virus


I had this problem. In Tools> Folder options > View - hidden files and folders

The

Show hidden files and folders not working - after virus attack (heap41a svchost.exe)

This is how you get the settings back to normal.

First, open Start > Run.

Type regedit in the Run box and click OK

The Registry editor opens up (See the image below)

Follow the steps in the animation below to get back the folder options to normal to see hidden files.

Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Change the value of CheckedValue from 0 to 1

Cleaning the pen drive right click options :

Browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Delete all the long keys ( which look like  {DGF53-353b3gg3-353523-3g523g}  ) there.

Still having problems with this “Orkut is banned” virus?

First make sure that the virus is completely removed from the computer.

How to remove “Use Internet Explorer you dope, I dnt hate Mozilla but use IE`r OR ELSE…” svchost.exe heap41a virus
http://www.fundazone.com/2007/06/how-to-remove-use-internet-explorer-you-dope-i-dnt-hate-mozilla-but-use-ier-or-else-svchostexe-heap41a-virus/

Then go to :

Start >Run >
Type regedit

Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Change the value of CheckedValue from 0 to 1

Open My Computer > Tools > Folder Options

Change the setting to show hidden files and folders

Apply and check again.

If it doesn’t work, there is another setting in the registry maybe in HKEY_USERS or HKEY_CURRENT_CONFIG or even HKEY_CURRENT_USER which overrides this setting.
I’ll try to find out where it is (I came across such a problem earlier and I found that key by luck). The key is in a similar place like this \Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, only that the beginning is different.

I’ll post it here when I find it. If anybody knows where it is, please do reply http://www.fundazone.com/2007/09/show-hidden-files-and-folders-not-working-after-virus-attack-heap41a-svchostexe/#comment-146
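The CheckedValue fix described above, scripted as an added example (not part of the original post). It reads the value and its registry type, saves a backup of the key, and writes 1 only if the value is missing, is not a DWORD, or is not 1; the type check and the backup file name are additions here, not steps from the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session, because the key lives under HKEY_LOCAL_MACHINE.
$sub  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$path = "HKLM:\$sub"
$name = 'CheckedValue'

function Get-ShowAllState {
    param([string]$KeyPath, [string]$ValueName)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ KeyFound = $false; Kind = $null; Value = $null }
    }
    $present = $key.GetValueNames() -contains $ValueName
    [pscustomobject]@{
        KeyFound = $true
        Kind     = if ($present) { $key.GetValueKind($ValueName) } else { $null }
        Value    = if ($present) { $key.GetValue($ValueName) } else { $null }
    }
}

$state = Get-ShowAllState -KeyPath $path -ValueName $name
$state | Format-List

if (-not $state.KeyFound) {
    Write-Warning "Key not found: $path (nothing changed)."
}
elseif ($state.Kind -eq 'DWord' -and $state.Value -eq 1) {
    Write-Output 'CheckedValue is already a DWORD set to 1; nothing to change.'
}
else {
    # Keep a copy of the key first so the edit can be undone by importing it.
    # The backup file name is an assumption of this example.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "SHOWALL-$stamp.reg"
    reg.exe export "HKLM\$sub" $backup | Out-Null

    # -Force replaces an existing value even if it was created with another type.
    New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null
    Write-Output "CheckedValue set to DWORD 1. Backup written to $backup"
    Get-ShowAllState -KeyPath $path -ValueName $name | Format-List
}
```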

It’s a relatively new virus, so most antivirus software is not able to detect and delete it.

To remove the virus completely, first you have to end the process svchost.exe belonging to the current user (I think you were able to do that and it worked). But then, the virus files are still hidden in your computer in two places.
In C:\heap41a and in temporary folder.

A trick to get to these folders :

Start > Run
Type C:\heap41a . Click OK
Now, you should be able to see and delete the virus files

Second location (temporary files)
Start > Run
Type %temp% . Click OK
Here, you see the virus files it used to enter the computer.

Harry Potter virus: Looks like the last file of a virus you just wiped out, until you try to erase it–then it wipes your drive.

Voldemort virus: You can’t get rid of it, only make it dormant. It can be reactivated by the Wormtail virus up to thirteen years later.

Dumbledore virus: Scares off all the other viruses but never seems to actually *do* anything.

Hermione virus: Fills up all available drive space with files of useless information.

Ron virus: Contains code, some of it buggy, from the author’s five previous viruses.

Draco Malfoy virus: Changes all your screensavers to insults.

Remus Lupin virus: Your computer becomes immune to all other virus and worm attacks, but three days out of the month it becomes a Commodore 64.

Weasley virus: Able to replicate even in limited space conditions.

Ginny virus: Looks like just another copy of the Weasley virus, but wreaks havoc every time you blog.

Tom Riddle virus: Masquerades as the Ginny virus, then retreats into memory.

Luna Lovegood virus: Repeatedly points your web browser to conspiracy-theory sites.

Slytherin virus: Your computer no longer reads hybrid CDs.

Gryffindor virus: All your games are reconfigured so you can no longer “Save As.”

Hufflepuff virus: Increases the efficiency of your computer, but gets no credit for it.

A type of USB pen / flash drive virus is a trojan worm made with VB Script. It gives an Autoplay or “Auto” option on all drives in the computer, affecting C: , D: , E: and so on.

It changes the Internet Explorer homepage to http://www.lastchaos.in.th/

And puts “Hacked by MOOzilla” in the Internet Explorer title

So, it comes like “Google -Hacked by MOOzilla” Or MySpace - Hacked by MOOzilla

This is in addition to affecting the pen drive (USB flash drive) with the same “autorun” and “autoplay”

To remove the infected files, you don’t have to send it to authorised service personnel or buy a new USB drive !

You just have to delete the “autorun.inf” and “IISdll.dll.vbs” files from the USB drive and the hard drive and kill the process “wscript.exe”

When you press Alt-Ctrl-Del (The three finger exercise - Alter + Control + Delete ), the Task Manager runs and shows you the programs which are running. Click “Processes” in the Task Manager.

Select “wscript.exe” and “End Process”

wscript.exe is not a virus, but the normal Windows Script Host program, which runs Windows scripts and functions written in VBScript. The virus is also programmed in VBScript, so the wscript.exe process has to be stopped, but the file must not be deleted.

Right click and open the drives and delete the files “autorun.inf” and “IISdll.dll.vbs”

These files may not be visible (they are set as hidden files and system files) , so if you don’t see them,

take Tools > Folder Options… > View

Choose “Show hidden files and folders” in “Hidden files and folders”

And remove the tick from “Hide protected operating system files (Recommended)”

Now, when you go to the drives ( ALWAYS RIGHT CLICK AND OPEN - NEVER DOUBLE CLICK ),

you can see and delete the files autorun.inf and IISdll.dll.vbs

There is also a copy of the virus in the Windows directory, “C:\Windows\IISdll.dll.vbs”, on most computers. Or just do this: del %windir%\IISDLL.dll.vbs (it deletes the virus from your Windows folder).

Then you should clear the registry too at these places.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Window Title”


Virus monsters on USB drive

Symptoms :
* All hard drive partitions ( C: , D: , E: , …) have an autoplay

* Internet Explorer homepage set to some Thai site. Internet Explorer shows “Hacked by Moozilla” (sic) on the title bar

* USB drives, and cameras and memory cards and portable hard drives and USB mp3 players and everything USB shows an autoplay. And Windows says it cannot stop the drive safely

* Another one creates copies of itself in every folder, each named as the folder with the folder icon. USB drive has an extra “folder” disguised virus named “DATA user” or “DATA (computer username)”

Signs :

* Right clicking any drive shows an extra autoplay, auto, or open (each for different USB worms)

* If you enable view hidden files AND system files, you can see the virus files in the root folder of every drive with an autorun file too. Both made system files.

* Using Alt-Ctrl-Del, to get Task Manager or any other task manager software, you can see wscript.exe running (Other viruses include pfw.exe, br?????.exe, autorun.exe, copy.exe, …)

Investigations :

* If you try to run or download an antivirus and the computer shuts down, it’s probably brontok - very dangerous

* If you can take Tools -> Folder Options, it’s not very dangerous

* If u can run regedit, u can cure the virus

* If u enable view hidden and system files, and can delete the virus files, u can cure it.

Treatment :

* Enable view hidden and system files, and delete the virus files.

* Open regedit, go to HKeyCurrentUser>Software>Microsoft>Windows>Current Version>Run and delete the virus entries

* Then go to HKeyLocalMachine>Software>Microsoft>Windows>Current Version>Run and delete the virus entries

* After that, go to HKeyCurrentUser>Software>Microsoft>Windows>Current Version>Explorer>Mountpoints2 and delete the virus entries

* After that, go to HKeyCurrentUser>Software>Microsoft>Internet Explorer and delete the virus entries

By http://www.fundazone.com

© JohnDa da FunDa
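A read-only triage pass over the places named in the treatment list above and in the registry list of the earlier removal post, as an added example that is not part of the original posts. It deletes nothing, so the findings can be reviewed before anything is removed by hand; the script-host match pattern and the "Start Page" value name (the standard Internet Explorer homepage value) are choices made for this example.

```powershell
# Added example, not from the original posts. Read-only: it only lists findings.

# 1. autorun.inf and .vbs files in the root of every file-system drive.
#    -Force includes files flagged Hidden and System.
$rootFindings = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -LiteralPath $drive.Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Extension -ieq '.vbs' } |
        Select-Object FullName, Attributes, LastWriteTime
}

# 2. Run-key entries whose command line starts a script host or a .vbs file.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runFindings = foreach ($k in $runKeys) {
    $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($n in $key.GetValueNames()) {
        $data = [string]$key.GetValue($n)
        if ($data -match '(?i)wscript|cscript|\.vbs') {
            [pscustomobject]@{ Key = $k; Name = $n; Data = $data }
        }
    }
}

# 3. MountPoints2 subkeys that cache a right-click command for a drive.
#    The command line is the default value of each "command" subkey.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$mountFindings = Get-ChildItem -LiteralPath $mp2 -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -ieq 'command' } |
    ForEach-Object {
        [pscustomobject]@{ Key = $_.Name; Command = [string]$_.GetValue('') }
    }

# 4. Internet Explorer title-bar text and homepage for the current user.
$ieMain = Get-ItemProperty -ErrorAction SilentlyContinue `
    -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieFindings = [pscustomobject]@{
    WindowTitle = $ieMain.'Window Title'
    StartPage   = $ieMain.'Start Page'
}

'--- Drive roots ---';       $rootFindings  | Format-Table -AutoSize
'--- Run keys ---';          $runFindings   | Format-List
'--- MountPoints2 ---';      $mountFindings | Format-List
'--- Internet Explorer ---'; $ieFindings    | Format-List
```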

Small pox is back !!! Kolkata ( formerly Calcutta - home of the Bengali babus), West Bengal, India. And Bangladesh. In the Indian subcontinent.

Although naturally occurring smallpox has been eradicated (not quite true - see above), there is still heightened concern that the variola virus might be used as an agent of bioterrorism. In the first documented case of biological warfare, in the 18th century, contaminated blankets used by smallpox patients were distributed among Native American Indians by the British with the intent of initiating outbreaks. A smallpox epidemic occurred, killing more than 50% of affected tribes. If a strain of the variola virus could be obtained, it could be manufactured easily and disseminated widely in an aerosol release. A release of smallpox could escalate to a catastrophic global epidemic unless effective control measures can be implemented quickly.

Smallpox has been identified by the Centers for Disease Control (CDC) as a “Category A” agent, meaning it has been given high priority due to its potential threat to national security. The following references provide information on the use of smallpox as a bioweapon and associated issues to be considered during a smallpox outbreak.

  • Emergency Preparedness & Response: Smallpox. Centers for Disease Control and Prevention (CDC). Contains extensive smallpox information, including fact sheets, overviews, FAQs, diagnosis and evaluation, infection control, laboratory testing, surveillance and investigation, selected publications, and education and training materials.
  • Inglesby, Thomas V., et al. “Smallpox as a Biological Weapon: Medical and Public Health Management.” Journal of the American Medical Association (JAMA) 281.22(1999, June 9): 2281-2290. Considers the prospect of an aerosol release of variola virus, and provides information on epidemiology, infection signs and symptoms, diagnosis and monitoring, vaccination, medical treatment, infection control, environmental decontamination, and more.
  • Textbook of Military Medicine: Medical Aspects of Chemical and Biological Warfare: Chapter 27 - Smallpox. Office of the Surgeon General, Department of the Army, (1997), 114 KB PDF, 21 pages. Provides a thorough review of smallpox, including its history and epidemiology, as well as biological warfare and clinical issues.
  • USAMRIID’s Medical Management of Biological Casualties Handbook, Fifth Edition. US Army Medical Research Institute of Infectious Diseases (USAMRIID), (2004, August). Provides links to PDF documents that contain information from this publication, known as the “Bluebook”, and recommendations regarding medical response to a biological warfare attack on a civilian or military population. Specific information on a number of potential bioterrorist agents is supplied, including smallpox.
  • Variola major (Smallpox): Bioterrorism Information and Resources. Infectious Diseases Society of America (IDSA). Includes a comprehensive clinical manual on smallpox, as well as other documents and resources.
  • BW Agents: Smallpox. University of Pittsburgh Medical Center (UPMC), Center for Biosecurity, (2005). Provides links to fact sheets, FAQs, and other references.
  • Smallpox. Saint Louis University (SLU), School of Public Health, Institute for Bio-Security. Provides links to quick reference material, education and training resources, news and journal articles, and other documents on smallpox.
  • Smallpox and Bioterrorism. Michigan Department of Community Health, Bureau of Epidemiology, Division of Communicable Disease and Immunization, 118 KB PDF, 2 pages. Covers key facts related to smallpox and bioterrorism, including disease facts, risk, and treatment.
  • Variola Virus (Smallpox). Texas Department of Health. Provides information on symptoms, diagnosis, and treatment available in the event smallpox virus is used as a bioterrorist weapon.
