Avast WEBforum
Other => Viruses and worms => Topic started by: fahim9n on December 11, 2013, 08:36:52 PM
-
1. At first, end the process named 'wscript.exe' from the task manager.
2. Go to my computer. Then, Organize (upper left side on win 7) -> Folder and search options -> View -> untick the Hide protected operating system files -> click OK.
3. Go to C drive. search for .vbs files. wait until the search this completed.
4. You will find two 'COOL.vbs' files. There will be total file path of these files. Keep the searching result window.
5. Go to Start-> cmd.exe . Command prompt will appear.
6. Write the following line-
DEL /F /S /Q /A "the filepath of COOL.vbs\COOl.vbs"
Example: DEL /F /S /Q /A "C:\Users\fahim\AppData\Roaming\COOl.vbs"
7. The both 'COOL.vbs' will be deleted.
8. Restart your PC.
9. Insert your infected USB device and format it. Then your devices will be pathetic COOl.vbs virusfree. :)
-
we already have removal experts here that does that for anyone that need help ....and it is free
http://forum.avast.com/index.php?topic=53253.0
and those who use MCShield USB protector will not have this problem. www.mcshield.net
-
Yes, I saw that. But that is too lengthy process. But I found by myself a lot of easier solution for this. That's why I have posted it.
Thanks
fahim
-
And what of the other stuff that may be present ?
-
Sorry, I didn't get your question.
Thanks
fahim
-
Cool VBS does not come alone. And the suggestion of using MSconfig to start in safe mode is dangerous, you may end up with a non-booting system if the malware has disable safe mode
-
Each system is a story for itself.
-
Cool VBS does not come alone. And the suggestion of using MSconfig to start in safe mode is dangerous, you may end up with a non-booting system if the malware has disable safe mode
This solution doesn't need to get your pc in safe mode. I think, you know very well about /F , /S , /Q and /A .
And I have stated only to remove the COOL.vbs virus. It works!
I have kicked out the virus from 10 PCs through this procedure.
Thanks
fahim
-
Fahim,
Do you have ANY training whatsoever? I don't. Just because I know how to manually remove Ransomware does not mean I should be kicking around helping people. That is beyond words dangerous. I do things in a controlled envirroment. YOu're doing things on a PC w/o knowledge of it and no training. Their is a big difference.
For the safety of you, I strongly recommend you stop before you cause harm to the PC, and potentially have a lawsuit on your hands
-
1. At first, end the process named 'wscript.exe' from the task manager.
2. Go to my computer. Then, Organize (upper left side on win 7) -> Folder and search options -> View -> untick the Hide protected operating system files -> click OK.
3. Go to C drive. search for .vbs files. wait until the search this completed.
4. You will find two 'COOL.vbs' files. There will be total file path of these files. Keep the searching result window.
5. Go to Start-> cmd.exe . Command prompt will appear.
6. Write the following line-
DEL /F /S /Q /A "the filepath of COOL.vbs\COOl.vbs"
Example: DEL /F /S /Q /A "C:\Users\fahim\AppData\Roaming\COOl.vbs"
7. The both 'COOL.vbs' will be deleted.
8. Restart your PC.
9. Insert your infected USB device and format it. Then your devices will be pathetic COOl.vbs virusfree. :)
Also, that plan is flawed. YOu're plugging in an infected USB into a "Clean" system w/o any sort of protection. That will result in the system being re-infected and therefore another infection YOU have to clean.
-
Fahim,
Do you have ANY training whatsoever? I don't. Just because I know how to manually remove Ransomware does not mean I should be kicking around helping people. That is beyond words dangerous. I do things in a controlled envirroment. YOu're doing things on a PC w/o knowledge of it and no training. Their is a big difference.
For the safety of you, I strongly recommend you stop before you cause harm to the PC, and potentially have a lawsuit on your hands
Alan,
What is dangerous in there deleting the COOL.vbs from my PC in that way. Please enlighten me.
Thanks
fahim
-
fahim9n you have already been given several reasons why your methods are dangerous, as asked please refrain from posting malware advice as these areas are for qualified specialists.
-
Okay, I don't know the spefics of cool.vbs other then I know it's a pain in the * to remove.
I do know this. Let's say for giggles I infect your system with ZeroAccess? It's a rootkit that hooks itself into system32 correct? Now, I'm going to start farting around in your system32. Let's say for some reason I accidentaly delete the wrong file and I delete hal.dll (Which if I'm not mistaken is essential for boot-up). You now have a non-bootable system. You've lost ALL of their data, and you just pissed off a bunch of people.
Now let's compare this to cool.vbs Shall we?
As I stated before, you're plugging in an infected USB without protection, since resulting in yet another infection. As I'm sure, the malware has other ties then in the Roaming folder. Now, just because you've gotten that 1 file. Does not mean the malware is gone. Their are certain types of malware that WILL come back.
Congratulation my friend. You've successfully removed and then reinfected a system with the same malware you just "Tried" to remove. On top of this. If there wans't reg keys, the malware would not run, What's the solution. I can take a guess at where at least 1 key is....
Will someone please try to get that file and send it to malwr.com and test it? I'd like to prove thta's it's not simply in the roaming folder.
-
Cool VBS does not come alone. And the suggestion of using MSconfig to start in safe mode is dangerous, you may end up with a non-booting system if the malware has disable safe mode
And I have stated only to remove the COOL.vbs virus. It works!
I have kicked out the virus from 10 PCs through this procedure.
Thanks
fahim
And who acually let you do that? I'd like to give them some advice to let, "Non-Qualified" people fix a computer.
I don't mean to be an ass with that comment, but really; common sense is, you don't fix peoples computer w/o the insight of a remover like Essex, and no training. I don't even dare to help people fix Ransomware issues. Now, I'd say if you were to join a school like GeekU. I'd be all for it if you could prove the system is actually clean
-
Alan,
I have searched the whole system for COOL.vbs . Sorry, I could not find out.
The two places where I found them is in AppData\Roaming and in AppData\Roaming\Microsoft\Windows\Start Menu .
I don't have any training about malware protection.
I was just trying to save my ass as well my friends' from that virus. That's all.
Thanks
fahim
-
Hows the file going to run on boot-up? You didn't look everywhere.
Regedit: HKEY Current User > Software > Microsoft > Windows > Current Version > Run
There should be a key there.
You have not looked everywhere
-
Yes I found out there. But there was given value 0. no exe file or path of exe file.
Thanks
fahim
-
Means they'll be more. Do you still have the virus? If so, zip it, password protect it password should be: infected
Send it to me via google drive, wikisend etc
From there, I can point out everything that the file drops
-
Sorry, I don't have any symptom of that virus now. I have connected two usb devices, 2 android devices, but no sign of making shortcut or something abnormal.
Thanks
fahim
-
Sorry life is busy, we are finishing major assignments in school.
As for your post. As people here and all over would say. Just because they're no symptoms, does NOT mean it's gone. Post an OTL log and MCShield log. I'm sure Essex or Argus or another remover can find something
Also, how does one go about trying to fix a windows activation error on a school computer? The key has been deleted. I told a tech, however. THeir solution is reinstall windows lol