bugs of a debugger » Security

Is the Official Web site of the Department of General Education , Kerala Hacked?

Arun Vishnu — Sat, 06 Dec 2008 13:41:00 +0000

It seems like the official web site of the Department of General Education , Government of Kerala is hacked. Today i was checking the website and noticed a news “Hacked by the. Mo3tafa , Sha2ow” in the hot news box. The news content is just “tHe.Mo3tafA Was Here !!! Your Box 0wn3d By Deface Team We Love Iran Ashiyane Digital Security Team Special Thanks to Ashiyane Defacers & Programmers Team www.ashiyane.org/forums I Don’t Know Any Rival For Muslims”.

Home page of the Department of General Education: http://www.education.kerala.gov.in/

Posted news: http://www.education.kerala.gov.in/admin/news_details.php?id=39

Removing Funny ust scandal virus

Arun Vishnu — Tue, 06 May 2008 03:25:00 +0000

This virus is affected to your yahoo messenger and it will change your status to something like Funny ust scandal .. It also send the virus file through your yahoo messenger. Try the following steps to remove that virus.

Boot the system in safe mode
Open command promt(Type “cmd” in Start->Run without quotes)
Type the following 3 commands
1. taskkill /f /im smss.exe
2. taskkill /f /im killer.exe
3. taskkill /f /im smss.exe
Now we want to delete the virus files. For that execute the following commands
1. del /a:h /f c:\autorun.inf
2. del /a:h /f c:\smss.exe
3. del /a:h /f c:\funny ust scandal.avi.exe

Repeate the above 3 commands for all the drive(‘d’,'e’,'f’) except CD/DVD drive. Do the same by connecting your flash drive. The virus may b there..

Eg:- if u have D drive then replace ‘c’ of “c:\autorun.inf” as “d:\autorun.inf”

del /a:h /f c:\windows\killer.exe
del /a:h /f c:\windows\autorun.inf
del /a:h /f c:\windows\smss.exe
del /a:h /f c:\windows\funny ust scandal.exe
del /a:h /f “%userprofile%\Start Menu\Programs\Startup\lsass.exe”

Goto Start -> Run and
type “regedit” without quotes then search and delete the registry entries
1. smss.exe
2. lsass.exe
3. killer.exe
4. Scandal.avi.exe
Restart your system in normal mode

The above steps are bit difficult. I will create a tool for removing the virus when i get time. Now bit bussy @ office. Hope this will help you

Show Hidden Files and Folders

Arun Vishnu — Sat, 18 Aug 2007 22:29:00 +0000

Some windows users, who are infected by some worms may have problem in viewing the hidden files and folders. If you have any problem to enabling “Show hidden files and folders” in windows explorer then download and run this file .

PS: Press “yes ” if you get any warning.

Removing the SpyLocked Spyware

Arun Vishnu — Mon, 06 Aug 2007 12:08:00 +0000

SpyLocked 4.3 is a fake but dangerous anti-spyware application, that is installed on your computer without your permission using Trojan and other malwares.
When infected with the SpyLocked 4.3 software you will also see fake taskbar alerts stating that you have running spyware applications on your computer. SpyLocked 4.3 also displays a fake warning alert with flashing icon on your system tray. A Pop up balloon warning messages claiming that your PC is infected. For example : “Critical System Error”, “Your computer is infected”, “System Alert”, “Security Alert”, Trojan-Spy.win32@mx”, “Virus Alert”, “Security Alert” or “Spyware.Cyberlog-X”.

If your computer is infected by SpyLocked and hijacked by the unfamiliar webpage or securityiepage.com , then your computer in trouble because it does transfer back and forth information from the infected computer which makes it a potential for application/data theft.

Symptoms

Pop up balloon warning messages claiming that your PC is infected. SpyLocked’s Examples are:

“Critical System Error“,
“Your computer is infected“,
“Trojan-Spy.win32@mx”,
“Virus Alert”,
“Security Alert”
“System Alert”
“Warning! Spyware Threat!” or
“Spyware.Cyberlog-X” infections..
Hijacked homepage to unfamiliar webpage or Onlinestability.com.
Flashing icons appear in the system tray.
Automatic installation of Rogue/Fake antispyware applications such as, Malware Wipe, SpyLocked, Pest Wipe, WinAntispyware, BraveSentry SystemDoctor, SpyLockeder, WinAntiSpyware, Adware.W32g.EXPDwnldrl, SpywareStrike, SpyAxe, SpyTrooper, Adware Punisher, Spy iBlock and SpyGuard.

Removel Mothod

You can remove it manually. But it is little bit difficult. You have to do a lot of searching, deleting, registry edits etc etc. So please try automatic removal methods.
The above spyware is affected in my friends system and after scaning with AVG Anti Spyware it detecetd it and removed. But not sure if it is completely removed or not. I will inform you if it is worked. Here is the link to download AVG Anti spyware. http://free.grisoft.com/doc/20/lng/us/tpl/v5
You can also try this tool. I haven’t tried it. So iam not sure about it. Download Download Automatic Removal tool of SpyLocked
UPDATE: This spyware is successfully deleted using SmitfraudFix. Here is the link for downloading and instructions for deleteing spyware. Click Here http://www.spyware-removal-guideline.com/virusprotectpro-removal

If your problem is not solved then please let me know. And please don’t forget to comment about the above tools ..whether it is working properly or not. It will help a lot of other users who have this problem.

