Jump to content

AutoIt virus?

FredrikIdestam
 Share

Recommended Posts

TehWhale Universalist

TehWhale

Posted
Posted (edited)

Don't ask me how I know. I did not make this virus, But I do know how it was made, don't bug me. I am only here to help you.

This virus hides itself in the startup folder, and then edits the .inf in the windows directory to launch it at startup. It also loads with the windows shell, Explorer.exe. It also has startup locations in the registry.

This code will enable your stuff. This virus continueously writes to the registry to not all stuff. So you need to suspend the process.

I use this program:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

(It seems that the virus will close the name with Process. So, make your own autoit script, with a CPU Killer loop, but will keep the window open. Like this:)

Opt("WinTitleMatchMode", 2)
While 1
If WinExists("Process") Then WinSetTitle("Process", "", "moo")
WEnd

If it somehow is faster, which its most likely not, add WinSetState("Process", "", @SW_SHOW)

Download it, and it's an .exe no installing. Run it, and suspend the processes:

Angelina Julie video tape.avi.exe obviously,

CSRSS.exe

System.exe

WinLogon.exe

THEN! Close all these processes. make sure Winlogon.exe is the right one, not the REAL system one.

Now, put this in an AutoIt script.

RegWrite("HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", "explorer.exe")
        RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "REG_DWORD", "1")
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "REG_DWORD", 0)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Start_ShowRun", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", "REG_DWORD", 0)

Go delete the Autorun.inf in your windows directory, go into msconfig, and delete ALL STARTUP VALUES. Search your computer for the 4 process's listed above, and then use Unlocker to remove those files. Right click, Unlock, and IF it says no locking handle found, then choose Remove now, or Remove at next boot. This SECURELY DELETES THESE FILES. After you have done all this, restart your computer.

Following this above guide carefully WILL remove this virus from your computer.

Edited by Alienware
  • Replies 80
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

FredrikIdestam Seeker

FredrikIdestam

Posted
  • Author
Posted

So you have booted into safe mode, Probably via your Administrator account, What are you left with?

Does this Mal hide/kill ALL types of windows?

Does your shell even load?

Is this mal obvious? ie when you were in normal booted windows, did it give any sort of indication of existence::

Periodic Distorted sounds - If a window did actually appear, did it seem as if certain controls were flickering rapidly?

Distorted effects when attempting to use the keyboard?

If your shell does still operate, then have you attempted to use SmOke_N's Script discussed in the previous topic?

BTW:: check the General tab, it should display the actual location of this exe

Posted Image

This Mal hide/kill only some windows which can help to remove this virus.

i don't know about shell. what is shell?

in normal mode it starts itself in background.

i don't know controls. which controls?

i can use my Keyboard and mouse without any problem.

i have not tried any script. what is a script?

the file exists in every drive like in c: D: e: F:

i am not a programmer and i know only a few about computer softwares.

FredrikIdestam Seeker

FredrikIdestam

Posted
  • Author
Posted

Don't ask me how I know. I did not make this virus, But I do know how it was made, don't bug me. I am only here to help you.

This virus hides itself in the startup folder, and then edits the .inf in the windows directory to launch it at startup. It also loads with the windows shell, Explorer.exe. It also has startup locations in the registry.

This code will enable your stuff. This virus continueously writes to the registry to not all stuff. So you need to suspend the process.

I use this program:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

(It seems that the virus will close the name with Process. So, make your own autoit script, with a CPU Killer loop, but will keep the window open. Like this:)

Opt("WinTitleMatchMode", 2)
While 1
If WinExists("Process") Then WinSetTitle("Process", "", "moo")
WEnd

Download it, and it's an .exe no installing. Run it, and suspend the processes:

Angelina Julie video tape.avi.exe obviously,

CSRSS.exe

System.exe

WinLogon.exe

THEN! Close all these processes. make sure Winlogon.exe is the right one, not the REAL system one.

Now, put this in an AutoIt script.

