Hello guys,
follow these steps to remove Ahsan's virus from your system.
1. Start Windows in Safe Mode with Command Prompt.
2. Use the free RRT Tool to enable Run if it is disabled (search for it on Google).
3. If registry editing is disabled, enable it with the following command.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
4. Open regedit, then search for and delete all entries with the name "Ahsan", the site 110mb.com and Bush.
5. If Folder Options is disabled, enable it using the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Check whether a DWORD value named NoFolderOptions exists in the pane on the right-hand side of the screen.
If it does, delete it.
6. If you still cannot view hidden files because the virus has disabled the option, enable it with the following procedure and key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Find the value "Hidden", right-click it and modify it to 1. If the value "Hidden" is not present, create it.
7. Check the following registry values and set them to the values given below for each registry key.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
8. Now enable "show all hidden files / Hidden system files and folders", then search for the following files and delete them all.
system.exe
csrss.exe
Home video.avi.exe
autorun
Note: these files will be in the root of the drives (D:, C:) and in the Windows folder.
9. Don't worry, you are done. Now restart and enjoy!
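A read-only check of steps 3 to 8, added here as an example (it is not part of the original post or of the RRT tool): the PowerShell script below reports whether each registry value named above holds the data the steps call for, and lists the files from step 8 without deleting anything. The function name Test-RegistryValue and the 'autorun*' file pattern are assumptions made for this example.

```powershell
# Added example: read-only audit of the values from steps 3-7. It changes nothing.
$cv     = 'Software\Microsoft\Windows\CurrentVersion'
$hidden = "HKLM:\$cv\Explorer\Advanced\Folder\Hidden"

# Want = data the steps call for; $null means the value should not exist at all.
$checks = @(
    @{ Path = "HKCU:\$cv\Policies\System";   Name = 'DisableRegistryTools'; Want = 0;     AbsentOk = $true  },
    @{ Path = "HKCU:\$cv\Policies\Explorer"; Name = 'NoFolderOptions';      Want = $null; AbsentOk = $true  },
    @{ Path = "HKLM:\$cv\Policies\Explorer"; Name = 'NoFolderOptions';      Want = $null; AbsentOk = $true  },
    @{ Path = "HKCU:\$cv\Explorer\Advanced"; Name = 'Hidden';               Want = 1;     AbsentOk = $false },
    @{ Path = "$hidden\NOHIDDEN";            Name = 'CheckedValue';         Want = 2;     AbsentOk = $false },
    @{ Path = "$hidden\NOHIDDEN";            Name = 'DefaultValue';         Want = 2;     AbsentOk = $false },
    @{ Path = "$hidden\SHOWALL";             Name = 'CheckedValue';         Want = 1;     AbsentOk = $false },
    @{ Path = "$hidden\SHOWALL";             Name = 'DefaultValue';         Want = 2;     AbsentOk = $false }
)

# Hypothetical helper: compares one registry value with the expected data.
function Test-RegistryValue([hashtable]$Check) {
    $name = $Check.Name
    $item = Get-ItemProperty -Path $Check.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $found  = '(absent)'
        $status = if ($Check.AbsentOk) { 'OK' } else { 'FIX' }
    } else {
        $found  = $item.$name
        $status = if ($null -ne $Check.Want -and $found -eq $Check.Want) { 'OK' } else { 'FIX' }
    }
    New-Object PSObject -Property @{ Status = $status; Key = $Check.Path; Value = $name; Found = $found }
}

$checks | ForEach-Object { Test-RegistryValue $_ } | Format-Table Status, Key, Value, Found -AutoSize

# Step 8: list (do not delete) the named files in each drive root and the Windows folder.
# The search is not recursive, so System32, where Windows keeps its own csrss.exe, is left out.
# 'autorun*' is an assumption: the post only says "autorun".
$names  = 'system.exe', 'csrss.exe', 'Home video.avi.exe', 'autorun*'
$places = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }) + $env:SystemRoot
foreach ($dir in $places) {
    # -Force includes files that carry the hidden or system attribute.
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | Where-Object {
        $file = $_
        -not $file.PSIsContainer -and ($names | Where-Object { $file.Name -like $_ })
    } | Select-Object FullName, Attributes, LastWriteTime
}
```

Rows marked FIX are the ones steps 3 to 7 still need to correct; the file listing shows attributes and timestamps so each hit can be reviewed before it is deleted.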
About RRT Tool
You may not believe this but there still are lots of computer users that have no anti-virus program installed because they erroneously think that they will be spared from infection. Some don’t even know what a computer virus is!
Well they are clearly wrong and the result is that I needed to clean, repair or dismantle lots of computers to get rid of all the malware that had infected their systems.
When someone asks for my assistance, the first thing I always do is an offline anti-virus scan and clean.
But when I boot the computer, I am often faced with the same problem; the virus has made some changes to the system restrictions in order to hide itself from easy detection. These restrictions are most often:
1 - Disable Folder Options >> so the user can't set the option to show hidden files!
2 - Disable Registry Tools >> so the user can't see what is going on during system startup!
3 - Disable Ctrl+Alt+Del >> so the user can't see the virus and the other applications running!
4 - Disable Show hidden files & folders >> so the user can't see the malware bodies which always come with hidden attribute set to true!
5 - Disable Run Command >> so the user can't use it to run some tools to track the virus activities or remove it.
6 - Disable Windows Firewall (SharedAccess) >> so the virus can send & receive any data through the network without the attention of the user!
7 - Disable Windows Firewall (Wscsvc) >> so the virus can send & receive any data through the network without the attention of the user!
8 - Disable Windows Firewall (Wuauserv) >> so the virus can send & receive any data through the network without the attention of the user!
9 – Restrict Internet Explorer Home Page Changing >> so the user can't change the malicious web page set by the malware!
10 – Restrict Internet Explorer Closing >> so the user can't close the pop-up windows that appear when visiting the malicious web page or any other website!
11 – Hide Internet Options >> so the user can't change any setting set by the malware!
12 – Hide Internet Explorer Address Bar >> so the user can't see which web page is being visited and which scripts are being executed!
13 - Restrict Internet Explorer Right Click >> so the user can't view the source of the page being visited and other useful things.
14 – Hide Internet Explorer Navigation Buttons >> so the user will be forced to use the keyboard shortcuts to navigate through the web sites!
15 - Hide Internet Explorer Context Menu >> so the user can't access this menu, which lets him select some useful settings.
16 - Hide Internet Explorer Toolbar >> so the user can't use it to remove some unwanted toolbars made by the malware.
17 - Disable Command Prompt (cmd.exe) >> so the user cannot run any console programs like command prompt removal tools...
18 - Disable Control Panel >> so the user cannot use the control panel applets.
19 - Hide system files/folders >> so the user can't see the malware bodies which usually come with system attribute set to true!
20 - Change Show Hidden files option button >> So even if you select "Show hidden files and folders" from Folder Options, these files & folders will not be shown!
21 - Disable Show System files check box >> So even if you uncheck "Hide protected operating system files", these files & folders will not be shown!
22 - Disable Show all files/folders check >> So changing this from folder options will be ignored!
23 - Hide Desktop items to prevent the user from accessing My Computer and other desktop shortcuts!
24 – Hide file extensions: This is commonly used by malware to trick the user. By hiding the file extension, a user doesn't know whether a file with a folder icon is an exe file or just an ordinary folder.
25 – Disable File Extensions Check >> So changing this from folder options will be ignored!
26 – Restrict Windows Update >> So the user cannot download security patches from Microsoft.
27 – Disable Shut Down Command >> So the user cannot shut down the system normally.
28 – Restrict Settings Folders >> Just imagine when all items under Start menu > Settings won't run!
29 – Disable Taskbar context menu >> You right click your taskbar.. Oops; nothing happens!
30 – Disable Logoff Command >> So the user cannot logoff and use another profile.
31 – Hide Start Menu Logoff >> So the user cannot use this shortcut to logoff!
32 – Restrict Add/Remove Programs >> So the user cannot see what applications and windows components are installed or uninstall/reinstall any application.
33 – File Extension Default >> So the user cannot select "Hide extensions for known file types".
34 – No Windows Update >> So the user cannot download security updates and other fixes for windows.
35 – R-Media Malware >> This item is indicating that a malicious object is trying to invade your computer through removable media, please see the details below.
36 – Hidden Drives >> So the user cannot see any of the storage drives but they still can use RUN to access and explore them.
37 – Restricted Drives >> So the user can see the drives but cannot access them even when using RUN command.
38 – No Search >> So the user cannot search the file system using the start menu item for any file.
Unfortunately, AV software doesn’t really care about these restrictions and does nothing to re-enable them!
Until AV software comes up with such a tool in their future versions, we have created a very small tool for you that does just that! It re-enables everything that the virus had previously disabled, and gives you back the control over your own computer. We called it Remove Restrictions Tool (RRT).
The new great feature:
RRT now is implemented with a totally new and great feature, we call it:
Removable Media Malware Defender.
Since we noticed that most of the malware nowadays spread via removable media (Flash disks in specific), we implemented RRT with the ability of monitoring, blocking and removing any type of malware that uses flash disks to spread.
RRT with AutoRemove enabled will monitor your system and detect any flash disk as soon as it gets plugged into the USB port. The generic technique will work in less than a few milliseconds; if it detects any infection in the flash disk, it will block it and remove the infection before it does any harm to your computer.
The great news is that RRT, unlike the traditional AVs, doesn't need to be updated with malware signatures in order for it to do its job; instead, it uses a generic and smart technique that detects any type of malware that attempts to infect your system via a flash disk inserted into the USB ports.
Important notes:
1 - Since this tool is security software that deals with the file system, the system registry and the running processes, it MUST be given all the rights it demands in order for it to do its job. Some other security software will try to block the tool and prevent it from doing its job; please make sure that it's not blocked by your firewall and that there's no other program blocking it.
Before running this tool, we recommend you disable any other security solution you are running, such as antivirus, firewall, monitoring tools, etc.
2 - Though RRT is able to remove the restrictions caused by malware even if the malware is already active, your computer must be CLEAN before using RRT. RRT is not programmed to heal your computer from any type of malware that has already infected your computer. RRT is just a tool to remove the malware leftovers and is a DEFENDER against the future malware that may infect your computer through removable media in the future!
3 - RRT will NOT protect you from any malware type that may infect your computer through CD/DVD drives, emails, or the internet. It's only programmed to protect you from the flash disk malware. By using RRT with AutoRemove enabled, you will be 100% sure that your computer will not get infected through flash disks!
How to buy RRT
The limited version of this tool is for FREE for personal use only. This limited version does not have the AutoRemove feature and has no Removable Media Malware Defender. If you would like to use the application in a business environment or you want to enjoy those two great features you are required to license the application. Licensing is quick, and the pricing is flexible.
Buy from Plimus (Recommended)
This is the recommended authorized reseller of our products. They accept almost any type of payment method (CC, PayPal, wire transfer, pay by fax, etc.) and have excellent 24/7 customer support and live assistance. You can buy in a secured place and enjoy the discounts and the special promotions, and the greatest thing is that you don't have to wait to get your product activated, as the activation process is fully automated. To buy RRT from Plimus click here
Buy from Avangate
If you do not have a Credit Card, or you want to pay by PayPal, or you want to enjoy the discount options for bulk orders, you may buy RRT from Avangate here
Buy from CNET
If you have your Credit Card ready and you need to buy only one unit, you may buy RRT from CNET by clicking here