Hi Samker,
Sorry for the delay.
I tried to install HijackThis, but the virus didn't allow me to do so.
Yesterday I got another script.
'*************************************************************************
' DESCRIPTION
'
' This script is designed to help you remove:
' 1/ W32/Hakaglan.worm.gen (http://vil.nai.com/vil/content/v_142233.htm)
' 2/ BackDoor-AVW (http://vil.nai.com/vil/content/v_103064.htm)
' 3/ Keylog-Perfect (http://vil.nai.com/vil/content/v_100257.htm)
' 4/ NTRootKit-W (http://vil.nai.com/vil/content/v_139108.htm)
' 5/ W32/Bagle.ea (http://vil.nai.com/vil/content/v_139038.htm)
'
' NOTE: it terminates processes and deletes files purely by fixed name under
' %WinDir% and system32, edits HKLM, and empties %Temp%. Review the lists
' below before running it, and run it from an administrator account.
'*************************************************************************
Option Explicit
' SCRIPT CONFIGURATION
Dim WshShell, DocDir, TmpDir, WinDir, SysDir
Dim strComp, strLogs, arrProcs(10), arrFiles(51)
Set WshShell = WScript.CreateObject("WScript.Shell")
DocDir = WshShell.ExpandEnvironmentStrings("%UserProfile%") & chr(92)
TmpDir = WshShell.ExpandEnvironmentStrings("%Temp%") & chr(92)
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%") & chr(92)
SysDir = WinDir & "system32"
strComp = "." ' Can be changed to name of remote computer
strLogs = ""
' Process Names (in lowercase)
arrProcs(0) = "rvhost.exe"
arrProcs(1) = "ssvichosst.exe"
arrProcs(2) = "sscviihost.exe"
arrProcs(3) = "new folder.exe"
arrProcs(4) = "hinhem.scr"
arrProcs(5) = "blastclnnn.exe"
arrProcs(6) = "skcvhost.exe"
arrProcs(7) = "systems.exe"
arrProcs(
= "hidr.exe"
arrProcs(9) = "m_hook.sys"
' W32/Hakaglan.worm.gen (nhattruongquang, nhatquanglan
arrFiles(0) = WinDir & "RVHOST.exe"
arrFiles(1) = WinDir & "SSVICHOSST.exe"
arrFiles(2) = WinDir & "SSCVIIHOST.exe"
arrFiles(3) = WinDir & "Tasks\At1.job"
arrFiles(4) = SysDir & "nhatquanglan9.exe"
arrFiles(5) = SysDir & "nhatquanglan11.exe"
arrFiles(6) = SysDir & "SSVICHOSST.exe"
arrFiles(7) = SysDir & "SSCVIIHOST.exe"
arrFiles(
= SysDir & "New Folder.exe"
arrFiles(9) = SysDir & "hinhem.scr"
arrFiles(10) = SysDir & "blastclnnn.exe"
arrFiles(11) = SysDir & "autorun.ini"
arrFiles(12) = SysDir & "setting.ini"
arrFiles(13) = SysDir & "setting.xls"
arrFiles(14) = SysDir & "setting.doc"
' BackDoor-AVW
arrFiles(15) = WinDir & "services.exe"
arrFiles(16) = WinDir & "ktd32.atm"
arrFiles(17) = WinDir & "system\sservice.exe"
arrFiles(18) = SysDir & "fservice.exe"
arrFiles(19) = SysDir & "server.exe"
arrFiles(20) = SysDir & "reginv.dll"
arrFiles(21) = SysDir & "winkey.dll"
' Keylog-Perfect
arrFiles(22) = SysDir & "SKCVHOST.exe"
arrFiles(23) = SysDir & "SKCVHOSTr.exe"
arrFiles(24) = SysDir & "SKCVHOSThk.dll"
arrFiles(25) = SysDir & "SYSTEMS.exe"
arrFiles(26) = SysDir & "SYSTEMShk.dll"
arrFiles(27) = SysDir & "SYSTEMShk.dll"
arrFiles(28) = SysDir & "apps.dat"
arrFiles(29) = SysDir & "bpk.bin"
arrFiles(30) = SysDir & "bpk.dat"
arrFiles(31) = SysDir & "bpk.exe"
arrFiles(32) = SysDir & "bpkch.dat"
arrFiles(33) = SysDir & "bsdhooks.dll"
arrFiles(34) = SysDir & "inst.dat"
arrFiles(35) = SysDir & "inst.tmp"
arrFiles(36) = SysDir & "kw.dat"
arrFiles(37) = SysDir & "mc.dat"
arrFiles(38) = SysDir & "pk.bin"
arrFiles(39) = SysDir & "rinst.dat"
arrFiles(40) = SysDir & "rinst.exe"
arrFiles(41) = SysDir & "titles.dat"
arrFiles(42) = SysDir & "web.dat"
arrFiles(43) = SysDir & "web.dll"
arrFiles(44) = SysDir & "keystrokes.html"
arrFiles(45) = SysDir & "websites.html"
arrFiles(46) = SysDir & "chats.html"
arrFiles(47) = SysDir & "report.txt"
' W32/Bagle.ea
arrFiles(48) = DocDir & "Application Data\hidires\hidr.exe"
arrFiles(49) = DocDir & "Application Data\hidires\m_hook.sys"
arrFiles(50) = SysDir & "wintems.exe"
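' RESTORE REGISTRY
' Undo the persistence entries and the policy lock-downs. WshShell.RegDelete
' treats a path ending in "\" as a key and anything else as a value, so key
' paths below must carry the trailing backslash.
' W32/Hakaglan.worm.gen - re-enable regedit, Task Manager and Folder Options
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shares"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"
' Restore the default shell. This writes HKLM, so the script must run with
' administrator rights or setRegVal will report the failure in the log.
setRegVal "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "REG_SZ"
' Fix: ControlSet001 is not necessarily the control set in use;
' CurrentControlSet always is, so both are cleaned.
delRegVal "HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours"
' BackDoor-AVW - these are keys. Fix: the original omitted the trailing "\",
' so RegDelete looked for a *value* named "{GUID}" and deleted nothing.
' NOTE(review): if RegDelete refuses a key that still has subkeys, delRegVal
' swallows the error and the key stays - verify on a live sample.
delRegVal "HKCR\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}\"
delRegVal "HKCR\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A}\"
' (non-hex characters in this GUID are kept exactly as published)
delRegVal "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\"
' Keylog-Perfect - autostart values
delRegVal "HKLM\SOFTTWARE_PLACEHOLDER"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS"
' NTRootKit-W - driver registration keys, in both control sets (same
' trailing-backslash fix as above)
delRegVal "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_M_HOOK\"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\m_hook\"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Services\m_hook\"
' W32/Bagle.ea
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsyskit"
' Report this phase and start a fresh log for the process/file phase
If strLogs <> "" Then
    WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
    strLogs = ""
End If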
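Sub setRegVal(Target, Value, Reg)
    ' Writes Value of registry type Reg (e.g. "REG_SZ") to the registry path
    ' Target via WshShell.RegWrite and appends the outcome to strLogs.
    ' Fix: a failed write (typically access denied on an HKLM path when not
    ' running as administrator) was swallowed without a trace; it is now
    ' logged with the error text so the user can see the value was not set.
    On Error Resume Next
    WshShell.RegWrite Target, Value, Reg
    If Err = 0 Then
        strLogs = strLogs & ".. Set value of " & Target & " to " & Value & VBCrLf
    Else
        strLogs = strLogs & ".. Could not set " & Target & ": " & Err.Description & VBCrLf
    End If
    Err.Clear
    On Error Goto 0
End Sub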
Sub delRegVal(Target)
    ' Removes the registry value named by Target (or the key, when Target
    ' ends in "\") and records a successful deletion in strLogs. Failures are
    ' deliberately not logged: most entries simply do not exist on a given
    ' machine, and RegDelete raises an error for those too.
    On Error Resume Next
    WshShell.RegDelete Target
    Dim blnDeleted : blnDeleted = (Err = 0)
    Err.Clear
    On Error Goto 0
    If blnDeleted Then strLogs = strLogs & ".. Deleted value: " & Target & VBCrLf
End Sub
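' KILL 'EM
' Connect to WMI (process enumeration / termination on strComp) and the
' FileSystemObject (file and folder deletion), then run the cleanup.
' Fix: the original tested Err = 0 without an active On Error Resume Next,
' so a failing GetObject aborted the script with an unhandled error before
' the test could ever run. The failure is now reported and the phase skipped.
Dim objWMI, objFSO
On Error Resume Next
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\cimv2")
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
If Err = 0 Then
    On Error Goto 0
    KillProcs
    Set objWMI = Nothing
    Set objFSO = Nothing
Else
    WScript.Echo "Could not initialise WMI / FileSystemObject (" & Err.Description & "); process and file cleanup skipped."
    Err.Clear
    On Error Goto 0
End If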
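Sub KillProcs
    ' Terminates every running process whose image name is listed in
    ' arrProcs, deletes every path in arrFiles, removes the Bagle "hidires"
    ' folder and empties %Temp%. Uses the script-level objWMI, objFSO and
    ' strLogs; results are appended to strLogs and echoed at the end.
    Dim objProc, i, strName
    ' Kill process if running. Matching is by image name only - no path,
    ' signature or hash check - so a legitimate binary that happens to share
    ' a listed name would be terminated as well.
    Dim colProc : Set colProc = objWMI.ExecQuery("Select Name from Win32_Process")
    For Each objProc In colProc
        strName = LCase(CStr(objProc.Name))
        For i = 0 To UBound(arrProcs)
            If arrProcs(i) = strName Then
                ' Fix: Terminate raised an unhandled error (e.g. access denied)
                ' and aborted the whole script before any file was deleted.
                ' The failure is now logged and the sweep continues.
                On Error Resume Next
                objProc.Terminate()
                If Err = 0 Then
                    strLogs = strLogs & ".. Terminated process: " & arrProcs(i) & VBCrLf
                Else
                    strLogs = strLogs & ".. Could not terminate " & arrProcs(i) & ": " & Err.Description & VBCrLf
                    Err.Clear
                End If
                On Error Goto 0
                Exit For
            End If
        Next
    Next
    Set colProc = Nothing
    Set objProc = Nothing
    ' Delete file (RemoveFile handles missing files and its own errors)
    For i = 0 To UBound(arrFiles)
        RemoveFile arrFiles(i)
    Next
    ' Delete the Bagle drop folder. Delete True forces removal of read-only
    ' content; errors are logged instead of aborting the script.
    Dim strHidires : strHidires = DocDir & "Application Data\hidires"
    If objFSO.FolderExists(strHidires) Then
        On Error Resume Next
        Dim objFolder : Set objFolder = objFSO.GetFolder(strHidires)
        objFolder.Attributes = 0
        objFolder.Delete True
        If Err = 0 Then
            strLogs = strLogs & ".. Deleted folder: " & strHidires & VBCrLf
        Else
            strLogs = strLogs & ".. Could not delete folder " & strHidires & ": " & Err.Description & VBCrLf
            Err.Clear
        End If
        On Error Goto 0
        Set objFolder = Nothing
    End If
    ' Empty TEMP folder. This removes the user's own temporary data too, not
    ' just malware droppings - intended, but worth knowing before running.
    RemoveTmpFolder TmpDir
    If strLogs <> "" Then
        WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
    End If
End Sub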
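Sub RemoveTmpFolder(Target)
    ' Empties the folder Target: deletes every file in it and recurses into
    ' every sub-folder before deleting that sub-folder. Target itself is left
    ' in place. Errors (locked or in-use files) are swallowed so one failure
    ' does not stop the sweep.
    ' Fix: the original's local "tmpDir" shadowed the script-level TmpDir
    ' (VBScript identifiers are case-insensitive), and nothing stopped the
    ' routine from sweeping a drive root if %Temp% expanded to one.
    On Error Resume Next
    If Not objFSO.FolderExists(Target) Then Exit Sub
    Dim fldTarget : Set fldTarget = objFSO.GetFolder(Target)
    ' Never empty a whole volume, whatever the caller handed in
    If fldTarget.IsRootFolder Then Exit Sub
    Dim itmFile, itmFolder
    For Each itmFile In fldTarget.Files
        itmFile.Attributes = 0   ' clear read-only/hidden/system so Delete succeeds
        itmFile.Delete True
    Next
    For Each itmFolder In fldTarget.SubFolders
        ' NOTE(review): SubFolders also lists junctions / reparse points; how
        ' FSO Delete treats their targets is not checked here - confirm before
        ' pointing this at anything other than %Temp%.
        RemoveTmpFolder itmFolder.Path
        itmFolder.Attributes = 0
        itmFolder.Delete True
    Next
    Set itmFile = Nothing
    Set itmFolder = Nothing
    Set fldTarget = Nothing
    On Error Goto 0
End Sub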
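Sub RemoveFile(Target)
    ' Deletes the file at Target if it exists, clearing read-only / hidden /
    ' system attributes first, and records the outcome in strLogs.
    ' Fix: the original logged ".. Deleted file" unconditionally - with
    ' On Error Resume Next active, a failed Delete (file in use, access
    ' denied) still produced a success line. The result is now checked.
    On Error Resume Next
    If objFSO.FileExists(Target) Then
        Dim objFile : Set objFile = objFSO.GetFile(Target)
        objFile.Attributes = 0
        objFile.Delete True
        If Err = 0 Then
            strLogs = strLogs & ".. Deleted file: " & Target & VBCrLf
        Else
            strLogs = strLogs & ".. Could not delete file " & Target & ": " & Err.Description & VBCrLf
            Err.Clear
        End If
        Set objFile = Nothing
    End If
    On Error Goto 0
End Sub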
' BYE
' Final message, then exit with the default (zero) exit code.
Dim strBye : strBye = "Done!"
WScript.Echo strBye
WScript.Quit
I ran this script and the problem got solved.
After running this script I restarted my machine
and then installed HijackThis.
Ran it and checked the log.
There was no entry of SCVHOST.exe.
Task manager and Registry editor was enabled.
SCVHOST.exe was gone from C:\Windows.
The At1.job was gone from Scheduled Tasks.
Then i installed Kaspersky and scanned the pc.
The virus was gone.
Thanks for your help and quick response.
Hope this script will be useful for other users.
Thanks a lot,
Meghana