ComboFix to the Desktop and double-click it to run the program (follow the ComboFix instructions).
5. After ComboFix has removed the malware from your PC, click Tools > Folder Options.
   * If Folder Options is not found, run regedit from the Run command or the command prompt and change the values of these keys from 1 to 0:
   * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     o NoFolderOptions = 0
     o NoRun = 0
6. Click the View tab > Show Hidden Files and Folders.
7. Browse to C:\Windows\
8. Find the file samok.vbs and delete it.
9. Run Regedit to clean up the registry (click Run and type Regedit, or type Regedit at the command prompt).
Change these keys back to the default AM and PM values:
* [HKEY_CURRENT_USER\Control Panel\International]
  o s1159 = "b-b2g", change to "am"
  o s2359 = "madforelmo", change to "pm"
Then search for these registry entries:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore]
  o (Default) = "Owned!" -> remove the value
* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open]
  o (Default) = "b-b2g" -> remove the value
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  o autoMe = wscript.exe "%Windir%\samok.vbs" -> remove the entry
Restart your computer.
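As an added example (not part of the original post), here is a PowerShell script that audits the registry values and dropper file listed above and, when run with -Fix, restores them. The key paths and worm values come from this post; the AM/PM defaults assume an en-US locale, and the autoMe check matches on the samok.vbs file name.

```powershell
# Added example (not from the original post): audit the registry values this worm changes.
# Run from an elevated PowerShell prompt. Reports every deviation; -Fix restores defaults.
param([switch]$Fix)

$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Each entry: key path, value name, what the worm writes, and the clean value to restore.
# Clean=$null means the value should not exist at all. 'AM'/'PM' assumes en-US defaults.
$checks = @(
    @{ Path='HKLM:\SOFTWARE\Classes\Folder\shell\explore';         Name='(default)'; Bad='Owned!';     Clean=$null },
    @{ Path='HKLM:\SOFTWARE\Classes\Folder\shell\open';            Name='(default)'; Bad='b-b2g';      Clean=$null },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='autoMe';    Bad='samok.vbs';  Clean=$null },
    @{ Path='HKCU:\Control Panel\International';                   Name='s1159';     Bad='b-b2g';      Clean='AM' },
    @{ Path='HKCU:\Control Panel\International';                   Name='s2359';     Bad='madforelmo'; Clean='PM' },
    @{ Path=$explorerPol; Name='NoFolderOptions'; Bad=1; Clean=0 },
    @{ Path=$explorerPol; Name='NoRun';           Bad=1; Clean=0 }
)

$findings = 0
foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        $current = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($null -eq $current) { continue }
    # DWORD policies are compared exactly; strings by substring, so the full
    # 'wscript.exe "%Windir%\samok.vbs"' command line is caught via its file name.
    $hit = if ($c.Bad -is [int]) { $current -eq $c.Bad } else { "$current" -like "*$($c.Bad)*" }
    if (-not $hit) { continue }
    $findings++
    $expected = if ($null -eq $c.Clean) { 'absent' } else { $c.Clean }
    Write-Warning "$($c.Path)\$($c.Name) = '$current' (expected: $expected)"
    if ($Fix) {
        if ($null -eq $c.Clean) { Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop }
        else { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Clean -ErrorAction Stop }
        Write-Host '  restored'
    }
}

# The VBScript dropper the Run entry points at.
$dropper = Join-Path $env:windir 'samok.vbs'
if (Test-Path $dropper) {
    $findings++
    Write-Warning "dropper present: $dropper"
    if ($Fix) { Remove-Item $dropper -Force; Write-Host '  deleted' }
}

if ($findings -eq 0) { Write-Host 'No indicators of this infection found.' }
else { Write-Host "$findings indicator(s) found$(if ($Fix) { ' and remediated' })." }
```

Run it without -Fix first to see what would change; after remediation, log off and back on so the restored policy values and time-format strings take effect.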