Fix "Here You Are" Email Worm

“Here You Are” is the latest E-Mail Threat circulating around the internet in recent times. The subject of the Email will be "Here Yor Are". Effectively, the way it tricks to infect you, it appear to link be a link to PDF, but in reality, is an executable file. Once infected, then worm will automatically send email to your entire contact list and infect more systems.

Mr. Vasim Memon, working as technical guy in India has created a batch file that will solve this problem. This file will automatically perform some cleanup task in all affected areas and will make you feel happy; here is link to download the batch file.

And incase if you want to experiment and want to remove the worm mannually, here are the steps you need to follow. All The Best!

First of all kill below process: –

1. %windows%\system\updates.exe
2. %windows%\csrss.exe
3. %windows%\ff.exe
4. %windows%\gc.exe
5. %windows%\hst.iq
6. %windows%\ie.exe
7. %windows%\im.exe
8. %windows%\op.exe
9. %windows%\pspv.exe
10. %windows%\rd.exe
11. %windows%\re.exe
12. %windows%\re.iq
13. %windows%\tryme1.exe
14. %windows%\vb.vbs
15. %system%\SendEmail.dll

Note: How to find the processes that are currently running. And If you want delete any running process, Press Ctrl+Alt+Del The Same Time and click on taskbar - Processes. 

And then delete below registry entries: – 

Warning: before you try to modify windows registry, learn how to backup windows registry. Also try to have a backup of your registry at this stage before you proceed. Read More On How To Backup Windows Registry.

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options0hoeav.com
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optionsw.com
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6×8be16.cmd
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BIOSREad.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BdSurvey.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CaVCmd.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CavaUd.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cavapp.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtIaRP.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtS.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aPVxdWIN.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVCONSOL.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVENGINE.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVP32.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVPCC.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVPM.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adobe Gamma Loader.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\angry.bat
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu-0607g.xml
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu.stt
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arSwp.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaiSv.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPcc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswBoot.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRegSvr.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoRun.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoRunKiller.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.bin
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.ini
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.reg
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.txt
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.wsh
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avMonitor.ExE
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastSS.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgamsvr.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgas.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avginet.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscan.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupsvc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltd.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avzkrnl.dll
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bad1.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bad2.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bad3.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caiss.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caissdt.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catcache.dat
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cauninst.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavasm.ExE

And restore the following registry keys back to their defaults

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
• EnableLUA=dword:00000000 to EnableLUA=dword:00000001
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• Shell= Explorer.exe %windows%\csrss.exe to Shell=Explorer.exe

No doubt, you have to do lot of manual work. This file will automatically perform some cleanup task in all affected areas and will make you feel happy; here is the link to download the batch file.

Reference: http://systadmin.wordpress.com/2010/09/17/here-you-are-worm-removal-tool-%E2%80%93-email-worm-solution/