Tuesday, March 31, 2009

How to Remove Huelar.exe (mscvhost.exe, winlogos.exe) virus

One of my regular blog readers asked for advice on how to remove the Huelar virus. He said that the only way he knows to remove that pesky virus is to reformat the PC, and he asked whether there is an alternative way to remove it without reformatting. Well my friend, here is the solution to your problem.

First, some background on the Huelar virus. Huelar is actually a worm. Once your computer is infected, it spreads very fast through your local area network and drops an Autorun.inf on every computer connected to the network. It drops huelar.exe, winlogos.exe and huelarkill.exe into your Windows system directory. It also makes executable copies of your files and folders; once such a copy is clicked, it creates yet another copy of the virus, which makes it very hard to remove. This virus also disables your Registry Editor, Task Manager and Folder Options.

What to do if your PC is infected with Huelar virus

The first thing you should do is disable AutoRun, turn off System Restore, start Windows in Safe Mode, and scan your computer with an updated antivirus. If your antivirus fails to remove the virus, we will delete it manually.

First we will create a batch file that deletes all the possible copies of this virus.

Open Notepad, then copy and paste the following code.

@echo off

echo "=============================================================="
echo "Powered by: http://pcremix.com PC Tips and Tweaks"
echo "=============================================================="

rem Stop the worm's running copies first (/f = force, /im = image name)
taskkill /f /im mscvhost.exe
taskkill /f /im winlogos.exe
taskkill /f /im huelar.exe
rem tskill is the older Terminal Services tool; it takes the process name without .exe
tskill mscvhost
tskill winlogos
tskill huelar

rem Import the registry fix silently; %~dp0 is the folder this batch file is in
regedit /s "%~dp0Huelarkiller.reg"

rem Kill once more in case a copy restarted while the registry was being fixed
taskkill /f /im mscvhost.exe
taskkill /f /im winlogos.exe
taskkill /f /im huelar.exe

rem Delete the worm's files and the executable copies it makes of folders.
rem Every path is quoted because many contain spaces; without the quotes, del
rem treats each word as a separate file name. "Admin" is the author's profile
rem name; replace it with your own user name. %USERPROFILE% stands for the
rem profile of whoever runs the script.
del "C:\*.exe"
del "D:\*.exe"
del "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\mscvhost.exe"
del "%USERPROFILE%\Start Menu\Programs\Startup\mscvhost.exe"
del "C:\Documents and Settings\Admin\Application Data\Adobe\*.exe"
del "C:\WINDOWS\console.exe"
del "C:\*.inf"
del "C:\Program Files\Common Files\Microsoft Shared\*.exe"
del "C:\WINDOWS\mswinxpa_sp3upd.exe"
del "C:\*.htt"
del "C:\desktop.ini"
del "D:\*.inf"
del "D:\*.htt"
del "C:\Documents and Settings\Admin\Application Data\Macromedia\Flash Player\#SharedObjects\KW2WSRBN\*.exe"
del "C:\Documents and Settings\Admin\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\*.exe"
del "D:\desktop.ini"
del "C:\WINDOWS\desktop.ini"
del "C:\WINDOWS\huelar.exe"
del "C:\WINDOWS\winlogos.exe"
del "C:\WINDOWS\*.htt"
del "C:\WINDOWS\x64console.exe"
del "C:\WINDOWS\system\*.exe"
del "C:\WINDOWS\system\desktop.ini"
del "C:\WINDOWS\system\Folder.htt"
del "C:\WINDOWS\system\x64console.exe"
del "C:\WINDOWS\system32\console.exe"
del "C:\WINDOWS\system32\desktop.ini"
del "C:\WINDOWS\system32\Folder.htt"
del "C:\WINDOWS\system32\x64console.exe"
del "C:\WINDOWS\system32\huelar.exe"
del "%USERPROFILE%\My Documents\*.htt"
del "%USERPROFILE%\My Documents\desktop.ini"
del "%USERPROFILE%\My Documents\*.exe"
del "C:\Documents and Settings\Admin\*.exe"
del "C:\Documents and Settings\All Users\Start Menu\*.exe"
del "C:\Documents and Settings\Admin\Start Menu\*.exe"
del "C:\Documents and Settings\All Users\Start Menu\Programs\*.exe"
del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.exe"
del "C:\Documents and Settings\Admin\Application Data\*.exe"
del "C:\Documents and Settings\Admin\Cookies\*.txt"
del "C:\Documents and Settings\Admin\Favorites\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\*.exe"
del "C:\Documents and Settings\Default User\Cookies.exe"
del "C:\Documents and Settings\LocalService\Local Settings\*.exe"
del "C:\Documents and Settings\NetworkService\*.exe"
del "C:\Documents and Settings\LocalService\Cookies.exe"
del "C:\Program Files\Common Files\*.exe"
del "C:\Program Files\*.exe"
del "C:\Program Files\Yahoo!\Messenger\skins\*.exe"
del "C:\Documents and Settings\Admin\Application Data\Microsoft\*.exe"
del "C:\Program Files\ScanSoft\PaperPort\UserConfig\My Paperport Documents\*.exe"
del "C:\RECYCLER.exe"
del "C:\WINDOWS.exe"
del "C:\WINDOWS\system.exe"
del "C:\WINDOWS\Web.exe"
del "C:\WINDOWS\Web\*.exe"
del "C:\WINDOWS\system32\usmt.exe"
del "C:\WINDOWS\system32\winlogos.exe"
del "C:\WINDOWS\system32\wbem.exe"
del "C:\WINDOWS\system32\wbem\*.exe"
del "C:\WINDOWS\system32\xircom.exe"
del "C:\WINDOWS\Tasks.exe"
del "C:\WINDOWS\twain_32\*.exe"
del "C:\WINDOWS\HuelarKiller.exe"
del "C:\WINDOWS\mscvhost.exe"
del "C:\WINDOWS\system32\mscvhost.exe"
del "C:\WINDOWS\WinSxS.exe"
del "C:\WINDOWS\WinSxS\*.exe"
del "C:\WINDOWS\system32\ReinstallBackups.exe"
del "C:\WINDOWS\system32\ReinstallBackups\*.exe"
del "C:\WINDOWS\system32\Restore.exe"
del "C:\WINDOWS\system32\ShellExt.exe"
del "C:\WINDOWS\system32\SoftwareDistribution.exe"
del "C:\WINDOWS\system32\SoftwareDistribution\Setup.exe"
del "C:\WINDOWS\system32\SoftwareDistribution\Setup\*.exe"
del "C:\WINDOWS\system32\spool\drivers.exe"
del "C:\WINDOWS\system32.exe"
del "C:\WINDOWS\twain_32.exe"
del "C:\Documents and Settings\Admin\Application Data\Macromedia\*.exe"
del "C:\Documents and Settings\*.exe"
del "C:\Documents and Settings\*.htt"
del "C:\Documents and Settings\*.ini"
del "C:\Documents and Settings\*.inf"
del "C:\Documents and Settings\Admin\Application Data\Macromedia\Flash Player\#SharedObjects.exe"
del "C:\Documents and Settings\Admin\Application Data\Macromedia\Flash Player\#SharedObjects\KW2WSRBN.exe"
del "C:\Documents and Settings\Admin\Application Data\Microsoft.exe"
del "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\*.exe"
del "C:\Documents and Settings\Admin\Application Data\Microsoft\Installer.exe"
del "C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\*.exe"
del "C:\Documents and Settings\Admin\ChikkaDefault.exe"
del "C:\Documents and Settings\Admin\ChikkaDefault\*.exe"
del "C:\Documents and Settings\Admin\ChikkaDefault\Data\ADS.exe"
del "C:\Documents and Settings\Admin\ChikkaDefault\Data\ADS\*.exe"
del "C:\Documents and Settings\Admin\ChikkaDefault\Data\*.exe"
del "C:\Documents and Settings\Admin\Desktop\New Folder.exe"
del "C:\Documents and Settings\Admin\My Documents\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Application Data\Google.exe"
del "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Picasa2.exe"
del "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Picasa2\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Application Data\Identities.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\pft18~tmp.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\pft18~tmp\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\Picasa2\Picasa filecheck.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\Temporary Internet Files\Content.IE5.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\Temporary Internet Files\*.exe"
del "C:\Documents and Settings\Admin\Microsoft Office.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\Temporary Internet Files\Content.IE5\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\OIS.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temp\OIS\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\ALEO5B74\RSU78X1M.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\ALEO5B74\RSU78X1M\*.exe"
del "C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\*.exe"
del "C:\Documents and Settings\All Users\Application Data.exe"
del "C:\WINDOWS\system32\config\systemprofile\Cookies.exe"
del "C:\WINDOWS\system32\config\systemprofile\Local Settings\*.exe"
del "C:\WINDOWS\system32\directx.exe"
del "C:\WINDOWS\system32\microsoft.exe"
del "C:\WINDOWS\system32\spool.exe"
del "C:\WINDOWS\system32\Tools.exe"
del "C:\WINDOWS\system32\wins.exe"
del "C:\WINDOWS\temp.exe"
del "C:\WINDOWS\system32\inetsrv.exe"
del "C:\WINDOWS\pchealth.exe"
del "C:\WINDOWS\pchealth\ERRORREP.exe"
del "C:\WINDOWS\pchealth\ERRORREP\*.exe"
del "C:\WINDOWS\pchealth\*.exe"
del "C:\WINDOWS\pchealth\helpctr\*.exe"
del "C:\WINDOWS\pchealth\helpctr\System\*.exe"
del "C:\WINDOWS\pchealth\helpctr\System\images\*.exe"
del "C:\WINDOWS\pchealth\helpctr\System\panels\*.exe"
del "C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\*.exe"
del "C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\*.exe"
del "C:\WINDOWS\pchealth\helpctr\System\sysinfo\*.exe"
del "C:\WINDOWS\pchealth\helpctr\Vendors\*.exe"
del "C:\WINDOWS\PeerNet.exe"
del "C:\WINDOWS\Prefetch.exe"
del "C:\WINDOWS\Profiles.exe"
del "C:\WINDOWS\Profiles\*.exe"
del "C:\WINDOWS\Profiles\All Users\Adobe.exe"
del "C:\WINDOWS\Profiles\All Users\Adobe\Webbuy.exe"
del "C:\WINDOWS\Provisioning.exe"
del "C:\WINDOWS\Provisioning\*.exe"
del "C:\WINDOWS\Registration.exe"
del "C:\WINDOWS\Registration\*.exe"
del "C:\WINDOWS\Resources.exe"
del "C:\WINDOWS\repair.exe"
del "C:\WINDOWS\Resources\*.exe"
del "C:\WINDOWS\Resources\Themes\*.exe"
del "C:\WINDOWS\Resources\Themes\Luna\*.exe"
del "C:\WINDOWS\security\*.exe"
del "C:\WINDOWS\SHELLNEW.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\10\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\10\msft\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\10\msft\windows\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\10\policy\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\10\policy\msft\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\10\policy\msft\windows\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\msft\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\msft\windows\system\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\policy\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\policy\msft\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\policy\msft\windows\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\51\policy\msft\windows\system\*.exe"
del "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\*.exe"
del "C:\WINDOWS\srchasst.exe"
del "C:\Program Files\Common Files\InstallShield\Professional\RunTime\*.exe"
del "C:\Program Files\Common Files\Microsoft Shared\THEMES11\*.exe"
del "C:\Program Files\Common Files\System\*.exe"
del "C:\Program Files\Common Files\InstallShield\Driver\7\*.exe"
del "C:\Program Files\Common Files\InstallShield\*.exe"
del "C:\WINDOWS\system32\appmgmt.exe"
del "C:\WINDOWS\system32\1054.exe"
del "C:\WINDOWS\system32\2052.exe"
del "C:\WINDOWS\system32\3076.exe"
del "C:\WINDOWS\system32\1042.exe"
del "C:\WINDOWS\system32\1041.exe"
del "C:\WINDOWS\system32\1037.exe"
del "C:\WINDOWS\system32\1033.exe"
del "C:\WINDOWS\system32\1031.exe"
del "C:\WINDOWS\system32\1028.exe"
del "C:\WINDOWS\system32\1025.exe"
del "C:\WINDOWS\system32\3com_dmi.exe"
del "C:\WINDOWS\system32\CatRoot.exe"
del "C:\WINDOWS\system32\appmgmt\*.exe"
del "C:\WINDOWS\system32\CatRoot_bak.exe"
del "C:\WINDOWS\system32\CatRoot2.exe"
del "C:\WINDOWS\system32\Color.exe"
del "C:\WINDOWS\system32\Com.exe"
del "C:\WINDOWS\system32\config.exe"
del "C:\WINDOWS\system32\config\systemprofile.exe"
del "C:\WINDOWS\system32\dhcp.exe"
del "C:\WINDOWS\system32\dllcache.exe"
del "C:\WINDOWS\system32\drivers.exe"
del "C:\WINDOWS\system32\ias.exe"
del "C:\WINDOWS\system32\icsxml.exe"
del "C:\WINDOWS\system32\IME.exe"
del "C:\WINDOWS\system32\Macromed.exe"
del "C:\WINDOWS\system32\mui.exe"
del "C:\WINDOWS\system32\npp.exe"
del "C:\WINDOWS\system32\oobe.exe"
del "C:\WINDOWS\system32\PreInstall.exe"
del "C:\WINDOWS\system32\ras.exe"
del "C:\WINDOWS\system32\mui\*.exe"
del "C:\WINDOWS\system32\oobe\*.exe"
del "C:\WINDOWS\system32\oobe\html\*.exe"
del "C:\WINDOWS\WinSxS\Policies\*.exe"
del "C:\WINDOWS\WebJetWizard.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\*.exe"
del "C:\WINDOWS\$NtUninstallKB950749$.exe"
del "C:\WINDOWS\$hf_mig$\KB951072-v2\*.exe"
del "C:\WINDOWS\$hf_mig$\*.exe"
del "C:\WINDOWS\$hf_mig$\KB946648\*.exe"
del "C:\WINDOWS\$hf_mig$.exe"
del "C:\System Volume Information.exe"
del "C:\WINDOWS\assembly.exe"
del "C:\Program Files\Common Files\Microsoft Shared\web server extensions\40.exe"
del "C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\*.exe"
del "C:\Program Files\InstallShield Installation Information\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.AForce.Graphics.Dashboard.resources\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Eeu.resources\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Erecord.resources\*.exe"
del "C:\WINDOWS\assembly\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.resources\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.HotKeyManager.Resources\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.ProfileManager.Resources\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Systemtray.resources\*.exe"
del "C:\RECYCLER\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.resources\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\PCKGHLP.Foundation.Implementation.resources\*.exe"
del "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\*.exe"
del "C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Wizard.resources\*.exe"
echo Cleanup finished.

Save this file as cleaner.bat
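The cleaner above works from a fixed list of names plus blanket wildcards such as del C:\*.exe, which also removes legitimate programs. A more targeted approach follows from the description of the worm earlier in the post: look for an .exe whose name matches a sibling folder or file, for the worm's own binaries, and for the Autorun.inf / Folder.htt / desktop.ini helpers sitting beside them. The Python script below is an added example and not the blog's own code. Its sample tree is constructed in a temporary directory, every file name in it other than the worm's binaries is made up for the demo, and the dry-run mode lets you review the findings before anything is deleted.

```python
"""Find the worm's "folder mimic" copies instead of deleting every .exe on a
drive. Added example for this post, not the blog's own code. The sample tree
is constructed for the demo; only the worm binary names come from the post."""
import os
import tempfile
from pathlib import Path

# Binaries the post names as the worm's own files.
KNOWN_WORM_EXES = {"huelar.exe", "winlogos.exe", "mscvhost.exe", "huelarkill.exe"}
# Helper files the post's cleaner removes beside the copies. They are normal
# on their own, so they are only flagged where a suspicious .exe sits with them.
DROPPER_NAMES = {"autorun.inf", "folder.htt", "desktop.ini"}


def scan_tree(root):
    """Return sorted absolute paths of suspicious files under root.

    An .exe is flagged when its stem is the name of a sibling directory
    (Photos -> Photos.exe) or of a sibling file (report.doc -> report.doc.exe),
    or when it is one of the known worm binaries. Dropper files in the same
    directory as a flagged .exe are then flagged too.
    """
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_lower = {d.lower() for d in dirnames}
        files_lower = {f.lower() for f in filenames}
        hits = []
        for name in filenames:
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if ext != ".exe":
                continue
            if lower in KNOWN_WORM_EXES or stem in dirs_lower or stem in files_lower:
                hits.append(name)
        if hits:
            hits += [n for n in filenames if n.lower() in DROPPER_NAMES]
        flagged.extend(os.path.join(dirpath, n) for n in hits)
    return sorted(flagged)


def relative(paths, root):
    """Render paths relative to root with forward slashes, for stable output."""
    return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)


def remove_flagged(root, dry_run=True):
    """Delete what scan_tree found; with dry_run=True only report. Returns the targets."""
    targets = scan_tree(root)
    if not dry_run:
        for path in targets:
            os.remove(path)
    return targets


def build_demo_tree(base):
    """Constructed sample: an infected-looking user folder (placeholder bytes, no malware)."""
    base = Path(base)
    (base / "Photos").mkdir()
    (base / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8 placeholder")
    (base / "Photos" / "desktop.ini").write_text("[.ShellClassInfo]\n")  # legit: no mimic beside it
    (base / "Photos.exe").write_bytes(b"MZ placeholder")      # copy named after the folder
    (base / "report.doc").write_bytes(b"real document")
    (base / "report.doc.exe").write_bytes(b"MZ placeholder")  # copy named after the file
    (base / "autorun.inf").write_text("[autorun]\nopen=Photos.exe\n")
    (base / "Folder.htt").write_text("<html></html>\n")
    (base / "Tools").mkdir()
    (base / "Tools" / "setup.exe").write_bytes(b"MZ legitimate installer")
    (base / "Tools" / "winlogos.exe").write_bytes(b"MZ placeholder")  # known worm name
    return base


def demo():
    """Build the sample tree, scan it, clean it, and return (flagged, survivors)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        flagged = relative(remove_flagged(root, dry_run=True), root)
        remove_flagged(root, dry_run=False)
        survivors = relative(
            [os.path.join(d, f) for d, _, files in os.walk(root) for f in files], root)
    return flagged, survivors


if __name__ == "__main__":
    found, left = demo()
    print("suspicious:", found)
    print("kept:", left)
```

To use it on a real folder, call relative(remove_flagged(path), path) first, read the list, and only pass dry_run=False once it contains nothing you want to keep. The script only compares names, so it runs on any operating system and never executes the files it inspects.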

Next, we will create a registry file that undoes the worm's changes.

Open Notepad again and copy and paste the following code.

Windows Registry Editor Version 5.00

; Re-enable the tools the worm turned off. Note that the digits after
; "dword:" in a .reg file are hexadecimal.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

; Remove the worm's own key (the leading "-" deletes the whole key)
[-HKEY_LOCAL_MACHINE\SOFTWARE\Huelar]

; Remove the worm's autostart entries ("=-" deletes a value)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Huelar Services 2.0"=-
"winlogos.exe"=-
"Microsoft Service Host"=-

; Restore the normal shell
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

; Restore Internet Explorer's title bar and start page
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Microsoft Internet Explorer"
"Start Page"="http://yahoo.com"

; Disable AutoRun for every drive type: the mask is 0xFF, written in hex.
; Windows reads this value from the Policies\Explorer key.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Homepage"=dword:00000000

; Bring back Folder Options
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

; The worm leaves its tagline ("I will always be with you, Emman!") in this value; remove it
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"IeakHelpString"=-

; Show hidden and system files and file extensions so the worm's copies are visible
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000
"SuperHidden"=dword:00000001

Save the file as huelarkiller.reg
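One detail worth checking in any .reg file of this kind before importing it: regedit treats the digits after dword: as hexadecimal, so a line written as dword:255 sets 0x255 (decimal 597) rather than the 0xFF mask that NoDriveTypeAutoRun needs to cover all drive types. The Python script below is an added example and not the blog's own code. It parses a constructed .reg fragment modelled on huelarkiller.reg, keeps that slip in the sample on purpose, compares the parsed values with the ones a finished cleanup should leave behind, and reports the mismatch together with a policy the sample forgot. The EXPECTED table is an assumption about what "clean" means for this worm, based on the values the post restores.

```python
"""Parse a .reg file and verify the policy values a cleanup is supposed to
restore. Added example for this post, not the blog's own code. REG_TEXT is a
constructed fragment modelled on huelarkiller.reg; "dword:255" is kept in it
on purpose because .reg dword data is hexadecimal, so it sets 0x255, not 0xFF."""
import re

REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:0
"DisableTaskMgr"=dword:0

[-HKEY_LOCAL_MACHINE\SOFTWARE\Huelar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Huelar Services 2.0"=-
"winlogos.exe"=-
"Microsoft Service Host"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:255

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"""

HKCU_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKCU_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKLM_EXPLORER = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed definition of "clean": (key, value name) -> (kind, data) the file must set.
EXPECTED = {
    (HKCU_SYSTEM, "DisableRegistryTools"): ("dword", 0),
    (HKCU_SYSTEM, "DisableTaskMgr"): ("dword", 0),
    (HKCU_EXPLORER, "NoDriveTypeAutoRun"): ("dword", 0xFF),  # all drive types
    (HKLM_EXPLORER, "NoFolderOptions"): ("dword", 0),
    (HKLM_RUN, "Huelar Services 2.0"): ("delete", None),
    (WINLOGON, "Shell"): ("string", "explorer.exe"),
}

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {(key, name): (kind, data)}; kind is 'dword', 'string' or 'delete'.
    A whole-key deletion "[-KEY]" is recorded as (KEY, None) -> ('delete_key', None)."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                key = key[1:]
                entries[(key, None)] = ("delete_key", None)
            continue
        match = VALUE_LINE.match(line)
        if not match or key is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name, data = match.group(1), match.group(2)
        if data == "-":
            entries[(key, name)] = ("delete", None)
        elif data.startswith("dword:"):
            entries[(key, name)] = ("dword", int(data[len("dword:"):], 16))  # always hex
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            entries[(key, name)] = ("string", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        else:
            raise ValueError(f"unsupported data on line: {raw!r}")
    return entries


def check(entries, expected=EXPECTED):
    """Return readable problems; an empty list means the file restores everything expected."""
    problems = []
    for (key, name), want in expected.items():
        got = entries.get((key, name))
        if got is None:
            problems.append(f"missing {name} under {key}")
        elif got != want:
            shown = f"0x{got[1]:x}" if got[0] == "dword" else repr(got[1])
            problems.append(f"{name} under {key} is {got[0]} {shown}, expected {want[0]} {want[1]!r}")
    return problems


def dword_line(name, value):
    """Format a value line the way regedit writes it: eight hex digits."""
    return f'"{name}"=dword:{value:08x}'


def fixed_text():
    """REG_TEXT with the AutoRun mask corrected and the missing Folder Options policy appended."""
    return (REG_TEXT.replace('"NoDriveTypeAutoRun"=dword:255', dword_line("NoDriveTypeAutoRun", 0xFF))
            + f"\n[{HKLM_EXPLORER}]\n" + dword_line("NoFolderOptions", 0) + "\n")


if __name__ == "__main__":
    for problem in check(parse_reg(REG_TEXT)):
        print("problem:", problem)
    print("after fix:", check(parse_reg(fixed_text())) or "clean")
```

If regedit refuses the import because the DisableRegistryTools policy is still in force, note that the policy applies to regedit.exe only; reg.exe is not bound by it, so "reg import huelarkiller.reg" from a command prompt still applies the same file.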

Run cleaner.bat, then run huelarkiller.reg.

Restart your computer

The Huelar virus should now be gone from your system.

4 comments:

dolly said...

Where can I find the cleaner.bat and the huelar.reg?

Lord_Aragorn said...

@dolly
very funny! lol

Lord_Aragorn said...

Nice blog, man. Very informative. My whole damn network has been hit by these insects.
This is a great help. Keep it up.

ryan said...

I tried to run huelarkiller.reg but it won't execute. It appears that the registry was disabled by the administrator.