vshost32.exe removal


Another worm recently detected attacking the Instant Messaging Applications. The name would've already made you clear of what this worm does. But thats not all, this one has a better capability than the one we discussed earlier here. That one attacks only the Yahoo Messenger but this one looks like it can take over almost all the Instant Messaging programs. Skype, Windows Live messenger, AOL Instant Messenger(AIM) and obviously Yahoo! were being affected when this one was checked out. This worm creates a file named "vshost32.exe" which again creates a copy of itself and the Autorun.inf file in every drive that it finds which can be accessed. The worm sends messages to the different users present at a platform or lets just say the friends list of the person who uses it. It also connects to several servers from where a few more malicious programs are fetched to the computer. To be run regularly at the Startup, the worm injects itself into Winlogon.exe which is a very crucial process that is given the first priority to be run at the logging in of any account. The worm also acts as a Trojan by stealing the private information of the User of these Instant Messaging applications. The private data is accumulated by the virus and sent to the servers when they're contacted. This is done by recording every mouse-click and the key-stroke of the administrator when these programs are run. All this requires a lot of work-load for the processor and thus a lot of  increase in the processor activity can be observed. Now lets take a look at the removal instructions of this worm.

Manual instructions to remove vshost32.exe:

  1. Lets begin by booting the system in Safe Mode. If you're not able to do this, click here for further help. 
  2. After you do that, open your registry. Start-->Run and type "regedit". We'll need to remove the injected virus so that it wouldn't be executed again at the next startup.
  3. Navigate to the following key

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    Look for the entry with the name "Userinit". You'll need to modify its value. Open it and you'll find the path "Userinit = %System%\userinit.exe,%Temp%\vshost32.exe". Remove the portion "%Temp%\vshost32.exe" from it and save it. Your registry might actually be free form this Trojan-worm. But just to be sure, search the registry by using keys Ctrl+F and searching for the value "vshost32.exe". Delete only the path from any entry that you find and restart your computer for the changes to work.
  4. Do not open any drive or directory after the boot up. Open the Command Prompt by typing "cmd" in the Start--> Run box. You'll need to go to every drive to delete the worm. For example, to navigate to the drive "D", type "D:" in the Command Prompt and type "dir /w/a" in order to see all the content present in that drive. You'll definitely see the presence of an autorun.inf file in the drive. Remove its attributes by typing "attrib -r -a -s -h" in the CMD and delete it using the del command(del autorun.inf). In the same way, delete even the worm i.e type "del vshost32.exe" to remove the worm from that drive or you can even perform a simple windows search. 
  5. After making sure that all the copies of the worm is deleted from the drives, restart your computer and open it in the normal mode. Open the Start--> Run again and type "%temp%". Delete all the files that are present in that folder. The file "Perflib_Perfdata_XX" may not get deleted but it has nothing to do with our worm, so you don't need to worry much.
  6. Now you are free from the worm. Happy chatting..!

Note: Do not click any suspicious link that you receive through an Instant Message from an unknown person because this is one way by which most of such worms are being spread. 

Posts that might help you in this:
Enabling registry, Command prompt, Safe mode booting and enabling "hidden files and folders" option.
Get the best security software for your compter here!

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme