Wednesday, November 11, 2009

Funny UST Scandal virus

How I removed the Funny UST Scandal virus from my system. Recently my system got infected with a virus. I am using Windows XP with McAfee, but McAfee did not recognise the threat at all.

Characteristics: the virus closes every program it thinks might be dangerous to its existence. If I open Task Manager, the virus minimises it to the system tray. The processes killer.exe, smss.exe and lsass.exe are running. Yes, smss.exe and lsass.exe are system processes, but the virus is running processes under the same names: one process is running with the name smss.exe, while two processes are running with the name lsass.exe, of which one is the system process and the other is the virus.

I had already installed Process Explorer; otherwise I would have had to download it from another system, because when I tried to download it from the Net the virus closed the window. I used this tool to kill the above processes. Even before I could kill them the virus was minimising Process Explorer to the system tray, so I reopened it from there and closed all the processes. There are two entries for lsass.exe: one is a child of the System process, the other is a child of explorer.exe, and this latter one is the virus process. That parent is the giveaway: no genuine system process is started by explorer.exe, and Process Explorer also shows each image's path, so a copy that is not running from Windows\System32 is the impostor.

Once the virus processes were closed, I took the following steps:
Deleted Funny UST Scandal.exe, smss.exe and killer.exe from the Windows folder, Windows\System and Windows\System32.
Checked the root folder of every partition and deleted these files and autorun.inf there. In some locations I found xmss.exe as well; they all carry the same icon, so I recognised them easily.
Usually these files are hidden. You can use "attrib -h -s smss.exe" at the command prompt to unhide them and then delete them (or tick "Show hidden files and folders" and untick "Hide protected operating system files" in Folder Options). But I used Bullet Proof FTP to locate and delete the hidden files; I already had it installed, and you can download the trial version. It is very easy with this FTP client: with the attrib command you have to go to every location, issue the command and then delete the file, whereas BP FTP shows hidden files directly and I don't need DOS commands.
Deleted C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe. I also deleted the Desktop.ini files placed in every folder of the Start Menu for every user; I don't think that file belongs in those locations. (Windows itself uses Desktop.ini to store folder display settings, so check its contents before deleting it.)
Used msconfig to clean the startup items: I unticked all suspicious entries on the Startup tab.
Using regedit, deleted the AutoPlay entries that pointed to smss.exe.
Then searched the registry for "Funny", "Killer", "Smss" and "lsass". Be careful when deleting lsass keys, as an important system process runs under the same name; the system copy of the file lives in the Windows\System32 folder. If you find this information useful, please leave a comment below.
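To make the process check above repeatable, here is an added example (my own code, not the author's or Process Explorer's) that applies the same two tests, image path and parentage, to a process listing. The snapshot in it is constructed to mirror the situation described (a second lsass.exe started by explorer.exe); the C:\WINDOWS install path and the XP boot chain it expects are assumptions, and real data would come from the fields Process Explorer displays.

```python
"""Spot a process that borrows a Windows system-process name.

Added example, not the blog author's tooling. It automates the checks the
text did by hand in Process Explorer: where the image file lives and who
started the process. SNAPSHOT is constructed, not captured from a machine.
"""
import ntpath

# Assumption: default XP install path; adjust to your %SystemRoot%\System32.
SYSTEM32 = r"c:\windows\system32"

# Core boot-chain names that malware likes to borrow.
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# A real system process is never a descendant of the user's shell.
USER_SHELLS = {"explorer.exe", "cmd.exe"}

SYSTEM_PID = 4  # the "System" pseudo-process on Windows XP/2003


def ancestors(pid, by_pid):
    """Return [(pid, name), ...] from the nearest parent up to the root."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid = by_pid[pid][0]
        if ppid not in by_pid:          # parent already exited (or is pid 0)
            break
        chain.append((ppid, by_pid[ppid][1]))
        pid = ppid
    return chain


def find_impostors(snapshot):
    """snapshot: iterable of (pid, ppid, image name, full image path).
    Returns [(pid, name, [reason, ...])] for every protected-name process
    that fails a check; the genuine copies produce no entry."""
    by_pid = {pid: (ppid, name.lower(), path) for pid, ppid, name, path in snapshot}
    findings = []
    for pid, (ppid, name, path) in sorted(by_pid.items()):
        if name not in PROTECTED:
            continue
        reasons = []
        if ntpath.normcase(ntpath.dirname(path)) != SYSTEM32:
            reasons.append("image is not in System32: " + path)
        chain = ancestors(pid, by_pid)
        shells = [n for _, n in chain if n in USER_SHELLS]
        if shells:
            reasons.append("descends from user shell " + shells[0])
        if not any(p == SYSTEM_PID for p, _ in chain):
            reasons.append("does not descend from the System process")
        if reasons:
            findings.append((pid, name, reasons))
    return findings


# Constructed snapshot modelled on the infection described in the text.
SNAPSHOT = [
    (4,    0,    "System",       ""),
    (500,  4,    "smss.exe",     r"C:\WINDOWS\system32\smss.exe"),
    (560,  500,  "csrss.exe",    r"C:\WINDOWS\system32\csrss.exe"),
    (600,  500,  "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    (640,  600,  "services.exe", r"C:\WINDOWS\system32\services.exe"),
    (660,  600,  "lsass.exe",    r"C:\WINDOWS\system32\lsass.exe"),
    (1500, 1400, "explorer.exe", r"C:\WINDOWS\explorer.exe"),  # parent has exited
    (2200, 1500, "lsass.exe",    r"C:\WINDOWS\system\lsass.exe"),  # the impostor
    (2300, 2200, "smss.exe",     r"C:\WINDOWS\smss.exe"),
    (2400, 2200, "killer.exe",   r"C:\WINDOWS\killer.exe"),
]

if __name__ == "__main__":
    for pid, name, reasons in find_impostors(SNAPSHOT):
        print(pid, name)
        for reason in reasons:
            print("   -", reason)
```

Only the two copies under explorer.exe are reported; the genuine smss.exe and lsass.exe pass both tests, which is exactly the distinction the Process Explorer tree showed by hand.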

Your mobile's unique number

Every mobile phone contains a number that uniquely identifies it. GSM and CDMA use different types of numbers: the International Mobile Equipment Identity (IMEI) for GSM phones, and the Electronic Serial Number (ESN) or Mobile Equipment Identifier (MEID) for CDMA phones. This number is printed underneath the battery. On a GSM phone you can also display the IMEI by dialling *#06#. Note down the number; if you lose your mobile, you can use it to have the handset blocked. You can also look up the phone model and other details by entering the IMEI on an IMEI lookup site. The IMEI is 15 digits: an 8-digit Type Allocation Code (TAC) identifying the model, a 6-digit serial number and a Luhn check digit, so a mistyped number can usually be detected.
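Since the number is only useful if you copied it correctly, here is an added example (my code, not from the original post) that tells the three identifier types apart by format and verifies the IMEI check digit. The sample IMEI in the test is a constructed test value, not a real handset.

```python
"""Check and decode a handset identifier before you rely on it.

Added example. IMEI: 15 decimal digits = 8-digit TAC + 6-digit serial +
Luhn check digit. IMEISV: 16 digits (no check digit, 2-digit software
version instead). MEID: 14 hex digits. ESN: 8 hex digits. The CDMA forms
carry no check digit in hex notation, so they are only format-checked.
"""
import re


def luhn_check_digit(digits):
    """Luhn check digit for a string of decimal digits (the IMEI scheme)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def classify(identifier):
    """Return (kind, details). Spaces and dashes in the input are ignored."""
    s = re.sub(r"[\s-]", "", identifier).upper()
    if re.fullmatch(r"\d{15}", s):
        return "IMEI", {"tac": s[:8], "serial": s[8:14],
                        "check_digit_ok": luhn_check_digit(s[:14]) == int(s[14])}
    if re.fullmatch(r"\d{16}", s):
        return "IMEISV", {"tac": s[:8], "serial": s[8:14], "software_version": s[14:]}
    if re.fullmatch(r"[0-9A-F]{14}", s):
        return "MEID", {"manufacturer": s[:8], "serial": s[8:]}
    if re.fullmatch(r"[0-9A-F]{8}", s):
        return "ESN", {"manufacturer": s[:2], "serial": s[2:]}
    return "unknown", {}


if __name__ == "__main__":
    # Constructed sample written the way phones print it, with group dashes.
    print(classify("49-015420-323751-8"))
```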

Lost mobile phone?

If you have lost your mobile, you can have the handset blocked with the help of your mobile's unique number. First lodge a complaint at the police station, then go to your operator and give them the number. The operator puts it on a shared list, and every operator that follows the list blocks the phone from being used. This works even if the thief uses a new SIM from another operator, as long as that operator follows the common list. You can also buy and install tracking software before the phone is lost. Lost Mobile Tracking System (LMTS) sends a message to you when somebody inserts a new SIM into your mobile. You provide an alternate number and an email id when registering; when the SIM is changed, LMTS sends a message containing the new SIM number and the location to that number and email. Virtual Mobile Security (VMS) offers more options: besides sending the message, it can hide your data, retrieve the contacts from the address book remotely, play an alarm, display a message with your details (or a warning message), and even lock the phone.

Webpage disabled rightclick?

Some sites disable right-clicking on the page using JavaScript. If you find this annoying, there is a solution. In Firefox go to Tools > Options > Content, click the 'Advanced' button next to 'Enable JavaScript', and untick "Disable or replace context menus". That's it. The page's script still runs; Firefox simply stops honouring its request to suppress the context menu.

Registry Accessing disabled?

Many viruses disable access to the registry so that we can't remove their entries. In these cases you can download the file UnHookExec.inf; after downloading it, right-click on it and select Install. You can also re-enable regedit manually with the Group Policy editor: Win+R, gpedit.msc, then User Configuration > Administrative Templates > System > "Prevent access to registry editing tools", and set it to Disabled. You should be able to open regedit now. (This policy is stored as the DisableRegistryTools value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; gpedit.msc is not included in Windows XP Home Edition.)

Removed Fun.exe, dc.exe, SVIQ.exe virus

I got a virus which automatically opens Yahoo Messenger. When I looked at the processes in Task Manager I found Fun.exe, dc.exe and SVIQ.exe. I killed those processes by right-clicking each one and selecting "End Process Tree". After killing them I searched the Internet and found the following link useful: W32.Imaut.AS (also called Dung Coi). Then I deleted all the virus files and cleaned the registry. The exact steps are below:
First go to Task Manager (right-click on the taskbar > Task Manager) and select the Processes tab.
Right-click on Fun.exe, dc.exe and SVIQ.exe and select "End Process Tree". This stops the viruses from interfering with the cleanup.
Go to msconfig (Win+R, type msconfig and press Enter) and open the Startup tab. Untick dc.exe, fun.exe, SVIQ.exe, Other.exe and Win.exe. This stops the virus processes from starting with Windows.
Next go to the Registry Editor (Win+R, type regedit and press Enter). Remove the following values and keys:
dc, dc2k5 and fun under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
load and run under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set the Shell value back to "Explorer.exe" (this value is a comma-separated list of programs Winlogon starts at logon, so anything added to it runs every time you log on).
Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc
Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc2k5
Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fun
Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
(The startupreg entries are only msconfig's own record of the items you unticked on the Startup tab; removing them is housekeeping, they do not start anything themselves.)
Delete the following files.
%Windir%\Help\Other.exe
%Windir%\inf\Other.exe
%Windir%\system\Fun.exe
%Windir%\System32\config\Win.exe
%Windir%\System32\WinSit.exe
%Windir%\dc.exe
%Windir%\SVIQ.exe
%Windir%\System32\NWB.dat
c:\PNga.txt
%Windir%\wininit.ini
I have created two files to automate deleting the registry keys and the virus files. Download Fun Virus Removal, unzip it and double-click the RemoveVirus.bat file. That's it, I got rid of the virus. I read on the net that this virus creates a copy of itself in directories, with the same name as the directory and a folder icon, so that users click on it thinking it is a folder. I didn't get any files like that, but if you do, don't click on them; delete them immediately. If in doubt, right-click on the item and select Properties, which tells you whether it is a file or a folder. (Also untick "Hide extensions for known file types" in Folder Options, so that a file called "Photos.exe" is not displayed as just "Photos".)
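Before deleting keys blind, it is worth seeing which of the autostart locations above are actually populated. The following is an added example (my code, not the author's RemoveVirus.bat) that reads a .reg dump of the kind regedit's File > Export or `reg export` writes and reports the entries matching the symptoms described: a Winlogon Shell that is not plain Explorer.exe, anything in the legacy "load"/"run" values, and Run entries launched from the odd folders listed in the file list above. SAMPLE_REG is constructed; the page does not give the real modified Shell value, and the suspect-folder list assumes C:\WINDOWS and is a heuristic.

```python
"""Audit the autostart locations used by the Fun.exe/dc.exe/SVIQ.exe infection.

Added example, not the blog author's tool. Reads a .reg export and lists
the entries worth removing; it changes nothing itself.
"""
import ntpath
import re

VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<val>.*)"$')


def parse_reg(text):
    """Parse a .reg file into {key: {value name: string data}}.
    Only REG_SZ values are kept; dword:/hex: data is not needed here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                data = re.sub(r'\\(["\\])', r"\1", m.group("val"))  # undo .reg escaping
                keys[current][m.group("name")] = data
    return keys


def values_of(keys, wanted):
    """Case-insensitive lookup of one key's values."""
    for key, values in keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}


def image_path(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NT_WINDOWS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Folders the text found the dropped copies in (assumes C:\WINDOWS).
# Legitimate autostart programs are rarely launched from these: heuristic.
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\inf",
                r"c:\windows\help", r"c:\windows\system32\config"}


def audit_autostart(keys):
    """Return [(key, value name, data)] for entries matching the symptoms."""
    findings = []
    shell = values_of(keys, WINLOGON).get("Shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON, "Shell", shell))
    for name in ("load", "run"):
        data = values_of(keys, NT_WINDOWS).get(name, "")
        if data.strip():
            findings.append((NT_WINDOWS, name, data))
    for key in RUN_KEYS:
        for name, data in values_of(keys, key).items():
            folder = ntpath.normcase(ntpath.dirname(image_path(data)))
            if folder in SUSPECT_DIRS:
                findings.append((key, name, data))
    return findings


# Constructed dump; the Shell value is an illustration, not the real one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"dc"="C:\\WINDOWS\\dc.exe"
"dc2k5"="\"C:\\WINDOWS\\system32\\config\\Win.exe\" /s"
"fun"="C:\\WINDOWS\\system\\Fun.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\inf\\Other.exe"
"run"="C:\\WINDOWS\\Help\\Other.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\SVIQ.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

if __name__ == "__main__":
    for key, name, data in audit_autostart(parse_reg(SAMPLE_REG)):
        print(key)
        print("    " + name + " = " + data)
```

Once an entry is confirmed, the XP command-line equivalents of the regedit steps are `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v dc /f` for a value and `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f` to restore the Shell value; ctfmon.exe stays, since it runs from System32.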

Stop viruses coming from pen drives

Nowadays pen drives (USB drives) have become a necessity, but they have a problem: they are very easily infected by viruses. We can't live without pen drives, but we can be a bit more careful when using them so that they don't infect the system with different types of viruses.
First disable AutoPlay on your system. This prevents a virus on the pen drive from running automatically when the drive is inserted (note that this disables AutoPlay for CDs as well). On XP this is the NoDriveTypeAutoRun value (set it to 0xFF) under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, or the "Turn off Autoplay" policy in gpedit.msc. This only stops the automatic launch; an autorun.inf can still change what double-clicking the drive does, which is why the next steps matter.
After inserting the pen drive, open it from Explorer's folder tree only; don't open it from My Computer.
To open Explorer, press Win+E on your keyboard.
Or right-click on My Computer and select Explore.
If My Computer is already open, click 'Folders' in the toolbar (or View > Explorer Bar > Folders).
Always open the pen drive by clicking its name in the left pane only, never from the right pane. Double-clicking the drive icon runs the drive's default action, which an autorun.inf can redirect to a program; selecting it in the Folders pane only lists its contents.
Don't open files you don't need. If a file looks suspicious, right-click on it and select Properties; that shows the complete details of the file. Don't rely on icons: some viruses use a folder icon so that we think they are folders, and most probably we will double-click to see what is inside, which actually executes the virus. A little careful handling of pen drives will prevent a lot of viruses.
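To see concretely what the autorun.inf mentioned in the Funny UST Scandal post and guarded against here can make Windows do, the following added example (my code, not from the original post) parses the [autorun] section the way Explorer reads it and lists every launch trigger: `open` and `shellexecute` fire on AutoPlay, and `shell\<verb>\command` entries replace what double-clicking the drive or choosing Open/Explore from its context menu does. Both sample files are constructed, not taken from an infected drive; the smss.exe name is reused from the post above for illustration.

```python
"""List what an autorun.inf on a pen drive would make Windows run.

Added example. Keys are matched case-insensitively, and lines outside the
[autorun] section (malware often pads the file with junk) are ignored.
"""
import re


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def launch_targets(text):
    """[(trigger, command), ...]: every way the file can start a program."""
    v = parse_autorun(text)
    targets = []
    if "open" in v:
        targets.append(("AutoPlay open=", v["open"]))
    if "shellexecute" in v:
        targets.append(("AutoPlay shellexecute=", v["shellexecute"]))
    default_verb = v.get("shell", "").lower()   # shell=verb makes it the double-click action
    for key, command in v.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verb = m.group(1)
            trigger = "context menu verb '%s'" % verb
            if verb == default_verb:
                trigger += " (default action)"
            targets.append((trigger, command))
    return targets


def would_run_something(text):
    """True if opening or AutoPlaying the drive could execute anything."""
    return bool(launch_targets(text))


# Constructed sample in the style such worms drop: every action runs the same file.
MALICIOUS_INF = r"""[AutoRun]
open=smss.exe
shell\open=&Open
shell\open\Command=smss.exe
shell\explore=&Explore
shell\explore\Command=smss.exe
shellexecute=smss.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed benign sample: only a label and an icon, nothing to execute.
BENIGN_INF = r"""[autorun]
icon=setup.exe,0
label=Holiday photos
"""

if __name__ == "__main__":
    for trigger, command in launch_targets(MALICIOUS_INF):
        print(trigger, "->", command)
    print("benign sample launches anything:", would_run_something(BENIGN_INF))
```

The point of the left-pane advice above is visible in the output: even with AutoPlay off, the `shell\open\Command` and `shell\explore\Command` entries mean that both double-clicking the drive and choosing Explore from its menu would run smss.exe, while the Folders tree ignores the file.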

Clean New Folder.exe, RegSvr.exe Virus

Recently I got infected with this virus. It just shows a message when Windows starts, "Rundll.exe is not found.......", and infects pen drives for the first few days; not much harm. But after 4 or 5 days it starts creating copies of the virus file in many folders. The copy has the same name as the folder it sits in and a folder icon, so that we take it for another folder. When I searched the Internet I found the following link useful: Am I Works. I have developed a tool for removing this virus. Download New Folder virus removal tool, unzip it, and double-click the RemoveVirus.bat file. Tell me in the comments whether you got rid of the virus. Note: if you are not able to open the Registry Editor (Win+R, regedit.exe), see "Registry Accessing disabled?" above.

RDown - Rapidshare Downloader

You can download Rapidshare files without a separate downloader program. With Firefox it is now easy to download Rapidshare links using the RDown add-on:
https://addons.mozilla.org/en-US/firefox/search?q=rdown&cat=all