Regedit , Task Manager , Control Panel DISABLED!!! CALL 911 !!!!!!!!!!!!

Well I am a little hyper today and a bit dramatic :p it's just because the problems that viruses cause today are not only insane but really get on your nerves, even if you're really geeky. One such problem hit me last week. I have a routine for when I get hit by a virus: first I try to take my meds, get a good sleep, make a doctor's appointment if it gets really bad.... no WAIT!!! ....what am I doing? That's the wrong routine ;) let me start over. I meant to say that I have a routine for when MY COMPUTER gets hit by a virus. I am somewhat aware of what common viruses do today with the help of the registry keys they create. I pulled a few strings to learn which keys in my registry would be malicious, and I used to track them down and erase them for good. As far as the task manager is concerned, I use it to track down the culprit virus process that is hiding in memory and recreating those registry keys at every bootup. But some smart a$$ virus thinks it can ruin my day by disabling my tools of the trade (regedit & task manager) whilst carrying out its dirty work as usual. Well fear no more friends, I am about to put a solution in here for viruses like that, which I am sure will make your day ;) when you end up in a situation like I did. Although there are numerous free tools and fixes on the internet to enable regedit, task manager and so on, I am of the mindset, "you can do anything to make your life easier but never let that stop your geeky side from growing ;)". Well, let's talk business now, shall we?....
I assume that you've been infected by a virus that has disabled all the system tools that could possibly bring it down. So to re-enable everything, follow these steps:

1. Make sure you have administrative privileges on your account.

2. Open a command prompt and type each of the following commands (one per line):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableSR /t REG_DWORD /d 0 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisallowRun /t REG_DWORD /d 0 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoControlPanel /t REG_DWORD /d 0 /f

3. If, hypothetically, the command prompt is disabled too, then open a new text document and create a .reg file. Its content should be as follows; it is copy and paste friendly :)

————————————
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoControlPanel"=dword:00000000
"DisableSR"=dword:00000000
"DisallowRun"=dword:00000000
"DisableRegistryTools"=dword:00000000

————————————

4. Save the file with any name followed by the ".reg" extension (plain text, not .txt), then double-click that .reg file to add those entries to the registry.

5. Either method gives the same result, so the choice simply depends on whether your command prompt is working or not.

6. There, it's done!! But before I finish: in step two I am using the standard command-line REG command to do the job, which means /v, /t, /d and /f are the options used while the value is being added to the registry.

/v denotes the name of the new value to be added.

/t denotes the type of the value to be added, be it REG_BINARY or REG_DWORD etc.

/d 0 denotes the data the value will hold once it is created. For these DWORD policy values it is either 1 or 0.

/f forcibly overwrites the value if it already exists in the registry (which it does, because the virus creates the value and sets it to 1, and you set it back to 0).
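An added example (my own, not the post's commands) that audits the same policy values before touching anything, and resets them the way the REG add lines do only when asked. It checks HKLM as well as HKCU, since the same value names under HKLM affect every account, and both the ...\Policies\System and ...\Policies\Explorer subkeys, since different tools read their flag from different ones; it assumes an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the post: report the policy values that switch off Task Manager,
# regedit, Run, Control Panel and friends, then optionally set them back to 0.
# Run from an elevated PowerShell prompt.

$PolicyValueNames = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableSR',
                    'DisallowRun', 'NoControlPanel', 'NoFolderOptions'
$PolicySubkeys    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System',
                    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ToolPolicyStatus {
    # One object per policy value that is actually present in the registry.
    # Restrictive = $true means the value is non-zero, i.e. the tool is switched off.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in $PolicySubkeys) {
            $path = "${hive}:\$sub"
            if (-not (Test-Path -Path $path)) { continue }
            $props = Get-ItemProperty -Path $path
            foreach ($name in $PolicyValueNames) {
                $data = $props.$name
                if ($null -ne $data) {
                    [pscustomobject]@{
                        Path        = $path
                        Name        = $name
                        Value       = $data
                        Restrictive = ($data -ne 0)
                    }
                }
            }
        }
    }
}

function Reset-ToolPolicy {
    # Same effect as the post's "REG add ... /t REG_DWORD /d 0 /f" lines, applied only to
    # the values found set. Setting 0 rather than deleting matches the post and leaves a
    # visible record that the policy was deliberately reset.
    Get-ToolPolicyStatus | Where-Object { $_.Restrictive } | ForEach-Object {
        Set-ItemProperty -Path $_.Path -Name $_.Name -Value 0 -Type DWord
        "{0}\{1}: {2} -> 0" -f $_.Path, $_.Name, $_.Value
    }
}

# Report first; run Reset-ToolPolicy only after reviewing the list.
Get-ToolPolicyStatus | Format-Table -AutoSize
```

If the list is empty but the tools are still disabled, the restriction is coming from somewhere else (for example a domain Group Policy), not from these values.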

I hope this tip helped you out, so until next time, take care :) and thanks for reading


Peeka Boo!! In Your Network

Hey ppl, most of the time we'd like to share resources between two or more computers on our network. This task is made easy by Network Neighbourhood: you can easily access other computers on your network from there. But what if you still want to share folders with some users, but you just don't want everyone on the network to see your computer's shares? Is there a way to do it other than disabling sharing altogether, you ask? Well, here is how you do it: perform the steps below on the computer whose resources you want to keep limited and visible to certain users alone.

Steps:
1. Click Start -> Run.
2. In the Run box, type net config server /hidden:yes
3. Click OK.
Now others who know the UNC path (\\your computer name\share name) can still connect to your computer's shares from the Run box, but the computer won't show up in the network browse list. There you go! Hope this tip helped you out ;)

Removal Of Winsetup.exe Virus

Hello Friends, yes I understand it's been a long time since I've updated my blog. What can I say? I've been quite busy with college work, and of course my personal life; if you must know, I would say relationships or blah whatever :P , I am sure you know what I am talking about? ;)
Anyway, enough about me. If you are a regular pen drive or thumb drive user, I am sure that by now you are aware of the fact that there is a new virus on the block, which goes by the name Taloq.Trojan; some AV software detect it as Win32.*blah*.Taloq.Trojan.
The bottom line is that none of the AV software, free or proprietary, is able to provide a proper offence against this virus, yet they offer a good defence if you didn't let the virus in in the first place, by regularly updating your antivirus signatures.
But we are talking about a situation in which your AV updates have been lagging for quite a few months and you already have the virus in your system. NOW WHAT DO I DO????
I'll tell you what the problem is here. Even though your AV software isn't up-to-date, it is still able to detect the virus. It says "Successfully Deleted/Quarantined" or whatever. But every time you re-plug your pen drive, the virus pops back in, out of nowhere.
At first you would try googling the problem, and most of the solutions that I came across said "Delete Winsetup.exe in the Windows directory" or something of that sort. But to my disappointment and your dismay, that will never stop this virus from doing its dirty work. So what exactly happens?
Well, it has to do with the System Restore option of Windows. If you happen to have it enabled, then there is your problem. No matter how many times you delete this virus from USB drives, it restores a copy of itself using one of your hard drive partitions as a base, without your knowledge. Even if you do a full system scan with your AV software, there is a slight chance that the virus is missed during the scan, unless your AV software is as state-of-the-art as they promise it would be.
"Enough with the explanations buddy, let's get on with the removal steps!!!" If that's what you're thinking right now, I am not gonna take you on ;) Anyway, here is how:
1. First you have to find the hidden process which pops up when you plug in your pen drive. You can't use Task Manager, as by the time you plug in and open it, the process goes into hiding :p (I know, nifty, huh? :D)

2. For that I would recommend the freeware "IBPROCMAN". If you haven't heard of it, try googling it; you should find it sooner than you can find a way to pronounce it :p

3. The installation should be a jiffy. Once it's done, run the application; you should see the normal Windows processes running. Now plug in your pen drive. When you do, you should see a weird unknown process starting up; immediately right-click on it and click Properties. The name of this weird process is most probably "sysdate.exe".

4. From its Properties, look for the drive in which it is hiding.

5. Now is when Linux comes in handy. Exit your Windows machine and boot into your Linux distro (Live CD or your hard disk installation). Mount the drive which has the hidden process. Find the folders "$RECYCLE.BIN" and "RECYCLER". Delete them both, and remove the autorun file from your pen drive with the help of my other blog post "to remove autorun virus", and VOILA!!! YOU'RE DONE.

6. Hope this helped you out. I'll let you in on more about my personal life NEXT TIME ;) , cuz it just got interesting, again if you know what I am talking about :p.

Removal of Killer Virus, Amvo Virus, Funny UST Scandal Virus

Hey, it's your buddy g47 again :)

I hope the steps to remove the ntde1ect.com virus helped you out. The viruses which we are about to destroy now are slight variants of ntde1ect. Since the steps to destroy each of these viruses are too long, I have decided to write the antidote for the virus in the form of batch files. These batch files are like executables which you can run, following my instructions, to remove the viruses from your system. If you don't know how to create batch files, check out my post on virus programming using batch files, which should help you out with this. Now for this method to work you will need to create two batch files. To create the first batch file, open notepad and copy & paste the following code.

#comment: start copy from below this line
@echo off
title UST Scandal Removal by G47 (first file)
cls

echo Funny UST Scandal Removal (first file)
echo --------------------------------
echo.

echo FIXING REGISTRIES:
pause

rem re-enable regedit, Task Manager, Run and the Display control panel for this user
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 0 /f

rem re-enable Folder Options and clear the DisallowRun list (create the key first so the delete cannot fail)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f

rem restore the default safe-mode shell, clear RunOnce, show hidden files again and restore Explorer as the logon shell
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "cmd.exe" /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce /f
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce /f
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f

echo.
echo.
echo.
echo ### copy the file 2.bat to the "c:\Windows\" directory
pause
echo.
echo.
echo ### Restart the computer in "Safe Mode with Command Prompt"
echo ---------------------------------------------------
echo You can do this by pressing and holding the F8 key.
echo After this step you should be getting the boot options list.
echo From the list select Safe Mode with Command Prompt Only.
echo In the command prompt, navigate to the Windows directory and type "2.bat" (without quotes)
echo And you're done. Enjoy.
echo.
echo.
pause
exit

#comment: stop copy above this line.

Now once you've done the above step, save the file as 1.bat [not 1.txt]. Then run it with administrative privileges.

The first batch file is the first layer of removal. You can run it by simply double-clicking it or running it from the command prompt. Although it removes all instances of the viruses, instances which are still in memory are not removed.

So the contents of the second batch file are as follows. Copy & paste it into a new notepad file.

#comment: start copy below this line.

@echo off
title Funny UST Scandal Removal by G47 (second file)
cls
echo Funny UST Scandal Removal (second file)
echo ---------------------------------------
echo (to be used in Safe Mode With Command Prompt)
echo.
echo.
echo.

echo DISINFECTING REGISTRIES:
echo Hit Enter
pause

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 0 /f

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f

reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "cmd.exe" /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce /f
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce /f
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f

echo.
echo.
echo.

echo REMOVING RUNNING VIRUS PROCESSES IF ANY:
pause
rem /t also kills child processes, /f forces termination
taskkill /IM "killer.exe" /t /f
taskkill /IM "Funny UST Scandal.exe" /t /f
taskkill /IM "Funny UST Scandal.avi.exe" /t /f

echo.
echo.
echo.

echo DELETING VIRUS FILES FROM WINDOWS:
pause
rem /a deletes regardless of attributes (hidden, system), /f forces deletion of read-only files
del "%windir%\autorun.inf" /f /a
del "%windir%\smss.exe" /f /a
del "%windir%\killer.exe" /f /a
del "%windir%\Funny UST Scandal.*" /f /a
del C:\log /f /a
del D:\log /f /a
del "c:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe" /f /a
del "D:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe" /f /a

echo.
echo.
echo.

echo DELETING VIRUS FILES FROM OTHER DRIVES:
echo (considering you have 4 drives, namely C, D, E and F)
echo if you have more drives then edit this batch file and add more... like
echo del "X:\autorun.inf" /f /a
echo del "X:\smss.exe" /f /a
echo del "X:\Funny UST Scandal.*" /f /a
echo Like see the example below. If you have queries here, ask me :)
echo.
echo.
echo.
pause

del "c:\autorun.inf" /f /a
del "c:\smss.exe" /f /a
del "c:\Funny UST Scandal.*" /f /a

del "d:\autorun.inf" /f /a
del "d:\smss.exe" /f /a
del "d:\Funny UST Scandal.*" /f /a

del "e:\autorun.inf" /f /a
del "e:\smss.exe" /f /a
del "e:\Funny UST Scandal.*" /f /a

del "f:\autorun.inf" /f /a
del "f:\smss.exe" /f /a
del "f:\Funny UST Scandal.*" /f /a

echo Hope this helps you out, Cheers from G47
pause
rem start the desktop shell again, since safe mode with command prompt does not
explorer
exit

#comment: stop copy above this line.

Now save this file as 2.bat.

So after you've run the first batch file, copy the second batch file to the "x:\windows\" directory, where 'x' is your system partition. Then restart the system and boot into "Safe Mode with Command Prompt Only" by holding the F8 key. Once you've reached the command prompt, navigate to the Windows directory and type in "2.bat" (without quotes). Then restart the computer. If you do all this correctly, your system should be squeaky clean ;)

Important NOTE: Do not run the second batch file (2.bat) in normal Windows mode; it may cause your system to become unstable. This is because that batch file tries to kill system processes in memory which are affected by the virus. So I strictly advise you to use it in Safe Mode.

Well, I hope this helped you out. Check out my other post on how to destroy the ntde1ect.com virus as well. Cheers :)

Destroying ntde1ect.com virus and n1detect.com virus

OK, I know the Autorun virus once ruled its throne in the USB empire, but I showed you a way to stop it. Now a new demon enters the fray. This one is smarter than the USB autorun virus. In fact, this one duplicates itself into different instances instead of identical ones. This makes them harder to defeat with a single removal tool. So how do we stop it? It's quite easy actually, if you know where each instance of the virus hides. Another interesting thing about this virus is that it doesn't place itself in the most virus-prone areas like system32. Its location varies based on the system it infects. Either way, you can still stop it, by using the following steps.

Steps:
1) Open Task Manager (Ctrl+Alt+Del)
2) If the wscript.exe process is running, end it.
3) If the explorer.exe process is running, end it.
4) Open "File | New Task (Run)" in the Task Manager.
5) Run cmd
6) Run the following command on all your drives, replacing c:\ with each other drive in turn:

del c:\autorun.* /f /a /s /q

7) Go to your Windows\System32 directory by typing cd c:\windows\system32 in the cmd prompt.
8) Type

dir /a avp*.*

9) If you see any file names like avp0.dll, avpo.exe or avp0.exe, use the following commands to delete each of them:

attrib -r -s -h avpo.exe

del avpo.exe

10) Use the Task Manager's Run command and type in regedit.
11) In the left-hand pane, navigate to the following path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

12) If there are any entries for avpo.exe, delete them [check for the other two files also].
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
There you go, this is how you delete the ntde1ect.com virus. There is another variant of this virus which is known as the killer virus; it is also called the amvo virus. I have put up two batch files with instructions to run them. Use them to destroy that virus. I hope this helped you out. :)
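A read-only audit of the autostart locations that the two batch files in the killer/amvo post and steps 11-13 above clean up, added here as an example of my own and not part of either post. It assumes only a Windows PowerShell session; the file names it flags are the ones these posts mention, and it changes nothing, so it can be run in normal mode to see whether the removal steps are needed at all.

```powershell
# Added example, not from the posts: list Run/RunOnce entries, the Winlogon and SafeBoot
# shell values the batch files reset, and the Startup folders, flagging the names the
# posts name. Nothing is modified.

$SuspectNames = 'ntde1ect.com', 'n1detect.com', 'avpo.exe', 'avp0.exe', 'avp0.dll',
                'killer.exe', 'funny ust scandal', 'lsass.exe', 'smss.exe',
                'sysdate.exe', 'winsetup.exe'

function Test-SuspectName([string]$Text) {
    foreach ($s in $SuspectNames) { if ($Text -like "*$s*") { return $true } }
    return $false
}

function Get-AutostartEntries {
    # 1. Run / RunOnce values in both hives (step 11 above looks at the HKCU Run key)
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Run', 'RunOnce') {
            $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $path)) { continue }
            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                [pscustomobject]@{ Location = $path; Name = $name; Data = $data
                                   Suspect = (Test-SuspectName $data) }
            }
        }
    }
    # 2. Logon shell and safe-mode shell: the batch files force these back to
    #    Explorer.exe and cmd.exe, so anything else here is worth a look
    $shellChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'Shell'; Expect = 'explorer.exe' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
           Name = 'AlternateShell'; Expect = 'cmd.exe' }
    )
    foreach ($c in $shellChecks) {
        $data = [string](Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Location = $c.Path; Name = $c.Name; Data = $data
                           Suspect = ($data.Trim().ToLower() -ne $c.Expect) }
    }
    # 3. Startup folders (the second batch file deletes lsass.exe from the All Users one)
    $folders = @([Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup'))
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Data = $_.FullName
                               Suspect = (Test-SuspectName $_.Name) }
        }
    }
}

Get-AutostartEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize
```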

Removal Of Autorun Virus And USB Viruses

Tired of searching for a decent antivirus program to stop the auto-play virus?
Are you saying that there is no anti-autorun program which is free and still able to stop this maniac virus?
Well I gotta agree with you, there are programs like Kaspersky to stop it, but if you're reading this, I can understand you have no intention of affording one ;-)
Well, I've got news for you my friend, there is a way to stop this insane virus from ripping off your computer.
Now as always, there are two approaches for a virus like this:
One, a counter measure.
Two, a preventive measure.
Now mind you, both these measures that I am about to suggest are absolutely free, and are proven to be effective.
First things first, let's start with the counter measure.
If your USB drive is identified as drive 'X' when you plug it in, this is what you need to do.

Steps:
1. Go to Start->Run (so as to get admin privileges)
2. Type in 'cmd' to get the command prompt.
3. In the cmd prompt, go into your USB drive, but before this step it is wise to end the 'explorer.exe' process from the Task Manager (you can access it by right-clicking on the taskbar). This is because when this virus is active it most probably hides itself in that process, or under rundll32.
4. Once you're inside your USB drive, type in (if X is your USB drive letter):
X:\>attrib -s -a -r -h autorun.inf
5. This will make the file visible, and as you have admin privileges, you can delete it by simply typing in:
X:\>del autorun.inf /f /s /a /q
Note: You can't delete this virus without first performing the previous step of clearing its hidden attributes.
So make sure you follow these steps in the order I've mentioned. You can also use this method to clean any virus file (if you know its name; instead of autorun.inf, for example svchost.exe etc.) on your hard drives or pen drives by replacing 'X' with the corresponding drive letter.
6. There you go, your system should be clean if you do all this right.
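An added example of my own (not the post's commands) that does the inspection before the attrib and del steps above: it finds autorun.inf on every drive root, shows the attributes the post strips, and prints the [autorun] lines that tell Windows what the file would launch, so you can see what you are deleting. It assumes an elevated Windows PowerShell session; the -Remove switch is the equivalent of steps 4 and 5.

```powershell
# Added example, not from the post: inspect (and optionally remove) autorun.inf on each
# drive root. Read-only unless -Remove is given.

function Get-AutorunInfo {
    param([switch]$Remove)
    # every drive letter that is currently mounted, fixed disks and USB sticks alike
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
    foreach ($d in $drives) {
        $path = Join-Path -Path $d.Root -ChildPath 'autorun.inf'
        # -Force is needed because the file normally carries the Hidden and System attributes
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        # open=, shellexecute= and shell\...\command= are the keys that name a program to run
        $launch = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        [pscustomobject]@{
            Drive      = $d.Root
            Attributes = $file.Attributes.ToString()   # e.g. "Hidden, System, Archive"
            Launches   = ($launch -join '; ')
        }
        if ($Remove) {
            # same as "attrib -s -a -r -h" followed by "del /f": clear the attributes
            # first, otherwise the delete is refused
            $file.Attributes = 'Normal'
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Report only; run "Get-AutorunInfo -Remove" once you have looked at the output.
Get-AutorunInfo | Format-List
```

A legitimate autorun.inf on an install CD also shows up here; the Launches column is what tells a setup launcher apart from an .exe copied onto a pen drive.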
The preventive measure is to restrict access to USB drives on your system, which can be done using the Group Policy Editor (gpedit.msc).
Steps:

1. Go to Start->Run->Type in 'gpedit.msc'
2. Next follow this chain in the left panel:
Computer Configuration->Administrative Templates->System->Removable Storage Access->All Removable Storage classes: Deny all access (in the right panel).
3. If you have enough admin privileges, you can enable or disable this option by double-clicking on it and selecting the appropriate option.
Note: If enabled, no USB drives can be accessed even if they are connected. So use this setting based on your need.
4. This is a good costless preventive measure, which you will love to try out.
