Removal tool for W32/VBSAuto-C, VBS/Slogod.X (Startup.scr, winxp.exe, winjpg.jpg, M.p.jpg) WORM
March 21, 2010 by admin
Filed under Removal Tips,Tools and Videos

Severity Level : 4/10
Alias:
- W32/VBSAuto-C [Sophos]
- Script.Autorun.apd [McAfee]
- NOT Detected [Kaspersky Lab]
- Worm:VBS/Slogod.X [Microsoft]
M.p.jpg (MD5 : 6535e9edb9645ecb77abde2de4ae67f7) – VirusTotal Report : (Click Here)
File System Modifications
The following files were created in the system:
- %system%\Startup.scr
- %system%\Sys.dat
- %system%\winjpg.jpg
- %system%\winxp.exe
Note:
- %system% is a variable that refers to the System folder. By default, this is "C:\Windows\System" (Windows 95/98/Me), "C:\Winnt\System32" (Windows NT/2000), or "C:\Windows\System32" (Windows XP).
- ? = Random file name.
Memory Modifications
There were new processes created in the system:
| Process Name | Process Filename |
| Startup.scr | %system%\Startup.scr |
| winxp.exe | %system%\winxp.exe |
Registry Modifications
The newly created or modified Registry keys and values are:
[HKEY_CLASSES_ROOT\exefile\shell\Open application]
[HKEY_CLASSES_ROOT\exefile\shell\Open application\command]
@="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s]
[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command]
@="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"
[HKEY_CURRENT_USER\Software\Win]
"klg"=hex:01,
[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host]
[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"DisplayLogo"=dword:00000000
"Timeout"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\Shell32.DLL"="Windows Shell Common Dll"
"C:\\WINDOWS\\system32\\Wscript.exe"="Microsoft (R) Windows Based Script Host"
"C:\\WINDOWS\\system32\\winxp.exe"="winxp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Win]
"nck"=hex:e4,0e,a0,02,ad,2a,e5,57,26,c3,cd,74,fa,93,5b,67,
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Open application]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Open application\command]
@="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Scan for virus,s]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Scan for virus,s\command]
@="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36E0783A-90B6-BC95-68C5-BE20436E47EA}]
"stubpath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,53,74,61,72,74,75,70,2e,73,63,72,20,73,00,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"regdiit"="C:\\WINDOWS\\system32\\winxp.exe"
"CTFMON"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Adobe Gamma Loader.exe]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Angry.bat]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Trojan.exe]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe]
"Debugger"="C:\\WINDOWS\\system32\\winxp.exe"
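The dump above is a set of persistence and defence-evasion hooks rather than random noise: the Image File Execution Options "Debugger" values make Windows start winxp.exe whenever one of the listed security tools is launched, the exefile shell verbs and the Run values relaunch the worm and its winjpg.jpg script through wscript.exe, and the Active Setup stubpath reruns Startup.scr at logon. The PowerShell script below is an added example, not part of the original post and not the VirusExperts.org removal tool: it audits those locations read-only, decodes the hex(2) stubpath bytes listed above into the command they encode, and checks every drive root for M.p.jpg (named in the title and in a reader's comment). File, key and value names are taken from the post; the function names and the assumption that the dump lists one byte per character are mine.

```powershell
# Added example (not from the original post or its removal tool): a read-only
# audit of the persistence points in the dump. Run from an elevated PowerShell
# prompt; nothing is modified or deleted. Names of dropped files and registry
# values come from the post; function names and helper logic are assumptions.

$suspectNames = @('winxp.exe', 'winjpg.jpg', 'Startup.scr')
$findings     = New-Object System.Collections.Generic.List[string]

function Test-SuspectValue([string]$Value) {
    # True when a registry value's data references one of the dropped files.
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    foreach ($n in $suspectNames) { if ($Value -match [regex]::Escape($n)) { return $true } }
    return $false
}

function ConvertFrom-RegHexBytes([string]$HexList) {
    # Decodes the "hex(2):43,3a,..." byte list the dump uses for stubpath.
    # The dump lists one byte per character, so ASCII decoding is assumed here
    # (a genuine .reg export of REG_EXPAND_SZ would hold UTF-16LE bytes).
    $bytes = $HexList.Trim().TrimEnd(',').Split(',') |
        ForEach-Object { [Convert]::ToByte($_.Trim(), 16) }
    return ([System.Text.Encoding]::ASCII.GetString([byte[]]$bytes)).TrimEnd([char]0)
}

# 0. Offline: what the Active Setup value in the post actually says.
$stubHexFromPost = '43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,53,74,61,72,74,75,70,2e,73,63,72,20,73,00'
"Active Setup stubpath in the post decodes to: $(ConvertFrom-RegHexBytes $stubHexFromPost)"

# 1. Image File Execution Options: a Debugger value makes Windows start winxp.exe
#    instead of the named program (the security tools in the list above).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if (Test-SuspectValue $dbg) { $findings.Add("IFEO Debugger for $($_.PSChildName): $dbg") }
}

# 2. exefile shell verbs: "Open application" and "Scan for virus,s" run the worm
#    from the right-click menu of any .exe file.
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell' -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = (Get-ItemProperty -Path "$($_.PSPath)\command" -ErrorAction SilentlyContinue).'(default)'
    if (Test-SuspectValue $cmd) { $findings.Add("exefile verb '$($_.PSChildName)': $cmd") }
}

# 3. Run keys: "regdiit" and "CTFMON" (the latter borrows the name of the
#    legitimate ctfmon.exe entry).
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName/... metadata
        if (Test-SuspectValue ([string]$p.Value)) { $findings.Add("Run value '$($p.Name)': $($p.Value)") }
    }
}

# 4. Active Setup: StubPath runs once for every user who logs on.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if (Test-SuspectValue $stub) { $findings.Add("Active Setup $($_.PSChildName): $stub") }
}

# 5. The worm's own config keys, the dropped files, and M.p.jpg on every drive root
#    (the title and a reader comment mention copies outside C:\).
foreach ($k in 'HKLM:\SOFTWARE\Win', 'HKCU:\Software\Win') {
    if (Test-Path -Path $k) { $findings.Add("Config key present: $k") }
}
foreach ($f in 'Startup.scr', 'Sys.dat', 'winjpg.jpg', 'winxp.exe') {
    $p = Join-Path -Path $env:SystemRoot -ChildPath "System32\$f"
    if (Test-Path -Path $p) { $findings.Add("Dropped file present: $p") }
}
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if ([string]::IsNullOrEmpty($d.Root)) { continue }
    $p = Join-Path -Path $d.Root -ChildPath 'M.p.jpg'
    if (Test-Path -Path $p) { $findings.Add("Worm copy on drive root: $p") }
}

if ($findings.Count -eq 0) { 'No indicators from the post were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reports; it is meant to confirm what a removal left behind (or to triage a machine before cleaning) rather than to clean. The IFEO check is written generically on purpose: it flags any Debugger value that points at the dropped files, so it also catches hijacked program names beyond the alphabetical slice shown in the dump.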
Removal Tools :
Download the W32/VBSAuto-C / VBS/Slogod.X WORM Remover Tool provided by VirusExperts.org from Here.
%Temp%\cvasds1.dll
%Temp%\cvasds2.dll
thinks
Thanks my brother …
All thankful to you.
I used it and it was perfect,
but I want to ask you: is there any problem with node antivirus installed before?
Thank you.
Hi saeed,
There is no problem with installing nod32 before, because the removal does not affect anything in your system; it only removes the virus, and nothing will be installed.
Hi admin, thank you for the programme. The winxp.exe I guess it's removed, but I still can't open my task manager. Is there a problem or something? Plzzzz help me.
Hi omarrrio,
Try this to enable the task manager: http://www.virusexperts.org/wp-content/uploads/2009/06/enable_taskmanager.reg
Thanks a lot.
Hi admin, thanks for the information. Don't know why my AVG still detects winxp.exe, and when I search for the file manually I don't get any; plus my System Restore isn't opening. Is there any way to solve this problem? PLZ help…
Hi Dani,
First of all, you are so welcome.
- I want you first to go to Start > Run, write "msconfig", then press Enter and tell me whether msconfig opens or not.
- When you search, look under "Look in", open "More advanced options", check "Search hidden files and folders", then search for winxp.exe.
If you find the file "winxp.exe", please put it in a RAR file and submit it here: http://www.virusexperts.org/submit-a-threat/
because maybe it's a new version of the winxp.exe virus; I'll make a removal for it and post about it.
Hello admin. I did use your software for removing the virus, but now my anti-virus, System Restore and msconfig aren't working too…. So help me out.
Did you use Combofix or not?
Hmm… no, I don't use Combofix. And yes, now my msconfig is working and I have disabled the startup command of the virus, but still System Restore isn't working. Is there any way to remove the virus?
If your msconfig is working now, I think you removed the virus, but the damage the virus made is still there.
Try to use Combofix to fix most of your system problems if you did not use it. You can download it from here:
* BleepingComputer.com
* ForoSpyware.com
It doesn't work: the removal doesn't find any of the files it expected, AND the virus "c:\windows\system32\winxp.exe" is still detected by Avast Free Edition, in the process "c:\windows\system32\wscript.exe". Please, help!!
Amine, there is more than one version of winxp.exe.
Could you please put your winxp.exe in a compressed file and submit it to us so we can make a new removal for it.
Thanks very much.
Welcome.
Dear Admin,
We owe it to you…. Thank you very much; your antivirus removal program works like a charm, but there is something you might have overlooked in writing this program. The virus doesn't reside only on drive C:\ but on any drives you have in your computer. I happened to see on my drive D:\ a copy of "M.p.jpg", and also my drive D:\ doesn't open with a double click; I have to open it by right-click, then Explore.
Dear Colbi,
Thank you so much for your comment and feedback; soon we will update the removal.
Thanks,
worked like a charm.
Fantastic work, much appreciated.