Author Topic: Compilation Error in Script for W32/Hakaglan.warm.gen  (Read 4282 times)


meghana

  • SCF Newbie
  • *
  • Posts: 3
  • KARMA: 0
Compilation Error in Script for W32/Hakaglan.warm.gen
« on: 25. September 2007., 05:39:20 »
Hi,

My PC has got infected by W32/Hakaglan.Worm.Gen.
As per the post of Samker,
I ran the following script on my PC.

On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete

But it is giving a compilation error on my PC.

Script: C:\RESTORE.VBS
Line: 4
Char:1
Error:Expected Statement
Code:800A0400
Source: Microsoft VBScript compilation error

Can anybody give a solution to this problem?

Thanks,
Meghana



Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Compilation Error in Script for W32/Hakaglan.warm.gen
« Reply #1 on: 25. September 2007., 07:07:16 »
Hi again Meghana,

We are here to help you and we will do our best to fix this as soon as possible.

As this looks to me now, it's possible that this virus has damaged some things in the registry. But to fix this properly we will need more information from your system, provided by some special tools.

You will need to follow these steps and provide us with the requested information:

First of all, download HijackThis: http://scforum.info/index.php/topic,785.0.html, then install it on your PC and run it. When you run it you will have the option to save a log file. Provide us with that log (a simple copy and paste).

The second step is to run the Kaspersky Online Scan (provide us with that log as well): http://scforum.info/index.php/topic,744.0.html

The third step is to give us a description of how your PC works now and what kind of problems you have.

After that we will have a lot of helpful information from your PC about the problem.

Regards,

Samker


meghana

  • SCF Newbie
  • *
  • Posts: 3
  • KARMA: 0
Re: Compilation Error in Script for W32/Hakaglan.warm.gen
« Reply #2 on: 25. September 2007., 08:38:53 »
Hi Samker,

Sure, I will follow the steps provided by you.
But I think it will not allow me to install Kaspersky Online Scan.
Whenever I tried to install a new version of AV,
it shows me the message: some files of Norton are conflicting,
so remove Norton before installing this S/W.
And it is not allowing me to uninstall Norton.

I tried to install McAfee and Norton AV 8.0.

Anyway, I will execute these steps this evening
and tell you the results.

Thanks,
Meghana

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Compilation Error in Script for W32/Hakaglan.warm.gen
« Reply #3 on: 25. September 2007., 09:00:33 »
Hi Samker,

Sure, I will follow the steps provided by you.
But I think it will not allow me to install Kaspersky Online Scan.
Whenever I tried to install a new version of AV,
it shows me the message: some files of Norton are conflicting,
so remove Norton before installing this S/W.
And it is not allowing me to uninstall Norton.

I tried to install McAfee and Norton AV 8.0.

Anyway, I will execute these steps this evening
and tell you the results.

Thanks,
Meghana

I think that you will not have a problem with this since it is only an online scan. Anyway, if you have a problem with Kaspersky, try to provide us with a log from the McAfee or Symantec online scan (you have links to both in our Help Center).

One more question: which Norton version do you use, is it updated, and does it work OK right now?

I'll wait for your reply and logs.

Samker

P.S.
During online scanning, turn off AutoProtect (of your antivirus)!

meghana

  • SCF Newbie
  • *
  • Posts: 3
  • KARMA: 0
Re: Compilation Error in Script for W32/Hakaglan.warm.gen
« Reply #4 on: 27. September 2007., 03:35:35 »
Hi Samker,

Sorry for the delay.
I tried to install HijackThis. But the virus didn't allow me to do so.
Yesterday I got another script.

'*************************************************************************
' DESCRIPTION
'
' This script is designed to help you remove:
' 1/ W32/Hakaglan.worm.gen (http://vil.nai.com/vil/content/v_142233.htm)
' 2/ BackDoor-AVW (http://vil.nai.com/vil/content/v_103064.htm)
' 3/ Keylog-Perfect (http://vil.nai.com/vil/content/v_100257.htm)
' 4/ NTRootKit-W (http://vil.nai.com/vil/content/v_139108.htm)
' 5/ W32/Bagle.ea (http://vil.nai.com/vil/content/v_139038.htm)
'*************************************************************************


Option Explicit

' SCRIPT CONFIGURATION
Dim WshShell, DocDir, TmpDir, WinDir, SysDir
Dim strComp, strLogs, arrProcs(10), arrFiles(51)

Set WshShell = WScript.CreateObject("WScript.Shell")
DocDir = WshShell.ExpandEnvironmentStrings("%UserProfile%") & chr(92)
TmpDir = WshShell.ExpandEnvironmentStrings("%Temp%") & chr(92)
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%") & chr(92)
SysDir = WinDir & "system32" & chr(92) ' Trailing backslash so SysDir & "file.exe" is a valid path

strComp = "." ' Can be changed to name of remote computer
strLogs = ""

' Process Names (in lowercase)
arrProcs(0) = "rvhost.exe"
arrProcs(1) = "ssvichosst.exe"
arrProcs(2) = "sscviihost.exe"
arrProcs(3) = "new folder.exe"
arrProcs(4) = "hinhem.scr"
arrProcs(5) = "blastclnnn.exe"
arrProcs(6) = "skcvhost.exe"
arrProcs(7) = "systems.exe"
arrProcs(8) = "hidr.exe"
arrProcs(9) = "m_hook.sys"

' W32/Hakaglan.worm.gen (nhattruongquang, nhatquanglan[*], hinhem, etc.)

arrFiles(0) = WinDir & "RVHOST.exe"
arrFiles(1) = WinDir & "SSVICHOSST.exe"
arrFiles(2) = WinDir & "SSCVIIHOST.exe"
arrFiles(3) = WinDir & "Tasks\At1.job"
arrFiles(4) = SysDir & "nhatquanglan9.exe"
arrFiles(5) = SysDir & "nhatquanglan11.exe"
arrFiles(6) = SysDir & "SSVICHOSST.exe"
arrFiles(7) = SysDir & "SSCVIIHOST.exe"
arrFiles(8) = SysDir & "New Folder.exe"
arrFiles(9) = SysDir & "hinhem.scr"
arrFiles(10) = SysDir & "blastclnnn.exe"
arrFiles(11) = SysDir & "autorun.ini"
arrFiles(12) = SysDir & "setting.ini"
arrFiles(13) = SysDir & "setting.xls"
arrFiles(14) = SysDir & "setting.doc"

' BackDoor-AVW
arrFiles(15) = WinDir & "services.exe"
arrFiles(16) = WinDir & "ktd32.atm"
arrFiles(17) = WinDir & "system\sservice.exe"
arrFiles(18) = SysDir & "fservice.exe"
arrFiles(19) = SysDir & "server.exe"
arrFiles(20) = SysDir & "reginv.dll"
arrFiles(21) = SysDir & "winkey.dll"

' Keylog-Perfect
arrFiles(22) = SysDir & "SKCVHOST.exe"
arrFiles(23) = SysDir & "SKCVHOSTr.exe"
arrFiles(24) = SysDir & "SKCVHOSThk.dll"
arrFiles(25) = SysDir & "SYSTEMS.exe"
arrFiles(26) = SysDir & "SYSTEMShk.dll"
arrFiles(27) = SysDir & "SYSTEMShk.dll"
arrFiles(28) = SysDir & "apps.dat"
arrFiles(29) = SysDir & "bpk.bin"
arrFiles(30) = SysDir & "bpk.dat"
arrFiles(31) = SysDir & "bpk.exe"
arrFiles(32) = SysDir & "bpkch.dat"
arrFiles(33) = SysDir & "bsdhooks.dll"
arrFiles(34) = SysDir & "inst.dat"
arrFiles(35) = SysDir & "inst.tmp"
arrFiles(36) = SysDir & "kw.dat"
arrFiles(37) = SysDir & "mc.dat"
arrFiles(38) = SysDir & "pk.bin"
arrFiles(39) = SysDir & "rinst.dat"
arrFiles(40) = SysDir & "rinst.exe"
arrFiles(41) = SysDir & "titles.dat"
arrFiles(42) = SysDir & "web.dat"
arrFiles(43) = SysDir & "web.dll"
arrFiles(44) = SysDir & "keystrokes.html"
arrFiles(45) = SysDir & "websites.html"
arrFiles(46) = SysDir & "chats.html"
arrFiles(47) = SysDir & "report.txt"

' W32/Bagle.ea
arrFiles(48) = DocDir & "Application Data\hidires\hidr.exe"
arrFiles(49) = DocDir & "Application Data\hidires\m_hook.sys"
arrFiles(50) = SysDir & "wintems.exe"

' RESTORE REGISTRY
' W32/Hakaglan.worm.gen
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shares"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"
setRegVal "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "REG_SZ"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours"

' BackDoor-AVW
delRegVal "HKCR\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKCR\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}"

' Keylog-Perfect
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS"

' NTRootKit-W
delRegVal "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_M_HOOK"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\m_hook"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK"

' W32/Bagle.ea
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsyskit"

If strLogs <> "" Then
    WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
    strLogs = ""
End If

Sub setRegVal(Target, Value, Reg)
    On Error Resume Next
    WshShell.RegWrite Target, Value, Reg
    If Err = 0 Then
        strLogs = strLogs & ".. Set value of " & Target & " to " & Value & VBCrLf
    End If
    Err.Clear
    On Error Goto 0
End Sub

Sub delRegVal(Target)
    On Error Resume Next
    WshShell.RegDelete Target
    If Err = 0 Then
        strLogs = strLogs & ".. Deleted value: " & Target & VBCrLf
    End If
    Err.Clear
    On Error Goto 0
End Sub

' KILL 'EM
Dim objWMI : Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\cimv2")
Dim objFSO : Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

If Err = 0 Then
    KillProcs
    Set objWMI = Nothing
    Set objFSO = Nothing
End If
Err.Clear

Sub KillProcs
    ' Variables
    Dim objProc, objFile
    Dim strFile, i

    ' Kill process if running
    Dim colProc : Set colProc = objWMI.ExecQuery("Select Name from Win32_Process")
    For Each objProc in colProc
        For i=0 to UBound(arrProcs)
            If arrProcs(i) = LCase(CStr(objProc.Name)) Then
                objProc.Terminate()
                strLogs = strLogs & ".. Terminated process: " & arrProcs(i) & VBCrLf
                Exit For
            End If
        Next
    Next

    Set colProc = Nothing
    Set objProc = Nothing

    ' Delete file
    For i=0 to UBound(arrFiles)
        RemoveFile arrFiles(i)
    Next

    ' Delete folder
    If objFSO.FolderExists(DocDir & "Application Data\hidires") Then
        Dim objFolder : Set objFolder = objFSO.GetFolder(DocDir & "Application Data\hidires")
        objFolder.Attributes = 0
        objFolder.Delete
        Set objFolder = Nothing
    End If

    ' Empty TEMP folder
    RemoveTmpFolder TmpDir

    If strLogs <> "" Then
        WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
    End If
End Sub

Sub RemoveTmpFolder(Target)
    On Error Resume Next
    Dim tmpDir : Set tmpDir = objFSO.GetFolder(Target)
    Dim tmpFolder, tmpFile

    For Each tmpFile In tmpDir.Files
        tmpFile.Attributes = 0
        tmpFile.Delete
    Next

    For Each tmpFolder In tmpDir.SubFolders
        RemoveTmpFolder tmpFolder.Path
        tmpFolder.Attributes = 0
        tmpFolder.Delete
    Next

    Set tmpDir = Nothing
    Set tmpFolder = Nothing
    Set tmpFile = Nothing
    On Error Goto 0
End Sub

Sub RemoveFile(Target)
    On Error Resume Next
    If objFSO.FileExists(Target) Then
        Dim objFile : Set objFile = objFSO.GetFile(Target)
        objFile.attributes = 0
        objFile.Delete
        Set objFile = Nothing
        strLogs = strLogs & ".. Deleted file: " & Target & VBCrLf
    End If
    On Error Goto 0
End Sub

' BYE
WScript.Echo "Done!"
WScript.Quit


I ran this script and the problem got solved.
After running this script I restarted my machine
and then installed HijackThis.
Ran it and checked the log.
There was no entry of SCVHOST.exe.
Task manager and Registry editor were enabled.
SCVHOST.exe was gone from C:\Windows.
The a1t.job was gone from scheduled tasks.

Then I installed Kaspersky and scanned the PC.
The virus was gone.

Thanks for your help and quick response.
Hope this script will be useful for other users.

Thanks a lot,
Meghana
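
A read-only check of the registry values that the script above deletes or resets, as an added example that is not part of the original thread or of the posted script. The selection of values, the report labels and the helper name TryRead are assumptions made here. It only calls RegRead, so it can be run before and after cleanup to compare the results.

```vbscript
' Added example: read-only audit of registry values named in the cleanup script.
' Nothing is written or deleted; RegRead is the only registry call used.
Option Explicit

Dim sh : Set sh = CreateObject("WScript.Shell")
Dim report : report = ""

' Values the cleanup script deletes. If one is still readable, it is still set.
Dim shouldBeAbsent : shouldBeAbsent = Array( _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger", _
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk", _
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsyskit")

Dim path, data
For Each path In shouldBeAbsent
    If TryRead(path, data) Then
        report = report & "PRESENT            " & path & " = " & data & vbCrLf
    Else
        ' RegRead also fails on access denied, so this is not proof of absence.
        report = report & "absent/unreadable  " & path & vbCrLf
    End If
Next

' The cleanup script resets Winlogon\Shell to "Explorer.exe"; flag anything else.
Const SHELL_VALUE = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
If TryRead(SHELL_VALUE, data) Then
    If LCase(Trim(data)) = "explorer.exe" Then
        report = report & "ok                 " & SHELL_VALUE & " = " & data & vbCrLf
    Else
        report = report & "MODIFIED           " & SHELL_VALUE & " = " & data & vbCrLf
    End If
Else
    report = report & "absent/unreadable  " & SHELL_VALUE & vbCrLf
End If

WScript.Echo report

' Returns True and fills outData (ByRef by default) when the value can be read.
Function TryRead(valuePath, outData)
    On Error Resume Next
    outData = sh.RegRead(valuePath)
    TryRead = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function
```

Running it with cscript.exe prints the report to the console instead of a message box.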

 
