Comments on: THB and Jammer Virus Removal http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/ Inspired by Technology Sun, 01 Aug 2010 06:36:25 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Abhijith BR http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/comment-page-1/#comment-805 Abhijith BR Thu, 29 Apr 2010 07:43:47 +0000 http://www.techlemon.com/?p=479#comment-805 Hi, Here's some info about that THB malware. C:\WINDOWS\system32\win.dll\avgs.exe C:\WINDOWS\system32\win.dll\Desktop.ini C:\WINDOWS\system32\win.dll\DLL.ico C:\WINDOWS\system32\win.dll\drivelist.txt C:\WINDOWS\system32\win.dll\Icon.ico C:\WINDOWS\system32\win.dll\reproduce.txt C:\WINDOWS\system32\win.dll\script1.txt C:\WINDOWS\system32\win.dll\std.txt C:\WINDOWS\system32\win.dll\thb.ico C:\WINDOWS\system32\win.dll\win.exe C:\WINDOWS\system32\win.dll\win.mp3 C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf c:\thb.ico These are the files which distributed by %$thb$% malware. This malware also includes its source code in that directory. The source code file are, C:\WINDOWS\system32\win.dll\reproduce.txt C:\WINDOWS\system32\win.dll\script1.txt C:\WINDOWS\system32\win.dll\std.txt the executable avgs.exe and win.exe are the compilers for the scripts. Its purely written in A********y language. Its a gud language, but everyone is using this for writing malwares. The registry entries made by the malware, HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL It checks for that value, then if it is not 0, sets to 0 HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\WINDOWS\system32\win.dll\win.exe C:\WINDOWS\system32\win.dll\std.txt look at this regentry, it sets the winlogon value to Win.exe + the source code. Easy Cure: 1,Close the malware processes(win.exe, avgs.exe) 2,repair the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL go to this location and set "CheckedValue" to 1 3, delete the folder named C:\WINDOWS\system32\win.dll, including its contents. 4, delete C:\autorun.inf and c:\winthb.exe 5, finally rename the c:\ drive and give it a null name. The feaky icon'll change. Enjoy the Computing! Hi,
Here’s some info about that THB malware.

C:\WINDOWS\system32\win.dll\avgs.exe
C:\WINDOWS\system32\win.dll\Desktop.ini
C:\WINDOWS\system32\win.dll\DLL.ico
C:\WINDOWS\system32\win.dll\drivelist.txt
C:\WINDOWS\system32\win.dll\Icon.ico
C:\WINDOWS\system32\win.dll\reproduce.txt
C:\WINDOWS\system32\win.dll\script1.txt
C:\WINDOWS\system32\win.dll\std.txt
C:\WINDOWS\system32\win.dll\thb.ico
C:\WINDOWS\system32\win.dll\win.exe
C:\WINDOWS\system32\win.dll\win.mp3
C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf
c:\thb.ico

These are the files which distributed by %$thb$% malware.
This malware also includes its source code in that directory.
The source code file are,
C:\WINDOWS\system32\win.dll\reproduce.txt
C:\WINDOWS\system32\win.dll\script1.txt
C:\WINDOWS\system32\win.dll\std.txt

the executable avgs.exe and win.exe are the compilers for the scripts.
Its purely written in A********y language.
Its a gud language, but everyone is using this for writing malwares.

The registry entries made by the malware,

HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
It checks for that value, then if it is not 0, sets to 0

HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\WINDOWS\system32\win.dll\win.exe C:\WINDOWS\system32\win.dll\std.txt
look at this regentry, it sets the winlogon value to Win.exe + the source code.

Easy Cure:
1,Close the malware processes(win.exe, avgs.exe)
2,repair the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
go to this location and set “CheckedValue” to 1
3, delete the folder named C:\WINDOWS\system32\win.dll, including its contents.
4, delete C:\autorun.inf and c:\winthb.exe
5, finally rename the c:\ drive and give it a null name. The feaky icon’ll change.

Enjoy the Computing!

]]> By: narayan http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/comment-page-1/#comment-773 narayan Thu, 28 May 2009 17:26:23 +0000 http://www.techlemon.com/?p=479#comment-773 this is the e mail address narayankg@aim.com the above guys who tried it i believe it worked for them.. u guys are also encouraged for posting me.... lets BE FRIENDS !!! waiting for the response very eagerly this is the e mail address

narayankg@aim.com

the above guys who tried it i believe it worked for them.. u guys are also encouraged for posting me…. lets BE FRIENDS !!!

waiting for the response very eagerly

]]> By: narayan http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/comment-page-1/#comment-772 narayan Thu, 28 May 2009 17:24:22 +0000 http://www.techlemon.com/?p=479#comment-772 i tried with this, but i was not able to find a file named "win.exe".... actually 1st i tried for a 1st aid, which dint work, so dint try for a complete cure.... my question is if i reinstall my windows will it go & how does the computer got affected by JAMMER VIRUS.... does make the comp performance slow or something related to that.... will be very happy if i get the troubleshooting steps in my e mail address mentioned above.... will be happy if i get is soon thanks in advance narayan (can call me as rocky) i tried with this, but i was not able to find a file named “win.exe”…. actually 1st i tried for a 1st aid, which dint work, so dint try for a complete cure…. my question is if i reinstall my windows will it go & how does the computer got affected by JAMMER VIRUS…. does make the comp performance slow or something related to that…. will be very happy if i get the troubleshooting steps in my e mail address mentioned above…. will be happy if i get is soon

thanks in advance

narayan (can call me as rocky)

]]> By: maya http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/comment-page-1/#comment-771 maya Wed, 06 May 2009 09:10:10 +0000 http://www.techlemon.com/?p=479#comment-771 This article helps me a lot.thank you very much.. This article helps me a lot.thank you very much..

]]> By: Arunjith http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/comment-page-1/#comment-752 Arunjith Thu, 29 Jan 2009 04:40:02 +0000 http://www.techlemon.com/?p=479#comment-752 @Arun, you can just follow the steps mentioned. It will work. Techlemon does not have a ready executable file to do this. @Arun, you can just follow the steps mentioned. It will work. Techlemon does not have a ready executable file to do this.

]]> By: arun http://www.techlemon.com/2008/12/30/thb-jammervirus-removal/comment-page-1/#comment-748 arun Fri, 23 Jan 2009 06:11:12 +0000 http://www.techlemon.com/?p=479#comment-748 sir i have same problem, but not able to follow. so plz give me a executable file to delete the virus sir i have same problem, but not able to follow. so plz give me a executable file to delete the virus

]]>