Samker's Computer Forum - SCforum.info
SCF Support Area: => ### PC Help Center !!! ### => Topic started by: meghana on 25. September 2007., 05:39:20
-
Hi ,
My PC has got infected by W32/Hakaglan.Worm.Gen
As per the post of Samker,
I ran the following script on my pc.
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete
But it is giving a compilation error on my PC.
Script: C:\RESTORE.VBS
Line: 4
Char:1
Error:Expected Statement
Code:800A0400
Source: Microsoft VBScript compilation error
Can anybody give a solution to this problem?
Thanks,
Meghana
-
Hi again Meghana,
We are here to help you and we will do our best to fix this as soon as possible.
As this looks to me now, it's possible that this virus has damaged some things in the registry. But to fix this right we will need more information from your system, provided by some special tools.
You will need to follow these steps and provide us the requested information:
First of all, download HijackThis: http://scforum.info/index.php/topic,785.0.html After that, install it on your PC and run it. When you run it you will have an option to save a log file. Provide us that log (just a simple copy-paste).
Second step is to make a Kaspersky Online Scan (provide us that log also): http://scforum.info/index.php/topic,744.0.html
Third step is to provide us a description of how your PC works now and what kind of problems you have.
After that we will have a lot of helpful information from your PC about that problem.
Regards,
Samker
-
Hi Samker,
Sure, I will follow the steps provided by you.
But I think it will not allow me to install Kaspersky Online Scan.
Whenever I tried to install a new version of AV,
it shows me a message: some files of Norton are conflicting,
so remove Norton before installing this S/W.
And it is not allowing me to uninstall Norton.
I tried to install McAfee and Norton AV 8.0.
Anyway, I will execute these steps today evening
and tell you the results.
Thanks,
Meghana
-
I think that you will not have a problem with this since this is only an Online Scan; anyway, if you have a problem with Kaspersky, try to provide us a log from the McAfee or Symantec Online Scan (you have links to both in our Help Center).
One more question: which Norton version do you use, is it updated, and does it work OK right now?
I'll wait for your reply and logs.
Samker
P.S.
During the online scan, turn off AutoProtect (of your antivirus)!
-
Hi Samker,
Sorry for the delay.
I tried to install HijackThis, but the virus didn't allow me to do so.
Yesterday I got another script.
'*************************************************************************
' DESCRIPTION
'
' This script is designed to help you remove:
' 1/ W32/Hakaglan.worm.gen (http://vil.nai.com/vil/content/v_142233.htm)
' 2/ BackDoor-AVW (http://vil.nai.com/vil/content/v_103064.htm)
' 3/ Keylog-Perfect (http://vil.nai.com/vil/content/v_100257.htm)
' 4/ NTRootKit-W (http://vil.nai.com/vil/content/v_139108.htm)
' 5/ W32/Bagle.ea (http://vil.nai.com/vil/content/v_139038.htm)
'*************************************************************************
Option Explicit
' SCRIPT CONFIGURATION
Dim WshShell, DocDir, TmpDir, WinDir, SysDir
Dim strComp, strLogs, arrProcs(9), arrFiles(50) ' upper bound = last index used below
Set WshShell = WScript.CreateObject("WScript.Shell")
DocDir = WshShell.ExpandEnvironmentStrings("%UserProfile%") & chr(92)
TmpDir = WshShell.ExpandEnvironmentStrings("%Temp%") & chr(92)
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%") & chr(92)
SysDir = WinDir & "system32\" ' trailing backslash, otherwise the SysDir & "name" paths below are wrong
strComp = "." ' Can be changed to name of remote computer
strLogs = ""
' Process Names (in lowercase)
arrProcs(0) = "rvhost.exe"
arrProcs(1) = "ssvichosst.exe"
arrProcs(2) = "sscviihost.exe"
arrProcs(3) = "new folder.exe"
arrProcs(4) = "hinhem.scr"
arrProcs(5) = "blastclnnn.exe"
arrProcs(6) = "skcvhost.exe"
arrProcs(7) = "systems.exe"
arrProcs(8) = "hidr.exe"
arrProcs(9) = "m_hook.sys"
' W32/Hakaglan.worm.gen (nhattruongquang, nhatquanglan)
arrFiles(0) = WinDir & "RVHOST.exe"
arrFiles(1) = WinDir & "SSVICHOSST.exe"
arrFiles(2) = WinDir & "SSCVIIHOST.exe"
arrFiles(3) = WinDir & "Tasks\At1.job"
arrFiles(4) = SysDir & "nhatquanglan9.exe"
arrFiles(5) = SysDir & "nhatquanglan11.exe"
arrFiles(6) = SysDir & "SSVICHOSST.exe"
arrFiles(7) = SysDir & "SSCVIIHOST.exe"
arrFiles(8) = SysDir & "New Folder.exe"
arrFiles(9) = SysDir & "hinhem.scr"
arrFiles(10) = SysDir & "blastclnnn.exe"
arrFiles(11) = SysDir & "autorun.ini"
arrFiles(12) = SysDir & "setting.ini"
arrFiles(13) = SysDir & "setting.xls"
arrFiles(14) = SysDir & "setting.doc"
' BackDoor-AVW
arrFiles(15) = WinDir & "services.exe"
arrFiles(16) = WinDir & "ktd32.atm"
arrFiles(17) = WinDir & "system\sservice.exe"
arrFiles(18) = SysDir & "fservice.exe"
arrFiles(19) = SysDir & "server.exe"
arrFiles(20) = SysDir & "reginv.dll"
arrFiles(21) = SysDir & "winkey.dll"
' Keylog-Perfect
arrFiles(22) = SysDir & "SKCVHOST.exe"
arrFiles(23) = SysDir & "SKCVHOSTr.exe"
arrFiles(24) = SysDir & "SKCVHOSThk.dll"
arrFiles(25) = SysDir & "SYSTEMS.exe"
arrFiles(26) = SysDir & "SYSTEMShk.dll"
arrFiles(27) = SysDir & "SYSTEMShk.dll"
arrFiles(28) = SysDir & "apps.dat"
arrFiles(29) = SysDir & "bpk.bin"
arrFiles(30) = SysDir & "bpk.dat"
arrFiles(31) = SysDir & "bpk.exe"
arrFiles(32) = SysDir & "bpkch.dat"
arrFiles(33) = SysDir & "bsdhooks.dll"
arrFiles(34) = SysDir & "inst.dat"
arrFiles(35) = SysDir & "inst.tmp"
arrFiles(36) = SysDir & "kw.dat"
arrFiles(37) = SysDir & "mc.dat"
arrFiles(38) = SysDir & "pk.bin"
arrFiles(39) = SysDir & "rinst.dat"
arrFiles(40) = SysDir & "rinst.exe"
arrFiles(41) = SysDir & "titles.dat"
arrFiles(42) = SysDir & "web.dat"
arrFiles(43) = SysDir & "web.dll"
arrFiles(44) = SysDir & "keystrokes.html"
arrFiles(45) = SysDir & "websites.html"
arrFiles(46) = SysDir & "chats.html"
arrFiles(47) = SysDir & "report.txt"
' W32/Bagle.ea
arrFiles(48) = DocDir & "Application Data\hidires\hidr.exe"
arrFiles(49) = DocDir & "Application Data\hidires\m_hook.sys"
arrFiles(50) = SysDir & "wintems.exe"
' RESTORE REGISTRY
' W32/Hakaglan.worm.gen
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shares"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"
setRegVal "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "REG_SZ"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours"
' BackDoor-AVW
delRegVal "HKCR\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKCR\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}"
' Keylog-Perfect
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS"
' NTRootKit-W
delRegVal "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_M_HOOK"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\m_hook"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK"
' W32/Bagle.ea
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsyskit"
If strLogs <> "" Then
WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
strLogs = ""
End If
Sub setRegVal(Target, Value, Reg)
On Error Resume Next
WshShell.RegWrite Target, Value, Reg
If Err = 0 Then
strLogs = strLogs & ".. Set value of " & Target & " to " & Value & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub
Sub delRegVal(Target)
On Error Resume Next
WshShell.RegDelete Target
If Err = 0 Then
strLogs = strLogs & ".. Deleted value: " & Target & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub
' KILL 'EM
' On Error Resume Next here, otherwise a failed WMI connection aborts the script before the Err check below runs
On Error Resume Next
Dim objWMI : Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\cimv2")
Dim objFSO : Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
If Err = 0 Then
KillProcs
Set objWMI = Nothing
Set objFSO = Nothing
End If
Err.Clear
On Error Goto 0
Sub KillProcs
' Variables
Dim objProc
Dim i
' Errors in here (e.g. access denied on Terminate) must not abort the file cleanup further down
On Error Resume Next
' Kill process if running
Dim colProc : Set colProc = objWMI.ExecQuery("Select Name from Win32_Process")
For Each objProc in colProc
For i=0 to UBound(arrProcs)
If arrProcs(i) = LCase(CStr(objProc.Name)) Then
objProc.Terminate()
If Err = 0 Then
strLogs = strLogs & ".. Terminated process: " & arrProcs(i) & VBCrLf
End If
Err.Clear
Exit For
End If
Next
Next
Set colProc = Nothing
Set objProc = Nothing
' Delete file
For i=0 to UBound(arrFiles)
RemoveFile arrFiles(i)
Next
' Delete folder
If objFSO.FolderExists(DocDir & "Application Data\hidires") Then
Dim objFolder : Set objFolder = objFSO.GetFolder(DocDir & "Application Data\hidires")
objFolder.Attributes = 0
objFolder.Delete
Set objFolder = Nothing
End If
' Empty TEMP folder
RemoveTmpFolder TmpDir
If strLogs <> "" Then
WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
End If
End Sub
Sub RemoveTmpFolder(Target)
On Error Resume Next
Dim objTmp : Set objTmp = objFSO.GetFolder(Target) ' local name kept distinct from the global TmpDir (VBScript names are case-insensitive)
Dim tmpFolder, tmpFile
For Each tmpFile In objTmp.Files
tmpFile.Attributes = 0
tmpFile.Delete
Next
For Each tmpFolder In objTmp.SubFolders
RemoveTmpFolder tmpFolder.Path
tmpFolder.Attributes = 0
tmpFolder.Delete
Next
Set objTmp = Nothing
Set tmpFolder = Nothing
Set tmpFile = Nothing
On Error Goto 0
End Sub
Sub RemoveFile(Target)
On Error Resume Next
If objFSO.FileExists(Target) Then
Dim objFile : Set objFile = objFSO.GetFile(Target)
objFile.attributes = 0
objFile.Delete
Set objFile = Nothing
strLogs = strLogs & ".. Deleted file: " & Target & VBCrLf
End If
On Error Goto 0
End Sub
' BYE
WScript.Echo "Done!"
WScript.Quit
I ran this script and the problem got solved.
After running this script I restarted my machine
and then installed HijackThis.
Ran it and checked the log.
There was no entry of SCVHOST.exe.
Task Manager and Registry Editor were enabled.
SCVHOST.exe was gone from C:\Windows.
The At1.job was gone from Scheduled Tasks.
Then I installed Kaspersky and scanned the PC.
The virus was gone.
Thanks for your help and quick response.
Hope this script will be useful for other users.
Thanks a lot,
Meghana
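As an added example (not from the thread, Samker or the script's author), here is a read-only PowerShell audit of the same indicators the removal script above targets. It only reports what it finds, which is the check to run before cleanup to confirm the infection and afterwards to verify that nothing came back; it assumes a PowerShell with the registry provider, and all key, file and process names are taken from the script.

```powershell
# Constructed read-only audit of the indicators from the cleanup script. Nothing is modified or deleted.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# Policy values the worm sets to lock the user out of regedit, Task Manager and Folder Options
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
foreach ($entry in 'System\DisableRegistryTools', 'System\DisableTaskMgr', 'Explorer\NofolderOptions') {
    $sub, $name = $entry -split '\\', 2
    $value = (Get-ItemProperty -Path "$policies\$sub" -Name $name).$name
    if ($null -ne $value -and $value -ne 0) { $findings.Add("policy set: $entry = $value") }
}

# The script resets Winlogon Shell to plain Explorer.exe, so any other value is suspicious
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') { $findings.Add("Winlogon Shell is '$shell'") }

# Autostart values the script deletes (key, value name)
$runEntries = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'Yahoo Messengger'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'drvsyskit'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'bpk'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'SYSTEMS')
)
foreach ($pair in $runEntries) {
    $key, $name = $pair
    $value = (Get-ItemProperty -Path $key -Name $name).$name
    if ($value) { $findings.Add("Run entry '$name' -> $value") }
}

# Dropped files and the At1.job scheduled task from the script's file list
$files = @(
    "$env:WinDir\RVHOST.exe", "$env:WinDir\SSVICHOSST.exe", "$env:WinDir\SSCVIIHOST.exe",
    "$env:WinDir\Tasks\At1.job", "$env:WinDir\system32\New Folder.exe",
    "$env:WinDir\system32\hinhem.scr", "$env:WinDir\system32\setting.ini",
    "$env:UserProfile\Application Data\hidires\hidr.exe"
)
foreach ($path in $files) { if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") } }

# Running processes from the script's kill list (Get-Process names carry no extension)
$procNames = 'rvhost', 'ssvichosst', 'sscviihost', 'new folder', 'hinhem', 'blastclnnn', 'skcvhost', 'systems', 'hidr'
Get-Process | Where-Object { $procNames -contains $_.ProcessName.ToLower() } |
    ForEach-Object { $findings.Add("process running: $($_.ProcessName) (PID $($_.Id))") }

if ($findings.Count -eq 0) { 'No indicators from the cleanup script were found.' }
else { 'Indicators found:'; $findings | ForEach-Object { "  $_" } }
```

Run it from an elevated prompt so the HKLM values and the system32 paths are readable; a clean result after the removal script and a reboot is the confirmation the thread reaches by hand with HijackThis.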