80 replies to this topic

[TehWhale]

Don't ask me how I know. I did not make this virus, But I do know how it was made, don't bug me. I am only here to help you.

This virus hides itself in the startup folder, and then edits the .inf in the windows directory to launch it at startup. It also loads with the windows shell, Explorer.exe. It also has startup locations in the registry.

This code will enable your stuff. This virus continueously writes to the registry to not all stuff. So you need to suspend the process.

I use this program:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

(It seems that the virus will close the name with Process. So, make your own autoit script, with a CPU Killer loop, but will keep the window open. Like this:)

Opt("WinTitleMatchMode", 2)
While 1
If WinExists("Process") Then WinSetTitle("Process", "", "moo")
WEnd

If it somehow is faster, which its most likely not, add WinSetState("Process", "", @SW_SHOW)
Download it, and it's an .exe no installing. Run it, and suspend the processes:

Angelina Julie video tape.avi.exe obviously,
CSRSS.exe
System.exe
WinLogon.exe

THEN! Close all these processes. make sure Winlogon.exe is the right one, not the REAL system one.
Now, put this in an AutoIt script.

        RegWrite("HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", "explorer.exe")
        RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "REG_DWORD", "1")
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "REG_DWORD", 0)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Start_ShowRun", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", "REG_DWORD", 0)

Go delete the Autorun.inf in your windows directory, go into msconfig, and delete ALL STARTUP VALUES. Search your computer for the 4 process's listed above, and then use Unlocker to remove those files. Right click, Unlock, and IF it says no locking handle found, then choose Remove now, or Remove at next boot. This SECURELY DELETES THESE FILES. After you have done all this, restart your computer.



Following this above guide carefully WILL remove this virus from your computer.

Edited by Alienware, 18 September 2008 - 10:15 PM.

[FredrikIdestam]

So you have booted into safe mode, Probably via your Administrator account, What are you left with?
Does this Mal hide/kill ALL types of windows?
Does your shell even load?
Is this mal obvious? ie when you were in normal booted windows, did it give any sort of indication of existence::
Periodic Distorted sounds - If a window did actually appear, did it seem as if certain controls were flickering rapidly?
Distorted effects when attempting to use the keyboard?

If your shell does still operate, then have you attempted to use SmOke_N's Script discussed in the previous topic?

BTW:: check the General tab, it should display the actual location of this exe

This Mal hide/kill only some windows which can help to remove this virus.
i don't know about shell. what is shell?
in normal mode it starts itself in background.
i don't know controls. which controls?
i can use my Keyboard and mouse without any problem.
i have not tried any script. what is a script?
the file exists in every drive like in c: D: e: F:

i am not a programmer and i know only a few about computer softwares.

[FredrikIdestam]

Don't ask me how I know. I did not make this virus, But I do know how it was made, don't bug me. I am only here to help you.

This virus hides itself in the startup folder, and then edits the .inf in the windows directory to launch it at startup. It also loads with the windows shell, Explorer.exe. It also has startup locations in the registry.

This code will enable your stuff. This virus continueously writes to the registry to not all stuff. So you need to suspend the process.

I use this program:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

(It seems that the virus will close the name with Process. So, make your own autoit script, with a CPU Killer loop, but will keep the window open. Like this:)

Opt("WinTitleMatchMode", 2)
While 1
If WinExists("Process") Then WinSetTitle("Process", "", "moo")
WEnd

Download it, and it's an .exe no installing. Run it, and suspend the processes:

Angelina Julie video tape.avi.exe obviously,
CSRSS.exe
System.exe
WinLogon.exe

THEN! Close all these processes. make sure Winlogon.exe is the right one, not the REAL system one.
Now, put this in an AutoIt script.

