Solved Can't Rename Drive and Lost Icon

"problem solved" mate (tried every step that I can). If you open "Disk Management" and try to change name and drive letter, it won't work, you can't even change its icon. Anyways, thanks for that info.

I am using XP Professional, but the folders are the same for Vista. The virus lives (keeps all its files) in two places:

C:\Documents and Settings\Administrator\Local Settings\Temp\winthb, and

C:\WINDOWS\system32\win.dll

(It also writes itself as autorun.inf and winthb.exe to pen drives etc. that connect to the system. These are hidden files. winthb.exe has a blank icon.)

These are both hidden folders (win.dll looks like a .dll file, but it is actually a folder), so you'll have to enable seeing hidden files and folders and seeing superhidden files and folders. This virus is not sophisticated enough to turn those functions off, although it apparently tries - see the second registry change below (and its std.txt file).

Below is the text of a .reg file that will restore seeing hidden and superhidden, assuming some other virus isn't constantly turning seeing them off:

<Start Code>

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1491950412-2009852829-4049741679-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

<End Code>

Do not include <Start Code> or <End Code> in the .reg file.

Make it by pasting the code into notepad and saving the file as something like:

Restore See Hidden and Superhidden.reg

After saving, click on it and then confirm by clicking on OK.

Delete both those folders, empty the recycle bin and delete C:\autorun.inf and C:\thb.ico. This should take care of it. It only writes itself to those 4 locations (and USB devices). It is the C:\autorun.inf and C:\thb.ico files that keep your C:\ drive icon changed. Once the two folders and the two files in C:\ are gone, and you reboot, everything will be back to normal.

(If you want to see what the virus installs itself, open the folders before deleting them and copy the .txt files to somewhere for reviewing later.)

Now do a system restore to restore the 2 registry entries changed:

1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\winlogon

the value of which has been changed to:

C:\WINDOWS\system32\win.dll\win.exe C:\WINDOWS\system32\win.dll\std.txt

I do not know the correct value for either XP or Vista.

2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\checkedvalue

This value has been changed to 0, but on my XP system, the ability to see hidden and superhidden files was not changed. Maybe it is in Vista. I don't know. The value should be 1.

Doing the System Restore may put the virus back 8-( but just delete the folders and files again (making absolutely sure NOT to click on or even hover the mouse pointer over any .exe file in either of the virus's folders), and check the registry entries.

If System Restore did put the virus back, turn off System Restore for all drives. All the old System Restore information will have been deleted, along with the virus saved in it. Then repeat the process. Now turn it back on.

While you're turning System Restore back on, in the 'Settings' for your C:\ drive (assuming your OS is installed there) move the slider down to 6% for the System Restore file area, and turn it off for all other partitions that don't have an OS installed on them. That'll save gigabytes of space on your hard disk.

Everything should be OK now.
 
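A read-only way to check for the leftovers listed in the post above, as an added PowerShell example that is not part of the original thread. The paths and registry values are the XP ones given in the post; the names `Get-ArtifactReport` and `New-Row` are hypothetical, chosen here.

```powershell
# Read-only check for the leftovers named in the post above; nothing is deleted.
# Assumption: the paths are the XP ones from the post (profile "Administrator").
$fixedPaths = @(
    'C:\Documents and Settings\Administrator\Local Settings\Temp\winthb',
    'C:\WINDOWS\system32\win.dll',
    'C:\autorun.inf',
    'C:\thb.ico'
)

# Hypothetical helper: one report row per checked item.
function New-Row($Item, $Found, $Detail) {
    New-Object PSObject -Property @{ Item = $Item; Found = [bool]$Found; Detail = "$Detail" }
}

function Get-ArtifactReport {
    # Fixed locations. Test-Path also reports hidden and system items.
    foreach ($p in $fixedPaths) { New-Row $p (Test-Path -LiteralPath $p) '' }

    # Files the post says get copied to pen drives and other removable media.
    # @() keeps the loop from running once on $null when no drive matches.
    $drives = @([System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady })
    foreach ($d in $drives) {
        foreach ($name in 'autorun.inf', 'winthb.exe') {
            $p = Join-Path $d.RootDirectory.FullName $name
            New-Row $p (Test-Path -LiteralPath $p) 'removable drive'
        }
    }

    # Registry entry 1: the "winlogon" value under the Run policy key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    $run = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).winlogon
    New-Row "$runKey\winlogon" ($run -like '*\win.dll\win.exe*') $run

    # Registry entry 2: CheckedValue set to 0 (the post gives 1 as the correct value).
    $showKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $checked = (Get-ItemProperty -Path $showKey -ErrorAction SilentlyContinue).CheckedValue
    New-Row "$showKey\CheckedValue" ($checked -eq 0) "current value: $checked"
}

Get-ArtifactReport | Format-Table Item, Found, Detail -AutoSize
```

Any row with `Found` set to True marks an item the post says to delete or restore; running the check again after cleanup and after a System Restore shows whether anything came back.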