Removing Heap41a / win32.USBworm Worm

Arun Vishnu — Wed, 18 Jul 2007 06:15:00 +0000

If your system is affected by this worm then you will get a message when you vist orkut or youtube. This worm is spread through USB flash drives.

When you try orkut the message will be: ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??

And for youtube: youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??

If you use firefox the message will be: USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE

Steps for removing Manually removing Heap41a / win32.USBworm Worm

Restart the system in safe mode.
Press CTRL+ALT+DEL and go to the processes tab
Look for svchost.exe . There will be more than one process with that name. End that process but make sure that the username of that process should be your username.
End all svchost.exe process with your username.
Goto your “C:\” drive and delete the folder heap41a. That folder is an hidden folder. So you must enable the option for showing the hidden files( Seletct Tools from the menu bar and select Folder options. Then select view tab. there you can find the option for showing the hidden files).
Search for entries named “heap41a” in the Registery as follows
Go to Start –> Run and type Regedit. Press Enter
Go to the menu Edit –> Find
Type “heap41a” and press enter.
Delete all those entires with the name “heap41a“. It will be in HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\ CurrentVersion\policies\Explorer\Run
Restart in normal mode.

Enabling REGEDIT and Task Manager

Arun Vishnu — Sun, 13 May 2007 18:32:00 +0000

Hi friends.. I got lots of comments and mails regarding virus problems. The main problem is disabled rededit and Windows Task manager. So here is a method to enable task manager and regedit. Please try this. And don’t forgot to post your comments.
Download and run these files.

Download this for enabling regedit
Download this for enabling Windows task Manager

Removing thecoolpics.net worm

Arun Vishnu — Mon, 27 Nov 2006 12:16:00 +0000

This W32/Sohanad is a worm. The worm will infect Windows systems and spreads through Instant Messaging. This worm propagates via Yahoo! Messenger, AOL Instant Messenger (AIM), Windows Live Messenger or Windows Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipients’ system.
Common Instant Message an infected user sends are as follows:

http://thecoolpics.net/hot.jpg
hot pics this week – http://thecoolpics.net/hot.jpg
1 of my vacation pictures – http://thecoolpics.net/vacation2.jpg
Screenshot of new windows version _ Windows Vista – http://thecoolpics.net/vista.jpg so cool
Images shot in Iraq _ The war will never end _ http://thecoolpics.net/Iraqwar.jpg
oh my god , i’ve won a 20000 usd lottery – http://thecoolpics.net/mylottery.jpg
never click into the links like something in this image – http://thecoolpics.net/dontclick.jpg
the page cannot be displayed ” http://thecoolpics.net/error.jpg Something was wrong !!! Check it again and tell me later.
My pics – http://thecoolpics.net/mypics.jpg
Miss World 2006: – http://thecoolpics.net/MissWorld.jpg
Do you realize who is in this image – http://thecoolpics.net/who.jpg . Just think for a moment and tell me soon

How to remove thecoolpics:

Download this file W32Sohanad.vbs
Reboot your computer in “SafeMode” and remain that no other programs are running.
Double click on W32Sohanad.vbs.

This will solve your problem. Please note that this code will set your home page to this blog. If you want you can change it. K.

Keep visiting my blog

Yahoo Messenger Worm

Arun Vishnu — Mon, 23 Oct 2006 13:51:00 +0000

There is a very bad worm attack on Yahoo Messenger where it will take control of your messenger and without your knowledge sends some messages with a website links which contains the worm, to your friends list, without your knowledge.

This is a worm that spreads itself by sending links to your contacts in messengers like Yahoo. It disables Registry Editor and Task Manager. It changes the Internet Explorer (IE) home page and also modifies registry such that you cannot change the homepage address.

If your computer is infected with this virus ” It will sends the nsl-school.org url to all of your friend list in yahoo messenger using your ID . So with in few hours many of your friends will get infected with it.

What are those links ?:

Nsl-school.org

mytermex.com

myglobal-news.com/?news_id=18388

or other (Do not open this url in your browser).

Here are simple steps following which you can get the worm removed from your system:

1) Download this http://arunmvishnu.googlepages.com/RepairRegistry.reg file (or you can do it manually)

2) Double click on that downloaded registry file, you will be asked wheather you’re sure to add this to registry, click yes.

3) Restart your system.

4) Delete the file svhost32.exe from your Windows folder( If it is present).

5) Delete the file svhost.exe from your Windows folder( If it is present).

6) Lastly, search for: ENET.EXE and delete it if found.

Editing registry manually

——————————

1: Close the browser. Log out messenger.

2: Click Start, Run and type this command exactly as given below: (better – Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better – Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE though regedit.

Start>Run>Regedit

From the below locations in Regedit chage your default home page to http://arunmvishnu.siteburg.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with http://arunmvishnu.siteburg.com or set it to blank page.

5: Now we need to kill the process from back end. Press Ctrl + Alt + Del

Kill the process svhost32.exe . ( may be more than one process is running.. check properly)

6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.

7: Go to regedit search for svhost and delete all the results you get.

Start menu > Run > Regedit >

8: Restart the computer.

Thats All..