Have you seen this message on your computer?
"ORKUT IS BANNED, Orkut is banned you fool, The administrators didnt write this program guess who did??"
If so, you are infected with the worm described below.
The worm, after infecting your computer, creates a folder named "heap41a" in the root of your system drive (i.e. C:\), where it resides. The folder is hidden, and because the worm also disables the "Show hidden files and folders" option, it is not easy to locate. The folder contains the following:
* Offspring - an empty folder.
* 2.mp3 - a laughing sound.
* Icon.ico - a blank icon file.
* reproduce.txt - code that changes registry entries.
* svchost.exe - the worm's main executable, named after the legitimate Windows service host (which lives in C:\Windows\System32, not in C:\heap41a); it produces all kinds of pop-ups.
* script1.txt - code for displaying the pop-ups.
* std.txt - code that changes registry entries.
It will not let you open Orkut in Internet Explorer, and it blocks access to YouTube as well.
This is the AHKHEAP worm.
Files: MicrosoftPowerPoint.exe (462,050 bytes), svchost.exe (239,104 bytes)
Aliases: W32/AHKHeap-A (Sophos), WORM_AHKHEAP.A (Trend Micro)
Removal Process
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
1. First boot your computer into Safe Mode by pressing F8 while booting.
2. Then open Search and, under the advanced options, select "Search hidden files and folders" and "Search system folders".
3. Search for the keyword "heap41a".
4. You will see a folder named "heap41a" in C:\.
5. Shift+Delete that folder.
6. If you see the message "Cannot delete file", press Ctrl+Alt+Delete to open Task Manager.
7. End the svchost.exe process that belongs to the worm. Several legitimate svchost.exe processes (the Windows service host in C:\Windows\System32) are always running; the worm's copy is the one started from C:\heap41a, so do not kill every svchost.exe you see. If Task Manager does not show you the image path, a tool such as Process Explorer does.
8. Then try again to delete the folder "heap41a".
Now I will tell you how to restore your registry.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the next set of steps.
1. Open Registry Editor: click Start > Run, type REGEDIT and press Enter. Back up the registry (File > Export) before changing anything.
2. In the left panel, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
3. In the right panel, locate and delete the value: winlogon = "%System Root%\heap41a\svchost.exe %System Root%\heap41a\std.txt"
(The name "winlogon" is chosen to look like the legitimate Windows logon process; the giveaway is the data, which points into C:\heap41a.)
Deleting/Restoring Other Registry Entries
1. Still in Registry Editor, stay in the same key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
2. In the right panel, locate and delete the value: status = "present"
3. In the left panel, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
4. In the right panel, locate the value: CheckedValue = 0
5. Right-click the value name, choose Modify, and change the value data to 1.
6. Close Registry Editor.
Deleting the Malware Folders
1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:MICROSOFTPOWERPOINT
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, check if the location of the file is the following:%User Temp% (Note: %User Temp% is the current user's Temp folder, which is usually C:\Windows\Profiles\{user name}\Temp on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Temp on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
5. If yes, select the file then press SHIFT+DELETE.
6. Again in the Named input box, type:heap41a
7. In the Look In drop-down list, select My Computer, then press Enter.
8. Once located, check if the location of the file is the following:%System Root% (Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
9. If yes, select the file then press SHIFT+DELETE.
Restoring AUTORUN.INF
1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:AUTORUN.INF
3. In the Look In drop-down list, select a drive, then press Enter.
4. Select the file from the search results and open it with Notepad (do not double-click the drive itself in My Computer, since Explorer may honour the autorun entries you are about to inspect).
5. Check whether the following lines are present in the file:
[Autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\Auto\command=MicrosoftPowerPoint.exe
6. If the lines are present, delete the file.
7. Repeat steps 3 to 6 for the AUTORUN.INF files on the remaining removable drives.
8. Close Search Results.
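The autorun.inf check in the steps above can be scripted. The following Python script is an added example and is not part of the original post: it parses the [autorun] section, reports every directive that would launch a program (open=, shellexecute= and any shell\<verb>\command=), and flags a file as malicious when the launched program is the MicrosoftPowerPoint.exe dropper named above. It generalises the manual check in one way: an autorun.inf that launches any other executable is still reported as suspicious, so a variant with a renamed dropper is not missed. The sample autorun.inf content is constructed from the lines quoted in step 5; only the Python standard library is used.

```python
"""Parse autorun.inf and flag entries that launch a program.

Added example, not from the post.  Generalises the manual
'Restoring AUTORUN.INF' check: any launching directive is reported,
and the known dropper name makes the verdict 'malicious'.
"""
import re
from pathlib import Path

# Directives in the [autorun] section that run a program on insert/open.
LAUNCH_DIRECTIVES = {"open", "shellexecute"}
# shell\<verb>\command, e.g. shell\Auto\command or shell\open\command.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$")

# Dropper name quoted in the post for the AHKHeap worm.
KNOWN_BAD = {"microsoftpowerpoint.exe"}

# Constructed sample reproducing the lines the post says to look for.
AHKHEAP_AUTORUN = """[Autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\\Auto\\command=MicrosoftPowerPoint.exe
"""


def parse_autorun(text):
    """Return {directive_lower: value} from the [autorun] section."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(value):
    """Extract the program from a directive value, handling quoted paths."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(entries):
    """Map each launching directive to the program it would run."""
    return {k: program_of(v) for k, v in entries.items()
            if k in LAUNCH_DIRECTIVES or SHELL_COMMAND_RE.match(k)}


def classify(text):
    """Return (verdict, targets): 'malicious' if a known dropper is
    launched, 'suspicious' if any program is launched, else 'clean'."""
    targets = launch_targets(parse_autorun(text))
    if not targets:
        return "clean", {}
    names = {Path(p.replace("\\", "/")).name.lower() for p in targets.values()}
    return ("malicious" if names & KNOWN_BAD else "suspicious"), targets


def scan_drive_root(root):
    """Classify the autorun.inf at a drive root (e.g. 'E:\\'); 'absent' if none."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return "absent", {}
    return classify(inf.read_text(errors="replace"))


if __name__ == "__main__":
    print(classify(AHKHEAP_AUTORUN))
```

Run scan_drive_root("E:\\") for each removable drive from a Safe Mode command prompt; a "malicious" or "suspicious" verdict means the file should be inspected and, as the post says, deleted. Reading the file with Python does not trigger it; double-clicking the drive in Explorer might.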
Now the worm's files are removed. Enjoy browsing, but before that restore the "Show hidden files and folders" setting to normal using the registry steps described above.
Monday, December 31, 2007
How to remove ntde1ect.com virus
There is a trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) that uses the files ntde1ect.com and avpo.exe. Here is how you can get rid of them:
1) Open Task Manager (Ctrl+Alt+Del).
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open "File > New Task (Run...)" in Task Manager.
5) Run cmd.
6) Run the following command on all your drives, replacing c:\ with each other drive in turn (note: if you have autorun.inf files that you think you need to keep, back them up now; the /s switch deletes every autorun.* file in every folder of the drive, not only the one in the root):
del c:\autorun.* /f /a /s /q
7) Go to your Windows\System32 directory by typing cd c:\windows\system32
8) Type dir /a avp*.*
9) If you see any files named avp0.dll, avpo.exe or avp0.exe, clear the read-only, system and hidden attributes (del will not remove a hidden or system file otherwise) and delete each of them:
attrib -r -s -h avpo.exe
del avpo.exe
10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run (as usual, take a backup of your registry before touching it!)
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
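The registry clean-up in this post and in the AHKHeap post above comes down to the same three checks: delete Run values whose data points at a known worm file (heap41a\svchost.exe, avpo.exe, ntde1ect.com), delete the "status = present" marker under Policies\Explorer\Run, and reset SHOWALL\CheckedValue to DWORD 1 (the same fix the "Show hidden files & folders" post below describes). The following Python script is an added example and is not part of either post. plan_fixes() works on a plain dictionary snapshot of the keys, so the decision logic runs on any OS and can be checked against the constructed sample; read_snapshot() and apply_fixes() talk to the live registry through the standard winreg module, which exists only on Windows, and need administrator rights for the HKLM keys. Only the three keys named in the posts are read; the "search the whole registry for ntde1ect.com" step would need a wider key list than this example reads.

```python
"""Check the registry for the persistence entries named in the two posts.

Added example, not from either post.  plan_fixes() is pure logic over a
{key_path: {value_name: data}} snapshot; read_snapshot()/apply_fixes()
require Windows (winreg) and administrator rights.
"""
try:
    import winreg  # Windows only
except ImportError:
    winreg = None

# Key paths quoted in the posts.
POLICY_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHOWALL = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Advanced\Folder\Hidden\SHOWALL")
KEYS = (POLICY_RUN, HKCU_RUN, SHOWALL)

# File names the posts tell you to look for (matched case-insensitively).
BAD_SUBSTRINGS = ("heap41a\\svchost.exe", "avpo.exe", "ntde1ect.com")

# Constructed snapshot of an infected machine, for a dry run on any OS.
SAMPLE_INFECTED = {
    POLICY_RUN: {
        "winlogon": r"%System Root%\heap41a\svchost.exe %System Root%\heap41a\std.txt",
        "status": "present",
    },
    HKCU_RUN: {
        "avpo": r"C:\WINDOWS\system32\avpo.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # legitimate, must survive
    },
    SHOWALL: {"CheckedValue": 0},
}


def plan_fixes(snapshot):
    """Return a list of (action, key_path, value_name, data) to carry out.

    Mirrors the manual steps: delete any value whose data names a worm file,
    delete the 'status = present' marker under Policies\\Explorer\\Run, and
    force SHOWALL\\CheckedValue back to DWORD 1.  Nothing else is touched."""
    actions = []
    for key, values in snapshot.items():
        for name, data in values.items():
            text = str(data).lower()
            if any(bad in text for bad in BAD_SUBSTRINGS):
                actions.append(("delete", key, name, None))
            elif key == POLICY_RUN and name.lower() == "status" and text == "present":
                actions.append(("delete", key, name, None))
    if snapshot.get(SHOWALL, {}).get("CheckedValue") != 1:
        actions.append(("set_dword", SHOWALL, "CheckedValue", 1))
    return actions


def _open(path, access, create=False):
    """Open 'HKLM\\...' or 'HKCU\\...' with the given access (Windows only)."""
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    hive, _, subkey = path.partition("\\")
    if create:
        return winreg.CreateKeyEx(hives[hive], subkey, 0, access)
    return winreg.OpenKey(hives[hive], subkey, 0, access)


def read_snapshot(paths=KEYS):
    """Read the values under each key; a key that does not exist reads as {}."""
    snapshot = {}
    for path in paths:
        values = {}
        try:
            with _open(path, winreg.KEY_READ) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = data
                    index += 1
        except OSError:
            pass  # key absent
        snapshot[path] = values
    return snapshot


def apply_fixes(actions):
    """Carry out plan_fixes() output on the live registry (Windows only)."""
    for action, path, name, data in actions:
        with _open(path, winreg.KEY_SET_VALUE, create=(action == "set_dword")) as key:
            if action == "delete":
                winreg.DeleteValue(key, name)
            else:
                winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, data)


if __name__ == "__main__":
    snapshot = read_snapshot() if winreg else SAMPLE_INFECTED
    for action in plan_fixes(snapshot):
        print(*action)
```

Run it once without apply_fixes() to see what would be changed, export the affected keys from Registry Editor as a backup, then call apply_fixes(plan_fixes(read_snapshot())) from an elevated prompt in Safe Mode. The legitimate ctfmon.exe entry in the sample is there to show that values are only deleted when their data names one of the worm files, never by position or by name alone.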
Show hidden files & folders
Sometimes, when a virus, spyware or adware infects your PC, you can no longer turn on "Show hidden files & folders". Here is the trick to set it back to normal.
Click "Start" -> "Run..." (or press Windows key + R), type "regedit" and click "OK". Find the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Look at the "CheckedValue" value. It should be a DWORD. If it isn't (some malware replaces it with a string value of the same name), delete it and create a new DWORD value named "CheckedValue" with data 1. The "Show hidden files & folders" check box should now work normally. Enjoy!