three nasty viruses in wild

First one=SVCHOST.EXE

It looks like a Word file (ref: my previous post).
The file name is *.scr (i.e. a screen saver file, which is really an executable).
It hides your original Word document and creates a *.scr file of the same name in its place.
For example, you create a document Hello.doc; after you write in it and save it, Hello.doc gets the hidden and system attributes set, and a file named Hello.scr is created carrying the same Word icon.
In the administrator account it makes a change in the registry such that you will never be able to log in to your account again: when you click on your login name it logs in and then immediately logs out.
So, whenever you open a Word file, right-click it first and check the context menu options.
For the virus file they will be: Open, Run, Run as, Test, Configure, etc. (a real .doc never offers Test or Configure).
Once you get the virus in a limited user account, never log in to your admin account, or else, as I said, it makes a registry change such that you will never be able to log in again.
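The pairing described above (a hidden Hello.doc next to a Hello.scr of the same name) is something you can scan for rather than relying on the right-click check. The script below is an added example written for this post, not code from the original author; it walks a folder tree, reports every .scr that shares its base name with a document, and notes whether the original document carries the hidden/system attribute. The sample tree it builds in demo() is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Windows file-attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN/SYSTEM).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def is_hidden_or_system(path: Path) -> bool:
    """True if the file carries the Windows hidden or system attribute.

    st_file_attributes only exists on Windows; elsewhere (e.g. scanning a
    mounted disk image from Linux) we report False so the scan still runs.
    """
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def find_masquerading_scr(root: str, doc_exts=(".doc",)) -> list[dict]:
    """Walk `root` and report every <name>.scr sitting next to <name>.<doc_ext>.

    A screen saver is a renamed executable, so a .scr that shares its base
    name with a document in the same folder is exactly the pairing the post
    describes. Comparison is case-insensitive, as Windows file names are.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem: dict[str, dict[str, Path]] = {}
        for name in files:
            p = Path(dirpath, name)
            by_stem.setdefault(p.stem.lower(), {})[p.suffix.lower()] = p
        for variants in by_stem.values():
            if ".scr" not in variants:
                continue
            for ext in doc_exts:
                if ext in variants:
                    doc = variants[ext]
                    hits.append({
                        "scr": str(variants[".scr"]),
                        "doc": str(doc),
                        "doc_hidden": is_hidden_or_system(doc),
                    })
    return sorted(hits, key=lambda h: h["scr"])


def demo() -> list[dict]:
    """Build a constructed sample tree and scan it (illustration only)."""
    root = tempfile.mkdtemp(prefix="scr_scan_")
    docs = Path(root, "My Documents")
    docs.mkdir()
    (docs / "Hello.doc").write_bytes(b"constructed sample document")
    (docs / "Hello.scr").write_bytes(b"constructed stand-in, not a real binary")
    (docs / "Notes.doc").write_bytes(b"a document with no .scr twin")
    (Path(root) / "Saver.scr").write_bytes(b"a lone screen saver, not flagged")
    return find_masquerading_scr(root)


if __name__ == "__main__":
    # Replace demo() with find_masquerading_scr(r"C:\Documents and Settings")
    # (or any folder) to scan a real machine.
    for hit in demo():
        state = "hidden/system" if hit["doc_hidden"] else "visible"
        print(f"{hit['scr']} shadows {hit['doc']} (original is {state})")
```

On a real machine the doc_hidden flag is the stronger signal: a visible .doc beside a .scr could be a coincidence, but a document that has silently acquired the hidden and system attributes is the behaviour the post describes.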

Second=spoolsv.exe

The virus writer has done quite a lot of research on the autorun property.
When you insert your pen drive (if autorun is ON), Windows asks what to do, e.g.
open using Windows Explorer, open using WMP, open using Nero, view photos using some software, etc.
But if the drive carries this virus, it will say
“open using software provided on this device”
So, be careful.

After the virus is installed I found no separate virus process; probably it injects some DLLs.
I am unable to find the solution yet.
It's challenging… hmm…
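The extra AutoPlay choice comes from an autorun.inf at the root of the pen drive, so the defensive move is to read that file before trusting the prompt. The parser below is an added example for this post, not the author's code; it pulls the [autorun] section apart and flags the keys that would launch a program from the device (open, shellexecute, shell\…\command) and an action= string that imitates Windows' own wording. Both sample .inf texts are constructed, and the spoolsv.exe name in the suspicious one is only there because the post names it.

```python
import configparser

# Keys whose value is a program AutoRun will start straight off the device.
LAUNCH_KEYS = {"open", "shellexecute"}
# Wording that imitates the built-in AutoPlay choices a user expects to see.
MIMIC_PHRASES = ("open folder", "software provided", "program provided", "windows explorer")

# Constructed sample of what a drive carrying the virus might hold.
SUSPICIOUS_INF = """\
[AutoRun]
open=spoolsv.exe
shell\\open\\command=spoolsv.exe
shellexecute=spoolsv.exe
action=Open using software provided on this device
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
"""

# Constructed benign sample: only cosmetic keys, nothing is launched.
BENIGN_INF = """\
[autorun]
icon=setup.ico
label=Holiday Photos
"""


def parse_autorun(text: str) -> dict[str, str]:
    """Return lower-cased key -> value for the [autorun] section of an .inf."""
    # interpolation=None keeps %SystemRoot% literal; strict=False tolerates
    # duplicate keys, allow_no_value tolerates bare keys without '='.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): (v or "").strip() for k, v in cp[section].items()}


def analyze_autorun(text: str) -> list[str]:
    """List the reasons this autorun.inf deserves suspicion (empty if none)."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            findings.append(f"{key}={value}: a program on the device runs on insertion")
        elif key == "action" and any(p in value.lower() for p in MIMIC_PHRASES):
            findings.append(f"action={value}: wording imitates a built-in AutoPlay option")
    return findings


def check_drive(drive_root: str) -> list[str]:
    """Read <drive_root>\\autorun.inf from a real drive, e.g. check_drive('F:\\\\')."""
    try:
        with open(f"{drive_root}autorun.inf", encoding="utf-8", errors="replace") as f:
            return analyze_autorun(f.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(label, analyze_autorun(text) or "nothing flagged")
```

Whatever the parser says, the durable fix is to stop AutoRun from acting on the file at all: setting the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables AutoRun for every drive type, so the choice in the dialog never appears.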

Third=SHAHROKH.EXE

How come anyone misspells Shahrukh Khan? It's so sad. : )
It creates AUTORUNS.EXE and EXPLORER.EXE files.
The EXPLORER.EXE file is placed inside the c:\windows\system32\ folder.
So, whenever the computer starts, it doesn't load the genuine Windows EXPLORER.EXE but runs the virus's EXPLORER.EXE program instead.
This happens because, in the search "path", the system32 directory has higher preference than the windows directory…
Now I think: why isn't Windows's EXPLORER.EXE placed in the system32 folder?
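Because the shell is started by name and system32 is searched before the Windows directory, the check is simple: is there an explorer.exe in system32 at all, and if so, is it the same file as the one in %WINDIR%? The script below is an added example for this post, not the author's tool; it compares the two by SHA-256 and, on Windows, also reads the Winlogon Shell value to show whether the shell is referenced by bare name or full path. The fake %WINDIR% in demo() is constructed, and the list of binaries to check contains only explorer.exe because that is the one the post names.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional

# Binaries that live in %WINDIR% itself. A same-named file in system32 is
# found first by the search order the post describes.
WINDIR_BINARIES = ("explorer.exe",)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_search_order_shadows(windir: str, names=WINDIR_BINARIES) -> list[dict]:
    """Report files in <windir>\\system32 that share a name with a %WINDIR% binary."""
    windir_p = Path(windir)
    system32 = windir_p / "system32"
    hits = []
    for name in names:
        genuine, shadow = windir_p / name, system32 / name
        if not shadow.exists():
            continue
        hits.append({
            "name": name,
            "shadow": str(shadow),
            "genuine": str(genuine) if genuine.exists() else None,
            # Identical content means a harmless copy; differing content is the
            # case the post describes.
            "same_content": genuine.exists() and sha256_of(genuine) == sha256_of(shadow),
        })
    return hits


def winlogon_shell() -> Optional[str]:
    """Winlogon's Shell value on Windows; None elsewhere or if unreadable."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
            value, _kind = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


def demo() -> list[dict]:
    """Constructed fake %WINDIR% with a dropped explorer.exe in system32."""
    root = Path(tempfile.mkdtemp(prefix="windir_"))
    (root / "system32").mkdir()
    (root / "explorer.exe").write_bytes(b"constructed stand-in for the genuine shell")
    (root / "system32" / "explorer.exe").write_bytes(b"constructed stand-in for the dropped copy")
    (root / "system32" / "notepad.exe").write_bytes(b"legitimately in system32, ignored")
    return find_search_order_shadows(str(root))


if __name__ == "__main__":
    windir = os.environ.get("WINDIR")
    hits = find_search_order_shadows(windir) if windir else demo()
    for hit in hits:
        verdict = "identical copy" if hit["same_content"] else "DIFFERENT content"
        print(f"{hit['shadow']} shadows {hit['genuine']}: {verdict}")
    print("Winlogon Shell =", winlogon_shell())
```

Run it as an administrator on the affected machine; a Shell value of plain `explorer.exe` is the default, and a second explorer.exe in system32 with different content is what to remove (after disinfecting, not before, since the post says the file comes back otherwise).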

My semester exams are this month, so I'm going to hibernate. Goodbye guys… be in touch.

14 Responses to “three nasty viruses in wild”

  1. ginji Says:

    how do i remove these three viruses????

    I GOT ALL THREE OF THEM

  2. Krish Says:

    Hey Piyush, Can you tell me whether your Heal pen drive 1.0 heals all ssvichosst.exe files too.?

  3. sreejit pk Says:

hi piyush.. I too have all those virus attacks in my system.. please tell me how I can remove all those threats..

  4. sahitya Says:

how to remove regsvr.exe please tell me

  5. Manish Says:

Sir, your site and antiviruses are of great help to me. Now please give me the solution for shahrokh.exe and an antivirus to delete it. Please reply as soon as possible

  6. sarwesh suman Says:

Format your computer using a bootable disk.

  7. sarwesh suman Says:

    Can anybody mail me with complete information about regsvr.exe

  8. blink Says:

That virus shahrokh.exe is on my i-pod… It disables task manager of any desktop or laptop I connect. Now my computer is reformatted and it is clean…. But the virus is still there in the i-pod… how do I delete it from the i-pod permanently? please help ……

  9. Robin Says:

Please help me to remove shahrokh.exe virus from my F drive…
it gets deleted but once I restart the computer it's there again…
please help me to remove this virus……………………

  10. Robin Says:

but I don't have any explorer.exe file in C:\windows\system32
I am using Windows 7….. hope that shahrokh.exe won't do any bad to the processor….

    • piyushlabs Says:

      Robin,
Sorry, I can't help you because I have never used Windows 7.
Any antivirus you have, just update it. It should remove the virus, as it's about a 1 year old virus.

  11. Robin Says:

thanks piyush…
Kaspersky detected it and even Avira did….