RegWrite("HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", "explorer.exe")
        RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "REG_DWORD", "1")
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "REG_DWORD", 0)
        RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Start_ShowRun", "REG_DWORD", 1)
        RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", "REG_DWORD", 0)

Go delete the Autorun.inf in your windows directory, go into msconfig, and delete ALL STARTUP VALUES. Search your computer for the 4 process's listed above, and then use Unlocker to remove those files. Right click, Unlock, and IF it says no locking handle found, then choose Remove now, or Remove at next boot. This SECURELY DELETES THESE FILES. After you have done all this, restart your computer.

Following this above guide carefully WILL remove this virus from your computer.

thanks for the tutorial but i am not a programmer and i tried like you said. when i restarted my pc speed was good but when i open a drive it started again.
TehWhale Universalist

TehWhale

Posted
Posted (edited)

thanks for the tutorial but i am not a programmer and i tried like you said. when i restarted my pc speed was good but when i open a drive it started again.

Did you search your computer, like I said, EVERYWHERE, for the .exe's I told you about? Well, use this code. I just thought about it, when searching it opens it right? I do belive, but use this code AFTER you have done all the steps ABOVE, and then restart.

FileDelete("A:\autorun.inf")
FileDelete("B:\autorun.inf")
FileDelete("C:\autorun.inf")
FileDelete("D:\autorun.inf")
FileDelete("E:\autorun.inf")
FileDelete("F:\autorun.inf")
FileDelete("G:\autorun.inf")
FileDelete("H:\autorun.inf")
FileDelete("I:\autorun.inf")
FileDelete("J:\autorun.inf")
FileDelete("K:\autorun.inf")
FileDelete("L:\autorun.inf")

If you have anymore drives, then do the same. Make sure to follow the above steps AGAIN, and then use that code BEFORE YOU RESTART.

Good luck with the virus. I'm 100% sure this will remove it all if you follow my instructions. One more time to clarify. Do the same thing as you did before, in my other post, but before you restart, put this in an AutoIt script, run it, and then restart.

Edited by Alienware
FredrikIdestam Seeker

FredrikIdestam

Posted
  • Author
Posted

Did you search your computer, like I said, EVERYWHERE, for the .exe's I told you about? Well, use this code. I just thought about it, when searching it opens it right? I do belive, but use this code AFTER you have done all the steps ABOVE, and then restart.

FileDelete("A:\autorun.inf")
FileDelete("B:\autorun.inf")
FileDelete("C:\autorun.inf")
FileDelete("D:\autorun.inf")
FileDelete("E:\autorun.inf")
FileDelete("F:\autorun.inf")
FileDelete("G:\autorun.inf")
FileDelete("H:\autorun.inf")
FileDelete("I:\autorun.inf")
FileDelete("J:\autorun.inf")
FileDelete("K:\autorun.inf")
FileDelete("L:\autorun.inf")

If you have anymore drives, then do the same. Make sure to follow the above steps AGAIN, and then use that code BEFORE YOU RESTART.

Good luck with the virus. I'm 100% sure this will remove it all if you follow my instructions. One more time to clarify. Do the same thing as you did before, in my other post, but before you restart, put this in an AutoIt script, run it, and then restart.

where to write this code?
FredrikIdestam Seeker

FredrikIdestam

Posted
  • Author
Posted

Create an AutoIt script, put it in the AutoIt script, and run it after you have done my other post, before you restart.

but i dont know how to create a script and what the script is?

i am not a programmer and don't know anything about it.

tell me more about it.

thanks.

Nevin Polymath

Nevin

Posted
Posted

Yeah, he doesn't know a thing about programming. He just came to the forum because the virus is supposedly written in this language. As if that makes any sense....

TehWhale Universalist

TehWhale

Posted
Posted

can any of you send me a program which will remove the virus automatically?

I will try once I get back from school. I'm posting before school so. It most likely will need you do some stuff because I can't automate downloading and installing without some user input. I will try though.
  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

can any of you send me a program which will remove the virus automatically?

I took a look at this thing. This is proof in the pudding so to speak, that poorly writing something has an ever lasting effect.

This "should" remove it, it could take a while in the final stages because it's going to search your drives for the initial avi and executable that you downloaded (being that we don't know where you downloaded them to).

