Wednesday, October 30, 2013

Rogue script ulbloqmeed.vbs removal


This is a rogue VBS script that spreads primarily through flash media. I stumbled upon it today and decided to write about it because it is not detected by most antivirus software and malware cleaners. It is not a file-infecting virus; it is a VBS script, run by wscript.exe, that hides every file and folder on the flash drive by setting the hidden and system attributes on them, and then creates a visible shortcut (.lnk) with the same name as each hidden item. Opening any of those shortcuts launches the script, which copies itself onto the local machine and adds registry entries so that it is started again at every logon. The script may appear under different names, but the removal procedure is the same for all of them.

The removal is a manual process; these are the steps.
  • First, kill the wscript.exe process (there may be more than one) that is running in the background, using Task Manager. 
  • Then start regedit as administrator, search for any entries containing "ulbloqmeed" (Edit > Find, then F3 until the end of the registry is reached) and delete them. 
  • Close regedit. 
  • It is also wise to start msconfig and check the Startup tab for entries that launch this script. Uncheck those entries and restart the computer. 
  • Now, with hidden files visible, search the entire system partition for "ulbloqmeed". It will mainly be found inside %LOCALAPPDATA%\Temp (the user's %TEMP% folder); delete the file there when you find it.
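The same system-side steps as an added PowerShell triage script; this is not part of the original post. It assumes PowerShell 3 or later (for Get-CimInstance) and an elevated prompt, since the HKLM Run key and other users' processes need administrator rights. The marker string "ulbloqmeed" is the name from this post and can be overridden with -Marker. By default it only reports; wscript.exe is stopped only with -Kill and matching Run entries are deleted only with -RemoveRunEntries, so everything can be reviewed first:

```powershell
# Added example, not part of the original post: triage of running wscript.exe
# instances, registry autorun entries, startup folders and %TEMP%.
# 'ulbloqmeed' is the name seen in the post; pass -Marker for a different name.
param(
    [string]$Marker = 'ulbloqmeed',
    [switch]$Kill,
    [switch]$RemoveRunEntries
)

# 1. Running wscript.exe processes and the script each one was started with.
#    Win32_Process exposes the full command line, which Task Manager hides by default.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'"
$procs | Select-Object ProcessId, ParentProcessId, CommandLine | Format-Table -AutoSize -Wrap
if ($Kill) {
    $procs | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
}

# 2. Registry autorun locations the post tells you to search by hand in regedit.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... provider metadata; skip it.
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        if ($value -match [regex]::Escape($Marker) -or $value -match 'wscript|\.vbs') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value }
        }
    }
}
$hits | Format-Table -AutoSize -Wrap
if ($RemoveRunEntries) {
    $hits | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
}

# 3. Files: the Startup folders (what msconfig's Startup tab lists next to the
#    Run keys) and the user's Temp directory, where the post found the script.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    $env:TEMP
)
Get-ChildItem -Path $folders -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Marker*" -or $_.Extension -ieq '.vbs' } |
    Select-Object FullName, Attributes, LastWriteTime, Length
```

Look at the CommandLine column before using -Kill: legitimate software also runs wscript.exe, and the instance you want is the one whose command line points at a .vbs under a Temp folder. The same goes for the Run entries: the match on "wscript" or ".vbs" is deliberately broad, so check the Value column before passing -RemoveRunEntries.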
This should get rid of the script running in the background and clean the system. What remains is cleaning the flash drive that brought it in the first place; until that is done, opening any of the shortcuts on it will reinfect the machine.
  • Turn on showing hidden files in Windows Explorer, and also uncheck "Hide protected operating system files", since the script sets the system attribute as well as the hidden one. 
  • Open the flash drive. You will now see two sets of entries: the files and folders you originally had there, now marked hidden, and the visible shortcut duplicates with the same names that the script created.
  • Delete all of the shortcut files (they carry the .lnk extension). Do not double-click them to see what they do; right-click > Properties shows the target without running it. 
  • Open CMD as administrator and run this command:
attrib -r -s -h /s /d [flash drive letter]:\

Assuming the flash drive letter is E: - the command will look like this:

attrib -r -s -h /s /d E:\

This clears the read-only (-r), system (-s) and hidden (-h) attributes; /s recurses into subfolders and /d applies the change to the folders themselves, not only to the files in them. Afterwards the original files and folders are visible again and can be used normally. While you are at it, check the root of the drive for a .vbs file with a name you do not recognize: the shortcuts need a copy of the script to launch, so delete that too.
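The flash-drive part as an added PowerShell example, not code from the original post. The drive letter is an assumption passed as -Drive, and nothing is deleted or changed unless -Clean is given. It resolves each shortcut's target through the WScript.Shell COM object, which reads the .lnk without executing it, so rogue shortcuts can be told apart from legitimate ones before anything is removed; the attribute reset at the end matches the post's attrib -s -h /s /d but leaves read-only alone:

```powershell
# Added example, not part of the original post: inspect and clean a flash drive
# the script has processed. -Drive is an assumption (e.g. 'E:'); without -Clean
# the script only reports what it would delete.
param(
    [Parameter(Mandatory = $true)][string]$Drive,
    [switch]$Clean
)
$root  = $Drive.TrimEnd('\') + '\'
$shell = New-Object -ComObject WScript.Shell    # resolves .lnk targets without running them

# Every shortcut on the drive, with its target and arguments, and whether a
# hidden item of the same name (minus .lnk) sits beside it.
$links = Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk  = $shell.CreateShortcut($_.FullName)
        $twin = Join-Path $_.DirectoryName $_.BaseName
        $shadows = $false
        if (Test-Path -LiteralPath $twin) {
            $attrs   = [int](Get-Item -LiteralPath $twin -Force).Attributes
            $shadows = ($attrs -band [int][IO.FileAttributes]::Hidden) -ne 0
        }
        [pscustomobject]@{
            Path              = $_.FullName
            Target            = $lnk.TargetPath
            Arguments         = $lnk.Arguments
            ShadowsHiddenItem = $shadows
        }
    }

# Rogue shortcuts either launch a script host directly or shadow a hidden original.
$rogue = $links | Where-Object {
    $_.Target -match 'wscript|cscript|cmd\.exe' -or $_.Arguments -match '\.vbs' -or $_.ShadowsHiddenItem
}
$rogue | Format-Table Path, Target, Arguments -AutoSize -Wrap

# The shortcuts need a copy of the script to launch; list any .vbs on the drive too.
$scripts = Get-ChildItem -Path $root -Filter *.vbs -Recurse -Force -ErrorAction SilentlyContinue
$scripts | Select-Object FullName, Attributes | Format-Table -AutoSize

if ($Clean) {
    $rogue   | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
    $scripts | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force }
    # Same effect as "attrib -s -h /s /d E:\": clear hidden and system on every
    # file and folder that is left. Read-only is left as it was.
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $_.Attributes = [IO.FileAttributes](([int]$_.Attributes) -band (-bnot $mask))
    }
}
```

Run it once without -Clean and read the table: a shortcut whose Target is wscript.exe or cmd.exe with a .vbs in Arguments, next to a hidden folder of the same name, is the pattern described above, while a shortcut that points at an ordinary document and shadows nothing is one of your own and is left alone.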

2 comments:

  1. 360 Total Security spotted it as soon as I inserted the flash drive.

  2. But thanks a lot for the removal info anyway:)

    ReplyDelete