Version: 13.2g
Revision: 122 Build 12c
How to remove W32/ExploreZip (Explore.exe)
Introduction: recently my mailbox was hit by a wave of spam, and one of the messages carried an infected attachment. I analysed the sample and wrote this article on how to undo the infection. The analysis was done on an isolated virtual server, so nothing here was run on a production machine.
Everything on that virtual server is disposable, including its Windows files. Malware of this kind is crude: it only works if you open the attachment, and once it runs it steals your privacy. So take care with your email, and in particular with attachments from unknown senders; any one of them can leave your computer badly infected.
If you are infected with the "W32/ExploreZip.pak" worm, print this article and unplug the computer from the network (internet and LAN) before you start. Then take a deep breath and work through the steps calmly.
——————————————-
Warning: if the computer is on a company network, tell your administrator to shut down the other active computers. Otherwise the worm can spread over LAN connections to other machines, typically through shared folders such as the server's "Shared Documents".
Overview: this worm travels by email, sending itself as an attachment (zipped_files.exe) to other users. On the infected machine it drops the file Explore.exe and arranges for it to start with Windows, either by adding a run= line to WIN.INI (Windows 9x/Me) or by adding a "run" value to the Registry (Windows NT/2000/XP). The malware is still in circulation: the sample analysed here arrived in a Gmail inbox, most likely sent from a computer that was itself already infected.
What you’ll need for this procedure…
——————————————–
Notepad++ [http://notepad-plus.sourceforge.net], used in step 5 to edit WIN.INI
1.] Click Start >> Run >> type: REGEDIT and press Enter.
2.] When Registry Editor opens, navigate to the following keys and look for a string value named "run" (it is a string value, not a binary one) whose data points at Explore.exe. Be careful in here: export each key before you change it so that you can restore it, and delete only the value described below.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Notes: if no such value exists there, also check the Run keys, which are the other place Windows launches programs from at logon: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Value to locate and delete: run = C:\WINNT\System32\Explore.exe
Notes: do the same for any value whose data launches one of the following files, if it appears in the registry.
File Name: explore, zipped_f, zipped_files or _setup
3.] Reboot the computer so that Explore.exe is no longer running, then delete "C:\WINNT\System32\Explore.exe" from the System32 folder. (On Windows 9x/Me the Windows directory is C:\Windows and the file sits in C:\Windows\System.) If Windows refuses because the file is in use, an autostart entry from step 2 is still present; go back and remove it before trying again.
4.] Repeat step 3 for _SETUP.EXE (in the Windows directory, C:\WINNT) and ZIPPED_FILES.EXE (the name of the email attachment; search the drive for it).
5.] Open WIN.INI (in the Windows directory) in Notepad++ and, in the [windows] section, delete either of these lines if present, then save the file:
run=c:\winnt\system32\explore.exe
run=c:\winnt\_setup.exe
6.] Scan the whole computer with an up-to-date antivirus such as Avira Antivirus or Kaspersky.
After that, clear the computer's temporary files with CCleaner.
7.] Finish!
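The manual checks in steps 2 and 5 can also be run over artefacts collected from the suspect machine: a copy of WIN.INI and a Registry Editor export of the autostart keys (for example produced with reg export). The following Python script is an added example and is not part of the original article. It parses both formats and flags any run=/load= line or Run value that launches one of the file names listed in step 2, comparing by file stem so that the legitimate Windows shell explorer.exe is never confused with the worm's explore.exe. The key list and file names come from the article; the sample WIN.INI and .reg text are constructed for illustration.

```python
"""Triage of W32/ExploreZip autostart entries in WIN.INI and .reg exports (added example)."""
import re

# File names from step 2, compared by stem so that "explorer.exe" (the Windows
# shell) is never confused with the worm's "explore.exe".
IOC_STEMS = {"explore", "zipped_f", "zipped_files", "_setup"}

# Logon autostart locations: the "run"/"load" values that mirror WIN.INI and
# the ordinary Run keys mentioned in the notes.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)}

def command_hits(command):
    """True if any program named on an autostart command line is an IOC file."""
    for token in re.split(r"[\s,;]+", command):
        name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stem = name[:-4] if name.endswith(".exe") else name
        if stem in IOC_STEMS:
            return True
    return False

def parse_ini(text):
    """Minimal INI parser -> {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def scan_win_ini(text):
    """(line name, command) for run=/load= lines in [windows] that launch an IOC."""
    windows = parse_ini(text).get("windows", {})
    return [(k, windows[k]) for k in ("run", "load")
            if windows.get(k) and command_hits(windows[k])]

# A .reg value line: "name"=data or @=data (the key's default value).
_REG_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def reg_string(data):
    """Decode a quoted REG_SZ literal (backslash escapes); empty for other types."""
    if len(data) < 2 or data[0] != '"' or data[-1] != '"':
        return ""  # dword:, hex:, ... cannot hold a command line
    return re.sub(r"\\(.)", r"\1", data[1:-1])

def parse_reg_export(text):
    """Registry Editor export text -> {key path: {value name: string data}}.
    Real .reg exports are UTF-16LE files; read them with encoding="utf-16"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_VALUE.match(line)
            if m:
                keys[current][m.group(1) if m.group(1) is not None else "@"] = reg_string(m.group(2))
    return keys

def scan_reg_export(text):
    """(key, value name, command) for autostart values that launch an IOC file."""
    return [(key, name, data)
            for key, values in parse_reg_export(text).items()
            if key.lower() in AUTOSTART_KEYS
            for name, data in values.items()
            if data and command_hits(data)]

# Constructed sample artefacts, not captured from a real machine.
SAMPLE_WIN_INI = r"""
[windows]
load=
run=c:\winnt\system32\explore.exe
NullPort=None
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINNT\\System32\\Explore.exe"
"load"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\explorer.exe"
"Setup"="C:\\WINNT\\_setup.exe"
"""

if __name__ == "__main__":
    for key, value in scan_win_ini(SAMPLE_WIN_INI):
        print(f"WIN.INI [windows] {key}={value}")
    for key, name, data in scan_reg_export(SAMPLE_REG):
        print(f"{key} -> {name} = {data}")
```

Run it as-is to see the two hits in the constructed samples; to triage a real machine, read the collected WIN.INI and .reg files from disk and pass their text to scan_win_ini and scan_reg_export. Anything it reports is a candidate for the deletions in steps 2 and 5, not proof by itself, so confirm the file's location and size before removing it.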
Copyrighted By Lair360
Version: 32.1c
Revision: 41 Build 32
VBScript – Show hidden devices in Windows Device Manager
Introduction: when you want to uninstall a device in Windows Device Manager that is no longer connected, you first have to make Device Manager display hidden (non-present) devices so that you can select and remove it. Some users do not know where this setting lives. Don't panic: this guide will help if you are stuck or confused.
Windows OS: Windows XP Pro SP2+ and Home Edition SP2+
1.] Download Notepad++ from the original author or from a mirror and install it.
——————————-
http://sourceforge.net/projects/notepad-plus/
http://filehippo.com/download_notepad/
——————————-
2.] Copy this VBScript code into Notepad++ and save it with a ".vbs" extension.
VBScript – Display hidden devices
—Copy Source Code—
'Author: Lair360
'Version: 13.2
'Revision: 35 Build 16
'VBScript - Display hidden devices
'Sets the system environment variable DEVMGR_SHOW_NONPRESENT_DEVICES=1.
'Device Manager reads it when it starts; with the variable set, View >> Show
'hidden devices also lists non-present devices. Writing HKLM needs admin rights.
Wscript.Echo "This script will enable hidden devices"
'-------------------------------------------
Const HKEY_LOCAL_MACHINE = &H80000002
'-------------------------------------------
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
'-------------------------------------------
'System-wide environment variables are REG_SZ values under this key.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
strValueName = "devmgr_show_nonpresent_devices"
strValue = "1"
'-------------------------------------------
intReturn = objRegistry.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue)
If intReturn = 0 Then
    WScript.Echo "Operation Completed..." & _
        vbNewLine & "Please reboot your computer..."
Else
    WScript.Echo "Could not write the registry value (error " & intReturn & ")." & _
        vbNewLine & "Run this script as an administrator."
End If
'VBScript Ends
'Url:http://lair360.co.uk
—End Source Code—
Copyright By Lair360
3.] Run the script (double-click the .vbs file) from an administrator account, then reboot the computer.
4.] After the reboot, open Device Manager and take a look at your hidden and unknown devices:
Start >> Right Click: My Computer >> Manage >> Device Manager
Notes: you still need to click View >> Show hidden devices. With the variable set by the script, that view now also lists non-present devices (hardware that is not currently connected), which is what lets you uninstall them.
5.] Done!
Notes: to stop displaying hidden devices again, copy the script below, save it with a ".vbs" extension, run it and reboot. It sets the same variable to 0; deleting the variable under System Properties >> Advanced >> Environment Variables restores the default as well.
VBScript – Stop displaying hidden devices
—Copy Source Code—
'Author: Lair360
'Version: 13.2
'Revision: 35 Build 16
'VBScript - Stop displaying hidden devices
'Sets the system environment variable DEVMGR_SHOW_NONPRESENT_DEVICES=0 so that
'View >> Show hidden devices no longer lists non-present devices.
'Writing HKLM needs admin rights.
Wscript.Echo "This script will disable hidden devices"
'-------------------------------------------
Const HKEY_LOCAL_MACHINE = &H80000002
'-------------------------------------------
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
'-------------------------------------------
'System-wide environment variables are REG_SZ values under this key.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
strValueName = "devmgr_show_nonpresent_devices"
strValue = "0"
'-------------------------------------------
intReturn = objRegistry.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue)
If intReturn = 0 Then
    WScript.Echo "Operation Completed..." & _
        vbNewLine & "Please reboot your computer..."
Else
    WScript.Echo "Could not write the registry value (error " & intReturn & ")." & _
        vbNewLine & "Run this script as an administrator."
End If
'VBScript Ends
'Url:http://lair360.co.uk
—End Source Code—
Copyright By Lair360
Version: 13.4
Revision: 43 Build 16
Clear ‘Recent Documents’ – Log off
Introduction: sometimes we do not want to edit the registry by hand just to make Windows clear the 'Recent Documents' list at log off. Instead, here is a script that sets the ClearRecentDocsOnExit policy for you (it still writes the registry, but through reg.exe, so there is nothing to click through in Registry Editor).
1.] Download Notepad++ from the original author or from a mirror and install it.
——————————-
http://sourceforge.net/projects/notepad-plus/
http://filehippo.com/download_notepad/
——————————-
2.] Copy this script into Notepad++ and save it with a ".vbs" extension.
Enable – Clear Recentdoc @ log off
—Copy Source Code—
'Author: Lair360
'Version: 13.2
'Revision: 35 Build 16
'Clear Recentdoc @ log off
'Sets the Explorer policy ClearRecentDocsOnExit=1 for the current user (HKCU)
'and for all users (HKLM). The HKLM write needs an administrator account.
'reg.exe exits with 0 on success and 1 on failure, which is checked below.
'-------------------------------------------
Wscript.Echo "This script will clear all recentdoc @ log off"
Dim objShell, nret1, nret2
Set objShell = WScript.CreateObject("WScript.Shell")
'Run(command, 0, True): hidden window, wait for exit, return the exit code.
nret1 = objShell.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f", 0, True)
nret2 = objShell.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f", 0, True)
'-------------------------------------------
If nret1 <> 0 Then WScript.Echo "Failed to set the HKCU policy (exit code " & nret1 & ")."
If nret2 <> 0 Then WScript.Echo "Failed to set the HKLM policy (exit code " & nret2 & "); run as an administrator."
If nret1 = 0 And nret2 = 0 Then WScript.Echo "Please reboot your computer or log off..."
'VBScript Ends
—End Source Code—
Copyright 2001-2009 Lair360
Disable – Clear Recentdoc @ log off
—Copy Source Code—
'Author: Lair360
'Version: 13.2
'Revision: 35 Build 16
'Disable: Clear Recentdoc @ log off
'Sets the Explorer policy ClearRecentDocsOnExit=0 for the current user (HKCU)
'and for all users (HKLM). The HKLM write needs an administrator account.
'reg.exe exits with 0 on success and 1 on failure, which is checked below.
'-------------------------------------------
Wscript.Echo "This script will disable: clear all recentdoc @ log off"
Dim objShell, nret1, nret2
Set objShell = WScript.CreateObject("WScript.Shell")
'Run(command, 0, True): hidden window, wait for exit, return the exit code.
nret1 = objShell.Run("cmd /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t REG_DWORD /d 0 /f", 0, True)
nret2 = objShell.Run("cmd /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t REG_DWORD /d 0 /f", 0, True)
'-------------------------------------------
If nret1 <> 0 Then WScript.Echo "Failed to set the HKCU policy (exit code " & nret1 & ")."
If nret2 <> 0 Then WScript.Echo "Failed to set the HKLM policy (exit code " & nret2 & "); run as an administrator."
If nret1 = 0 And nret2 = 0 Then WScript.Echo "Please reboot your computer or log off..."
'VBScript Ends
—End Source Code—
Copyright By Lair360