Analysis
Virustotal scan
SHA256: f7dacc9caf962fde36c35608ecfd8a1a591185d89f9584574f158795b6ae29c0
File name: COOL.vbs
Keys added: 1
  HKLM\SOFTWARE\kpcgrhynko

Values added: 2
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kpcgrhynko: "wscript.exe //B "C:\Documents and Settings\user\Application Data\kpcgrhynko.vbs""
  HKLM\SOFTWARE\kpcgrhynko\: "false - 6/25/2014"

Files added: 4
  C:\Documents and Settings\user\Start Menu\Programs\Startup\kpcgrhynko.vbs
  D:\autorun.inf
  D:\kpcgrhynko.vbs
Removal
- Terminate the wscript.exe process.
- Remove the kpcgrhynko.vbs entries from Startup using CCleaner. Take note of the path of the worm. Highlight them and click the Delete button.
- Delete all occurrences of kpcgrhynko.vbs, including every autorun.inf it dropped, on all drives.
- Delete HKLM\SOFTWARE\kpcgrhynko with Regedit.
- Use fix.reg to remove the registry entries. Copy/paste the following into Notepad and save it as fix.reg. Double-click the file, or right-click it and choose Merge, to import it into the registry.
REGEDIT4

; A leading "-" before the key name deletes the whole key (the worm's marker key)
[-HKEY_LOCAL_MACHINE\SOFTWARE\kpcgrhynko]

; "name"=- removes only that value, leaving the other Run entries intact
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kpcgrhynko"=-
- Scan with an updated Antivirus.
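The manual steps above can be checked and carried out from one elevated PowerShell prompt. The script below is an added example, not part of the original post: it audits the artifacts listed in the analysis (the wscript.exe process, the Run value, the HKLM\SOFTWARE\kpcgrhynko marker key, the dropped .vbs copies and the autorun.inf files that reference them) and only deletes them when run with -Remove. The artifact name and paths come from the analysis; the -Remove switch and the variable names are this example's own choices. It assumes PowerShell 3 or later (for Get-CimInstance); %APPDATA% and the Startup folder are resolved from the environment rather than hard-coded, so the "Application Data" path from the analysis still matches on an older system. Note that the Run value starts the worm with wscript.exe //B, which is batch mode and suppresses script errors and prompts, so the infected user sees nothing at logon.

```powershell
# Added example: audit (default) or remove (-Remove) the kpcgrhynko artifacts
# described in the analysis. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$Name = 'kpcgrhynko'          # artifact name from the analysis
$Findings = @()

# 1. wscript.exe processes whose command line references the worm
$procs = Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" |
    Where-Object { $_.CommandLine -like "*$Name*" }
foreach ($p in $procs) {
    $Findings += "Process PID $($p.ProcessId): $($p.CommandLine)"
    if ($Remove) { Stop-Process -Id $p.ProcessId -Force }
}

# 2. Run value and 3. marker key; HKCU is checked as well in case the worm
#    ran without admin rights and could only write to the user hive
foreach ($hive in 'HKLM:', 'HKCU:') {
    $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $runKey -Name $Name -ErrorAction SilentlyContinue
    if ($val) {
        $Findings += "Run value $runKey\$Name = $($val.$Name)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $Name }
    }
    $marker = "$hive\SOFTWARE\$Name"
    if (Test-Path $marker) {
        # The analysis shows the marker's default value holding "false - <date>"
        $default = (Get-ItemProperty -Path $marker).'(default)'
        $Findings += "Marker key $marker = $default"
        if ($Remove) { Remove-Item -Path $marker -Recurse -Force }
    }
}

# 4. Dropped copies: %APPDATA%, both Startup folders, and the root of every
#    drive (the analysis shows D:\kpcgrhynko.vbs beside D:\autorun.inf)
$candidates = @(
    (Join-Path $env:APPDATA "$Name.vbs"),
    (Join-Path ([Environment]::GetFolderPath('Startup')) "$Name.vbs"),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) "$Name.vbs")
)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $candidates += Join-Path $drive.Root "$Name.vbs"
    # Only flag an autorun.inf that points at the worm, not every autorun.inf
    $inf = Join-Path $drive.Root 'autorun.inf'
    if ((Test-Path $inf) -and (Select-String -Path $inf -Pattern $Name -Quiet)) {
        $candidates += $inf
    }
}
foreach ($path in ($candidates | Select-Object -Unique)) {
    if (Test-Path $path) {
        $Findings += "File $path"
        if ($Remove) { Remove-Item -Path $path -Force }
    }
}

if ($Findings.Count -eq 0) { "No $Name artifacts found." } else { $Findings }
```

Run it once without -Remove to see what is present, then with -Remove to clean up; the process is stopped before the files are deleted so the running script cannot recreate them in between, which is the same ordering the manual steps use. Checking removable drives is the part most easily forgotten: as the D:\ entries show, the worm spreads by copying itself and an autorun.inf to any drive it can write to.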