techian.com

A Blog With No Limits


Archive for the 'virus removal' Category

Many of us have run into this: double-clicking a drive in My Computer does not open it; instead Windows asks what program to "Open With".

Why would Windows want to open a drive with some other program?

It happens because the system is infected with a worm that has dropped an autorun.inf file in the root of each drive. That file tells Explorer which program to run when the drive is opened; when that program is missing (for example an antivirus removed the executable but left autorun.inf behind) the shell falls back to the "Open With" dialog.

First find the root cause. Some dropper, commonly named copy.exe or similar, is still active, and it will recreate autorun.inf as fast as you delete it.

Open Task Manager, go to the Processes tab, identify the unknown process, select it and click End Process.

If you are not comfortable judging processes by name alone, Process Explorer from Microsoft's Sysinternals site shows each process's image path and command line, which makes the dropper much easier to spot.

After killing the process delete its startup entry as well, including the registry Run keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Then remove the autorun.inf file itself. It is normally marked system, hidden and read-only, so the attributes have to be cleared before del will touch it.

Click Start > Run, type cmd and press Enter.

Type the following commands:

cd\

attrib -s -h -r autorun.inf

del autorun.inf

Repeat these commands for each drive you have, including any USB stick that was plugged into the infected machine.

To change drives in cmd, type the drive letter followed by a colon, for example

d:

and press Enter.

Note that Windows 7 and later (and XP/Vista with update KB971029) no longer run the program an autorun.inf on a USB drive points to, only on CD/DVD media, so on those systems the file is a leftover rather than a live threat; it still tells you what the worm was called.

Simple :-)
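Doing the same triage across every drive in one go, as an added example that is not part of the original post: the script below parses an autorun.inf to report which program it would launch (so you know what to hunt in Task Manager before deleting anything), then clears the system/hidden/read-only attributes and deletes the file. The autorun.inf contents and the copy.exe name are constructed samples; the keys it looks for (open=, shellexecute=, shell\<verb>\command=) are the documented autorun.inf syntax, and the Windows-only parts are guarded so the parsing can be exercised anywhere.

```python
"""Find what each drive's autorun.inf would launch, then remove the file."""
import ctypes
import os
import re
import string

# Constructed sample modelled on what autorun worms drop (not copied from a real infection).
SAMPLE_AUTORUN = """[AutoRun]
open=copy.exe
shell\\open\\Command=copy.exe
shell\\explore\\Command=copy.exe
shellexecute=copy.exe
action=Open folder to view files
"""

# A legitimate autorun.inf that only sets an icon and label launches nothing.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Disc
"""

# Keys whose value Explorer hands to the shell: open=, shellexecute= and shell\<verb>\command=
_LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def launch_targets(text):
    """Return the distinct programs an autorun.inf would run, in file order."""
    found = []
    for line in text.splitlines():
        m = _LAUNCH_KEY.match(line)
        if m and m.group(2) not in found:
            found.append(m.group(2))
    return found


def drive_roots():
    """Roots of every mounted drive letter (Windows only; empty list elsewhere)."""
    if os.name != "nt":
        return []
    return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]


def remove_autorun(root, dry_run=True):
    """Report what <root>\\autorun.inf launches and, unless dry_run, delete it.

    Returns None when there is no autorun.inf, otherwise the launch targets.
    Clearing the attributes first is the equivalent of `attrib -s -h -r`;
    without it del refuses a system/hidden/read-only file.
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        targets = launch_targets(fh.read())
    if not dry_run:
        if os.name == "nt":
            # FILE_ATTRIBUTE_NORMAL (0x80) drops the S, H and R attributes.
            ctypes.windll.kernel32.SetFileAttributesW(path, 0x80)
        os.remove(path)
    return targets


if __name__ == "__main__":
    # Dry run first: kill the dropper the targets point at, then rerun with dry_run=False.
    for root in drive_roots():
        hits = remove_autorun(root)
        if hits is not None:
            print(f"{root}autorun.inf would launch: {hits or 'nothing (icon/label only)'}")
```

Run it once as a dry run, end the process the reported target belongs to, and only then run it with dry_run=False; otherwise the dropper simply writes the file back.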


amvo.exe virus removal

Posted on July 8, 2008 by admin


removal methods

Amvo attacks Yahoo! Messenger.
It consists of three files:
windows\system32\amvo.exe
windows\system32\amvo1.dll
windows\system32\amvo0.dll

Delete these three files and the worm is gone; do not forget to remove the startup entry for amvo.exe as well, with msconfig, regedit or any third-party tool.

1. Open Task Manager.
2. On the Processes tab, end explorer.exe (a DLL that Explorer has loaded cannot be deleted while it is in use).
3. Select New Task (Run...) from the File menu.
4. Type cmd and press Enter.
5. In the command prompt type: cd %windir%\system32
6. Type: attrib -s -h -r amvo*.*
7. Type: del amvo*.*
8. Remove the startup entries, start Explorer again (File > New Task, explorer.exe) and the worm is gone. :)

http://mtaram.wordpress.com/2008/01/03/computer-troubleshooting-virus-issues/

Posted on January 3, 2008 by mtaram

Recently I had big trouble with my computer: all the drives failed to open on double-click and showed me an application selection window instead. After searching through the running processes and other settings I found that the "show hidden files" option in Folder Options was also not working.

With the help of one of my friends [MOHIT] I fixed the issues.

The problem was due to amvo.exe, amvo0.dll, ampo.exe, amvol.dll, xfoolavp.com, usdeiect.com and autorun.inf present in every drive's root.

The fix works as follows...

Open Task Manager (if Task Manager does not open and shows errors and warnings, use this tool:
http://www.brothersoft.com/rrt-(remove-restrictions-tool)-60879.html
) and end the processes listed above if you see them on the Processes tab. Then go to the Applications tab, click New Task and type cmd or command. At the command prompt type "cd\" (without the quotes) to go to the root of the current drive. Then type "del /f /a /s /q <filename>"

where <filename> is one of the files listed above (this method can also be used to force-delete any other unwanted file). Use it to delete every file listed above from the root of every drive. The /a switch is what lets del see hidden and system files, and /s makes it recurse into every subdirectory on the drive, so check the name before pressing Enter.

After this, open the Registry Editor by clicking New Task and typing "regedit" (without quotes). Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, look for the Hidden value in the right pane and change it from 2 to 1. If the "show hidden files" option still refuses to stick, also check HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and make sure CheckedValue is a DWORD set to 1; worms of this family commonly set it to 0 so that the option silently fails.

To fix drives not opening (or Search opening) on double-click, download this .reg file
http://megamachine.infinites.net/open.reg
(right-click and Save Target As), then double-click it to merge it into your registry. As with any .reg file from the web, open it in Notepad and read it before merging; it should contain nothing beyond the listing below.

Or do this...

Copy everything under this line, paste it into Notepad, save it with a .reg extension on your desktop and double-click it.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell]
@="Open"
[HKEY_CLASSES_ROOT\Directory\shell\Explore]
[HKEY_CLASSES_ROOT\Directory\shell\Explore\command]
@="%SystemRoot%\\Explorer.exe /e,/root,\"%1\""
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\find]
"SuppressionPolicy"=dword:00000080
[HKEY_CLASSES_ROOT\Directory\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,00,00
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\Open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Directory\shell\Open\command]
@="%SystemRoot%\\Explorer.exe /idlist"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec]
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell]
@="open"
[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021
[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
00,25,00,49,00,2c,00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Folder\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Drive\shell]
@="open_[1]"
[HKEY_CLASSES_ROOT\Drive\shell\find]
"SuppressionPolicy"=dword:00000080
[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,00,00
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Drive\shell\open]
[HKEY_CLASSES_ROOT\Drive\shell\open\command]
@="%SystemRoot%\\Explorer.exe /idlist,%I,%L"
[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec]
[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec\topic]
@="AppProperties"
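The hex(2) blobs above are REG_EXPAND_SZ strings stored as comma-separated UTF-16LE bytes, which is hard to review by eye before merging. As an added example that is not part of the original post, the parser below reads .reg syntax (quoted strings, dword:, hex:/hex(n): with backslash line continuations) and decodes every value, so you can check what a downloaded .reg will actually set. The same parser works on the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` to audit startup entries such as the amvo.exe one from the post above. The sample input is an excerpt of the listing above plus a constructed Run key whose "windows update" entry is invented for illustration.

```python
"""Parse Registration Entries (.reg) text and decode its value encodings."""
import re

# Constructed sample: an excerpt of the .reg listing from the post plus a Run key
# whose "windows update" entry is invented here to show what a persistence audit sees.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Folder\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
  00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Drive\shell\open\command]
@="%SystemRoot%\\Explorer.exe /idlist,%I,%L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"windows update"="C:\\WINDOWS\\system32\\amvo.exe"
"""

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_VALUE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(text):
    """Hex values are wrapped with a trailing backslash; glue them back together."""
    return re.sub(r",\\\r?\n\s*", ",", text)


def decode_value(raw):
    """Decode one value body: "string", dword:, hex:, hex(1|2|7): or - (delete)."""
    if raw == "-":
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = _HEX_VALUE.match(raw)
    if m:
        kind = int(m.group(1) or 3)  # bare hex: is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):           # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    raise ValueError(f"unrecognised value syntax: {raw!r}")


def parse_reg(text):
    """Return {key_path: {value_name: decoded}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            raise ValueError(f"cannot parse line: {line!r}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = decode_value(m.group(2).strip())
    return keys


def run_entries(keys):
    """Startup commands under every ...\\CurrentVersion\\Run key, for a persistence audit."""
    found = {}
    for path, values in keys.items():
        if path.lower().endswith(r"\currentversion\run"):
            found.update({n: v for n, v in values.items() if n != "@"})
    return found


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, values in parsed.items():
        for name, value in values.items():
            print(f"{key}\n    {name} = {value!r}")
    print("startup entries:", run_entries(parsed))
```

Note that regedit and reg export write version 5.00 files as UTF-16 with a byte-order mark, so read such a file with encoding="utf-16" before passing its text to parse_reg; anything in the Run key that points into system32 under an unfamiliar name, like the constructed amvo.exe entry above, is what the posts above tell you to delete.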

another solution [simple]


driveguard.exe virus

Posted on July 8, 2008 by admin

Removal of the driveguard.exe trojan is easy. Open Task Manager and end the driveguard.exe process; if any process with a .tmp extension is running, end that as well. Now remove its entry from startup with msconfig. Also do not forget to delete your temp files.

How I found it:
Today one of my friends came to me for some files from my system. He inserted his pen drive and clicked here and there; result: PC got infected.

I found the process driveguard.exe in Task Manager.

It was trying to access the site
http://www.freewebs.com/microsotf/
and download an Update-KB684903-x86.exe file
http://rapidshare.com/files/127625927/Update-KB684903-x86.rar.html

which was detected by NOD as a trojan.

The site is still alive, as the admins of freewebs are too damn lazy to take action.

Download link for the driveguard file:
http://rapidshare.com/files/127625326/WinDriveGuard.rar.html

Read the text file; it claims to be a "spyware removal tool".


removing virus manually

Posted on July 8, 2008 by admin

Virus problems...

Common symptoms:
1. Folder Options is no longer visible
2. Task Manager is disabled
3. regedit is disabled
4. Double-clicking any folder opens it in a new window even though your settings are correct
etc.
Most of these are ordinary policy values the malware sets rather than real damage: DisableTaskMgr and DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, and NoFolderOptions under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (the same values may also be set under HKLM). Deleting them, or setting them to 0, gives the tools back.
HOW TO REMOVE A VIRUS MANUALLY.
Tools required
1. Restriction Removal Tool
link: http://www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml
http://www.esnips.com/doc/c90f7814-42e8-4586-bc4e-4140696e8fc7/RRT
2. UnHackMe
http://www.greatis.com/unhackme/download.htm
3. HijackThis
http://www.esnips.com/doc/83f6253f-00a5-4763-bd59-8252244158fd/hijackthis_sfx
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
4. Process Explorer
from the Microsoft site

If your PC is infected with a virus, the most common signs are that Folder Options is disabled, Task Manager will not open, and so on.

The first step is to identify the virus process. Process Explorer will help you here, and it shows the path of the installed file on your system.

Now use the Restriction Removal Tool to remove the taskbar, Folder Options and other restrictions.

Now our aim is to remove the running virus process. Use HijackThis and select the virus process; it will also remove the process from the startup registry.

Finally try UnHackMe to remove rootkits.

Many viruses can be removed this way, but many still remain on your PC. In such situations, search for the manual removal method for that particular virus; once the restrictions are removed you will be able to use Task Manager and the regedit command.

Restriction Removal Tool [RRT]

Simple to use.

Just click on a restriction,

and after selecting them click on "Check All".

HijackThis

It is used to remove the entries of the process from the registry.

You may also use it to view all running processes and their paths.

Just scan once, mark the ones to be deleted and then click on "Fix checked".

If you wish you may save the log file too.

I think I have given useful information about removing viruses manually from your system.
If you still have a problem you are free to contact me, either through my communities
1. Hacking and Virus Writing [http://www.orkut.com/Community.aspx?cmm=26828468]
2. Virus Writing [http://www.orkut.com/Community.aspx?cmm=1450780]
or by mail:
egunda@gmail.com


Remove: Shut Down Virus

Posted on February 13, 2008 by admin

If you are getting

"svchost.exe" errors with RPC messages and reboots

OR

"NT AUTHORITY ... shut down in 1 min"

it sounds like you have got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

This is the hole it exploits: a buffer overflow in the Windows DCOM RPC interface (CVE-2003-0352), fixed by the MS03-026 patch. While the hole is open your computer can be accessed remotely, so download the MS03-026 patch from Microsoft first.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remove the Virus with
http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the ‘End Process’ (in Windows 95/98/Me ‘End Task’) button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type ‘Regedit’ and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.

Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.

How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security hole (TCP port 135). When it finds one it causes the remote computer to use TFTP to download a copy of the worm from the attacking machine. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm runs when the computer restarts.
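One way to spot that spreading pattern in your own connection logs, as an added example that is not part of the original post or of the Sophos text it quotes: a host that probes many distinct addresses on TCP/135 is sweeping for the DCOM RPC hole, and a host that then pulls a file over TFTP (UDP/69) from that sweeper is a likely fresh victim. The log lines and addresses below are constructed, and the `timestamp src -> dst proto/port` format is an assumption; adapt the parser to whatever your firewall writes.

```python
"""Flag Blaster-style DCOM RPC sweeps and the TFTP download that follows a hit."""
import re
from collections import defaultdict

# Constructed connection log (not real traffic): timestamp src -> dst proto/port.
# 10.0.0.7 sweeps twenty hosts on TCP/135, gets a shell on 10.0.1.9, which then
# fetches the worm from it over TFTP. 10.0.0.5 makes one ordinary RPC call.
SAMPLE_LOG = "\n".join(
    [f"2003-08-12T10:01:{i:02d} 10.0.0.7 -> 10.0.1.{i} tcp/135" for i in range(1, 21)]
    + [
        "2003-08-12T10:01:25 10.0.0.7 -> 10.0.1.9 tcp/4444",  # attacker connects to the shell the exploit opened
        "2003-08-12T10:01:26 10.0.1.9 -> 10.0.0.7 udp/69",    # victim runs tftp to fetch msblast.exe
        "2003-08-12T10:02:00 10.0.0.5 -> 10.0.0.1 tcp/445",   # ordinary SMB, ignored
        "2003-08-12T10:02:01 10.0.0.5 -> 10.0.0.2 tcp/135",   # a single RPC call is not a sweep
    ]
)

_LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, proto, port) for each well-formed line."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            ts, src, dst, proto, port = m.groups()
            yield ts, src, dst, proto, int(port)


def rpc_scanners(text, min_targets=10):
    """Sources that probed at least min_targets distinct hosts on TCP/135."""
    targets = defaultdict(set)
    for _, src, dst, proto, port in parse_log(text):
        if proto == "tcp" and port == 135:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def likely_victims(text, scanners):
    """Hosts that fetched something over TFTP (UDP/69) from a flagged scanner."""
    return sorted({src for _, src, dst, proto, port in parse_log(text)
                   if proto == "udp" and port == 69 and dst in scanners})


if __name__ == "__main__":
    scanners = rpc_scanners(SAMPLE_LOG)
    print("sweeping hosts:", scanners)
    print("likely victims:", likely_victims(SAMPLE_LOG, scanners))
```

The threshold of ten distinct TCP/135 targets is a starting point, not a rule; a domain controller or management host legitimately talks to many machines on that port, so check the scanner list against known RPC clients before isolating anything.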

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to “Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly”. This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click ‘Change settings of this connection’
click Advanced
click ‘Protect my computer…..’
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect ‘Enable distributed COM’, click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect ‘Enable distributed COM on this computer’, click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Safe Computing (-:
