Friday, September 19, 2008

A Nasty Worm winf.exe

I came across a worm by the name winf.exe. Most of you may know this worm: it changes the drive icon to a nasty looking image and the label to weird looking characters. Even if you want to change the label or the icon back, you won't be able to do it. This worm mostly spreads through USB devices. When you double click on the drive, this virus copies an autorun.inf file and a thb.ico file to all your drives, and there you go, all icons and labels changed!! Not only that, it copies the files win.exe and avgs.exe to your system32 folder, and an entry is added to a particular place in the registry so that it is launched during startup.
You might have a question: what do these two program files do? Well, you might have experienced this: when you type orkut or youtube in your browser, a message box pops up and tells you orkut and youtube are infected by a virus; not only that, it closes your browser too. Great, right? Sometimes it may play a laughing sound as well.
Well, what exactly is this so-called virus???
It's not a virus. Surprised??? It's a script written using the AutoHotkey software. You can get this software here: www.autohotkey.com/download. This software was actually created to automate repetitive tasks and improve the Windows user interface, but some people are using it to create nasty programs and trouble others.
This worm consists of a set of files, including the source code for the same!!, packed into an SFX archive using WinRAR so that it can be extracted to the required location when the user double clicks on the USB device. The icon of the SFX archive is removed so that it is not easily spotted, since only the file name is visible.
How to bring the drive icon and label back to normal?
Manual
  1. Launch Task Manager.
  2. Find the processes win.exe and avgs.exe running under your user name.
  3. Terminate these processes.
  4. Now launch a command prompt and type the following commands:
C:\Documents and Settings\VASUDEV>cd\
C:\>del /A:H /F autorun.inf thb.ico
Repeat this in each drive (the files are hidden, which is why the /A:H switch is needed to match them and /F to force deletion). If you have some PC maintenance software, check the startup program list; if win.exe or avgs.exe are listed, remove those entries and restart. Now the drives should return to normal. Next, scan the system using antivirus software. I suggest using avast's boot time scan on the C drive; it will delete all infected files.
This is the method I used to remove the virus from my system.
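As an added example (not the post's own tool or code), the check and cleanup behind steps 1 to 4 in Python: it parses an autorun.inf for the keys that make Windows run a program or swap the drive icon and label when a drive is double clicked, and deletes the dropped autorun.inf and thb.ico from a drive root the way del /A:H /F does. The sample autorun.inf and the temporary directory standing in for a drive root are constructed; the [autorun] key names are standard autorun.inf keys and the file names are the ones the post gives.

```python
"""Added example (not the post's own tool): flag an autorun.inf that behaves like the worm
described above and delete the autorun.inf/thb.ico pair from a drive root. SAMPLE_AUTORUN is constructed."""
import configparser, ctypes, os, tempfile
# [autorun] keys that make Explorer run a program when the drive is double-clicked.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
DROPPED_FILES = ("autorun.inf", "thb.ico")  # the two files the post says are copied to every drive root
SAMPLE_AUTORUN = "[AutoRun]\nopen=winf.exe\nicon=thb.ico\nlabel=%$#@!\nshell\\open\\command=winf.exe\n"

def parse_autorun(text):
    """Parse autorun.inf (INI syntax; section and key names are case-insensitive on Windows)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}

def autorun_indicators(text):
    """Return the reasons an autorun.inf matches the worm's behaviour (empty list = nothing suspicious)."""
    keys = parse_autorun(text)
    reasons = ["runs %r via %s=" % (keys[k], k) for k in EXEC_KEYS if k in keys]
    if keys.get("icon", "").lower().endswith("thb.ico"):
        reasons.append("swaps the drive icon for thb.ico")
    if reasons and "label" in keys:  # a new label alone is harmless; report it only next to code execution
        reasons.append("overrides the drive label with %r" % keys["label"])
    return reasons

def clean_drive_root(root):
    """Delete the dropped files from one drive root (what 'del /A:H /F' does); return the names removed."""
    removed = []
    for name in DROPPED_FILES:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if os.name == "nt":  # clear Hidden/System/Read-only first, otherwise Windows refuses the delete
            ctypes.windll.kernel32.SetFileAttributesW(path, 0x80)  # FILE_ATTRIBUTE_NORMAL
        os.remove(path)
        removed.append(name)
    return removed

def demo_on_temp_dir():
    """Stand-in for an infected drive root: plant read-only copies, clean, report what is left."""
    root = tempfile.mkdtemp()
    for name in DROPPED_FILES:
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(SAMPLE_AUTORUN if name.endswith(".inf") else "icon bytes")
        os.chmod(path, 0o444)  # mimic the read-only attribute the worm sets
    return sorted(clean_drive_root(root)), sorted(os.listdir(root))
```

Run autorun_indicators on the autorun.inf found in a drive root before deleting anything; a plain label-only autorun.inf (as some vendors ship) returns an empty list and is left alone.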
To avoid getting infected by this nasty worm and other similar worms: "Do not double click on your pendrive on any day; use the address bar to access the pendrive instead".
Also use this small but very effective software, USB Disk Security, a mere 1 MB program that detects any autorun program, including winf.exe, as soon as you insert a USB device. The home page for this software is http://www.zbshareware.com/.

12 comments:

Prabhav said...

Nice work Vasu... not all people were aware of the solution, especially for the most common winf.exe worm... And hey, I'd suggest you upload the procedure to disable autorun (for all drives) through gpedit.msc... that'll help a lot of people.

kuttigame said...

How to terminate these processes?

वासुदेव् (ವಾಸುದೇವ್) said...

Well, as I told, when you launch the task manager you should find 2 processes, win.exe and avgs.exe, running under your user name. Right click on these processes and then click End Process Tree. Make sure you are disconnected from the internet before doing it. If this doesn't work and the process keeps on coming back, install the latest version of avast and do a boot time scan of your system; it will find the infected files and delete them.

jose said...

Hello, I did this also.... but this process returns to the computer after restarting.....
Two days before, I downloaded avast, which was 26 MB, version 4.8,
but after I installed it my computer became very slow, then I uninstalled it...........
What do I do?

jose said...

(I am kuttigame...............)

jose said...

And I did a study about it and made a post for it...... from all in my hands.
Please view it and tell me what to do for it......
http://chullickal.blogspot.com/2008/10/tcpip-module-missing-from_30.html

वासुदेव् (ವಾಸುದೇವ್) said...

Actually, did you uninstall the previous anti virus before installing avast? If not, please do, and after installing just launch it and it will scan your memory. At that time, if the virus is there it will ask for deletion; if too many are there it will ask for a boot time scan of the system, just press yes. After the scan is complete and the viruses are deleted your system will work very fast, so just give it a try..

jose said...

I also have an anti virus: ESET NOD32,
but it cannot get the virus.. Then I searched in Windows for "win.exe" and got 1 file whose icon is like "H",
and also searched "avgs.exe" and got a file whose icon is the same as win.exe, like "H". Then I deleted the two files by pressing Shift+Delete,
but when I restart, that process returns......

jose said...

Hello, my RAM memory is too low, 128 MB,

and this computer is 7 years old and I am 13 years old, but it performs very fast on 1 condition: don't want any more big applications and no style........hehehehe. It can run Adobe Photoshop 7 with no hangs........ Intel Celeron processor.

वासुदेव् (ವಾಸುದೇವ್) said...

ESET was not catching it when I was using it; I submitted the virus file to them more than 10 times. You try with avast, it will delete it. You can't manually delete it because it's designed to launch itself during start up. Use TuneUp Utilities or any other start up program editor and remove the files from start up. And uninstall ESET and try with avast, it won't take too much memory and I assure you your PC will be cleaned and will work properly. Just give it a try, I've fixed many infected computers with avast.

Siva said...

BEST POSSIBLE SOLUTION WORKING ON 1DEC
Just had this script in my PC. Gotta admit that it's tricky. As many of them have mentioned, use task manager to end avgs.exe and win.exe. Use Malwarebytes' Anti-Malware (google it, comes around 2 MB). Use it, it'll identify and clean the damaged files. Now you won't get the win.exe and avgs.exe, but now go to your C drive, in folder options choose to show hidden files, and just delete the thb.ico and autorun.inf files. Now you're clean as a whistle.

Praveen said...

Excellent concept and elucidation Vasu. Thanks a lot. I couldn't get better info from other sites until now... Just to sum up what I did...
1. Tried out the free software that Vasu suggested, the zbshare one. After I installed it, I could see that there is a startup application called "Status" and THB is the name of it. The registry entry is bringing it live every time... it can be found at HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. I removed the entire Run folder..
2. The executable virus files were in my C drive at C:\Windows\system23\win.dll. See the irony here: win.dll is a folder and contains all the files. It has a REG.BKP, but has an autoexc.inf file (better not open that).. though I accidentally did and didn't find any damage to myself.
3. My C:\ drive icon etc. were changed; I deleted the autoexc.inf and thb.ico files.

Upon restart, all was fine and nice as ever.