Dec 7, 2008

Huelar remover (updated)

"I will always be with you" - huelar
This is the threat I saw in the registry of my computer when I was hoping to kill this virus. Huelar is a worm which carries out the following attacks:

-Kills the processes of your antivirus
-Edits registry values
-Hides all your folders and replaces them with files with the .exe extension, which allows the virus to stay on your PC all the time
-Changes the home page of your Internet Explorer to redtube.com, which is actually a porn site

These are just my personal experiences with this very bad virus. This virus also comes with other viruses such as mscvhost.exe and winlogos.exe.
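A read-only check for the folder-replacement behaviour in the list above, added here as an example and not part of the original post. It assumes the decoy file carries the hidden folder's name plus .exe; `find_folder_decoys` is a hypothetical name and the directory tree in `demo()` is constructed.

```python
import os
import stat
import tempfile

def find_folder_decoys(root):
    """Yield (exe_path, folder_path, folder_is_hidden) for every NAME.exe that
    sits beside a directory called NAME, anywhere under root.
    Files are only listed, never opened or run."""
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower(): d for d in dirnames}
        for f in filenames:
            stem, ext = os.path.splitext(f)
            if ext.lower() != ".exe" or stem.lower() not in folders:
                continue
            folder = os.path.join(dirpath, folders[stem.lower()])
            # st_file_attributes exists only on Windows; elsewhere report False
            attrs = getattr(os.stat(folder), "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            yield os.path.join(dirpath, f), folder, hidden

def demo():
    """Build a constructed directory tree and return the decoy names found in it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Photos"))
        os.makedirs(os.path.join(root, "Work", "Reports"))
        for rel in ("Photos.exe", "setup.exe", os.path.join("Work", "Reports.EXE")):
            open(os.path.join(root, rel), "wb").close()
        return sorted(os.path.basename(exe) for exe, _, _ in find_folder_decoys(root))

if __name__ == "__main__":
    print(demo())
```

A pair reported with `folder_is_hidden` set to True matches the symptom described above most closely; a pair without it can be an ordinary program that happens to share a folder's name.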

Now, for the antidote:
1.) First, do not click your folders; they may already be .exe files.
2.) Follow these steps:

How to Remove W32.Heular:

by precisesecurity
November 28th, 2007 at 2:43 am

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in Safe Mode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft File Server Manager 2.36" = "C:\WINDOWS\system32\filesrv32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Heiku - Munist" = "C:\WINDOWS\system32\EraleuH.exe"

Navigate to and restore the following registry entries to their original values, if needed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
"NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DefaultIcon
"(default)" = "C:\WINDOWS\system32\filesrv32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"IeakHelpString" = "I will always be with you, Huelar!"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
"EnableHeikus" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
"InstallDate" = "1/15/2008"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Window Title" = "Freak-X Browser"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Local Page" = "[http://]www.hentaisailormoon.com[REMOVED]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = "[http://]www.hentaisailormoon.com[REMOVED]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt" = "1"

6. Exit registry editor and restart the computer.
7. To make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without the need to install them, is with an online virus scanner.
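The registry entries in step 5 can also be checked offline against an exported .reg file. This is an added example, not code from the original post or from the quoted guide; it assumes the data shown in the guide's lists is what the worm writes, the names `parse_reg` and `find_heular` are hypothetical, and the sample export is constructed.

```python
import re

# (key, value name, data) from the quoted guide: worm-specific entries plus two policy locks.
CV = r"\SOFTWARE\Microsoft\Windows\CurrentVersion"
INDICATORS = [
    ("HKEY_LOCAL_MACHINE" + CV + r"\Run", "Microsoft File Server Manager 2.36", r"C:\WINDOWS\system32\filesrv32.exe"),
    ("HKEY_LOCAL_MACHINE" + CV + r"\Run", "Heiku - Munist", r"C:\WINDOWS\system32\EraleuH.exe"),
    ("HKEY_LOCAL_MACHINE" + CV + r"\policies\Explorer", "NoFolderOptions", "1"),
    ("HKEY_CURRENT_USER" + CV + r"\Policies\System", "DisableRegistryTools", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DefaultIcon", "@", r"C:\WINDOWS\system32\filesrv32.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Window Title", "Freak-X Browser"),
]
# One value line: "name"= or @= followed by dword:XXXXXXXX or a quoted string
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(?:dword:([0-9a-fA-F]{1,8})|"((?:[^"\\]|\\.)*)")$')

def unescape(s):
    # .reg strings escape a backslash or a double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse regedit export text into {(key, value name): data}, keys and names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            name = name if name == "@" else unescape(name[1:-1])
            data = str(int(dword, 16)) if dword is not None else unescape(string)
            values[(key, name.lower())] = data
    return values

def find_heular(text):
    """Return (key, value name, data) for each listed indicator present in the export."""
    found = parse_reg(text)
    return [(k, n, bad) for k, n, bad in INDICATORS
            if found.get((k.lower(), n.lower()), "").lower() == bad.lower()]

# Constructed sample export (not taken from an infected machine)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Heiku - Munist"="C:\\WINDOWS\\system32\\EraleuH.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

if __name__ == "__main__":
    print("\n".join(f"{k} : {n} = {d}" for k, n, d in find_heular(SAMPLE)))
```

An export in the "Windows Registry Editor Version 5.00" format is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. The Explorer\Advanced values are left out of the list because `HideFileExt = 1` is also the Windows default and would be reported on a clean machine.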


Now, for my own steps:
1.) Kill the process in Task Manager. If Task Manager isn't working, go to Start -> Run
type: cmd
then, in the command window, type:
tasklist
Then find processes like huelar.exe, mscvhost.exe, and winlogos.exe
and kill each one by its process ID like this:
taskkill /f /pid <PID>
/f forces the process to terminate
/pid takes the process ID shown by tasklist

2.) You can now run your antivirus and scan your system. I recommend avast or nod32; these antivirus programs will delete folder.exe.

3.) Clean the registry by running the TuneUp Utilities registry cleaner [link here]

4.) Go to Run and type: msconfig
Go to the Startup tab, then uncheck entries such as huelar, mscvhost and winlogos.

5.) Run the 8x procedure of noob killer [link]

6.) Restart the system

7.) If symptoms persist, contact me...^_^

These tools can also help:
HijackThis: [link]
viral massacre: [link]
noob killer: [link]

Download this:
http://www.4shared.com/file/82414346/b35aaa70/Heul4r_Utm4t3_R3m0v4l_To0l.html


12 Comments:

Ayel said...

Geesh. All the computers at school are affected by this. We have to close the computer lab because redtube is now the homepage.

It's frustrating because our technician still really refuses to believe that this step could solve the problem.

trashman said...

Tsk tsk, please show him the effect of the virus... I'll add more steps on how to solve this problem.

phraensys said...

Looking at your step-by-step solution, it makes sense, but I have another problem: my regedit is restricted. It says registry editing has been disabled by your administrator.

Also, I could not open the Task Manager [when I right-click on the taskbar].

Any alternative back door for this?

trashman said...

Using noob killer, sir, you can actually enable the Task Manager, regedit, and many others..

Anonymous said...

Dude, I've already clicked my folders, which are already .exe... what will I do now?

Edmond said...

Oh, thanks for this valuable help. My PC got this and for months I was looking for rescue until I found your solution.. thanks for posting

trashman said...

You're welcome.^_^

Anonymous said...

trashman... I need your help... I tried all the things you've said... but it doesn't work... please help me... to that bad huelar...

Anonymous said...

How do I get back the files that were infected by the virus?

Marvin Fernandez said...

The files are just hidden... you just need to edit your registry to allow showing of super hidden files and folders.

Lala said...

Thank you very much for the huelar.. ^_^

Anonymous said...

Ayel, that's just stupidity on the technician's part ;)