Understand that by downloading this and running it, you accept all responsibilities of what ever could occur from it.

It only changes a few of the registry settings back to default that the virus deletes/writes to. The other ones, I can't be sure what you had, so I'm leaving them alone.

Let us know the outcome.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

ChromeFan Universalist

ChromeFan

Posted
Posted (edited)

I took a look at this thing. This is proof in the pudding so to speak, that poorly writing something has an ever lasting effect.

This "should" remove it, it could take a while in the final stages because it's going to search your drives for the initial avi and executable that you downloaded (being that we don't know where you downloaded them to).

Understand that by downloading this and running it, you accept all responsibilities of what ever could occur from it.

It only changes a few of the registry settings back to default that the virus deletes/writes to. The other ones, I can't be sure what you had, so I'm leaving them alone.

Let us know the outcome.

you are great man, you also helped me recently. and for this i want to say you a big

Posted Image

i hope the problem of Mr: FredrikIdestam will get resolve very soon by this file (Provided by you).

i have a idea, why don't you create a GraphicalUI for it and Put it in Example Scripts? Maybe many more people will come and need this because as i know this infected file was viewed by around 1000 people and they may also need it.

-

-

Edited by ChromeFan
Website: www.cerescode.comForum: www.forum.cerescode.comIRC: irc.freenode.net , Channel: #Ceres--------------------Autoit Wrappers, Great additions to your script (Must See) (By: Valuater)Read It Befor Asking Question Click Here...--------------------Join Monoceres's Forums http://www.monoceres.se--------------------There are three kinds of people: Those who make things happen, those who watch things happen, and those who ask, ‘What happened?’” –Casey Stengel
  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

you are great man, you also helped me recently. and for this i want to say you a big

i hope the problem of Mr: FredrikIdestam will get resolve very soon by this file (Provided by you).

i have a idea, why don't you create a GraphicalUI for it and Put it in Example Scripts? Maybe many more people will come and need this because as i know this infected file was viewed by around 1000 people and they may also need it.

-

-

Why do more work that isn't necessary? Just run the exe, acknowledge and wait till its done. Can't get too much easier than that.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

ChromeFan Universalist

ChromeFan

Posted
Posted

Why do more work that isn't necessary? Just run the exe, acknowledge and wait till its done. Can't get too much easier than that.

dear, i don't mean that. i was just saying to make it with GUI and post it in example scripts because many people are infected by this virus. your script will help them. my problem was solved but some people who Know a little about computers they (Like this Person) will be not able to understand the whole procedure. you have done a good work which needs much credit. ...and posting it in example scripts will also show other new users on how to create Removers for such viruses. let me know what you want to say now!

Website: www.cerescode.comForum: www.forum.cerescode.comIRC: irc.freenode.net , Channel: #Ceres--------------------Autoit Wrappers, Great additions to your script (Must See) (By: Valuater)Read It Befor Asking Question Click Here...--------------------Join Monoceres's Forums http://www.monoceres.se--------------------There are three kinds of people: Those who make things happen, those who watch things happen, and those who ask, ‘What happened?’” –Casey Stengel
  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

I'm sure I don't have that virus. Is that the reason for this

I can hear search engine started (I guess), and then that happens.

No idea... there aren't anything but standard calls in it.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

dear, i don't mean that. i was just saying to make it with GUI and post it in example scripts because many people are infected by this virus. your script will help them. my problem was solved but some people who Know a little about computers they (Like this Person) will be not able to understand the whole procedure. you have done a good work which needs much credit. ...and posting it in example scripts will also show other new users on how to create Removers for such viruses. let me know what you want to say now!

I don't want to say anything. They don't need to "know" how. What I did, anyone that knows anything about autoit an do.

They don't need a GUI, and I don't need to waste anymore time on it than I have.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

Mobius Universalist

Mobius

Posted
Posted

I don't want to say anything. They don't need to "know" how. What I did, anyone that knows anything about autoit an do.

They don't need a GUI, and I don't need to waste anymore time on it than I have.

Well said SmOke_N, you have created a binary that can help people and Chromefan wants you to make a gui for it?!?!

Tool

wtfpl-badge-1.png

Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...