October 28, 2010

How to remove Samok.vbs and b-b2g virus totally?

Just a short story: yesterday I was assigned to repair an old, cranky computer belonging to one of our office staff, and it had been almost five months since I last checked his unit. I wondered what the problem with the unit was, because the user was always complaining about it. When I began checking, doing the basic tasks to detect an infection, I already knew that the PC was under the control of a virus.

The problem was that I couldn't fire up a scan, because the Avast license had expired and it kept asking for a new key. Another problem was a bad CD-ROM drive that could not read CDs. I was forced to plug in my flash drive to run some tools, and there I found samok.vbs and other suspicious files using an Autorun revealer tool. (My screenshot of it is missing because the virus infected my documentation files.)

Have you encountered this kind of threat on your computer, named "Samok.vbs and b-b2g" (aka Madforelmo)? Well, it's time for you to know that this is not a peanut-sized threat that could infect your PCs. The threat was probably written by a Filipino, a Cebuano or Bisaya, since the term "samok" means troublesome or conflict in our own dialect. I don't know about b-b2g / madforelmo; I think it's the pseudonym or initials of the one who created the virus. The virus is transmitted through USB drives with autorun files.

If you are not familiar with what samok.vbs is, consider the following information.

The Samok and b-b2g virus is composed of these files:
- samok.vbs
- autorun.inf
- b-b2g
- D58403.EXE
- MK.COM

Signs that your system is infected with Samok.vbs:

1. Task Manager is disabled
2. Regedit is disabled
3. Folder view options in Explorer are disabled
4. The Run menu in the Start menu and Run in Task Manager are missing
5. Windows Script Host becomes unresponsive
6. An added time extension in the taskbar clock: madforelmo (supposed to be AM/PM)
7. When you right-click with your mouse you will see the text "b-b2g" and "Owning!"


(I don't know why the virus adds the "Owning!" text; it seems that the virus maker is a Dota player. Owning! Dominating! Rampage! Hahaha.)


How to stop Samok.vbs and b-b2g virus?

If my Avast 4.8 could have run, this virus would probably already be dead, but that was not available in my situation, so I did it the manual way to stop it:

1. Since you can't open Task Manager, I tried the MS Config tool. The Run menu is missing too, so to open Msconfig without it we will use Notepad.
   To open MSConfig:
   1. Open Notepad, type this: Start MSconfig.exe, and save it under any name on your desktop with the .bat file extension.
   2. Next, close Notepad and double-click the bat file. Wait a few seconds until it opens the msconfig tool.
   3. In msconfig go to the Startup tab, then uncheck the following entries as shown:

   4. After you're done, close msconfig and choose "Restart later".

2. Next, you need to download the following tools:
   a. USB Virus Scan (needs a key, PM me): can also fix your disabled registry, Task Manager, folder view options in Explorer, and other things.
   b. Autoruns or HijackThis: view all autorun entries and delete them directly.
   c. Avast 4.8 Home Edition or 5.0 Free Edition: can detect the samok.vbs, autorun.inf, D58403.exe and b-b2g threat (optional, for complete threat removal).

3. Now, after you have downloaded USB Virus Scan and Autoruns or HijackThis, install them on the infected PC from a USB drive (but back up the files on your USB drive first).

4. Run the USB Virus Scan and minimize it.

5. Run Autoruns or HijackThis, find the following entries and delete them:
   - Samok.vbs
   - D58403.exe

6. While it is scanning, open USB Virus Scan, click on the FixSystem menu, click "Check all", then press the APPLY button (regedit / the registry must work again).


7. To open the Registry Editor, open Notepad, type regedit.exe and save it as a .bat file (same as in step 1).

8. Open the bat file and wait until it opens the Registry Editor.

9. In the registry, find the following values and delete them.

   Delete these to remove the "b-b2g" and "Owned!" entries from the mouse right-click menu:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore] (Default) = "Owned!"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open] (Default) = "b-b2g"

   To disable samok.vbs completely at startup, delete this:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] autoMe = "wscript.exe "%Windir%\samok.vbs""

   Delete these to restore the time extension (AM/PM):
   [HKEY_CURRENT_USER\Control Panel\International] s1159 = "b-b2g"
   [HKEY_CURRENT_USER\Control Panel\International] s2359 = "madforelmo"

10. To restore the Run window in the Start menu, go to gpedit.msc > Administrative Templates > Start Menu and Taskbar, on the right double-click "Remove Run menu from Start Menu", choose Disabled, and restart the PC.
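The registry work in steps 5 through 10 as one script. This is an added PowerShell example, not part of the original post or of any tool it names; it audits the exact values quoted above plus the standard Explorer/System policy values that disable Task Manager, regedit, Folder Options and Run (an assumption that the virus sets these), and removes them only when run as Administrator with -Remediate.

```powershell
param([switch]$Remediate)

# Registry indicators quoted in the post (Data = the text the virus writes there).
$indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\Folder\shell\explore';         Name = '(default)'; Data = 'Owned!' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\Folder\shell\open';            Name = '(default)'; Data = 'b-b2g' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'autoMe';    Data = 'samok.vbs' },
    @{ Path = 'HKCU:\Control Panel\International';                   Name = 's1159';     Data = 'b-b2g' },
    @{ Path = 'HKCU:\Control Panel\International';                   Name = 's2359';     Data = 'madforelmo' }
)
# Well-known policy values behind the symptoms listed (Task Manager, regedit,
# Folder Options and Run disabled). Assumption: the virus sets them; any value counts.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools') { $indicators += @{ Path = "$pol\System";   Name = $n; Data = '' } }
foreach ($n in 'NoRun', 'NoFolderOptions')               { $indicators += @{ Path = "$pol\Explorer"; Name = $n; Data = '' } }

$hits = 0
foreach ($i in $indicators) {
    if (-not (Test-Path $i.Path)) { continue }
    $prop = (Get-ItemProperty -Path $i.Path).PSObject.Properties[$i.Name]
    if (-not $prop) { continue }
    # Substring match so the Run entry matches whatever path wscript.exe is given.
    if ("$($prop.Value)" -like "*$($i.Data)*") {
        $hits++
        Write-Host "[!] $($i.Path) : $($i.Name) = '$($prop.Value)'"
        if ($Remediate) { Remove-ItemProperty -Path $i.Path -Name $i.Name; Write-Host '    removed' }
    }
}

# The script the Run entry launches (%Windir%\samok.vbs in the post).
$dropper = Join-Path $env:windir 'samok.vbs'
if (Test-Path $dropper) {
    $hits++
    Write-Host "[!] dropper present: $dropper"
    if ($Remediate) { Remove-Item $dropper -Force; Write-Host '    removed' }
}
Write-Host "$hits indicator(s) found.$(if (-not $Remediate) { ' Re-run with -Remediate to clean.' })"
```

Run it once without -Remediate to see what it would touch; deleting s1159/s2359 returns the clock suffix to the locale default, exactly as the manual step does.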

After you have done all the manual steps to remove the samok.vbs and b-b2g virus, install Avast Free Edition and run a Boot-Time Scan. I promise all those Samok.vbs and b-b2g elements will be removed. ComboFix and USB Virus Scan can also kill the threat.


Avast detecting Samok and b-b2g (screenshot):

USB Virus Scan detecting Samok.vbs, Autorun.inf and mk.com (screenshot):