Monday, April 21, 2014

Exploit:JS/Neclu.M – What It Does and How to Remove It

 

 

What Does Exploit:JS/Neclu.M Mean?


Type: Trojan
SubType: Exploit
Exploit: vulnerability
JS: JavaScript
Neclu: the name of a group of Trojans with a particular task and capability
M: variant number (it is nothing more than a number)

In short, Exploit:JS/Neclu.M is a script virus that attacks a JavaScript vulnerability. To put it more specifically, Exploit:JS/Neclu.M exploits a Help ActiveX Control Related Topics Cross Site Scripting




How Dangerous Can Exploit:JS/Neclu.M Be?


What Exploit:JS/Neclu.M attacks indicates that the Trojan horse is active on the Internet. PC users should also know that JS technology is what helps us log into various accounts without re-typing the password and account name every time, which is a great help when someone forgets them; but the same technology can be used maliciously by cyber criminals to record log-in credentials. In other words, identity theft and information loss will be incurred.

As a Trojan horse, Exploit:JS/Neclu.M is capable of opening up a backdoor. The program is also designed to give a remote server, or the cyber criminal directly, unsolicited remote access to the collected information. Along the way, it brings in additional items, especially Trojans, to earn extra money or simply to cooperate in a fully automated remote compromise, as Exploit-HelpZonePass, JS/Exploit-DragDrop.c and VBS/Psyme did.




How Does Exploit:JS/Neclu.M Enter a Computer?


Once a vulnerability or bug is found on a web site and the computer connects to the page, Exploit:JS/Neclu.M injects script code into an existing browser window and executes it. Active Scripting can entertain PC users, but here it becomes the helper that allows the execution and the further damage.




Why Can't Exploit:JS/Neclu.M Be Removed Automatically?


With the browser techniques, Exploit:JS/Neclu.M manages to infiltrate a machine and call the built-in processes at will to run (malicious) errands. As a consequence, even though an installed anti-virus program detects the Trojan horse by its malicious signature code, it is not capable of removing Exploit:JS/Neclu.M when some background processes are protecting it, or when the processes generated by the Trojan horse resemble system ones, such as EXPLORER.EXE, closely enough to confuse the affected machine.

Therefore, the manual removal method below is recommended. Follow the steps to help yourself. Should there be any emergency that needs expert help, please feel free to contact Global PC Support Center and get one-to-one assistance.


Expert Removal Thread to Remove Exploit:JS/Neclu.M


A – Please log off / disconnect from the Internet.




B – End the processes related to Exploit:JS/Neclu.M.
(tip: if you are not able to access Task Manager with the key combination, open the Run box from the Start menu, type “CMD” and hit the Enter key, then enter “taskkill.exe /im msblast.exe” or “taskkill.exe /im teekids.exe” or “taskkill.exe /im penis32.exe”)

Access Task Manager > View > Select Columns > tick "PID" and "Path name" > go to open up System Information > end the process whose path name points to Exploit:JS/Neclu.M's path (according to the threat alert) or to a path that doesn't belong to the system.




C – Remove temp files created by Exploit:JS/Neclu.M.
(tip: on Windows XP, it is suggested to turn off the System Restore function before executing the following steps: right click on “My Computer”/“Computer” > Properties > navigate to the System Restore tab > tick “Turn off System Restore”)

  1. Press the Win key and the R key together to get a pop-up Run box.
  2. Type “%Temp%” in the box and hit the Enter key; you’ll be led to all temp files.
  3. Remove the ones that are not loaded by the system.
  4. When done, return to the previous menu and click open “Temporary Internet Files”.
  5. Locate the folder “Content.[the browser you are using]+[the version you are using]”, for example, content.ie5.
  6. Remove all the files there (except index.dat).



D – Rectify the winSo.dll file.
  1. Navigate to C:\Windows\System32 and look for the winSo.dll file.
  2. Remove it, then create a new text file and name it “winSo.dll”.
  3. Right click on it, select its properties and change it to “read only”.



E – Show hidden files and folders to remove the ones created by Exploit:JS/Neclu.M.

Windows 7/XP/Vista - Control Panel > User Accounts and Family Safety > Folder Options > View tab > tick ‘Show hidden files and folders’ > untick ‘Hide protected operating system files (Recommended)’ > OK button.

Windows 8 - Windows Explorer > View tab > tick ‘File name extensions’ and ‘Hidden items’ > OK button.
  • Access the detected path and remove all the items there.
  • Access the following folders to remove the items generated on the day when Exploit:JS/Neclu.M was first detected:
C:\Windows
C:\Windows\System32
C:\windows\winstart.bat
C:\windows\wininit.ini
C:\windows\Autoexec.bat
C:\Users\[your username]\Documents\
C:\users\user\appdata\local\
C:\Program Files\
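
A read-only helper for steps B and E, added here as an example and not part of the original post: it lists running processes whose executable sits outside the Windows and Program Files directories, and the files created on the detection date at the top level of the folders above. The function names and the `$DetectionDate` parameter are hypothetical; set the date to the one shown in your threat alert.

```powershell
# Added example: read-only triage for steps B and E. Nothing is ended or deleted.
# Function names and $DetectionDate are hypothetical, not from the original post.
param([datetime]$DetectionDate = (Get-Date))

function Get-NonSystemProcess {
    # Step B: processes whose executable lies outside Windows / Program Files.
    # A look-alike EXPLORER.EXE running from another folder shows up here.
    $trusted = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }
    # Path is empty for processes the current user cannot inspect; skip those.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $path = $_.Path
        -not ($trusted | Where-Object {
            $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path
}

function Get-FileCreatedOn {
    # Step E: files created on the given day in each folder.
    param([datetime]$Day, [string[]]$Folder)
    $start = $Day.Date
    $end = $start.AddDays(1)
    foreach ($f in $Folder) {
        if (-not $f -or -not (Test-Path -LiteralPath $f)) { continue }
        # -Force includes hidden and system items; top level only, no recursion.
        Get-ChildItem -LiteralPath $f -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.CreationTime -ge $start -and
                           $_.CreationTime -lt $end } |
            Select-Object FullName, CreationTime, Length
    }
}

# Folders from step E; C:\Windows also covers winstart.bat, wininit.ini
# and Autoexec.bat, which the list names individually.
$folders = @(
    $env:windir
    (Join-Path $env:windir 'System32')
    (Join-Path $env:USERPROFILE 'Documents')
    $env:LOCALAPPDATA
    $env:ProgramFiles
)
Get-NonSystemProcess | Format-Table -AutoSize | Out-Host
Get-FileCreatedOn -Day $DetectionDate -Folder $folders | Format-List | Out-Host
```

Review the output before ending any process or deleting any file; legitimate software also runs from user folders and creates files on any given day.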



Exploit:JS/Neclu.M Infection Symptoms

  1. The PC performance will be dragged down considerably due to the multiple and strange processes.
  2. Browser hijacking and redirecting problems could happen and take victims to some spam sites.
  3. More infections might be detected.
  4. More unknown items are found on the local disk.
  5. Error messages about malfunctions would pop up.

Note that Exploit:JS/Neclu.M manages to open up a backdoor and makes extra money by facilitating additional malicious infiltration. Therefore, the machine is very likely to be harassed by other viruses, which could make the removal more difficult and result in some unexpected problems. The longer you wait, the more damage and viruses will be detected on the infected machine. If that is the case and you don’t know what to do, consult the professionals from VilmaTech Online Support and get a quick fix.

Reference:

http://blog.vilmatech.com/removal-exploitjsneclu-m-disables-anti-virus-program-steals-information/


