
Archive for Security

Is the Official Website of the Department of General Education, Kerala Hacked?

// December 6th, 2008 // No Comments » // Security


It seems the official website of the Department of General Education, Government of Kerala has been hacked. Today I was checking the website and noticed a news item "Hacked by the. Mo3tafa , Sha2ow" in the hot news box. The news content is just: "tHe.Mo3tafA Was Here !!! Your Box 0wn3d By Deface Team We Love Iran Ashiyane Digital Security Team Special Thanks to Ashiyane Defacers & Programmers Team www.ashiyane.org/forums I Don't Know Any Rival For Muslims".

Home page of the Department of General Education: http://www.education.kerala.gov.in/

Posted news: http://www.education.kerala.gov.in/admin/news_details.php?id=39


Removing Funny ust scandal virus

// May 6th, 2008 // 1 Comment » // Security

This virus infects your Yahoo Messenger and changes your status to something like "Funny ust scandal". It also sends the virus file to your contacts through Yahoo Messenger. Try the following steps to remove it.

  1. Boot the system in safe mode.
  2. Open a command prompt (type "cmd" in Start -> Run, without quotes).
  3. Type the following 3 commands:
    1. taskkill /f /im smss.exe
    2. taskkill /f /im killer.exe
    3. taskkill /f /im smss.exe
  4. Now we want to delete the virus files. For that, execute the following commands (the file name containing spaces must be quoted):
    1. del /a:h /f c:\autorun.inf
    2. del /a:h /f c:\smss.exe
    3. del /a:h /f "c:\funny ust scandal.avi.exe"
  5. Repeat the above 3 commands for all drives ('d', 'e', 'f', ...) except the CD/DVD drive. Do the same after connecting your flash drive; the virus may be there too.

    Eg:- if you have a D drive then replace the 'c' of "c:\autorun.inf" with "d:\autorun.inf"

    Then delete the copies in the Windows folder and the Startup folder:
    1. del /a:h /f c:\windows\killer.exe
    2. del /a:h /f c:\windows\autorun.inf
    3. del /a:h /f c:\windows\smss.exe
    4. del /a:h /f "c:\windows\funny ust scandal.exe"
    5. del /a:h /f "%userprofile%\Start Menu\Programs\Startup\lsass.exe"
  6. Go to Start -> Run and type "regedit" without quotes, then search for and delete the registry entries that reference:
    1. smss.exe
    2. lsass.exe
    3. killer.exe
    4. Scandal.avi.exe
  7. Restart your system in normal mode.

The above steps are a bit difficult. I will create a tool for removing the virus when I get time. Now a bit busy @ office. Hope this will help you :)
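The steps above can be scripted. The batch file below is an added example (it is not the tool the post promises, nor the author's code): it stops the listed processes, deletes the listed files from every non-optical drive, the Windows folder and the Startup folder, and prints any Run-key values that still name the worm so they can be removed in regedit. It assumes an administrative command prompt in Safe Mode and uses only the process and file names given in the post.

```batch
@echo off
rem Added example, not the blog author's tool: automates the manual cleanup
rem steps for the "Funny ust scandal" worm. Run from an administrative
rem command prompt in Safe Mode. Names are exactly those listed in the post.
setlocal

echo [1] Stopping the worm's processes...
rem The worm's smss.exe copies sit in drive roots and %SystemRoot%; the genuine
rem Session Manager lives in %SystemRoot%\System32 and is not touched below.
for %%P in (smss.exe killer.exe) do taskkill /f /im %%P >nul 2>&1

echo [2] Removing dropped files from every non-optical drive...
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist %%D:\ (
        fsutil fsinfo drivetype %%D: | find /i "CD-ROM" >nul || (
            for %%F in ("autorun.inf" "smss.exe" "funny ust scandal.avi.exe") do (
                if exist "%%D:\%%~F" (
                    rem clear hidden/system/read-only bits so del cannot be refused
                    attrib -r -s -h "%%D:\%%~F"
                    del /f /q "%%D:\%%~F"
                    echo     removed %%D:\%%~F
                )
            )
        )
    )
)

echo [3] Removing copies under %SystemRoot% and the Startup folder...
set "STARTUP=%USERPROFILE%\Start Menu\Programs\Startup"
for %%F in ("%SystemRoot%\killer.exe" "%SystemRoot%\autorun.inf" "%SystemRoot%\smss.exe" "%SystemRoot%\funny ust scandal.exe" "%STARTUP%\lsass.exe") do (
    if exist "%%~F" (
        attrib -r -s -h "%%~F"
        del /f /q "%%~F"
        echo     removed %%~F
    )
)

echo [4] Run-key values that still name the worm; delete these in regedit, step 6:
for %%K in (HKCU HKLM) do (
    reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | findstr /i "killer.exe smss.exe lsass.exe scandal"
)
echo Done. Restart in normal mode afterwards.
endlocal
```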


Show Hidden Files and Folders

// August 18th, 2007 // 2 Comments » // Security, Tips & Tricks

Some Windows users whose systems are infected by worms may have problems viewing hidden files and folders. If you have any problem enabling "Show hidden files and folders" in Windows Explorer, then download and run this file.

PS: Press "Yes" if you get any warning.


Removing the SpyLocked Spyware

// August 6th, 2007 // No Comments » // Security, Tips & Tricks



SpyLocked 4.3 is a fake but dangerous anti-spyware application that is installed on your computer without your permission by a Trojan or other malware.
When infected with the SpyLocked 4.3 software you will also see fake taskbar alerts stating that you have spyware applications running on your computer. SpyLocked 4.3 also displays a fake warning alert with a flashing icon in your system tray, and pop-up balloon warning messages claiming that your PC is infected. For example: "Critical System Error", "Your computer is infected", "System Alert", "Security Alert", "Trojan-Spy.win32@mx", "Virus Alert", "Security Alert" or "Spyware.Cyberlog-X".

If your computer is infected by SpyLocked and your browser is hijacked to an unfamiliar webpage or securityiepage.com, then your computer is in trouble, because it transfers information back and forth from the infected computer, which makes it a potential channel for application/data theft.

Symptoms

  • Pop-up balloon warning messages claiming that your PC is infected. SpyLocked's examples are:

    "Critical System Error",
    "Your computer is infected",
    "Trojan-Spy.win32@mx",
    "Virus Alert",
    "Security Alert",
    "System Alert",
    "Warning! Spyware Threat!" or
    "Spyware.Cyberlog-X"
    infections.

  • Hijacked homepage to unfamiliar webpage or Onlinestability.com.
  • Flashing icons appear in the system tray.
  • Automatic installation of rogue/fake antispyware applications such as Malware Wipe, SpyLocked, Pest Wipe, WinAntispyware, BraveSentry SystemDoctor, SpyLockeder, WinAntiSpyware, Adware.W32g.EXPDwnldrl, SpywareStrike, SpyAxe, SpyTrooper, Adware Punisher, Spy iBlock and SpyGuard.


Removal Method

  1. You can remove it manually, but it is a little bit difficult: you have to do a lot of searching, deleting, registry edits, etc. So please try the automatic removal methods.
  2. The above spyware had affected my friend's system, and after scanning with AVG Anti-Spyware it detected and removed it. But I am not sure if it is completely removed or not. I will inform you if it worked. Here is the link to download AVG Anti-Spyware: http://free.grisoft.com/doc/20/lng/us/tpl/v5
  3. You can also try this tool. I haven't tried it, so I am not sure about it. Download Automatic Removal Tool of SpyLocked
  4. UPDATE: This spyware was successfully deleted using SmitfraudFix. Here is the link for downloading it, with instructions for deleting the spyware. Click here: http://www.spyware-removal-guideline.com/virusprotectpro-removal

If your problem is not solved then please let me know. And please don't forget to comment about the above tools, whether they are working properly or not. It will help a lot of other users who have this problem.


Removing Heap41a / win32.USBworm Worm

// July 18th, 2007 // 11 Comments » // Security

If your system is affected by this worm then you will get a message when you visit Orkut or YouTube. This worm spreads through USB flash drives.

When you try orkut the message will be: ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??

And for youtube: youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??

If you use firefox the message will be: USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE

Steps for manually removing the Heap41a / win32.USBworm worm

  1. Restart the system in safe mode.
  2. Press CTRL+ALT+DEL and go to the Processes tab.
  3. Look for svchost.exe. There will be more than one process with that name. End only the processes whose username is your username.
  4. End all svchost.exe processes running under your username.
  5. Go to your "C:\" drive and delete the folder heap41a. That folder is a hidden folder, so you must enable the option for showing hidden files (select Tools from the menu bar, select Folder Options, then select the View tab; there you can find the option for showing hidden files).
  6. Search for entries named "heap41a" in the registry as follows:
  7. Go to Start -> Run and type Regedit. Press Enter.
  8. Go to the menu Edit -> Find.
  9. Type "heap41a" and press Enter.
  10. Delete all entries with the name "heap41a". They will be in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  11. Restart in normal mode.


Enabling REGEDIT and Task Manager

// May 13th, 2007 // 20 Comments » // Security, Tips & Tricks

Hi friends.. I got lots of comments and mails regarding virus problems. The main problem is disabled regedit and Windows Task Manager. So here is a method to enable Task Manager and regedit. Please try this. And don't forget to post your comments.
Download and run these files.

  1. Download this for enabling regedit
  2. Download this for enabling Windows task Manager

Removing thecoolpics.net worm

// November 27th, 2006 // 12 Comments » // Security, Tips & Tricks

W32/Sohanad is a worm. It infects Windows systems and spreads through instant messaging. This worm propagates via Yahoo! Messenger, AOL Instant Messenger (AIM), Windows Live Messenger or Windows Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipient's system.
Common instant messages an infected user sends are as follows:

How to remove thecoolpics:

  • Download this file: W32Sohanad.vbs
  • Reboot your computer in "Safe Mode" and make sure that no other programs are running.
  • Double-click on W32Sohanad.vbs.

This will solve your problem. Please note that this script will set your home page to this blog. If you want, you can change it.

Keep visiting my blog


Yahoo Messenger Worm

// October 23rd, 2006 // 41 Comments » // Security, Tips & Tricks

There is a very bad worm attack on Yahoo Messenger: the worm takes control of your messenger and, without your knowledge, sends messages containing links to websites hosting the worm to everyone on your friends list.

This worm spreads itself by sending links to your contacts in messengers like Yahoo. It disables Registry Editor and Task Manager. It changes the Internet Explorer (IE) home page and also modifies the registry so that you cannot change the home page address.

If your computer is infected with this virus, it will send the nsl-school.org URL to everyone on your friends list in Yahoo Messenger using your ID. So within a few hours many of your friends will be infected too.

What are those links ?:

Nsl-school.org

mytermex.com

myglobal-news.com/?news_id=18388

or others (do not open these URLs in your browser).

Here are the simple steps by which you can get the worm removed from your system:

1) Download this registry file: http://arunmvishnu.googlepages.com/RepairRegistry.reg (or you can do it manually, see below)

2) Double-click the downloaded registry file. You will be asked whether you are sure you want to add this to the registry; click Yes.

3) Restart your system.

4) Delete the file svhost32.exe from your Windows folder( If it is present).

5) Delete the file svhost.exe from your Windows folder( If it is present).

6) Lastly, search for: ENET.EXE and delete it if found.

Editing registry manually

——————————

1: Close the browser. Log out messenger.

2: Click Start, Run and type this command exactly as given below (better: copy and paste):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable Task Manager (we need Task Manager to kill the process):

Click Start, Run and type this command exactly as given below (better: copy and paste):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE through regedit.

Start>Run>Regedit

At the below locations in Regedit, change your default home page to http://arunmvishnu.siteburg.com or another page.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker's site with http://arunmvishnu.siteburg.com or set it to a blank page.

5: Now we need to kill the process from the back end. Press Ctrl + Alt + Del.

Kill the process svhost32.exe (there may be more than one such process running; check carefully).

6: Delete the svhost32.exe and svhost.exe files from the Windows\ and temp\ directories. Or just search for svhost on your computer and delete those files.

7: Go to regedit (Start menu > Run > Regedit), search for svhost and delete all the results you get.

8: Restart the computer.

That's all.
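The persistence points described in this post and in the Heap41a post above can be checked from one script. The batch file below is an added example, not the RepairRegistry.reg file or any other code from this blog: it reads the DisableRegistryTools and DisableTaskMgr policy values, the IE start page at the three registry locations listed above, the Heap41a folder and its Policies\Explorer\Run entry, and the svhost32.exe/svhost.exe files and process, and only resets the registry values when run with a /repair argument. It assumes an administrative command prompt; the domain names it matches are the ones named in the post.

```batch
@echo off
rem Added example, not from the blog: audits the persistence points named in the
rem Heap41a and Yahoo Messenger worm posts and reports them. Run as an
rem administrator. Nothing is changed unless the script is run with /repair.
setlocal EnableDelayedExpansion
set "POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "FOUND=0"

echo == Policy values the worm sets to 1 to lock out regedit and Task Manager ==
for %%V in (DisableRegistryTools DisableTaskMgr) do (
    set "VAL="
    rem reg query prints "    <name>    REG_DWORD    0x1"; the third token is the data
    for /f "tokens=3" %%X in ('reg query "%POL%" /v %%V 2^>nul ^| findstr /i "%%V"') do set "VAL=%%X"
    if /i "!VAL!"=="0x1" (
        echo [WARN] %%V is set under %POL%
        set "FOUND=1"
        if /i "%~1"=="/repair" reg add "%POL%" /v %%V /t REG_DWORD /d 0 /f >nul
    )
)

echo == Internet Explorer start page at the three locations the post lists ==
rem HKU\.DEFAULT is the actual name of the third key; the value data may contain spaces, so "*" takes the rest of the line
for %%K in ("HKCU\Software\Microsoft\Internet Explorer\Main" "HKLM\Software\Microsoft\Internet Explorer\Main" "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main") do (
    for /f "tokens=3,*" %%A in ('reg query %%K /v "Start Page" 2^>nul ^| findstr /i "Start"') do echo [INFO] %%~K Start Page = "%%B"
    reg query %%K /v "Start Page" 2>nul | findstr /i "nsl-school mytermex myglobal-news" >nul && (
        echo [WARN] start page of %%~K points at a domain named in the post
        set "FOUND=1"
        if /i "%~1"=="/repair" reg add %%K /v "Start Page" /t REG_SZ /d "about:blank" /f >nul
    )
)

echo == Heap41a indicators ==
if exist "%SystemDrive%\heap41a\*" (
    echo [WARN] hidden folder %SystemDrive%\heap41a is present
    set "FOUND=1"
)
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" 2>nul | findstr /i "heap41a" && set "FOUND=1"

echo == Yahoo Messenger worm files and process ==
for %%F in ("%SystemRoot%\svhost32.exe" "%SystemRoot%\svhost.exe" "%TEMP%\svhost32.exe" "%TEMP%\svhost.exe") do (
    if exist "%%~F" (
        echo [WARN] %%~F exists; delete it as described in step 6
        set "FOUND=1"
    )
)
tasklist /fi "imagename eq svhost32.exe" | findstr /i "svhost32" >nul && (
    echo [WARN] svhost32.exe is running; end it in Task Manager as described in step 5
    set "FOUND=1"
)

if "%FOUND%"=="0" echo No indicators from the posts were found.
if "%FOUND%"=="1" if /i not "%~1"=="/repair" echo Re-run with /repair to reset the policy values and start page.
endlocal
```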
