Wednesday, December 31, 2008


How to delete unprotected files from your computer

  • Wednesday, December 31, 2008
  • Share
  • Today we will discus that how  to delete unprotected files from your computer and make them safe . The problem of unprotected files is caused by Deadhat worm (W32.HLLW.Deadhat or Vesser) which targets Windows systems that are or have been infected with the Norvarg (MyDoom) worm version A or B. the worm scans remote systems to determine whether TCP port 1080, 3127, and/or 3128 is open. If any of these ports is open because of a backdoor program installed by the Norvarg worm, the Deadhat worm copies itself to %systemroot%\sms.exe, thereby infecting the system. Once Deadhat starts running, it may pop up a message reading “Error executing program!” or “Corrupted File.”To ensure that it starts every time the infected system boots, this worm modifies the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Key in the Registry by adding the value "KernelFaultChk"="%systemroot%\sms.exe". Deadhat also finds the shared folder used by the Soulseek file-sharing program and then copies itself to this folder, assigning itself a name such as Norton.All.Products.KeyMkr.exe, F-Secure.Antivirus.Keymkr.exe, Windows2003Keygen.exe, WinZip.exe, or mIRC.v6.12.Keygen.exe. It opens TCP port 2766 to enable a remote attacker to connect to this port and then upload programs, which if done successfully causes them to immediately run.

    Additionally, Deadhat tries to kill processes that run in connection with antivirus and personal firewall software and also processes invoked by Novarg. If the infected system is infected with Norvarg, it keeps Norvarg from starting whenever the system boots by removing the Registry values that the various versions of Norvarg have added, including: 


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ TaskMon 



    Next it starts scanning sequential IP address ranges to locate ones on which ports 1080, 3127, and 3128 are active. Once connected, it sends a copy of itself to the location within the infected machine’s file system in which the Novarg executable resides, effectively eradicating Norvarg. Finally, this worm connects to an Internet Relay Chat (IRC) server, where it waits for commands to be sent to it.

     What we can do to delete unprotected files from your computer ?

    If you pc is infected by such problem than it is not terribly difficult to remove them . You need to do a live update of the infected system’s with good anti-virus software, restart the system in Safe Mode or VGA mode, run a virus scan on all files in the system (confirming the deletion of each infected file that the anti virus software identifies), and finally delete the values that Deadhat adds to Registry keys. (NOTE: In Windows Me and XP systems the System Restore function must be performed before the steps described here) .

    0 Responses to “How to delete unprotected files from your computer”

    Post a Comment