Saturday, January 27, 2007

Orkut, YouTube banned, Firefox banned? Try this

Problem.
===================
When trying to go to www.orkut.com the browser closes and you get a message like this.
When trying to open Mozilla Firefox you get a message like this.
Or when you go to youtube.com you see a similar message that says
"youtube is banned you fool`,The administrators didnt write this program guess who did?? MUHAHAHA!!"

Culprit:
================
A worm called Win32/AHKHeap.A (also known as W32.USBWorm), which runs from a script file.

HOW DID IT ENTER THE COMPUTER
==============================
Most probably via your pen drive / mobile / memory card: it was plugged into your
PC and you double-clicked the drive icon in "My Computer", which ran the worm's autorun.

To avoid further infections of this type,
follow the safety instructions in the link below:
http://dennyphilip.blogspot.com/2007/10/safety-instructions-when-plugging.html


Solution:
========================
Press Ctrl+Shift+Esc together to bring up Task Manager.
Right-click the process svchost.exe (the one running under the SYSTEM user name) and select End Process Tree (ignore the warning message).
[Note: there are genuine system processes named svchost.exe, so if you are not sure which one to end, download Process Explorer from the link below, open procexp.exe, right-click each svchost.exe, select Properties and look for the one whose path is the heap41a directory:
http://download.sysinternals.com/Files/ProcessExplorer.zip (1.5 MB)
.....or.......
from my personal archive at this link
http://www.mediafire.com/?exntnndn9xi
To know more about the tool visit
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
]
->update (4/10/2007)
This is the program we are searching for...


->update: (3/9/2007)
If you accidentally ended the real system process svchost.exe you will get this message.

Just open a command prompt by going to Start > Run,
then type cmd and press Enter.
In the command prompt (the black window) type
shutdown -a
and the message window should disappear.
->update end.
Open your Folder Options and make sure you can see all hidden files and
protected operating system files and folders
(if you do not know how to do it please follow this link:
http://dennyphilip.blogspot.com/2007/08/show-hidden-files-and-folders.html

Update: if you want to unhide a folder, do as directed in this link:
http://dennyphilip.blogspot.com/2007/09/how-to-manually-unhide-folders.html

Now if you browse to your C: drive (or whichever drive Windows is installed on)
you should be able to see a folder called heap41a (or heap[some number]).
Even if you can't see it, don't worry, just do this:
open a command prompt (press the Windows key + R, then type cmd and press Enter).

Note: under Vista click the Start button > Programs > Accessories, then right-click
Command Prompt and select Run as administrator.

Now in the command prompt (the black window) type these commands
one by one (the text in parentheses is for your information only; do not type it).

  • cd\ (takes you to the root of the drive)
  • cd heap41a (takes you into the "heap41a" directory; if the directory has a different name for you, change the command accordingly, for example if it is heap69b the command should be cd heap69b)
  • attrib -h -s *.* (unhides the files and removes the system attribute so they can be deleted)
  • del *.* (deletes all files inside the folder heap41a)

Now close the command prompt after answering yes (if asked) to the question
whether to delete all files in the folder.

To remove the registry entries, open regedit (Start > Run,
then type regedit and press Enter).
In the registry editor go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

The worm sets this value so that hidden files stay hidden:

"CheckedValue" = "00000000"

Double-click CheckedValue, enter the value 1 and click OK.

You must also delete this startup value, which relaunches the worm at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

"winlogon"= "C:\heap41a\svchost.exe C:\heap41a\std.txt"
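
The whole clean-up above (kill the fake svchost.exe, delete the heap41a folder, restore CheckedValue, remove the winlogon startup value) can be done in one go from an elevated PowerShell prompt. This is an added example, not a script from the original post; it assumes the worm folder is C:\heap41a and only stops an svchost.exe whose image path is inside that folder, so the real service hosts are left alone.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: the worm lives in C:\heap41a; change $WormDir if yours is heap[other number].
$WormDir = 'C:\heap41a'
$ShowAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'

# 1. Stop only the svchost.exe that runs out of the worm folder.
#    Ending a genuine svchost.exe triggers the shutdown countdown, so filter on the image path.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($WormDir, 'OrdinalIgnoreCase') } |
    ForEach-Object {
        Write-Host "Stopping fake svchost.exe PID $($_.Id) ($($_.Path))"
        Stop-Process -Id $_.Id -Force
    }

# 2. Same as "attrib -h -s *.*" then "del *.*": clear the attributes and delete the folder.
if (Test-Path -LiteralPath $WormDir) {
    Get-ChildItem -LiteralPath $WormDir -Force | ForEach-Object { $_.Attributes = 'Normal' }
    Remove-Item -LiteralPath $WormDir -Recurse -Force
    Write-Host "Deleted $WormDir"
}

# 3. Restore "show hidden files and folders" (the worm set CheckedValue to 0).
if (Test-Path -LiteralPath $ShowAll) {
    Set-ItemProperty -LiteralPath $ShowAll -Name CheckedValue -Value 1 -Type DWord
}

# 4. Remove the startup value that relaunches C:\heap41a\svchost.exe with std.txt at logon.
if (Get-ItemProperty -LiteralPath $RunKey -Name winlogon -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -LiteralPath $RunKey -Name winlogon
    Write-Host 'Removed the winlogon startup value'
}

# 5. Verify: nothing of the worm should be left on disk or in the Run key.
$remaining = (Test-Path -LiteralPath $WormDir) -or
             [bool](Get-ItemProperty -LiteralPath $RunKey -Name winlogon -ErrorAction SilentlyContinue)
if ($remaining) { Write-Warning 'Traces remain; reboot and run the script again.' }
else            { Write-Host 'Clean-up complete. Reboot if the browsers were still being closed.' }
```

If the folder was locked because the worm was still running, the first step frees it; rerunning the script after a reboot is harmless because every step checks before it acts.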


Restart your system if necessary.
Hope you found this useful.

UPDATE:
___________________________________________
Antivirus products able to detect the worm:

ANTIVIR (use the latest updates; this is a free and effective antivirus)
ESET NOD32 (virus signature version 2288 and above)
AVAST (latest update)

Please let me know about the status of other antivirus products.
Thanks in advance.
___________________________________________
1 comment:

  1. Well, I took the pain to translate this to find it is a comment advertising. If you seriously wish to advertise please contact us. This space is actually for people to express their feelings and questions, not their advertisements. Thanking you for your time. -Site admin Denny
    Translated version:
    Hi, I thought that this blog for Google is quite interesting and liked this post. CresceNet would like to speak on it. CresceNet is a dial-up Internet provider that pays its users for the time connected. Exactly what you read: you are paid for connecting. The provider pays 20 cents per hour of dial-up connection with a local number in over 2100 cities of Brazil. CresceNet has a connection accelerator, which makes your connection up to 10 times quicker. The one who uses broadband lu prune

