How to remove VBS_GEDZA.A
Author:VBS_GEDZA.A Hits: UpdateTime:2008-8-15 9:57:58

VBS_GEDZA.A removal process


To remove VBS_GEDZA.A, clean or delete all files it infected or dropped, and delete or restore every registry value it added or modified, as listed below:

VBS_GEDZA.A infected a majority of my zip files and my system folder and dropped a couple of payloads (deleted Estigma.hta from my C: drive).
The malware drops several copies of itself as the following files in the Windows system folder:

BACKUP.VBS
FILE.VBS
GEDZAC.VBS
HTA.VBS
ISRAFEL.VBS
JS.VBS
KERNEL32.WIN
MOUSE_CONFIGURATOR.WIN
TEMPLATE.HTM
UPDATE.BIN
WINMGD.WIN
It also drops a copy of itself as the file SATTERRA.JPG.VBS in the Windows Temp folder.

It then drops the following components in the Windows system folder:

REGSRV.EXE (detected as TROJ_KILLAV.BT)
SENDI.EXE (detected as WORM_GEDZA.A)
PKZIP.EXE
FILEZIP.ZIP
When an HTML file infected with VBS_GEDZA.A is executed, it continuously displays an ActiveX warning prompt window until the user finally chooses to enable ActiveX. With this procedure, the malware prods the current user to enable ActiveX execution.

It creates the following registry entries to enable it to run at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Kernel32="%System%\Kernel32.win"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Israfel="%System%\Israfel.vbs"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

It then adds the following registry entries so that it can execute its dropped .WIN file:

HKEY_LOCAL_MACHINE\Software\CLASSES\.win
"winfile"

HKEY_LOCAL_MACHINE\Software\CLASSES\winfile\ScriptEngine
"VBScript"

It modifies the following WIN.INI entry to trigger its automatic execution:

[Windows]
run = %System%\mouse_configurator.win

It also modifies the following SYSTEM.INI entry to trigger its automatic execution:

[boot]
shell = Explorer.exe %System%\winmgd.win

This malware disables the registry by performing the following:

Change the association of registry files by setting the key HKCR\regfile\shell\open to "GEDZAC"
Set registry value HKCR\regfile\shell\open\command to "GEDZAC"
Disable registry tools by setting the following registry policies:

HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Identities\<Identity Code>\Software\Microsoft\Outlook Express\5.0\Mail
Wide Stationary Name = %System%\Template.htm

HKEY_CURRENT_USER\Identities\<Identity Code>\Software\Microsoft\Outlook Express\5.0\Mail
Compose Use Stationery = dword:00000001

HKEY_CURRENT_USER\Identities\<Identity Code>\Software\Microsoft\Outlook Express\5.0\Mail
Message Send HTML = dword:00000001

HKEY_CURRENT_USER\Identities\<Identity Code>\Software\Microsoft\Outlook Express\5.0\Mail
Stationary Name = %System%\Template.htm

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046
001e0360 = Template

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046
001e0360 = Template

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings
NewStationery = Template

HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Options\Mail
EditorPreference = dword:00020000

HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail
EditorPreference = dword:00020000

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail
EditorPreference = dword:00020000

It also creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\GEDZAC LABS
Israfel Parent = %Windows%\SYSTEM\hta.vbs
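As an added example, not code from the original page, the following Python scan checks a .reg-style registry export together with WIN.INI and SYSTEM.INI text for the persistence entries described above: Run values pointing at .WIN or .VBS files, the .win file association, the DisableRegistryTools policy, the hijacked regfile open command, the GEDZAC LABS key, and the INI run= and shell= lines. The sample input and the finding labels are constructed for this example.

```python
import configparser
import re

# Constructed sample input modelled on the entries listed above (not from a real host).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="%System%\\Kernel32.win"
"Israfel"="%System%\\Israfel.vbs"
[HKEY_LOCAL_MACHINE\Software\CLASSES\.win]
@="winfile"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="GEDZAC"
[HKEY_LOCAL_MACHINE\Software\GEDZAC LABS]
"Israfel Parent"="%Windows%\\SYSTEM\\hta.vbs"
"""
SAMPLE_WIN_INI = "[Windows]\nrun = %System%\\mouse_configurator.win\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell = Explorer.exe %System%\\winmgd.win\n"

def scan_reg_export(text):
    """Return (kind, key, name, data) tuples for entries matching the description above."""
    findings, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'^"?([^"=]+)"?=(.+)$', line)   # "name"=data or @=data
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                         # new key header
        elif m and key:
            name, data = m.group(1), m.group(2).strip('"')
            k, d = key.lower(), data.lower()
            if k.endswith(r"\currentversion\run") and d.endswith((".win", ".vbs")):
                findings.append(("run_key", key, name, data))        # script autostart
            elif k.endswith(r"\policies\system") and name.lower() == "disableregistrytools" and d.endswith("1"):
                findings.append(("regtools_disabled", key, name, data))
            elif k.endswith(r"\classes\.win"):
                findings.append(("win_assoc", key, name, data))      # .win run as script
            elif k.endswith((r"\regfile\shell\open", r"\regfile\shell\open\command")) and "gedzac" in d:
                findings.append(("regfile_hijack", key, name, data))  # .reg no longer imports
            elif "gedzac labs" in k:
                findings.append(("gedzac_marker", key, name, data))
    return findings

def scan_ini(win_ini, system_ini):
    """Flag a WIN.INI run= entry and a SYSTEM.INI shell= other than plain Explorer.exe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(win_ini + "\n" + system_ini)      # distinct sections, one parser suffices
    run = cp.get("Windows", "run", fallback="").strip()
    shell = cp.get("boot", "shell", fallback="").strip()
    findings = [("win_ini_run", run)] if run else []
    return findings + ([("system_ini_shell", shell)] if shell.lower() != "explorer.exe" else [])
```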

The following text strings can be found in the malware body:

Israfel Worm - GEDZAC LABS 2003

VBS/Israfel by MachineDramon/GEDZAC

Other removal steps:

For a successful removal of VBS_GEDZA.A you may also need to do the following:
1. Temporarily disable System Restore.

2. Update the virus definitions and reboot the computer in Safe Mode.

3. Delete the IE temporary files; some VBS_GEDZA.A temporary files exist there.

4. If you failed to remove VBS_GEDZA.A, please go to our removal help forum: http://help.antiviruses123.com
