ripdad

Virus Cleaning Tool - av.exe - v0.5

av.exe is a rogue anti-virus. It has infected a ton of computers in the last few weeks. Many websites are infected with it; it comes through Java with your web browser. First attempts by most to deal with the virus ended up in failure, mainly because one can delete the virus but not know how to deal with the mess it left behind. It has manifested itself in many different forms over the past year. Do a search for it on Yahoo or Google; you'll see what I mean.

Not sure why, but most legit anti-viruses are not detecting it. The only one that has attempted to do so is --> http://www.malwarebytes.org

Do a check on the Norton Anti-Virus forum and you'll see how upset their customers are. They range from home users to corporate IT. Something's wrong with this picture!

* Symptoms are a half dozen popups that want to sell you their fake product.

* If you kill it in Task Manager and then delete it, you can't start anything, except by right-clicking on a file and left-clicking "start" (something that shouldn't be).

* Firewall and Anti-Virus override

* Firewall and Anti-Virus disabled

* Internet settings changed to include virus startup on IE and FF

* Is NOT in the Run keys; executes when you click on any program via the shell

This program attempts to reverse most variants (not all; still a work in progress) of this virus. Every week another variant of this virus is released; you might have to modify it as this happens. Anyone is welcome to help develop this program, because it will only get worse.

I've only tested it on XP SP2. Would someone be willing to test it on Win7 and Vista? TIA! If you decide to test on another OS, hopefully it will be in a virtual environment.

I've tested this code many times and it works like it's supposed to in XP. If you want to nit-pick at the code, have at it! I need it double-checked anyway!

Usual Disclaimer: Use At Your Own Risk!

Executable is at this link

; Virus Cleaning Tool - av.exe, ave.exe - v0.5
; Released: April 19, 2010 - by ripdad
;
If Not (@OSVersion = 'WIN_XP') Then
    MsgBox(16, 'Virus Cleaning Tool - av.exe', 'This Program has only been tested on Windows XP' & @CRLF & @CRLF & 'Click OK to Exit', 15)
    Exit
EndIf
;
Local $answer = MsgBox(4, 'Virus Cleaning Tool - av.exe', 'Kill and Clean "av.exe virus" ?')
If $answer = 7 Then Exit; 7 = user clicked No
;
; [ - Target Virus Files - ]
Local $Virus1 = 'av.exe'
Local $Virus2 = 'ave.exe'
Local $VSFile1 = 'WRblt8464P'
Local $VSFile2 = 'T115idJ1tP4Dl'
;
; [- Target Registry Mainkey and Subkeys -]
; Every hive under HKU is walked: '.exe' and 'secfile' are the hijacked file association,
; DisableTaskMgr is the policy value that locks the user out of Task Manager
Local $TargetMainkey = 'HKU'
Local $TargetSubKey1 = '.exe'
Local $TargetSubKey2 = 'secfile'
Local $TargetSubKey3 = '\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Local $TargetSubKey3Value = 'DisableTaskMgr'
;
; [- Set Defaults -]
Global $Virus = ''
Global $Logfile = 0; opened below, shared with _Restore()
Local $VirusPath = ''; folder the virus runs from (keeps its trailing backslash)
Local $VSFile = ''
Local $ProcessPath = ''; full path of the running virus - only known when it is active
Local $InitCount = '', $subkey1 = '', $subkey2 = '', $rev = '', $PID = 0
Local $count1 = 1
Local $count2 = 1
Local $count3 = 1
Local $count4 = 1
;
; Check if virus is active
If ProcessExists($Virus1) Then $Virus = $Virus1; primary virus
If ProcessExists($Virus2) Then $Virus = $Virus2; alias-1
;
Select
    Case ($Virus = ''); If $Virus equals null (empty string)
        $answer = MsgBox(4, 'Virus Cleaning Tool - av.exe', 'The virus is Not Active' & @CRLF & @CRLF & 'Continue with Cleaning Registry?')
        If $answer = 7 Then Exit
    Case Else; Get the Necessary Information on Variant
        $ProcessPath = _ProcessGetPath($Virus); Get full path with filename
        If $ProcessPath = '' Then
            MsgBox(16, 'Virus Cleaning Tool - av.exe', 'Could not read the path of ' & $Virus & @CRLF & @CRLF & 'The registry will still be cleaned', 15)
        Else
            $VirusPath = StringTrimRight($ProcessPath, StringLen($Virus)); strip the filename (6 chars for av.exe, 7 for ave.exe)
            If FileExists($VirusPath & $VSFile1) Then $VSFile = $VSFile1; "Virus Support File" Variant #1
            If FileExists($VirusPath & $VSFile2) Then $VSFile = $VSFile2; "Virus Support File" Variant #2
        EndIf
EndSelect
;
$Logfile = FileOpen(@DesktopDir & '\VCT-AV.log', 1); mode 1 = append
Sleep(1000)
;
; Get an exact count of subkeys (every system is different)
Do
    $InitCount = RegEnumKey($TargetMainkey, $count1)
    If @error <> 0 Then ExitLoop
    $count1 += 1
Until @error
; $count1 is now one past the index of the last HKU subkey
;
; We have the count - Now we can loop and search through the subkeys for matches and delete those affected
;
TrayTip('Virus Cleaning Tool - av.exe', 'Pre-Cleaning Registry', 5, 1); # Stage 1 #
Do
    $subkey1 = RegEnumKey($TargetMainkey, $count2)
    If @error <> 0 Then ExitLoop; nothing to enumerate - never spin on an empty key
    $count3 = 1
    $count4 = 1
    Do
        $subkey2 = RegEnumKey($TargetMainkey & '\' & $subkey1, $count3)
        If @error <> 0 Then ExitLoop
        If ($subkey2 = $TargetSubKey1) Or ($subkey2 = $TargetSubKey2) Then
            RegDelete($TargetMainkey & '\' & $subkey1 & '\' & $subkey2); Delete Matched Keys
            FileWriteLine($Logfile, 'DELETED: ' & $TargetMainkey & '\' & $subkey1 & '\' & $subkey2); and Log it
        EndIf
        $count3 += 1
    Until @error
    Do
        $rev = RegEnumVal($TargetMainkey & '\' & $subkey1 & $TargetSubKey3, $count4)
        If @error <> 0 Then ExitLoop
        If $rev = $TargetSubKey3Value Then
            RegDelete($TargetMainkey & '\' & $subkey1 & $TargetSubKey3, $rev); Delete Matched Valuename
            FileWriteLine($Logfile, 'DELETED: ' & $TargetMainkey & '\' & $subkey1 & $TargetSubKey3 & ' -> ' & $rev); and Log it
        EndIf
        $count4 += 1
    Until @error
    $count2 += 1
Until $count2 >= $count1
Sleep(1000)
;
$PID = ProcessExists($Virus)
;
; Terminate the Virus if Active - (if not active, or its path is unknown, skips this stage and goes to Stage 3)
If $PID And ($ProcessPath <> '') Then
    TrayTip('Virus Cleaning Tool - av.exe', 'Terminating Virus', 15, 1); # Stage 2 #
    ProcessClose($PID); Kill Virus Process
    Sleep(1000)
    FileSetAttrib($ProcessPath, '-SHR'); Remove System/Hidden/Read-only attributes so the file can be renamed and deleted
    Sleep(2000)
    If FileExists($ProcessPath) Then FileMove($ProcessPath, $ProcessPath & '.bak', 1); Rename in Case Fail
    Sleep(2000)
    If FileExists($ProcessPath & '.bak') Then FileDelete($ProcessPath & '.bak'); Delete if Not Locked
    Sleep(1000)
    If Not FileExists($ProcessPath) And Not FileExists($ProcessPath & '.bak') Then FileWriteLine($Logfile, 'DELETED VIRUS: ' & $ProcessPath); Check if Deleted and Log it
    If FileExists($ProcessPath & '.bak') Then FileWriteLine($Logfile, 'RENAMED VIRUS: ' & $ProcessPath & '.bak'); Should Not Happen - But Just In Case
    If FileExists($ProcessPath) Then FileWriteLine($Logfile, 'RENAME FAILED - DELETE FAILED: ' & $ProcessPath); Should Not Happen - But Just In Case
    Sleep(1000)
    If $VSFile <> '' Then
        If ProcessExists($VSFile) Then ProcessClose($VSFile); Kill "Virus Support File" if Active
        Sleep(1000)
        If FileExists($VirusPath & $VSFile) Then
            FileSetAttrib($VirusPath & $VSFile, '-SHR'); Remove Attributes
            Sleep(2000)
            FileMove($VirusPath & $VSFile, $VirusPath & $VSFile & '.bak', 1); Rename in Case Fail
            Sleep(2000)
            FileDelete($VirusPath & $VSFile & '.bak'); Delete if Not Locked
            Sleep(1000)
            If Not FileExists($VirusPath & $VSFile & '.bak') Then FileWriteLine($Logfile, 'DELETED VSF: ' & $VirusPath & $VSFile)
            If FileExists($VirusPath & $VSFile & '.bak') Then FileWriteLine($Logfile, 'RENAMED VSF: ' & $VirusPath & $VSFile & '.bak')
        EndIf
    EndIf
EndIf
;
; Directly Restore Windows Default Settings in Registry - # Stage 3 #
Sleep(1000)
_Restore('AntiVirusOverride', 'HKLM\SOFTWARE\Microsoft\Security Center', 'AntiVirusOverride', 'REG_DWORD', '0')
_Restore('FirewallOverride', 'HKLM\SOFTWARE\Microsoft\Security Center', 'FirewallOverride', 'REG_DWORD', '0')
_Restore('FireWallAutoStart', 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess', 'Start', 'REG_DWORD', '2'); 2 = Automatic start
_Restore('EnableFirewall', 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', 'EnableFirewall', 'REG_DWORD', '1')
_Restore('StartMenuInternet\FIREFOX.EXE', 'HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command', '', 'REG_SZ', '"' & @ProgramFilesDir & '\Mozilla Firefox\firefox.exe"')
_Restore('StartMenuInternet\FIREFOX.EXE -safe-mode', 'HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command', '', 'REG_SZ', '"' & @ProgramFilesDir & '\Mozilla Firefox\firefox.exe" -safe-mode')
_Restore('StartMenuInternet\IEXPLORE.EXE', 'HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command', '', 'REG_SZ', '"' & @ProgramFilesDir & '\Internet Explorer\iexplore.exe"')
TrayTip('Virus Cleaning Tool - av.exe', 'Restoring Done', 5, 1)
Sleep(1000)
FileClose($Logfile)
TrayTip('', '', 5)
MsgBox(64, 'Virus Cleaning Tool - av.exe', ' - Finished - ' & @CRLF & @CRLF & 'VCT-AV.log is on Your Desktop' & @CRLF & @CRLF & 'Please Restart Your Computer', 30)
Exit; All Done
;
; Write one Windows default back, show progress in the tray and log the outcome (RegWrite returns 0 on failure)
Func _Restore($label, $key, $valuename, $type, $value)
    TrayTip('Virus Cleaning Tool - av.exe', 'Restoring: ' & $label, 5, 1)
    Sleep(1000)
    If RegWrite($key, $valuename, $type, $value) Then
        FileWriteLine($Logfile, 'Restored: ' & $label)
    Else
        FileWriteLine($Logfile, 'RESTORE FAILED: ' & $label & ' (' & $key & ')')
    EndIf
EndFunc
;
; Some Code I Borrowed! - Not Sure Where? - Thanks!
; Returns the full path of a running process (given its name or PID); empty string if the process cannot be opened
Func _ProcessGetPath($PID)
    If IsString($PID) Then $PID = ProcessExists($PID)
    If Not $PID Then Return ''
    Local $Path = DllStructCreate('char[1000]'); ANSI buffer, matches the non-wide GetModuleFileNameEx
    Local $dll = DllOpen('Kernel32.dll')
    ; PROCESS_QUERY_INFORMATION (0x0400) + PROCESS_VM_READ (0x0010) are what GetModuleFileNameEx needs
    Local $handle = DllCall($dll, 'handle', 'OpenProcess', 'dword', 0x0400 + 0x0010, 'int', 0, 'dword', $PID)
    If @error Or Not $handle[0] Then
        DllClose($dll)
        Return ''
    EndIf
    DllCall('Psapi.dll', 'dword', 'GetModuleFileNameEx', 'handle', $handle[0], 'handle', 0, 'ptr', DllStructGetPtr($Path), 'dword', DllStructGetSize($Path))
    DllCall($dll, 'int', 'CloseHandle', 'handle', $handle[0])
    DllClose($dll)
    Return DllStructGetData($Path, 1)
EndFunc
;

v0.2

1. corrected "c:\program files" to @ProgramFilesDir
2. corrected valuename (Default) access to blank string ""

v0.3

1. added Restore Task Manager
2. added Code for another variant
3. added File Attributes Removal

v0.4 Updated to include "ave.exe" alias

v0.5 Updated: made a few code improvements and fixed a minor issue

Notice: I'm finished with updating this particular code - check website for details

I will leave this one here as an example.


"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward

nugame

I am a consultant and work with people on computers. I have experienced this pesky one many times. I have been able to remove it if worked on early enough. I have seen the extent of the damage. I would like to work with you on this. I have XP, Vista, 7, 2003, and 2003. I have a client to see this Friday with this same problem.

Virus Cleaning Utility - av.exe - v0.1

; Virus Cleaning Utility - av.exe - v0.1
;
; [ - Target Virus File - ]
;
$Virus = 'av.exe'
;
; [- Target Mainkey and Subkeys -]
;
$mainkey = "HKU"
$Key1 = '.exe'
$Key2 = 'secfile'
;
; [ - Some HouseKeeping - ]
;
If Not (@OSVersion = 'WIN_XP') Then
    MsgBox(16, 'Virus Cleaning Utility - av.exe', 'This Program has only been tested on Windows XP' & @CRLF & @CRLF & 'Click OK to Exit', 15)
    Exit
EndIf
$answer = MsgBox(4, 'Virus Cleaning Utility - av.exe', 'Kill and Clean: ' & $Virus & ' ?')
If $answer = 7 Then Exit
;
If Not ProcessExists($Virus) Then
    $answer = MsgBox(4, 'Virus Cleaning Utility - av.exe', $Virus & ' does not exist' & @CRLF & @CRLF & 'Continue with cleaning registry?')
    If $answer = 7 Then Exit
EndIf
;
$Logfile = FileOpen(@DesktopDir & '\VCT-AV.log', 1)
;
$count1 = 1
$count2 = 1
$count3 = 1
;
; Lets see how many subkeys we're dealing with - so we can get an exact count
;
Do
    $InitCount = RegEnumKey($mainkey, $count1)
    If @error <> 0 Then ExitLoop
    $count1 += 1
Until @error
;
; Now we can loop through the subkeys for a $Key1 and $Key2 match and delete those affected
;
TrayTip("Virus Cleaning Tool - av.exe", 'Pre-Cleaning Registry', 5, 1)
Do
    $subkey1 = RegEnumKey($mainkey, $count2)
    $count3 = 1
    Do
        $subkey2 = RegEnumKey($mainkey & '\' & $subkey1, $count3)
        If @error <> 0 Then ExitLoop
        If ($subkey2 = $Key1) Or ($subkey2 = $Key2) Then
            RegDelete($mainkey & '\' & $subkey1 & '\' & $subkey2); Delete Matched Keys
            FileWriteLine($Logfile, 'DELETED: ' & $mainkey & '\' & $subkey1 & '\' & $subkey2); and Log it
        EndIf
        $count3 += 1
    Until @error
    $count2 += 1
Until $count2 >= $count1; >= rather than = so an empty enumeration cannot loop forever
Sleep(1000)
;
; Get Virus Path - (Some Code I Borrowed! - Not Sure Where? - Thanks!)
;
$ProcessPath = _ProcessGetPath($Virus)
;
Func _ProcessGetPath($PID)
    If IsString($PID) Then $PID = ProcessExists($PID)
    $Path = DllStructCreate('char[1000]')
    $dll = DllOpen('Kernel32.dll')
    $handle = DllCall($dll, 'int', 'OpenProcess', 'dword', 0x0400 + 0x0010, 'int', 0, 'dword', $PID)
    $ret = DllCall('Psapi.dll', 'long', 'GetModuleFileNameEx', 'long', $handle[0], 'int', 0, 'ptr', DllStructGetPtr($Path), 'long', DllStructGetSize($Path))
    $ret = DllCall($dll, 'int', 'CloseHandle', 'hwnd', $handle[0])
    DllClose($dll)
    Return DllStructGetData($Path, 1)
EndFunc
;
; Terminate the Silly Virus
;
$PID = ProcessExists($Virus)
;
If $PID Then
    TrayTip("Virus Cleaning Tool - av.exe", 'Terminating Virus', 10, 1)
    $VirusPath = StringTrimRight($ProcessPath, 6)
    ProcessClose($PID); Kill Virus Process
    Sleep(1000)
    If FileExists($ProcessPath) Then FileMove($ProcessPath, $ProcessPath & '.bak', 1); Rename in Case Fail
    Sleep(1000)
    If FileExists($ProcessPath & '.bak') Then FileDelete($ProcessPath & '.bak'); Delete if Not Locked
    Sleep(1000)
    If ProcessExists('WRblt8464P') Then ProcessClose('WRblt8464P'); Kill Possible Secondary Process
    Sleep(1000)
    If FileExists($VirusPath & 'WRblt8464P') Then FileMove($VirusPath & 'WRblt8464P', $VirusPath & 'WRblt8464P' & '.bak', 1); Rename in Case Fail
    Sleep(1000)
    If FileExists($VirusPath & 'WRblt8464P' & '.bak') Then FileDelete($VirusPath & 'WRblt8464P' & '.bak'); Delete if Not Locked
    Sleep(1000)
    If Not FileExists($ProcessPath) Then FileWriteLine($Logfile, 'RENAMED: ' & $ProcessPath & ' to ' & 'av.exe.bak'); Check if Renamed and Log it
    If Not FileExists($ProcessPath & '.bak') Then FileWriteLine($Logfile, 'DELETED: ' & $ProcessPath & '.bak'); Check if Deleted and Log it
    If FileExists($ProcessPath & '.bak') Then FileWriteLine($Logfile, 'RENAMED ONLY: ' & $ProcessPath & '.bak'); Should Not Happen - But Just In Case
    If FileExists($ProcessPath) Then FileWriteLine($Logfile, 'RENAME FAILED - DELETE FAILED: ' & $ProcessPath); Should Not Happen - But Just In Case
EndIf
;
; Undoing the Mess - Restoring Settings
;
Sleep(1000)
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: AntiVirusOverride', 5, 1)
Sleep(1000)
RegWrite('HKLM\SOFTWARE\Microsoft\Security Center', 'AntiVirusOverride', 'REG_DWORD', '0')
FileWriteLine($Logfile, 'Restored: AntiVirusOverride')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: FirewallOverride', 5, 1)
Sleep(1000)
RegWrite('HKLM\SOFTWARE\Microsoft\Security Center', 'FirewallOverride', 'REG_DWORD', '0')
FileWriteLine($Logfile, 'Restored: FirewallOverride')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: FireWallAutoStart', 5, 1)
Sleep(1000)
RegWrite('HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess', 'Start', 'REG_DWORD', '2')
FileWriteLine($Logfile, 'Restored: FireWallAutoStart')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: EnableFirewall', 5, 1)
Sleep(1000)
RegWrite('HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile', 'EnableFirewall', 'REG_DWORD', '1')
FileWriteLine($Logfile, 'Restored: EnableFirewall')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: StartMenuInternet\FIREFOX.EXE', 5, 1)
Sleep(1000)
RegWrite('HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command', '(Default)', 'REG_SZ', '"C:\Program Files\Mozilla Firefox\firefox.exe"')
FileWriteLine($Logfile, 'Restored: StartMenuInternet\FIREFOX.EXE')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: StartMenuInternet\FIREFOX.EXE -safe-mode', 5, 1)
Sleep(1000)
RegWrite('HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command', '(Default)', 'REG_SZ', '"C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode')
FileWriteLine($Logfile, 'Restored: StartMenuInternet\FIREFOX.EXE -safe-mode')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring: StartMenuInternet\IEXPLORE.EXE', 5, 1)
Sleep(1000)
RegWrite('HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command', '(Default)', 'REG_SZ', '"C:\Program Files\Internet Explorer\iexplore.exe"')
FileWriteLine($Logfile, 'Restored: StartMenuInternet\IEXPLORE.EXE')
TrayTip("Virus Cleaning Tool - av.exe", 'Restoring Done', 5, 1)
Sleep(1000)
FileClose($Logfile)
TrayTip("", "", 5)
MsgBox(64, 'Virus Cleaning Utility - av.exe', ' - Finished - ' & @CRLF & @CRLF & 'VCT-AV.log is on Your Desktop' & @CRLF & @CRLF & 'Please Restart Your Computer', 30)
Exit
;


Dr Sherlock - Always a way

ripdad

Hi nugame - Let me know what your findings are - thanks

I've removed it "manually" from several computers. It takes about an hour or so if I do it right. It takes less than 15 seconds with this tool.

It's best to work in a virtual environment when testing. That way if you mess up, all you need to do is reboot. All will be as it was before. Nothing is saved in that environment.

This is what I use --> http://www.returnilvirtualsystem.com

They have a free version.

ripdad

Updated Code.

Worked on another computer today that had another variant - and added it to the script.

Also, I guess I forgot to mention it - but this program only targets a specific root virus - "av.exe". It actually comes in about 7 or 8 different variants - but "av.exe" is the root to all of them.

You'll notice that once it has been cleaned up and you restart your computer, you might be bombarded with existing spyware and viruses. That's what this program does: it gets you to a point of getting back control over your system again so you can run your virus and spyware scanners. Once done, the scanners should be able to handle the others.

edit:

By the way ... As I come across other variants - I'll be adding them to the program. So, pay attention to the version number! If anyone is having any problems with it - please let me know.

Executable is at this link

rezz

It appears that av.exe has been reincarnated as AV8.exe

Can your script be adapted for this new name?

ripdad

If this is what you are referring to ... http://www.bleepingcomputer.com/virus-removal/remove-antivirus8 ... then it's in a different class.

There are literally dozens of this class of virus -- perhaps a hundred. I did take a look at a potential script for this type ... but they don't all exhibit alike. There are just too many - and at the rate they propagate, it would be impossible "for me" to keep up with it.

The best way to handle this class is to boot in safe mode and run SUPERAntiSpyware Portable or MalwareBytes.

If this is not the one you're referring to .. then let me know.

rezz

That looks like the same one.

Even in Safe Mode it's difficult to deal with. It seems to hijack explorer.exe. After killing the av8 process, explorer.exe is still unable to run and there is no desktop. It's possible to use Task Manager and run iexplore and maybe Malwarebytes though, not sure.

Since AV8 adds reg entries for explorer and debugger values I thought something like this should work:

ProcessClose("av8.exe")

;Delete AV 8 registry entries:
RegDelete("HKEY_CURRENT_USER\Software\A88246")
RegDelete("HKEY_CURRENT_USER\Software\WinFD")
RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe")
RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “AV8")
RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “WinNT-A8I 23.09.2010")
RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe ""Debugger"" = ""C:\Program Files\AV8\av8.exe -d”")

FileDelete(@StartMenuDir & "\AV8\Antivirus8.lnk")
FileDelete(@StartMenuDir  & "\AV8\Uninstall.lnk")
DirRemove(@StartMenuDir & "\AV8")
FileDelete(@ProgramsDir & "\AV8\av8.exe")
DirRemove(@ProgramsDir & "\AV8")
FileDelete(@DesktopDir & "\Antivirus8.lnk")

How does that look?

Valuater

I have beaten this one a couple of times by using "alt / F4" and then using Task Manager's "run" command, just by typing in "explorer.exe".

One time there was a secondary program and I kept using alt/F4 to confuse it until I could get mbam to run.

These guys are getting good... Break-it then make a great looking savior tool to Fix-it

8)

ripdad

rezz,

The problem with websites that display info on viruses .. is that they are not entirely accurate about everything, including string and path formats and missing items / files.

This would probably be more like it ...

If ProcessExists("av8.exe") Then
    ProcessClose("av8.exe")
    If MsgBox(8212, "Prompt", "av8.exe is active - proceed to clean?") = 7 Then Exit
    _CleanAV8()
Else
    If MsgBox(8228, "Prompt", "av8.exe is not active - proceed anyway?") = 7 Then Exit
    _CleanAV8()
EndIf

Func _CleanAV8()
    ; Delete AV 8 registry entries:
    RegDelete("HKEY_CURRENT_USER\Software\A88246")
    RegDelete("HKEY_CURRENT_USER\Software\WinFD")

    ; system subkeys that have valuenames in them are usually not safe to delete -- this one is safe to delete.
    RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe")
    RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AV8")

    ; and this one too.
    RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent")

    ; the folder is under "All Users" profile - as opposed to "Current User" profile
    ; deletes both files and folder in one line (notice the flag = 1)
    If FileExists(@StartMenuCommonDir & "\AV8") Then DirRemove(@StartMenuCommonDir & "\AV8", 1)

    ; delete a single file under the "Current User"
    If FileExists(@DesktopDir & "\Antivirus8.lnk") Then FileDelete(@DesktopDir & "\Antivirus8.lnk")

    If FileExists(@ProgramFilesDir & "\AV8\av8.exe") Then

        ; rename the virus - just in case it won't delete. (ie: reboot and it cannot start back up)
        FileMove(@ProgramFilesDir & "\AV8\av8.exe", @ProgramFilesDir & "\AV8\av8.bak", 1)

        ; deletes both files and folder
        If DirRemove(@ProgramFilesDir & "\AV8", 1) = 1 Then; If return is 1 - then folder was removed
            MsgBox(8256, "Prompt", "Virus Removed")
        Else
            MsgBox(8208, "Prompt", "Virus Folder Not Removed"); If return is 0 - then folder wasn't removed
        EndIf
    EndIf
    If Not ProcessExists("explorer.exe") Then Run(@WindowsDir & "\explorer.exe")
EndFunc

I've found the best way to start on a virus is to kill explorer.exe first. This will release dll hooks on it.

It's not gentle and elegant. It's brute force and should only be done when dealing with something like a virus.

If explorer doesn't return then ctrl-alt-del to bring up task manager and click "file" "run" and type explorer.exe.

Then, clear the temp folders. Afterwards, you can scan for the little aliens with little interruption.

Sometimes you can't do this at all -- you'll have to go to safe mode then.

You probably know all this, but it doesn't hurt to bounce the ball again. <grin>

-Edit-

I updated the script to run explorer.exe if it's not already running.

-Edit2-

Oops .. made a few corrections
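As an added example (not code from this thread or from ripdad's tool), the checks the v0.5 script and the _CleanAV8 snippet perform, written as an offline triage of a .reg export so the indicators can be reviewed before anything is deleted: the per-user .exe/secfile association hijack and DisableTaskMgr policy from the av.exe post, the Security Center and firewall settings it restores, and the explorer.exe Image File Execution Options debugger from the AV8 discussion. Key paths are the ones on the page; the SID, file paths and export contents are constructed.

```python
"""Offline triage of a .reg export for the av.exe / AV8 artefacts named in this
thread. Added example, not the tool's own code; the sample export is constructed."""
import re

# Constructed export (not from a real machine): a hijacked per-user _Classes hive,
# the Task Manager policy, a Security Center override, the firewall switched off,
# and an AV8-style Image File Execution Options debugger on explorer.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1111-2222-3333-1001_Classes\.exe]
@="secfile"
[HKEY_USERS\S-1-5-21-1111-2222-3333-1001_Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\AV8\\av8.exe -d"
'''

SEC_CENTER = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
FW_PROFILE = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
              r'\Parameters\FirewallPolicy\StandardProfile')
IFEO = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=...  or  "name"=...

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg files escape \ and " with a backslash

def _decode(raw):
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw  # hex:, expandable strings etc. are left verbatim

def parse_reg(text):
    """Return {key_path: {value_name: value}}; '' names the (Default) value."""
    hive, key = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            hive.setdefault(key, {})
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            hive[key][name] = _decode(m.group(2))
    return hive

def find_indicators(hive):
    """List (key, value_name, detail) for each artefact the thread's scripts remove."""
    found = []
    for key, values in hive.items():
        parts = key.lower().split('\\')
        per_user = parts[0] == 'hkey_users'
        # .exe handler pointed away from the stock "exefile" class: every program launch runs the virus
        if per_user and parts[-1] == '.exe' and str(values.get('', 'exefile')).lower() != 'exefile':
            found.append((key, '', '.exe association redirected to ' + str(values[''])))
        if per_user and 'secfile' in parts:
            found.append((key, '', 'rogue secfile handler: ' + str(values.get('', ''))))
        if key.endswith(r'\Policies\System') and values.get('DisableTaskMgr') == 1:
            found.append((key, 'DisableTaskMgr', 'Task Manager disabled'))
        if key == SEC_CENTER:
            for name in ('AntiVirusOverride', 'FirewallOverride'):
                if values.get(name) == 1:
                    found.append((key, name, 'Security Center warning suppressed'))
        if key == FW_PROFILE and values.get('EnableFirewall') == 0:
            found.append((key, 'EnableFirewall', 'Windows Firewall switched off'))
        if key.startswith(IFEO + '\\') and 'Debugger' in values:
            found.append((key, 'Debugger', 'IFEO debugger hijack: ' + str(values['Debugger'])))
    return found

def restore_plan(findings):
    """Undo steps matching the v0.5 script: delete the rogue keys and the
    DisableTaskMgr value, write the Windows defaults back for the DWORD settings."""
    plan = []
    for key, name, _ in findings:
        if name in ('', 'Debugger'):
            plan.append(('delete_key', key))
        elif name == 'DisableTaskMgr':
            plan.append(('delete_value', key, name))
        else:  # AntiVirusOverride / FirewallOverride -> 0, EnableFirewall -> 1
            plan.append(('set_dword', key, name, 1 if name == 'EnableFirewall' else 0))
    return plan
```

Running `find_indicators(parse_reg(SAMPLE_REG))` on the constructed export reports six findings, and `restore_plan` turns them into the same delete/write steps the script performs, which is a useful dry run before touching a live registry.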

ripdad

Valuater,

These guys are getting good...

Agreed ... it's a shame they waste that talent on malicious code. It doesn't gain them anything tangible.


rezz

Thanks Guys

I'll try to find a sample of AV8 and see if this works to kill it and allow explorer and mbam to finish up the job.

There's another one called ThinkPoint that causes similar problems with removal. With it, just using TM to kill the process allows explorer to run and mbam to finish it up. It's just a matter of getting into safe mode and using task manager mainly.

Most of my removal is done remotely so any tool that makes it easier than trying to explain to the EU what to do is a good one to have.
