If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

Run FRST/FRST64 and press the Fix button just once and wait.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Save notepad as fixlist.txt to your Desktop.

HKCU\.\Run: - C:\Users\barbieri\AppData\Roaming\COOL.vbs ()

Quote from: fbrbrazil on October 05, 2013, 08:40:07 AM

Has anyone seen this new virus (cool.vbs)? I spent a few hours getting rid of this worm. The information is collected using WMI services (like "set colitems = objwmiservice.execquery("select * from win32_operatingsystem",48)"). After decoding, I can see the script sends some information to an HTTP server named "" on port 991. This virus appears to create a simple, long string with a modified base64 encoding. It also copies itself to C:\Users\\AppData\Roaming for every user on the computer. The script itself includes a few keys for the Windows registry to autostart on the OS. It appears that when the user clicks on the link, they execute the cool.vbs script. These links point to "wbscript /b cool.vbs
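A triage check built on the behaviour described in the post above, as an added example that is not part of the original post or of FRST: it scans log lines shaped like the Run entry quoted on this page and reports script files autostarted from a user's AppData\Roaming folder, grouped by the profiles that carry a copy. The regexes, the function name and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Script types that Windows Script Host runs directly.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# "<key ending in \Run or \RunOnce>: <anything> <drive path> (<optional field>)",
# modelled on the log line quoted on this page (an assumption, not FRST's spec).
RUN_LINE = re.compile(
    r"^(?P<key>\S*\\Run(?:Once)?):\s.*?(?P<path>[A-Za-z]:\\.+?)\s*(?:\([^)]*\))?\s*$"
)
# A file sitting directly in a profile's roaming AppData folder.
ROAMING = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\AppData\\Roaming\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

def find_script_autoruns(log_lines):
    """Map each autostarted script name (lowercased) to the sorted list of
    user profiles whose Run entry launches it from roaming AppData."""
    hits = defaultdict(set)
    for line in log_lines:
        entry = RUN_LINE.match(line.strip())
        if not entry:
            continue  # not a Run/RunOnce line
        target = ROAMING.match(entry.group("path"))
        if target and target.group("name").lower().endswith(SCRIPT_EXTS):
            hits[target.group("name").lower()].add(target.group("user"))
    return {name: sorted(users) for name, users in hits.items()}

# First line is the entry quoted on this page; the rest are constructed samples.
SAMPLE_LOG = [
    r"HKCU\.\Run: - C:\Users\barbieri\AppData\Roaming\COOL.vbs ()",
    r"HKU\user2\.\Run: - C:\Users\user2\AppData\Roaming\cool.vbs ()",
    r"HKLM\.\Run: - C:\Program Files (x86)\Vendor\updater.exe (Vendor)",
    r"HKCU\.\Run: - C:\Users\barbieri\AppData\Roaming\Chat\chat.exe ()",
]

if __name__ == "__main__":
    for name, users in find_script_autoruns(SAMPLE_LOG).items():
        print(f"{name}: autostarts for {len(users)} profile(s): {', '.join(users)}")
```

The same script name showing up under more than one profile matches the per-user copying the post describes, so every listed profile needs its Run entry and its file removed.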