Wednesday, December 31, 2008
How to delete unprotected files from your computer
Today we will discuss how to delete unprotected files from your computer and make it safe again. The problem of unprotected files is caused by the Deadhat worm (W32.HLLW.Deadhat, also known as Vesser), which targets Windows systems that are or have been infected with version A or B of the Novarg (MyDoom) worm. The worm scans remote systems to determine whether TCP port 1080, 3127 and/or 3128 is open. If any of these ports is open because of the backdoor program installed by Novarg, Deadhat uses it to copy itself to %systemroot%\sms.exe, thereby infecting the system. Once Deadhat starts running, it may pop up a message reading "Error executing program!" or "Corrupted File." To ensure that it starts every time the infected system boots, the worm modifies the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key in the Registry by adding the value "KernelFaultChk"="%systemroot%\sms.exe".
Deadhat also finds the shared folder used by the Soulseek file-sharing program and copies itself there under a name such as Norton.All.Products.KeyMkr.exe, F-Secure.Antivirus.Keymkr.exe, Windows2003Keygen.exe, WinZip.exe or mIRC.v6.12.Keygen.exe, so that other Soulseek users download it believing it to be a key generator. It opens TCP port 2766 so that a remote attacker can connect to this port and upload programs; any program uploaded successfully is run immediately.
Additionally, Deadhat tries to kill processes belonging to antivirus and personal firewall software, as well as the processes started by Novarg. If the system is also infected with Novarg, Deadhat keeps Novarg from starting whenever the system boots by removing the Registry values that the various versions of Novarg add, including:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKEY_CURRENT_USER\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
Next it scans sequential IP address ranges looking for hosts on which port 1080, 3127 or 3128 is listening. Once connected, it sends a copy of itself to the location in the remote machine's file system where the Novarg executable resides, overwriting it and effectively eradicating Novarg while installing itself in its place. Finally, the worm connects to an Internet Relay Chat (IRC) server, where it waits for commands from its operator.
What can we do to delete unprotected files from your computer?
If your PC is infected in this way, removal is not terribly difficult. Disconnect the machine from the network first, since the worm is both accepting uploads on port 2766 and waiting for IRC commands. Then update the antivirus software on the infected system (a live update of its signatures), restart the system in Safe Mode or VGA mode so that Deadhat is not running and cannot kill the scanner, run a virus scan on all files in the system (confirming the deletion of each infected file the antivirus software identifies), and finally delete the values that Deadhat adds to the Registry keys described above. (NOTE: On Windows Me and XP, turn System Restore off before performing these steps, otherwise infected copies cached in restore points can be reinstated later; turn it back on once the system is clean.)
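The following PowerShell script is an added example, not code from the original post, that carries out the triage and clean-up described above: it checks the Run value, the dropped %systemroot%\sms.exe, the keygen-named copies in the Soulseek share, and listeners on the Novarg backdoor ports (1080, 3127, 3128) and the Deadhat port (2766). The default Soulseek share path is an assumption and must be set to the folder your client actually shares. Run it from an elevated prompt in Safe Mode after the antivirus scan; without -Remove it only reports.

```powershell
# Deadhat / Novarg triage and clean-up helper (added example, not from the original post).
# Run elevated, in Safe Mode, after updating and running the antivirus scanner.
# $SoulseekShare is an assumed default; point it at the folder your Soulseek client shares.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SoulseekShare = "$env:USERPROFILE\Soulseek\Shared",   # assumption, adjust as needed
    [switch]$Remove                                               # default: report only
)

$runKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropper       = Join-Path $env:SystemRoot 'sms.exe'
$backdoorPorts = 1080, 3127, 3128, 2766   # 1080/3127/3128: Novarg backdoor; 2766: Deadhat upload port
$shareNames    = 'Norton.All.Products.KeyMkr.exe',
                 'F-Secure.Antivirus.Keymkr.exe',
                 'Windows2003Keygen.exe',
                 'WinZip.exe',
                 'mIRC.v6.12.Keygen.exe'

$findings = @()

# 1. Persistence: the Run value Deadhat adds so sms.exe starts at every boot.
$runVal = Get-ItemProperty -Path $runKey -Name 'KernelFaultChk' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value KernelFaultChk = $($runVal.KernelFaultChk)"
    if ($Remove -and $PSCmdlet.ShouldProcess($runKey, 'Remove value KernelFaultChk')) {
        Remove-ItemProperty -Path $runKey -Name 'KernelFaultChk'
    }
}

# 2. The dropped executable. Terminate it first so the file handle is released before deletion.
if (Test-Path $dropper) {
    $findings += "Dropper present: $dropper"
    if ($Remove -and $PSCmdlet.ShouldProcess($dropper, 'Terminate and delete')) {
        Get-Process -Name 'sms' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $dropper -Force
    }
}

# 3. Copies planted in the Soulseek share under keygen-style names.
if (Test-Path $SoulseekShare) {
    foreach ($name in $shareNames) {
        $planted = Join-Path $SoulseekShare $name
        if (Test-Path $planted) {
            $findings += "Planted share file: $planted"
            if ($Remove -and $PSCmdlet.ShouldProcess($planted, 'Delete')) {
                Remove-Item -Path $planted -Force
            }
        }
    }
}

# 4. Backdoor listeners. netstat -ano exists on every Windows version the worm targets,
#    and its PID column tells you which process owns the socket. A listener on 1080/3127/3128
#    means the Novarg backdoor is still present and must be cleaned as well.
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
        $port     = [int]$Matches[1]
        $ownerPid = [int]$Matches[2]
        if ($backdoorPorts -contains $port) {
            $owner = (Get-Process -Id $ownerPid -ErrorAction SilentlyContinue).ProcessName
            $findings += "Listener on TCP $port owned by PID $ownerPid ($owner)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Deadhat/Novarg indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it once without switches to see what is present, then with `-Remove -WhatIf` to preview the deletions, and finally with `-Remove`. Because Deadhat kills antivirus and firewall processes, a listener that survives the clean-up in Safe Mode indicates a second component the scanner missed; check the owning process reported in step 4 before reconnecting the machine to the network.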