anti yahaa
Feb 21 2007, 05:24 PM, updated 19y ago
#1
Junior Member, 312 posts, Joined: Apr 2006
Anybody know about this virus? It's infecting everybody in Kota Kinabalu.. any known software to remove this?
Feb 22 2007, 09:37 AM
#2
Junior Member, 371 posts, Joined: Aug 2006
QUOTE(raven143 @ Feb 21 2007, 05:24 PM)
> Anybody know about this virus? It's infecting everybody in Kota Kinabalu.. any known software to remove this?

Hi, it would help if a sample of the infected files can be extracted, as well as HijackThis logs, and sent to AV companies, or alternatively tested at www.virustotal.com for authentication. You may be able to identify it and tell which AV currently has a solution for it, because not all viruses have a common name.
Feb 25 2007, 02:08 PM
#3
Junior Member, 277 posts, Joined: Dec 2006
Hmm... Anti Yahaa?
Win32.Yahaa.P@mm/Q ?

Protect yourself from the Yahaa virus with a free tool from BitDefender Security Center. This easy to use tool detects and removes the Yahaa virus (Win32.Yahaa.E@mm) from your system. This is a high spreading Executable Mass Mailer. Get rid of the virus with a fast downloadable dedicated tool.

Requirements: 32 MB RAM
Install Support: Install Only
Platforms: Windows NT 4.x, Windows 95, Windows 2000, Windows 98, Windows XP, Windows Me, Windows NT 3.x

http://www.filetransit.com/go.php?id=9539-4-1 <---- Download.

--Use At Your Own Risk-- (Yea but of course. I haven't killed anyone's comp yet...."YET")
Mar 2 2007, 05:31 AM
#4
Senior Member, 1,052 posts, Joined: Oct 2006, From: Malaysia
What antivirus do you use? Try updating it and scanning again...
Mar 4 2007, 03:25 AM
#5
Junior Member, 71 posts, Joined: Mar 2007, From: Kajang, Selangor
I am a programmer. I help friends in UMS whenever they encounter problems with computers. One friend told me that he had caught a YaHaa VB Worm. So I went and removed the worm manually.

A few days later, he called me up again, saying that he had caught the worm again. Some of his friends had too. Damn! I searched the net frantically for a removal tool, but none were available for this strain. So I thought, WTH, why not make the removal tool myself. After analyzing the code, I realized that it was written in VB. Nice... so I reverse engineered the code and made the tool.

##Important## Read the below before even downloading the file!
- Before running the tool, please disable all antiviruses. The tool has compatibility issues with some antiviruses such as Avast, Norton and Symantec.
- Follow each step carefully. Read through each step. Don't even miss 1 step.
- Plug in all USB sticks that you think might be infected when prompted to.

You can get my removal tool from: http://zultek.dyndns.org

After downloading it, unzip it and run remove.bat (or just "remove" with a funky "gear" icon). Please give feedback on any problems / improvements that I can put into the tool.

This post has been edited by zulfajuniadi: Mar 4 2007, 03:33 AM
Mar 4 2007, 04:38 AM
#6
Senior Member, 1,052 posts, Joined: Oct 2006, From: Malaysia
QUOTE(zulfajuniadi @ Mar 4 2007, 03:25 AM)
> I am a programmer. I help friends in UMS whenever they encounter problems with computers. One friend told me that he had caught a YaHaa VB Worm. So I went and removed the worm manually.

ohh...thanx to you bro

> A few days later, he called me up again, saying that he had caught the worm again. Some of his friends had too. Damn! I searched the net frantically for a removal tool, but none were available for this strain. So I thought, WTH, why not make the removal tool myself. After analyzing the code, I realized that it was written in VB. Nice... so I reverse engineered the code and made the tool.
>
> ##Important## Read the below before even downloading the file!
> - Before running the tool, please disable all antiviruses. The tool has compatibility issues with some antiviruses such as Avast, Norton and Symantec.
> - Follow each step carefully. Read through each step. Don't even miss 1 step.
> - Plug in all USB sticks that you think might be infected when prompted to.
>
> You can get my removal tool from: http://zultek.dyndns.org
>
> After downloading it, unzip it and run remove.bat (or just "remove" with a funky "gear" icon). Please give feedback on any problems / improvements that I can put into the tool.

i never thought to see some programmer in here. u r the first one... anyway, good job for making the removal tool. must be a tough job for you
Mar 4 2007, 08:44 AM
#7
Junior Member, 71 posts, Joined: Mar 2007, From: Kajang, Selangor
QUOTE(id86 @ Mar 4 2007, 04:38 AM)
> ohh...thanx to you bro

Ur welcome

> i never thought to see some programmer in here. u r the first one... anyway, good job for making the removal tool. must be a tough job for you

Not really tough.. took me a few hours, three cups of coffee and a pack of Dunhill 20s.

This post has been edited by zulfajuniadi: Mar 4 2007, 08:45 AM
Mar 4 2007, 02:48 PM
#8
Senior Member, 2,188 posts, Joined: Nov 2005
@zulfajuniadi
Give me your rationale on your BAT coding. TASKKILL section... Why not replace it with:

```bat
TASKKILL /IM wscript.exe /F
```

Unless you mean that the Worm itself has other names, which is why a filter is needed? Correct me if I am wrong. Cheers!

EDIT: Anyway, Thumbs Up on the Good Work!

This post has been edited by natakaasd: Mar 4 2007, 02:49 PM
Mar 4 2007, 03:12 PM
#9
Senior Member, 9,257 posts, Joined: Aug 2005, From: Not so sure myself, Status: 1+3+3=7
I am just puzzled why you don't just use a bat file to remove the registry entries as well? You made it to *.exe so that nobody else can edit the executable itself?

Anyway good job for creating such stuff. *But so, if you say that you're a programmer you should compile everything into an exe file, shouldn't you?*
Mar 4 2007, 09:06 PM
Junior Member, 71 posts, Joined: Mar 2007, From: Kajang, Selangor
QUOTE(eXPeri3nc3 @ Mar 4 2007, 03:12 PM)
> I am just puzzled why you don't just use a bat file to remove the registry entries as well? You made it to *.exe so that nobody else can edit the executable itself?

Can you do that? The only arguments for regedit from the command line that I know of are just to import.

> Anyway good job for creating such stuff. *But so, if you say that you're a programmer you should compile everything into an exe file, shouldn't you?*

(http://www.pctools.com/guides/article/id/1/page/4/) Sorry, this is my first time making such a tool. I wanted to compile everything in .exe, but my C knowledge is limited. Those who are more experienced could shed some light on this matter. The vbs script is just a "suka-suka" script that I wanted to try out. As long as it does its job, it's gud enough for me.

QUOTE
> You made it to *.exe so that nobody else can edit the executable itself?

Actually no. I wanted to make a program that can output a text file with user input. I know that there are numerous prog languages out there that can do the job, I'm just more comfortable in using C. My primary programming skills are more to PHP and VB. The source code is below:

```c
#include <stdio.h>
#include <conio.h>   /* getch(): Windows-only (MinGW/MSVC) */
#include <ctype.h>

int main(void)
{
    char regowner[80];
    char pid[80];
    char pns[80];
    char conf;
    FILE *create_reg;
    FILE *append_reg;

    printf("Yahaa VB Worm Removal Tool\n\n");

    /* Ask for the three values the worm overwrites, until the user confirms them. */
    do {
        printf("Please enter the Registered Owner\n(e.g. Amat bin Dollah)\n>");
        fscanf(stdin, " %79[^\n]", regowner);   /* the array name already is a char*, no & needed */
        printf("\nPlease enter the Processor Name\n(e.g. Intel(R) Pentium(R) 4 CPU 2.80GHz)\n>");
        fscanf(stdin, " %79[^\n]", pns);
        printf("\nPlease enter the Product ID\n(e.g. 12345-123-1234567-12345)\n>");
        fscanf(stdin, " %79[^\n]", pid);
        printf("\n\n");
        printf("You entered:\nRegistered Owner: %s\nProcessor Name: %s\nProduct ID: %s\n\n"
               "Are these values correct? (y=yes, n=no)", regowner, pns, pid);
        scanf(" %c", &conf);
    } while (conf != 'y');

    /* Write the .reg header, then append one block per key to fix. */
    create_reg = fopen("append.reg", "w");
    if (create_reg == NULL) {
        perror("append.reg");
        return 1;
    }
    fprintf(create_reg, "Windows Registry Editor Version 5.00\n\n");
    fclose(create_reg);

    append_reg = fopen("append.reg", "a");
    if (append_reg == NULL) {
        perror("append.reg");
        return 1;
    }
    /* Blank the worm's Run entry and the IE window title it sets */
    fprintf(append_reg, "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n\"autoupdate\"=\"\"\n\n");
    fprintf(append_reg, "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\n\"Window Title\"=\"\"\n\n");
    /* Restore the values the worm changed, from the user's input */
    fprintf(append_reg, "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion]\n\"RegisteredOwner\"=\"%s\"\n\n", regowner);
    fprintf(append_reg, "[HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0]\n\"ProcessorNameString\"=\"%s\"\n\n", pns);
    fprintf(append_reg, "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion]\n\"ProductId\"=\"%s\"\n\n", pid);
    /* Restore the .vbs icon. Note: .reg syntax expects backslashes inside a quoted
       value to be doubled ("\\\\" in C source); this line writes single ones. */
    fprintf(append_reg, "[HKEY_CLASSES_ROOT\\vbsfile]\n\"DefaultIcon\"=\"C:\\Windows\\System32\\WScript.exe,2 vbsfile\"");
    fclose(append_reg);

    printf("\n\nRegistration Keys written. Press any key to continue\n\n");
    getch();
    return 0;
}
```

@natakaasd I tried "TASKKILL /IM wscript.exe /F" on my computer. It just killed one task. I don't know why, but it didn't kill all the wscript.exe processes. YaHaa spawns more than one instance of wscript.exe. That's why I used the filter.

This post has been edited by zulfajuniadi: Mar 4 2007, 10:15 PM
Mar 5 2007, 07:07 AM
Senior Member, 2,188 posts, Joined: Nov 2005
QUOTE
> I tried "TASKKILL /IM wscript.exe /F" on my computer. It just killed one task. I don't know why, but it didn't kill all the wscript.exe processes. YaHaa spawns more than one instance of wscript.exe. That's why I used the filter.

This makes some sense too. Never thought of that.

QUOTE
> My primary programming skills are more to PHP and VB.

VB as in VB or VBS or VB .Net? If it is pure VB, I'd really like to talk to you.
Mar 5 2007, 02:07 PM
Senior Member, 9,257 posts, Joined: Aug 2005, From: Not so sure myself, Status: 1+3+3=7
QUOTE(zulfajuniadi @ Mar 4 2007, 09:06 PM)
> Can you do that? The only arguments for regedit from the command line that I know of are just to import.

I'm no programmer myself.

> (http://www.pctools.com/guides/article/id/1/page/4/) Sorry, this is my first time making such a tool. I wanted to compile everything in .exe, but my C knowledge is limited. Those who are more experienced could shed some light on this matter. The vbs script is just a "suka-suka" script that I wanted to try out. As long as it does its job, it's gud enough for me.
>
> Actually no. I wanted to make a program that can output a text file with user input. I know that there are numerous prog languages out there that can do the job, I'm just more comfortable in using C. My primary programming skills are more to PHP and VB. The source code is below:
>
> [C source quoted from the post above]
>
> @natakaasd I tried "TASKKILL /IM wscript.exe /F" on my computer. It just killed one task. I don't know why, but it didn't kill all the wscript.exe processes. YaHaa spawns more than one instance of wscript.exe. That's why I used the filter.

For the registry query/edit please refer below. I do not know if this might be of use or not, but:

[screenshot of reg command usage; image not preserved]

That's what I recalled seeing my "Mentors" using.
Mar 5 2007, 04:21 PM
Senior Member, 2,188 posts, Joined: Nov 2005
To make it simple, why don't you ONLY run the EXE instead of the Batch File, experience? Just use random values for all the questions. THEN, read the Registry File that is produced. You will then understand that MS-DOS Codes are NOT adequate to "Edit" the "Hacked by pokemon" Code. Cheers!
Mar 5 2007, 04:43 PM
Senior Member, 9,257 posts, Joined: Aug 2005, From: Not so sure myself, Status: 1+3+3=7
I disagree. I didn't do research on the Hacked By Pokemon thingy, but I do know that "reg" is able to remove the registry entries added by it.
http://www.microsoft.com/resources/documen...g.mspx?mfr=true
Mar 5 2007, 06:57 PM
Senior Member, 2,188 posts, Joined: Nov 2005
Obviously, you misinterpreted everything.
Let's say you have an entry Value: "Natakaasd hacked by Pokemon". I want to preserve "Natakaasd", BUT remove "hacked by pokemon". How would you do it with REG? And not to mention, not many amateurs know how to write Fix.REG themselves. That's the purpose of the EXE. Cheers!
Mar 5 2007, 09:54 PM
Senior Member, 9,257 posts, Joined: Aug 2005, From: Not so sure myself, Status: 1+3+3=7
QUOTE(natakaasd @ Mar 5 2007, 06:57 PM)
> Obviously, you misinterpreted everything.

Oh, now I get what you mean.

> Let's say you have an entry Value: "Natakaasd hacked by Pokemon". I want to preserve "Natakaasd", BUT remove "hacked by pokemon". How would you do it with REG? And not to mention, not many amateurs know how to write Fix.REG themselves. That's the purpose of the EXE. Cheers!

It could be done, by VB interface I guess?

Added on March 5, 2007, 9:56 pm
Anyway, it's no biggie, the user can manually edit it back. I don't think that they'll complain much for that. Tho' the sense of the discussion is user input. Cheers!

This post has been edited by eXPeri3nc3: Mar 5 2007, 09:56 PM
Mar 6 2007, 03:19 PM
Senior Member, 2,188 posts, Joined: Nov 2005
It could be done with VBS itself, but it has been a while since I last fiddled with VB Syntax. I guess another way to approach the matter is:
1. VBS calls for the REG Entries and Values
2. VBS does String Manipulation (Remove the "hack...")
3. VBS sends the new String to the Registry via WinAPI OR "Comspec"

Cheers!
P.S. It's an idea. Hopefully it can be implemented somehow. Cheers!
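As an added example (not the thread's tool and not code from any poster), here is the middle of the three-step approach above, plus the .reg-writing part of the tool in post #10, in C to match that tool's source. strip_marker() does step 2: it removes the worm's "hacked by pokemon" marker from a value such as "Natakaasd hacked by Pokemon" while keeping the user's own text, matching case-insensitively. format_reg_string() builds the "name"="value" line for a Fix.REG with the escaping Regedit requires (a backslash or double quote inside a string value must itself be preceded by a backslash), which the tool's plain fprintf("...=\"%s\"") does not apply to user input. Reading the current value (step 1) and importing the result (step 3) are left to reg query / regedit and are not shown. The function names, buffer sizes and sample values are this example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive search for needle in haystack; returns a pointer to the
 * first match or NULL. (Hypothetical helper for this example.) */
static const char *find_nocase(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    for (const char *p = haystack; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] &&
               tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return p;
    }
    return NULL;
}

/* Copy value into out (capacity outsz) with every occurrence of marker
 * removed and leading/trailing whitespace trimmed. Returns the number of
 * removals, or -1 if a buffer is too small or marker is empty. With
 * "Natakaasd hacked by Pokemon" and marker "hacked by pokemon" the result
 * is "Natakaasd"; a value that was only the marker becomes "" so the
 * caller can fall back to the Windows default. */
int strip_marker(const char *value, const char *marker, char *out, size_t outsz)
{
    char buf[512];
    size_t mlen = strlen(marker);
    int removed = 0;
    const char *hit;
    char *start, *end;

    if (mlen == 0 || strlen(value) >= sizeof buf)
        return -1;
    strcpy(buf, value);

    while ((hit = find_nocase(buf, marker)) != NULL) {
        size_t pos = (size_t)(hit - buf);
        /* shift the tail (including its NUL) over the marker */
        memmove(buf + pos, buf + pos + mlen, strlen(buf + pos + mlen) + 1);
        removed++;
    }

    start = buf;
    while (*start && isspace((unsigned char)*start))
        start++;
    end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1]))
        end--;
    *end = '\0';

    if ((size_t)(end - start) >= outsz)
        return -1;
    strcpy(out, start);
    return removed;
}

/* Append s to out at *j, escaping \ and " as .reg syntax requires. */
static int put_escaped(const char *s, char *out, size_t outsz, size_t *j)
{
    for (; *s; s++) {
        if (*s == '\\' || *s == '"') {
            if (*j + 1 >= outsz) return -1;
            out[(*j)++] = '\\';
        }
        if (*j + 1 >= outsz) return -1;
        out[(*j)++] = *s;
    }
    return 0;
}

/* Produce the REG_SZ line  "name"="value"  (no newline) into out.
 * Returns 0 on success, -1 if out is too small. A path value such as
 * C:\Windows\System32\WScript.exe,2 comes out with doubled backslashes,
 * which is what regedit.exe itself writes on export. */
int format_reg_string(const char *name, const char *value, char *out, size_t outsz)
{
    size_t j = 0;
    if (outsz < 6) return -1;
    out[j++] = '"';
    if (put_escaped(name, out, outsz, &j)) return -1;
    if (j + 3 >= outsz) return -1;
    out[j++] = '"';
    out[j++] = '=';
    out[j++] = '"';
    if (put_escaped(value, out, outsz, &j)) return -1;
    if (j + 1 >= outsz) return -1;
    out[j++] = '"';
    out[j] = '\0';
    return 0;
}

int main(void)
{
    /* constructed sample values, not read from any registry */
    char cleaned[128], line[256];
    strip_marker("Natakaasd hacked by Pokemon", "hacked by pokemon", cleaned, sizeof cleaned);
    format_reg_string("Window Title", cleaned, line, sizeof line);
    printf("[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\n%s\n", line);
    return 0;
}
```

Writing the value back through a generated .reg file keeps the "what changed" visible to the user before it is imported, which is the same reason the thread's tool writes append.reg instead of touching the registry directly.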
Mar 6 2007, 05:29 PM
Senior Member, 9,257 posts, Joined: Aug 2005, From: Not so sure myself, Status: 1+3+3=7
Lol, when I couldn't sleep last night I thought of something that might work, but coding takes a bit more time.
I remember looking at my friend's QBasic book; in DOS it's able to call for user input. Hence:
"Please type the desired text to appear on IE/FF top bar (Blank for default)"
Then call the batch to create a reg file based on what the user typed, and import it into the registry. This will work.

Anyway, it seems that this turned out to be a suggestion thread
Mar 8 2007, 04:37 PM
Senior Member, 2,188 posts, Joined: Nov 2005
No comments on DOS. LOL. I am not a pro in DOS Commands, but yes, there is a way to do it. Suggestion thread? Obviously it is heading that way