Posts Tagged ‘virus’

Heal Pendrive v2.0 uploaded

2 February, 2011

Heal Pendrive v2.0

Download
Finally I have finished v2.0 of HealPendrive. It has a user-friendly GUI and many useful features.

Features:
*This tool can be used to remove virus/suspected files from a pendrive.
*Instructions are provided at the bottom of each step.
*Built on VB.NET, this application is much superior to the previous v1.0.
*Improved “hunt-and-delete” has been integrated in this version.
+Automatic selection of the connected pendrive.
+Details for the selected drive.
+Displays the contents of autorun.inf.
+Individual options to fix registry entries.
+Calls the CHKDSK utility to detect and fix bad sectors.
+Most appreciated “hunt-and-delete” feature with multiple options.

What's not:
-Files marked for deletion are deleted permanently (not sent to the Recycle Bin).
-Registry changes are not reversible.
-This tool is only to be used on removable drives.

What's coming:
*A safely-remove-drive feature in the next builds.

How to disable Autorun for drives

17 May, 2009

Follow this procedure:
Go to Start > Run > “gpedit.msc”
Go to User Configuration > Administrative Templates > System
Select Turn off Autoplay > Properties > Enabled > All drives

Windows File Protection “SFC /SCANNOW”

3 May, 2009

If your Windows files are corrupted/infected by any virus, the best way to restore them is by using Windows File Protection.
Open Start > Run > ”cmd” and type ”sfc /scannow”.
Windows File Protection will start running.
It scans all protected system files and replaces incorrect versions with the correct Microsoft versions.
It will ask you to insert your Windows XP CD to replace the files.

* You can customize the drive used for the CD. Open Regedit and go to “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup”. Change “SourcePath” and “ServicePackSourcePath” to your drive letter.

Best way to kill SOUNDMIX.EXE

26 April, 2009

It's very difficult to kill the virus process Soundmix.exe.
I found out that this process looks for the presence of a file named “C:\stop.txt”.
Generally, when you try to kill the virus process, it comes back again and again.
Now, create a simple Notepad file in C:\ and rename it to “stop.txt”.
And now, try killing soundmix.exe.
Hola! The process stops…
Probably the virus developer used this in testing, but forgot to remove it.. 😉

Hunt and Delete Virus Files

6 January, 2009

This small utility is a continuation of HealPenDrive.
I have added a few more options.
The best one is: this will help you to delete what I call “pattern files”,
like a virus EXE file inside every folder with the name of the parent folder.
E.g.: ..\songs\songs.exe
One more option is to hunt and delete files based on their size.

It's completely a “batch” file.
I went through various samples of batch files on the net and learnt to code such programs. It's nice 🙂
So you can open it and check its contents.
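As an added example (Python, not the batch file distributed with the post), here is the same "hunt" logic as a dry-run scanner: it walks a drive, reports every <folder>\<folder>.exe pattern file, every file of a listed byte size, and every file whose MD5 matches a known copy, and only deletes when explicitly asked. The sample tree it scans is constructed in a temporary directory; the size list, hash list and file names are assumptions for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, sizes=(), hashes=(), pattern_ext=".exe", delete=False):
    """Return sorted (relative path, reason) tuples for suspicious files under root.

    Three independent rules, mirroring the post's hunt-and-delete options:
      pattern-file : <folder>/<folder>.exe (e.g. songs/songs.exe), root excluded
      size-match   : exact size in bytes is in `sizes`
      hash-match   : MD5 is in `hashes` (a constructed known-bad list)
    Nothing is removed unless delete=True, so run it first as a dry run.
    """
    root = Path(root)
    sizes = set(sizes)
    hashes = {h.lower() for h in hashes}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            path = folder / name
            reasons = []
            if folder != root and name.lower() == (folder.name + pattern_ext).lower():
                reasons.append("pattern-file")
            if path.stat().st_size in sizes:
                reasons.append("size-match")
            if hashes and md5_of(path) in hashes:
                reasons.append("hash-match")
            findings.extend((path.relative_to(root).as_posix(), r) for r in reasons)
    if delete:
        for rel, _reason in findings:
            (root / rel).unlink(missing_ok=True)  # a file may be listed twice
    return sorted(set(findings))


def build_sample_tree(base) -> Path:
    """Constructed pen-drive layout for the demo (not a real infection)."""
    base = Path(base)
    (base / "songs").mkdir()
    (base / "songs" / "track1.mp3").write_bytes(b"\x00" * 100)
    (base / "songs" / "songs.exe").write_bytes(b"MZ" + b"\x00" * 98)    # pattern file
    (base / "photos").mkdir()
    (base / "photos" / "photos.exe").write_bytes(b"MZ" + b"\x00" * 98)  # same content, other name
    (base / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8" + b"\x00" * 48)
    (base / "readme.txt").write_bytes(b"hello")                         # 5 bytes
    return base


def demo(delete=False):
    """Scan the constructed tree; returns (findings, files left afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        known_bad = md5_of(root / "songs" / "songs.exe")  # assumed known-bad hash
        found = hunt(root, sizes=[5], hashes=[known_bad], delete=delete)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
    return found, remaining


if __name__ == "__main__":
    for item in demo()[0]:
        print(*item)
```

The hash rule is the one worth keeping: two copies of a dropper with different names (songs.exe and photos.exe here) have the same MD5, so a hash list catches renamed copies that a name-based rule misses.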

*Many of you have complained about HealPenDrive being detected as a virus. The thing is, that software is built with AutoIt, which cannot (as far as I know) be run in EXE debuggers to find out its exact working. Most AutoIt files are flagged as suspicious by antiviruses, as there have been many viruses found built on AutoIt.

Link to download:
HuntAndDelete.zip

New Virus Attack : (MS Word Icon) SVCHOST SPOOLSV

15 April, 2008

Discovered a new virus that resides in C:\Recycled:

  • CTFMON.exe
  • SMSS.exe
  • SPOOLSV.exe
  • SVCHOST.exe

The icons of these files are EXACTLY like the Microsoft Windows MS Word type:

  • Icon : MS Word
  • Type of File: Application
  • Description: Microsoft Office Word
  • Size : 55.0 KB (56,320 bytes)
  • Size on disk: 56.0 KB (57,344 bytes)
  • File version : 11.0.5604.0
  • Copyright : Copyright © 1983-2003 Microsoft Corporation. All rights reserved.
  • Language : Language Neutral
  • etc

It adds itself to startup at:

  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • Explorer.exe “C:\recycled\SVCHOST.exe”

If you try to end task one of the processes, the other processes make such changes in your system registry that you'll never again be able to log in to your Windows account. :( [observed by me in some cases, still got to work it out] The computer logs off as soon as you click on your account.

  • because of changes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
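An added example (Python, not code from this blog) that covers two things on this page: checking the Winlogon Shell and Userinit values described just above for entries that do not belong, and checking whether the "Turn off Autoplay: All drives" policy from the gpedit procedure in the earlier post actually took effect (that policy writes NoDriveTypeAutoRun = 0xFF under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). The Shell sample is the value quoted in the post; the Userinit entry C:\recycled\EXAMPLE.exe is a constructed placeholder, and the clean-baseline values are an assumption for Windows XP. On Windows the script reads the live registry; elsewhere it evaluates the constructed sample.

```python
import re

# Baseline for a clean Windows XP install (assumption, not from the post):
# confirm against a known-good machine of the same build.
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# NoDriveTypeAutoRun is a bitmask over GetDriveType() results (bit = 1 << type).
AUTORUN_BITS = {
    0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cd-rom", 0x40: "ram-disk", 0x80: "reserved",
}

# Constructed sample: Shell as quoted in the post, Userinit with a placeholder.
SAMPLE = {
    "shell": 'Explorer.exe "C:\\recycled\\SVCHOST.exe"',
    "userinit": "C:\\WINDOWS\\system32\\userinit.exe,C:\\recycled\\EXAMPLE.exe,",
    "autorun": 0x95,
}


def split_shell(value):
    """Shell is space-separated; a quoted path may itself contain spaces."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', value)]


def split_userinit(value):
    """Userinit is comma-separated and normally ends with a trailing comma."""
    return [tok.strip().strip('"') for tok in value.split(",") if tok.strip()]


def audit_winlogon(shell, userinit):
    """Return (value name, entry) for every entry outside the baseline."""
    findings = [("Shell", e) for e in split_shell(shell) if e.lower() not in EXPECTED_SHELL]
    findings += [("Userinit", e) for e in split_userinit(userinit)
                 if e.lower() not in EXPECTED_USERINIT]
    return findings


def decode_autorun_mask(value):
    """Drive types on which AutoRun is disabled by this bitmask."""
    return [name for bit, name in sorted(AUTORUN_BITS.items()) if value & bit]


def autorun_disabled_everywhere(value):
    """True only for the 0xFF that gpedit's 'All drives' setting writes."""
    return value is not None and value & 0xFF == 0xFF


def read_live():
    """Read the real values on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None

    def query(hive, key, name):
        try:
            with winreg.OpenKey(hive, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    policy = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    # Machine policy takes precedence over the per-user policy gpedit writes.
    autorun = query(winreg.HKEY_LOCAL_MACHINE, policy, "NoDriveTypeAutoRun")
    if autorun is None:
        autorun = query(winreg.HKEY_CURRENT_USER, policy, "NoDriveTypeAutoRun")
    # The post found the rogue Shell under HKCU; HKLM holds the normal one.
    shell = (query(winreg.HKEY_CURRENT_USER, winlogon, "Shell")
             or query(winreg.HKEY_LOCAL_MACHINE, winlogon, "Shell") or "")
    userinit = query(winreg.HKEY_LOCAL_MACHINE, winlogon, "Userinit") or ""
    return {"shell": shell, "userinit": userinit, "autorun": autorun}


def report(values):
    """Human-readable findings for one set of registry values."""
    lines = [f"UNEXPECTED Winlogon\\{where} entry: {entry}"
             for where, entry in audit_winlogon(values["shell"], values["userinit"])]
    mask = values["autorun"]
    if mask is None:
        lines.append("NoDriveTypeAutoRun not set: OS default applies")
    else:
        suffix = "" if autorun_disabled_everywhere(mask) else " (not all drive types)"
        lines.append("AutoRun disabled on: " + ", ".join(decode_autorun_mask(mask)) + suffix)
    return lines


if __name__ == "__main__":
    print("\n".join(report(read_live() or SAMPLE)))
```

Run it before and after the repair: the rogue Shell entry should disappear from the output, and the last line should list all eight drive types once the policy is applied.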

Discovered

  • Place : RVCE, Bangalore
  • Dated : April 2, 2008
  • was present much earlier than this date

I'll work on this soon; I didn't find any report of it from anywhere else on my blog yet.

Kaspersky does not detect this virus yet, as of 15 April 2008.

Have a look at the virus file

regsvr.exe / rundll.exe / ‘Microsoft CorpAration’ virus details & heal uploaded

26 March, 2008

It has been quite many days. People have been reporting this new virus. Thanks to Muthu Kumar, who sent me the virus file to find out the heal.

I really like this virus. It creates a lot of files and makes a lot of registry changes. Finding the solution was really challenging. It is built with AutoIt, version unknown. The latest update of Kaspersky does not detect this virus unless it is scanned thoroughly.

not-a-virus:Monitor.Win32.007SpySoft.q -> rundll.exe
Worm.Win32.AutoIt.s                    -> regsvr.exe

The “Microsoft Corparation” tag is really confusing. Mind it, it's Corp'a'ration, not Corp'o'ration … he he

I won't say my heal is totally complete; there is still some more work I'm supposed to do with it, probably to fix some more registry entries that I still don't know what they do. Overall, my heal will end-task the virus files and restore most of the registry entries.

This virus/trojan keeps a complete watch on the system by taking snapshots every 30 seconds. Suppose you have this virus for 30 days; just think how much space it will eat. lol

Like the recent viruses, this one too creates an EXE file inside every folder with the name of the parent folder (BUT only in removable drives, this is what I found). It spreads via pen drives, leaving regsvr.exe, New Folder.exe and autorun.inf files in the root directory of the pen drive and other <folder named> files inside.
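The autorun.inf left in the pen-drive root is what makes the drop run when the drive is opened, so inspecting it is the first check worth automating (HealPendrive's "displays contents of autorun.inf" feature does this by hand). The following is an added example in Python, not code from the post: a tolerant parser for the [autorun] section that pulls out every key AutoRun/AutoPlay can execute (open=, shellexecute=, shell\<verb>\command=) and gives a verdict. The three sample files are constructed for the demo; the file name regsvr.exe comes from the post, the rest of each sample's contents is made up.

```python
import re

# Extensions Windows would execute directly (assumed list, not from the post).
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")

# Constructed samples: shaped like an infected, a vendor, and an irrelevant file.
MALICIOUS = b"\r\n".join([
    b"[autorun]",
    b"open=regsvr.exe",
    b"shell\\open=Open",
    b"shell\\open\\command=regsvr.exe",
    b"shell\\explore\\command=regsvr.exe",
    b"shellexecute=regsvr.exe",
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4",
])
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Drive\r\n"
NO_SECTION = b"; a stray ini file with no [autorun] section\r\n"


def parse_autorun(data: bytes):
    """Parse the [autorun] section into (key, value) pairs.

    Keys are case-insensitive. Binary padding (a common obfuscation) is
    decoded with replacement characters instead of aborting the parse.
    """
    entries = []
    section = None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_targets(entries):
    """Entries AutoRun/AutoPlay can execute: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in entries
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)]


def first_token(value):
    """The program part of a command line, ignoring quotes and arguments."""
    value = value.strip().strip('"')
    return value.split()[0].strip('"') if value else ""


def assess(data: bytes):
    """Classify one autorun.inf; returns the parsed entries alongside the verdict."""
    entries = parse_autorun(data)
    targets = launch_targets(entries)
    programs = sorted({first_token(v) for _, v in targets if first_token(v)})
    if not entries:
        verdict = "no-autorun-section"
    elif any(p.lower().endswith(EXEC_EXT) for p in programs):
        verdict = "launches-program"
    elif targets:
        verdict = "launches-other"   # e.g. a document or URL; still worth a look
    else:
        verdict = "cosmetic-only"    # icon/label only
    return {"entries": entries, "targets": targets, "programs": programs, "verdict": verdict}


if __name__ == "__main__":
    for name, blob in (("MALICIOUS", MALICIOUS), ("BENIGN", BENIGN), ("NO_SECTION", NO_SECTION)):
        result = assess(blob)
        print(name, result["verdict"], result["programs"])
```

Point it at a real file with assess(open(r"E:\autorun.inf", "rb").read()); the "programs" list tells you which file in the drive root to quarantine before the shell\ verbs are cleaned up.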

So here is the solution…
https://piyushlabs.wordpress.com/regsvr/

Truth about AVG

3 February, 2008

I was supposed to post this 1 month back.

I was called to fix some problem on Sandeep sir's computer. I found AVG installed, and fully up to date. After searching for a few minutes, I found the problem: it was the UST Scandal virus. I was amazed because AVG had the latest updates.

After uninstalling the virus, AVG suddenly popped up and deleted the “Funny UST Scandal.avi.exe” file. I said: OK, it's doing it. But there was another EXE file of the same virus named “smss.exe”. Surprisingly, it could not be detected. I thought, maybe, let it be.

I came back to my computer. I have a lot of viruses saved on my computer.. he he.. When I looked into the properties of these two files, what did I see? Both of them have the SAME SIZE, SAME MD5 HASH VALUES, only different names. What does it mean, AVG detects viruses based on “virus name”???

Oh, AVG users are gonna kill me for this post. Please, I said this was just an observation by me. Maybe I am wrong..

Softwares (HEALS) uploaded !!!

17 October, 2007

At last, today I have uploaded my antivirus for ssvichosst, nhatquanglan, the Orkut virus (microsoftpowerpoint.exe), etc. These are just virus removers and do not provide any protection from the viruses again. These are programs written in C/C++ by me and are free to use and distribute. The size of these HEALS is just a few KB. It simply does the troubleshooting that you can do yourself by following my step-by-step procedure. You can remove the viruses with these small softwares 🙂

https://piyushlabs.wordpress.com/downloads/

solution for nhatquanglan found

16 October, 2007

I had to install this virus to find out what it does. Then I found out the step-by-step solution for this. It spreads deadly via LAN. When I installed it, it sent its offspring to all the accessible shared folders on the network. Here's how you can fix the problem:

https://piyushlabs.wordpress.com/nhatquanglan-new-folder-svchost/