        RegWrite("HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", "explorer.exe")
        RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "REG_DWORD", "1")
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "REG_DWORD", 0)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Start_ShowRun", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", "REG_DWORD", 0)

Go delete the Autorun.inf in your windows directory, go into msconfig, and delete ALL STARTUP VALUES. Search your computer for the 4 process's listed above, and then use Unlocker to remove those files. Right click, Unlock, and IF it says no locking handle found, then choose Remove now, or Remove at next boot. This SECURELY DELETES THESE FILES. After you have done all this, restart your computer.



Following this above guide carefully WILL remove this virus from your computer.

thanks for the tutorial but i am not a programmer and i tried like you said. when i restarted my pc speed was good but when i open a drive it started again.

[TehWhale]

thanks for the tutorial but i am not a programmer and i tried like you said. when i restarted my pc speed was good but when i open a drive it started again.

Did you search your computer, like I said, EVERYWHERE, for the .exe's I told you about? Well, use this code. I just thought about it, when searching it opens it right? I do belive, but use this code AFTER you have done all the steps ABOVE, and then restart.

FileDelete("A:\autorun.inf")
FileDelete("B:\autorun.inf")
FileDelete("C:\autorun.inf")
FileDelete("D:\autorun.inf")
FileDelete("E:\autorun.inf")
FileDelete("F:\autorun.inf")
FileDelete("G:\autorun.inf")
FileDelete("H:\autorun.inf")
FileDelete("I:\autorun.inf")
FileDelete("J:\autorun.inf")
FileDelete("K:\autorun.inf")
FileDelete("L:\autorun.inf")

If you have anymore drives, then do the same. Make sure to follow the above steps AGAIN, and then use that code BEFORE YOU RESTART.


Good luck with the virus. I'm 100% sure this will remove it all if you follow my instructions. One more time to clarify. Do the same thing as you did before, in my other post, but before you restart, put this in an AutoIt script, run it, and then restart.

Edited by Alienware, 18 September 2008 - 10:31 PM.

[FredrikIdestam]

Did you search your computer, like I said, EVERYWHERE, for the .exe's I told you about? Well, use this code. I just thought about it, when searching it opens it right? I do belive, but use this code AFTER you have done all the steps ABOVE, and then restart.

FileDelete("A:\autorun.inf")
FileDelete("B:\autorun.inf")
FileDelete("C:\autorun.inf")
FileDelete("D:\autorun.inf")
FileDelete("E:\autorun.inf")
FileDelete("F:\autorun.inf")
FileDelete("G:\autorun.inf")
FileDelete("H:\autorun.inf")
FileDelete("I:\autorun.inf")
FileDelete("J:\autorun.inf")
FileDelete("K:\autorun.inf")
FileDelete("L:\autorun.inf")

If you have anymore drives, then do the same. Make sure to follow the above steps AGAIN, and then use that code BEFORE YOU RESTART.


Good luck with the virus. I'm 100% sure this will remove it all if you follow my instructions. One more time to clarify. Do the same thing as you did before, in my other post, but before you restart, put this in an AutoIt script, run it, and then restart.

where to write this code?

[TehWhale]

Create an AutoIt script, put it in the AutoIt script, and run it after you have done my other post, before you restart.

[FredrikIdestam]

Create an AutoIt script, put it in the AutoIt script, and run it after you have done my other post, before you restart.

but i dont know how to create a script and what the script is?
i am not a programmer and don't know anything about it.
tell me more about it.
thanks.

[TehWhale]

So, you read my post, and did what it said, but you don't know what a script is? Do you have Autoit installed?

[Richard Robertson]

Ah, this is part of the problem. The infected user doesn't understand AutoIt, so suggesting these scripts will do no good. If a script is suggested, perhaps the suggester could compile it first.

[Nevin]

Yeah, he doesn't know a thing about programming. He just came to the forum because the virus is supposedly written in this language. As if that makes any sense....

[FredrikIdestam]

can any of you send me a program which will remove the virus automatically?

[TehWhale]

can any of you send me a program which will remove the virus automatically?

