Sunday, March 23, 2008

New Yahoo! Messenger Virus Attack nsl-school.org Solution

This Yahoo! Messenger worm is one of the more aggressive ones going around. If your computer is infected, it sends the nsl-school.org URL to everyone on your Yahoo! Messenger friend list using your ID, so within a few hours many of your friends will be infected too.


To clean it off, go through the steps below carefully.

What are those links?
nsl-school.org (and variants). Do not open this URL in your browser.

If you are infected, what happens?

1: It sets your default Internet Explorer home page to nsl-school.org, and you cannot change it back. Every time IE is opened, the page executes malicious code on your computer again.


2: It disables Task Manager and Registry Editor, so you cannot kill the Trojan process.

3: The files installed by the worm are svhost.exe, svhost32.exe and internat.exe (look in the Windows\ and Temp\ directories; note the missing "c" that distinguishes svhost from the legitimate svchost.exe).

4: It sends sensitive information stored on the computer to the attacker.


How to remove it manually?

1: Close Internet Explorer, log out of Messenger and unplug the network cable.

2: Enable Regedit. Click Start -> Run and type this command exactly as given below (better: copy and paste):
Code:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f


3: Enable Task Manager (we need it to kill the process). Click Start -> Run and type this command exactly as given below (better: copy and paste):
Code:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f


4: Now change the default page of IE through Regedit.
Go to Start -> Run -> Regedit

In each of the keys below, change the Start Page value from the attacker's site to hackgyan.net or any other page:

Code:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main


Just replace the attacker's site with hackgyan.net, or set it to a blank page (about:blank).

5: Now kill the process. Press Ctrl + Alt + Del to open Task Manager.

Kill the svhost32.exe process (there may be more than one instance running; check carefully, and do not confuse it with the legitimate svchost.exe).

6: Delete svhost32.exe and svhost.exe from the Windows\ and Temp\ directories, or just search your computer for svhost and delete the files it finds.

7: In Regedit, search for svhost and delete every result (these are the autostart entries that relaunch the worm at logon).

8: Restart the computer. That's it, the worm is gone.
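Steps 4 to 7 above, scripted in PowerShell as an added example (this is not the original post's code). It assumes the file names and registry keys the post names, uses about:blank as the replacement home page, and only reports until it is run with -Fix. Run it from an administrator PowerShell 2.0 (or later) session; it does not need Task Manager or Regedit itself, so it also works before the two REG add commands above have been applied.

```powershell
# Added example, not the original post's code: the manual nsl-school.org removal
# steps 4-7 as one script. Assumes (from the post) the dropped file names and the
# three Internet Explorer\Main keys; the replacement home page about:blank is my choice.
# Without -Fix the script only reports what it would change.
param([switch]$Fix)

$badNames = 'svhost.exe', 'svhost32.exe', 'internat.exe'   # note: svhost, not the real svchost
$badHost  = 'nsl-school.org'

# Step 4: Internet Explorer start page in all three hives (HKU needs its own PS drive)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\Software\Microsoft\Internet Explorer\Main',
          'HKU:\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
foreach ($k in $ieKeys) {
    if (-not (Test-Path $k)) { continue }
    $start = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and $start -match [regex]::Escape($badHost)) {
        Write-Host "Start Page in $k = $start"
        if ($Fix) { Set-ItemProperty -Path $k -Name 'Start Page' -Value 'about:blank' }
    }
}

# Step 5: kill every instance of the dropped executables. Matching on the full
# file name means a running svchost.exe is never touched.
foreach ($p in Get-Process | Where-Object { $badNames -contains ($_.Name + '.exe') }) {
    Write-Host ("Running: {0} (PID {1})" -f $p.Name, $p.Id)
    if ($Fix) { Stop-Process -Id $p.Id -Force }
}

# Step 6: delete the files from the directories the post names (-Force handles hidden files)
$dirs = $env:windir, (Join-Path $env:windir 'Temp'), $env:TEMP
foreach ($d in $dirs) {
    foreach ($n in $badNames) {
        $f = Join-Path $d $n
        if (Test-Path $f) {
            Write-Host "Found file: $f"
            if ($Fix) { Remove-Item -Path $f -Force }
        }
    }
}

# Step 7: the "search regedit for svhost" step, limited to the autostart keys
# that actually relaunch the worm at logon
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($cmd -match 'svhost|internat\.exe') {
            Write-Host "Autostart: $k\$name = $cmd"
            if ($Fix) { Remove-ItemProperty -Path $k -Name $name }
        }
    }
}
```

Run it once without -Fix and read the report before running it with -Fix. If a killed process reappears within seconds, another copy is still running or a second autostart entry relaunches it; do the -Fix run in Safe Mode, where the worm's autostart entries are not honoured, and then reboot as in step 8.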

Task Manager disabled, regedit blocked, Folder Options gone, gpedit.msc blocked, cmd blocked... try this!

Here is a restriction removal tool.

Download it and run it; all the restrictions will be removed from your PC.
1. Restriction Removal Tool (RRT)
link: http://www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml
------------------------------------------------------------------------------------------
If the tool above doesn't work, try the ones listed below, but the first one should do the job.

----------------------------------------------------------------
2.unhackme
http://www.greatis.com/unhackme/download.htm

3.hijackthis
http://filehippo.com/download_hijackthis/
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

4.process explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx



If your PC is infected with a virus, the most common symptoms are that Folder Options is disabled, you cannot open Task Manager, and so on.


The first step is to identify the virus process.
Process Explorer helps here: it shows the path of the file behind each running process.

Then use the Restriction Removal Tool to lift the Task Manager, Folder Options and similar restrictions.

Next, remove the running virus process.
Use HijackThis: select the virus entry and it will remove it from the startup registry keys as well.

Finally, run UnHackMe to remove rootkits.

HAPPY BIRTHDAY VIRUS REMOVAL INSTRUCTIONS

Below are the removal instructions for the Happy Birthday virus.
Don't forget to rename the downloaded files to .zip and
change the .exc file extension to .exe.
Download the files from the links below (Security Task Manager and NOD32 Registry Fix):

http://cid-a8c37fe357e06ebd.skydrive.live.com/self.aspx/System%20Tools/STM.compress
http://cid-a8c37fe357e06ebd.skydrive.live.com/self.aspx/System%20Tools/NOD32%20Registry%20Recovery.compress


1. Install Security Task Manager with the patch from my attachment and run the program.
2. Kill the explorcr.exe process and delete the file manually from
%systemroot%\system32 (it is hidden). The "happy birthday" caption
disappears as soon as the process is killed. Note the name: explorcr.exe, not the legitimate explorer.exe.
3. Also delete autorun.inf from %systemroot% manually (it is hidden).
Remark:
If you cannot find those files, use another file browser such as
Captain Nemo, because the virus disables most of the useful system commands
such as cmd, regedit, msconfig and more.

4. Insert the Windows XP CD-ROM and copy ntldr from i386\ntldr to %systemdrive%.
5. Run NOD32 Registry Fix to recover the system commands.
6. Restart your computer.

Don't forget to check all USB storage and manually delete every autorun.inf,
explorcr.exe and foldername.exe. explorcr.exe deletes ntldr from the
system drive; use the Windows XP Recovery Console to copy ntldr back if
the computer's copy has already been deleted by explorcr.exe.

Wish all of you to be happy after cleaning.

Thursday, March 13, 2008

Disabled Network Drive etc. in Tools Menu - System.exe Virus

Symptoms

It creates a hidden file, system.exe, in the Windows directory. McAfee can detect it but cannot remove it, because it cannot stop it from running: permission denied.

Folder Options is disabled; the Tools menu in Explorer is filled with entries like "Disable network drive" etc., but there is no Folder Options entry, so you cannot show hidden files.
If you try to open Folder Options from Help and Support Center, you get the message "The current settings of Windows forbid this application...".

Task Manager is disabled. If you press Ctrl+Alt+Del you get "Task Manager has been disabled...", and nothing happens when you run TASKMAN from the Windows folder.

Run has been removed from the Start menu.

Command Prompt (cmd.exe) has been disabled.

Solution

First use HijackThis to remove all suspicious entries from your system, and also run a scan with BitDefender or Kaspersky.
---------------
For enabling Folder Options:
Fire up Group Policy Editor (Start -> Run -> "gpedit.msc").

On the left, go to User Configuration,
then Administrative Templates,
then Windows Components,
then Windows Explorer.
Finally, on the right, set "Remove the Folder Options menu item from the Tools menu" to Disabled (or Not Configured).

------------------------
To enable cmd
Open Registry Editor (regedit.exe) and navigate to:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]

In the right pane, double-click DisableCMD and set its data to 0 (or delete the value).
------------------------
To enable task manager
Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
-------------------------
To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
----------------
Preferably do all of the above in Safe Mode.
Now remove system.exe.
Use Windows Task Manager to end the system.exe process:


To open Windows Task Manager, press CTRL+ALT+DEL or CTRL+SHIFT+ESC.
Click the "Image Name" column header to sort the list and find the "system.exe" process by name.
Select the "system.exe" process and click "End Process" to kill it.

------------------------------
Use the Windows File Search tool to find the path of system.exe


Go to Start > Search > All Files or Folders.
In the "All or part of the file name" box, type "system.exe".
For better results, select "Look in: Local Hard Drives" or "Look in: My Computer", then click "Search".
When the search finishes, hover over the "In Folder" column for "system.exe", highlight the file and copy the path. Keep that path; you will need it to delete system.exe in the manual removal steps that follow.

----------------------------
Detect and delete other system.exe files

To open the Windows Command Prompt, go to Start > Run, type cmd and click OK.
Type "dir /A name_of_the_folder" (for example, dir /A C:\Spyware-folder) to list the folder's contents including hidden files.
To change directory, type "cd name_of_the_folder".
Once you have found the file, delete it with "del name_of_the_file".
To delete an entire folder, type "rmdir /S name_of_the_folder".

Note that Windows XP does not ship a system.exe, so any file by that name is suspect; the "System" entry in Task Manager (no .exe, PID 4) is the kernel and must be left alone.

Saturday, March 8, 2008

newfolder.exe, autoplay virus, sscviihost.exe virus

If you are infected with this virus, the following problems occur on your PC:

1. You find a New Folder.exe file in the root of every storage medium you have.

2. You find a new folder inside every folder you have.

3. When you double-click one of your hard drive partitions, you get unexpected results.

4. When you right-click one of your hard drive partitions, you see a new item called "Autoplay" at the top of the menu, in bold.

5. When you right-click one of your hard drive partitions, you see new items with garbage text.

6. When your antivirus detects and deletes the malware that causes all of this and you restart your system, you see an error message similar to "Windows cannot find SSCVIIHOST.exe...".

If your answer was "Yes" to any of the above, the chances are that you are infected with the Sohanad worm (otherwise known as New Folder.exe) or one of its variants:

IM-Worm.Win32.Sohanad.as
IM-Worm.Win32.Sohanad.ao
IM-Worm.Win32.Sohanad.am


The problem is that this worm is particularly cumbersome to remove, even for reputable anti-virus programs. But there is a solution, and it is called SRT (Sohanad Removal Tool).

What does this tool do?
It detects and removes all traces of the Sohanad worm from your system, including floppy disks and USB flash disks (the latter must be write-enabled during the scan).

It also removes the leftovers of the worm by deleting the autorun.inf files and cleaning up your registry, so you won't see the "Autoplay" item any more.

How to use it?
Start your computer in Safe Mode and run the tool. If you have infected floppy/flash disks, insert them and click Start. Repeat this for every disk you have.
Click Here to Download the Tool

Manually remove it (New Folder.exe fix)

Delete the file named svichossst.exe, then fix these registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
(the worm sets its Task Manager / Regedit restrictions here; reset them to 0 as described above)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = (delete this value; note the misspelt "Messengger", which is how you tell it from the real Yahoo! Messenger entry)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe" (the worm appends its own file name after Explorer.exe; set the value back to exactly Explorer.exe)
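The Process Explorer / HijackThis workflow described earlier (identify the process, then strip it from the startup registry) and this New Folder.exe fix come down to the same audit: list what starts with Windows, and look for process names that imitate system binaries (svhost32, explorcr, svichossst, system). Here is that audit as an added PowerShell example; it is not code from any of the original posts. The list of imitated names, the expected directories, the Winlogon defaults and the edit-distance threshold of 2 are assumptions chosen for illustration, and the script only reports and changes nothing.

```powershell
# Added example, not from any of the original posts: report what starts with
# Windows and which running processes imitate system binaries. Report-only.
# The name list, expected directories, Winlogon defaults and the distance
# threshold are assumptions chosen for illustration. PowerShell 2.0 or later.

$systemDir   = Join-Path $env:windir 'system32'
$maxDistance = 2
# Binaries whose names the worms on this page imitate, and where the real one lives
$expected = @{
    'svchost'  = $systemDir; 'csrss'    = $systemDir; 'lsass'  = $systemDir
    'winlogon' = $systemDir; 'services' = $systemDir; 'smss'   = $systemDir
    'ctfmon'   = $systemDir; 'explorer' = $env:windir
}

# Levenshtein distance: svhost->svchost = 1, explorcr->explorer = 1, scvhost->svchost = 2
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLower(); $b = $b.ToLower()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = 1
            if ($a[$i - 1] -eq $b[$j - 1]) { $cost = 0 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# --- 1. Processes: wrong directory, or a name within $maxDistance of a system binary ---
foreach ($p in Get-Process) {
    $name = $p.Name.ToLower() -replace '\d+$', ''     # svhost32 -> svhost
    $path = $null
    try { $path = $p.MainModule.FileName } catch { }  # access denied for some system processes
    if ($expected.ContainsKey($name)) {
        if ($path -and (Split-Path $path -Parent) -ne $expected[$name]) {
            Write-Host ("WRONG DIR  {0} (PID {1}) -> {2}" -f $p.Name, $p.Id, $path)
        }
        continue
    }
    foreach ($good in $expected.Keys) {
        if ((Get-EditDistance $name $good) -le $maxDistance) {
            Write-Host ("LOOKALIKE  {0} (PID {1}) resembles {2} -> {3}" -f $p.Name, $p.Id, $good, $path)
        }
    }
}

# --- 2. Autostart registry values (what HijackThis lists as O4 entries) ---
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        Write-Host ("AUTOSTART  {0}\{1} = {2}" -f $k, $name, $key.GetValue($name))
    }
}

# --- 3. Winlogon: New Folder.exe appends itself to Shell ("Explorer.exe svichossst.exe") ---
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (([string]$wl.Shell).Trim() -ne 'Explorer.exe') {
    Write-Host "SUSPECT  Winlogon\Shell = '$($wl.Shell)' (expected Explorer.exe)"
}
if (([string]$wl.Userinit).Trim() -ne "$systemDir\userinit.exe,") {
    Write-Host "SUSPECT  Winlogon\Userinit = '$($wl.Userinit)' (expected $systemDir\userinit.exe,)"
}
```

Read the AUTOSTART lines the way HijackThis would: anything whose command points into %windir%, %temp% or a drive root rather than Program Files deserves a look, and the LOOKALIKE and WRONG DIR lines give you the path to delete once the process is stopped. The distance threshold is a heuristic; raise it to 3 if a worm of this family uses a longer misspelling, at the cost of a few false matches among short names.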

Show Hidden Files Not Working

A few days back, my friend told me that he was having trouble with his Windows XP. The "Show hidden files and folders" option was not working at all. If he selected the radio button "Show hidden files and folders" and then pressed OK, the change would just disappear upon opening the dialog again. It was probably some virus attack after which the Windows registry was not being updated properly. So here is what I did to restore it.

Open the Registry Editor by running regedit from the Run box.
Go to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

In the right-hand pane, double-click Hidden and change the value to 1.

Now you're all set. Check the Tools menu to see whether the change has taken effect. Mine has already been fixed :-).

Registry Editing Disabled By Admin..??!!

Today a friend of mine asked how to re-enable his Registry Editor, which had been disabled accidentally. Here are two ways to enable registry editing in Windows.

1- From Group Policy Editor

Go to Run -> gpedit.msc
In the left-hand tree, go to User Configuration -> Administrative Templates -> System.
In the right-hand pane, select "Prevent access to registry editing tools". It will be either Not Configured or Enabled. If it is Enabled, set it to Disabled; if it is Not Configured, first set it to Enabled, apply, and then set it to Disabled. The setting is usually applied instantly; if not, run gpupdate from a command prompt to apply the group policy.

2- From the Run Menu

I got this tweak while surfing the internet. Go to Start -> Run, copy and paste the following into the Run box and press OK.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

The effects are usually instant. If not then you should see the results after restarting your computer.

Please tell me your experiences on this tweak.

Task Manager Has Been Disabled By Ur Administrator..!!

A friend asked me why, whenever he tries to open Task Manager, he gets the following error:

"Task Manager has been disabled by your administrator"

Here is how to re-enable Task Manager:

Enabling Task Manager from Group Policy Editor
1. Go to Start -> Run, type "gpedit.msc" and press Enter.
2. Navigate to User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Del Options.
3. In the right-hand pane, verify that the "Remove Task Manager" option is set to Disabled or Not Configured.
4. Close the gpedit.msc MMC.
5. Go to Start -> Run, type "gpupdate /force" and press Enter.

Enabling Task Manager from Registry Editor
1. Go to Start -> Run, type "regedit" and press Enter.
Warning: modifying the registry can cause serious problems that may require you to reinstall the operating system.
Always back up your files before applying this registry hack.

2. Navigate to the following registry keys and verify that the following values are at their defaults:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
“DisableTaskMgr”=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
“DisableTaskMgr”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
“DisableTaskMgr”=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“DisableCAD”=dword:00000000
3. Reboot the computer.

For your convenience, I have created a registry file. Just download it and double-click it to add the information to your registry. Task Manager will be enabled. Please post your experiences.

Enabling Task Manager from the Run Menu

Go to Start –> Run and copy and paste the following and press OK.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
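Every restriction fix on this page (DisableRegistryTools, DisableTaskMgr, DisableCMD, the Folder Options and Run policies, DisableCAD) comes down to setting one policy value back to 0. As an added example, not code from any of the original posts, here is a single PowerShell script that audits all of those locations, including the four Task Manager keys listed just above, and resets them when run with -Fix. The list of policy locations is mine, assembled from the values named on this page; the HKLM and Winlogon entries need an administrator session.

```powershell
# Added example, not from the original posts: audit (and with -Fix, reset) the
# user-restriction policies that the malware on this page sets. The list of
# locations is mine, built from the values named on this page; the HKLM and
# Winlogon entries need an administrator session.
param([switch]$Fix)

$hkcuSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmSys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lgpoSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hkcuExp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Each entry: where the policy lives, its value name, and what a non-zero value disables
$policies = @(
    @{ Key = $hkcuSys; Name = 'DisableTaskMgr';       Effect = 'Task Manager' },
    @{ Key = $hkcuSys; Name = 'DisableRegistryTools'; Effect = 'regedit' },
    @{ Key = $hklmSys; Name = 'DisableTaskMgr';       Effect = 'Task Manager (machine-wide)' },
    @{ Key = $hklmSys; Name = 'DisableRegistryTools'; Effect = 'regedit (machine-wide)' },
    @{ Key = $lgpoSys; Name = 'DisableTaskMgr';       Effect = 'Task Manager (local GPO copy)' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Effect = 'cmd.exe' },
    @{ Key = $hkcuExp; Name = 'NoFolderOptions';      Effect = 'Tools > Folder Options' },
    @{ Key = $hkcuExp; Name = 'NoRun';                Effect = 'Start > Run' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DisableCAD'; Effect = 'the Ctrl+Alt+Del requirement at logon' }
)

function Get-PolicyValue($key, $name) {
    # returns $null when the key or value does not exist, otherwise the stored DWORD
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

$hits = 0
foreach ($pol in $policies) {
    $value = Get-PolicyValue $pol.Key $pol.Name
    if ($value -ne $null -and $value -ne 0) {
        $hits++
        Write-Host ("RESTRICTED  {0}\{1} = {2}  (disables {3})" -f $pol.Key, $pol.Name, $value, $pol.Effect)
        if ($Fix) { Set-ItemProperty -Path $pol.Key -Name $pol.Name -Value 0 -Type DWord }
    }
}
if ($hits -eq 0) { Write-Host 'No restriction policies are set.' }
```

Task Manager and regedit read their policy when they start, so they work again as soon as the value is 0; Explorer reads NoFolderOptions and NoRun when it starts, so log off and on again for those. If a value comes back a minute after you reset it, the malware is still running and rewriting it, which is why the posts above say to kill the process first or work in Safe Mode.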

Olympic Torch Invitation Virus Hoax

The text of the chain letter, reproduced for reference:

Do not open any message with an attached file called "Invitation", regardless of who sent it. It is a virus that opens an Olympic Torch which "burns" the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list, that is why you should send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it. If you receive a mail called "Invitation", though sent by a friend, do not open it and shut down your computer immediately.
This is the worst virus announced by CNN; it has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the hard disc, where the vital information is kept.

amvo.exe Virus Manual Removal Steps

This is a nasty virus; I don't know who dropped it on me. It spreads via USB memory sticks. It cannot be seen in the process list, hides itself and hides all files. And my antivirus doesn't seem to find a problem! :(

symptoms

  • Cannot show hidden files

  • Slows down USB devices

  • Adds infections to plugged in USB devices

  • Drives open in new windows from My Computer



How to get rid of it?

Step 1
The usual advice is to format the system, but that is not a permanent solution. To get rid of it, run regedit and find all keys related to amvo.exe or the name of the virus.
Run msconfig; in the Startup tab you can find amvo.exe or its variants.
Remove every occurrence of the name in regedit.
Reboot the system.

Step 2
Reboot and make the following changes to the registry using regedit (value name = data):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    SearchHidden = 1
    SearchSystemDirs = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 1
    ShowSuperHidden = 1
    SuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    CheckedValue = 1
    DefaultValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 1
    DefaultValue = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun = 0x91 (145)

The HKLM CheckedValue entries are the ones the worm changes so that the "Show hidden files" radio button no longer sticks. Note that 0x91 is the Windows XP default for NoDriveTypeAutoRun and still allows AutoRun on removable and fixed drives; use 0xFF (255) to disable it for every drive type.



-- OR --

Reboot into a different OS and do the following.

Step 3
From all the drives, delete autorun.inf using the command line (if on Windows) or from a Linux OS. Do not open the drive in Explorer, since that would run autorun.inf and re-infect the system. If you have Linux installed and can access all partitions on the disk, delete the files there and empty the trash for all drives.

Step 4
Reboot the system.
Make the changes in Step 2 if you have not already done so.

I hope that will do it.
Install a good antivirus and keep it updated.
Prevent AutoRun from USB sticks.

To disable AutoPlay for all drives:
Start > Run > gpedit.msc, then Computer Configuration > Administrative Templates > System > "Turn off Autoplay": set it to Enabled and choose "All drives".
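The registry table in Step 2, the earlier "Show Hidden Files Not Working" fix, the AutoRun setting and the autorun.inf clean-up in Step 3 together, as an added PowerShell example (not code from any of the original posts). It puts the Explorer hidden-file settings back to their stock Windows XP values, sets NoDriveTypeAutoRun to 0xFF, and lists the launch lines of every autorun.inf it finds before deleting them with -Fix. The stock-value table, the choice of 0xFF and the report format are my assumptions; the script changes nothing unless -Fix is given, and the HKLM values need an administrator session.

```powershell
# Added example, not from the original posts: (1) put the Explorer hidden-file
# settings back to the stock XP values (the HKLM CheckedValue entries are what
# the worm changes so the "Show hidden files" radio button will not stick),
# (2) turn AutoRun off for every drive type, (3) list and delete autorun.inf
# on all drives without ever opening the drive in Explorer. Report-only unless -Fix.
# The stock-value table, the 0xFF choice and the report format are mine.
param([switch]$Fix)

$adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
$wanted = @(
    @{ Key = $adv;               Name = 'Hidden';          Value = 1 },  # 1 = show hidden files
    @{ Key = $adv;               Name = 'ShowSuperHidden'; Value = 1 },  # 1 = show protected OS files
    @{ Key = "$hidden\SHOWALL";  Name = 'CheckedValue';    Value = 1 },  # radio "Show hidden files" writes 1
    @{ Key = "$hidden\SHOWALL";  Name = 'DefaultValue';    Value = 2 },
    @{ Key = "$hidden\NOHIDDEN"; Name = 'CheckedValue';    Value = 2 },  # radio "Do not show" writes 2
    @{ Key = "$hidden\NOHIDDEN"; Name = 'DefaultValue';    Value = 2 },
    # 0xFF disables AutoRun for all drive types; the XP default 0x91 leaves removable and fixed drives enabled
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
)

foreach ($w in $wanted) {
    $current = $null; $kind = $null
    if (Test-Path $w.Key) {
        $k = Get-Item -Path $w.Key
        if ($k.GetValueNames() -contains $w.Name) {
            $current = $k.GetValue($w.Name); $kind = $k.GetValueKind($w.Name)
        }
    }
    # a worm sometimes rewrites a DWORD as a string, so the type is checked too
    if ($current -eq $w.Value -and $kind -eq 'DWord') { continue }
    Write-Host ("WRONG  {0}\{1} = {2} [{3}]  (want {4})" -f $w.Key, $w.Name, $current, $kind, $w.Value)
    if ($Fix) {
        if (-not (Test-Path $w.Key)) { New-Item -Path $w.Key -Force | Out-Null }
        # New-ItemProperty -Force replaces the value, fixing its type as well
        New-ItemProperty -Path $w.Key -Name $w.Name -Value $w.Value -PropertyType DWord -Force | Out-Null
    }
}

# autorun.inf on every drive: read it with Get-Content, never by double-clicking the drive
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path $inf -ErrorAction SilentlyContinue)) { continue }
    Write-Host "AUTORUN  $inf"
    # the lines that launch something: open=, shellexecute=, shell\<verb>\command=
    Get-Content -Path $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
        ForEach-Object { Write-Host "         $_" }
    if ($Fix) { Remove-Item -Path $inf -Force; Write-Host '         deleted' }
}
```

The AUTORUN lines tell you which dropped file (amvo.exe, New Folder.exe, sscviihost.exe and so on) the stick would have launched, and therefore what to delete next to the autorun.inf. Deleting the file matters more than the policy: Windows XP of this vintage did not consistently honour NoDriveTypeAutoRun until Microsoft's 2009 AutoRun update (KB967715), so a double-click on the drive could still run a cached autorun.inf even with 0xFF set.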

Virus In Yahoo Msngr, Automatically Sending links - gaigoitanbing.xlphp.net

EDIT - Running Windows in Safe Mode is easy. First, restart your computer. While it is booting (black screen, before the Windows XP logo appears), press F8 on your keyboard. The computer will stop booting and offer options like:
Safe Mode
Safe Mode with Networking
Start Windows Normally, etc.
Choose "Safe Mode". Windows starts with a black background and a low-resolution display. Open McAfee now and scan your computer. When you are done, restart again (without pressing F8) to boot into Normal Mode.


Is your McAfee fully updated? If not, update it first and then run a full system scan. If it still finds nothing, do an online Panda ActiveScan (it scans your computer and removes most infections without you having to download anything):
http://www.pandasecurity.com/homeusers/s...
I am sure that McAfee or Panda will get rid of the virus.

Good luck!
:)

Clean D Virus xn1inx.com

This is a piece of spyware that creates files with names like h.cmd, xn1i9x.com, ylr.exe, awda2.exe etc., plus an associated autorun.inf that executes them. Simply deleting these files along with autorun.inf won't work, because they are recreated after a while: the spyware has created a startup entry. Remove that entry first, and once that is done delete all the malicious files on each of your drives. They will not be recreated after that.
The startup entry can be in any of several locations: the Run and RunOnce keys under HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion, the Shell and Userinit values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, and the Startup folder of the Start menu.

MonaRonaDona: A revolution In Social Engineering

Recently, infections of the malware "MonaRonaDona" have become increasingly prevalent.
Once "MonaRonaDona" is installed on a user's system, it displays the following message:

"Hi, My name is MonaRonaDona. I am a virus & I am here to Wreck your PC. If you observe strange behaviour with your PC, like program windows disappearing e.t.c, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humainty."

Once active, "MonaRonaDona" attempts to terminate the following programs:
Date And Time
Windows Task Manager
Registry Editor
Irfanview
Google Talk
Macromedia
Adobe
Microsoft Visual
Windows Media Player
Winamp
Microsoft Office
Microsoft Excel
Microsoft Word
Messenger
The 'Internet Explorer' title bar is also modified to contain text regarding "MonaRonaDona".

Immediately after infection, however, this activity is not yet visible, because the malware registers itself to run when Windows boots. As a result, how "MonaRonaDona" actually infects computers is still unknown, as users often cannot remember what they did before the infection.

This is where it gets interesting. Given how visible the malware makes itself (a warning message on infection, active termination of common Windows programs, messages in application title bars), we are forced to ask a simple question:

"Why does the malware author want "MonaRonaDona" to be noticed by the user to such an extent?"

The answer lies in a simple search for "MonaRonaDona" in one of today's popular search engines. The query leads the user to a page like the one shown in the original post [screenshot not reproduced here]:

or alternatively to a Digg (a popular content-sharing site) article or a YouTube video, all advertising the same product:
"Unigray antivirus".

The article in that screenshot claims that "MonaRonaDona" can be fixed with the following legitimate applications:

'Kaspersky'
'AVG'
and 'McAfee'

when in reality only Kaspersky has included "MonaRonaDona" in its signatures (as 'Trojan.Win32.Monagrey.a').
The article also claims that the best application a user can use to fix the malware is called 'Unigray antivirus'.
'Unigray antivirus' appeared on the web at the same time detections of "MonaRonaDona" began.
Furthermore, when examined by Kaspersky Lab, the application was found to detect (to a minimal standard) only 19 different threats (including "MonaRonaDona") and to remove only one: "MonaRonaDona".
When the code of "MonaRonaDona" is compared to that of 'Unigray', there are also many notable similarities.
It is therefore extremely probable that the individual(s) behind "MonaRonaDona" are the same individual(s) who created 'Unigray antivirus'.
Social engineering techniques are becoming increasingly devious and manipulative; fraudware/malware authors are gaining more insight into the psychology of their victims and can thus be expected to use social engineering as an avenue for infection more regularly.