I will try once I get back from school. I'm posting before school so. It most likely will need you do some stuff because I can't automate downloading and installing without some user input. I will try though.

[SmOke_N]

can any of you send me a program which will remove the virus automatically?

I took a look at this thing. This is proof in the pudding so to speak, that poorly writing something has an ever lasting effect.

This "should" remove it, it could take a while in the final stages because it's going to search your drives for the initial avi and executable that you downloaded (being that we don't know where you downloaded them to).

Understand that by downloading this and running it, you accept all responsibilities of what ever could occur from it.

It only changes a few of the registry settings back to default that the virus deletes/writes to. The other ones, I can't be sure what you had, so I'm leaving them alone.

[attachment=22314:_Remove_...la_Virus.zip]

Let us know the outcome.

[ChromeFan]

I took a look at this thing. This is proof in the pudding so to speak, that poorly writing something has an ever lasting effect.

This "should" remove it, it could take a while in the final stages because it's going to search your drives for the initial avi and executable that you downloaded (being that we don't know where you downloaded them to).

Understand that by downloading this and running it, you accept all responsibilities of what ever could occur from it.

It only changes a few of the registry settings back to default that the virus deletes/writes to. The other ones, I can't be sure what you had, so I'm leaving them alone.

[attachment=22314:_Remove_...la_Virus.zip]

Let us know the outcome.

you are great man, you also helped me recently. and for this i want to say you a big



i hope the problem of Mr: FredrikIdestam will get resolve very soon by this file (Provided by you).

i have a idea, why don't you create a GraphicalUI for it and Put it in Example Scripts? Maybe many more people will come and need this because as i know this infected file was viewed by around 1000 people and they may also need it.

-

-

Edited by ChromeFan, 19 September 2008 - 02:11 PM.

[SmOke_N]

you are great man, you also helped me recently. and for this i want to say you a big



i hope the problem of Mr: FredrikIdestam will get resolve very soon by this file (Provided by you).

i have a idea, why don't you create a GraphicalUI for it and Put it in Example Scripts? Maybe many more people will come and need this because as i know this infected file was viewed by around 1000 people and they may also need it.

-

-

Why do more work that isn't necessary? Just run the exe, acknowledge and wait till its done. Can't get too much easier than that.

[trancexx]

I'm sure I don't have that virus. Is that the reason for this
I can hear search engine started (I guess), and then that happens.

[ChromeFan]

Why do more work that isn't necessary? Just run the exe, acknowledge and wait till its done. Can't get too much easier than that.

dear, i don't mean that. i was just saying to make it with GUI and post it in example scripts because many people are infected by this virus. your script will help them. my problem was solved but some people who Know a little about computers they (Like this Person) will be not able to understand the whole procedure. you have done a good work which needs much credit. ...and posting it in example scripts will also show other new users on how to create Removers for such viruses. let me know what you want to say now!

[SmOke_N]

I'm sure I don't have that virus. Is that the reason for this
I can hear search engine started (I guess), and then that happens.

No idea... there aren't anything but standard calls in it.

[SmOke_N]

dear, i don't mean that. i was just saying to make it with GUI and post it in example scripts because many people are infected by this virus. your script will help them. my problem was solved but some people who Know a little about computers they (Like this Person) will be not able to understand the whole procedure. you have done a good work which needs much credit. ...and posting it in example scripts will also show other new users on how to create Removers for such viruses. let me know what you want to say now!

I don't want to say anything. They don't need to "know" how. What I did, anyone that knows anything about autoit an do.

They don't need a GUI, and I don't need to waste anymore time on it than I have.

[Mobius]

I don't want to say anything. They don't need to "know" how. What I did, anyone that knows anything about autoit an do.

They don't need a GUI, and I don't need to waste anymore time on it than I have.

Well said SmOke_N, you have created a binary that can help people and Chromefan wants you to make a gui for it?!?!

Tool