Removal of W32.Xabot.Worm and wininit32.exe

posted under Virus by Prince Mathew

Removal of W32.Xabot.Worm and wininit32.exe

orkut is sending viruses to your pc. To protect your pc close the windoworkut is infected by jammer worm

W32.Xabot.Worm is a Trojan/Backdoor that attempts to spread itself through the IRC and file-sharing networks. It also has backdoor Trojan Horse capabilities, which allows a hacker to gain control of a compromised computer. The existence of the file wininit32.exe is an indication of a possible infection.

Method of Installation

When executed, the worm copies self to: %System%\wininet32.exe.

It then adds the following keys to the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysInit = "%System%\wininet32.exe -drivers"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ SysInit = "%Syste

m%\wininet32.exe -drivers"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ SysInit =

"%System%\wininet32.exe -drivers"

to ensure that the worm is executed at each Windows start.

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

This worm is also known as:

• Backdoor.IRCBot.gen - named by Kaspersky.

• Win32.Xabot.B - named by Computer Associates.

• Win32/IRCBot.S trojan - named by Eset.

Name : W32.Xabot.Worm

Type : Trojan/Backdoor

Affected : Windows 2000, Windows 95, Windows 98, Windows Me,Windows NT, Windows Server 2003, Windows XP

Risk : Level 2: Low

Discovered : November 9, 2003

Update : February 13, 2007 12:13:35 PM

Wild Level : Low

Number of Infections : 0 - 49

Number of Sites : 0 - 2

Geographical Distribution: Low

Threat Containment : Easy

Removal : Moderate

Threat Assessment : Damage

Damage Level : Medium

Distribution Level : Medium

Writeup By : Robert X Wang

Manual Removal

► Open Windows Task Manager, choose Process Tab, find and kill process “Wininit32.exe”.

► Search your Hard Disk Partitions for “Wininit32.exe”, if found permanentally delete the file. (Note there is a system file called Wininit.exe, do not delete that file or it make you repair you OS).

► Open registry editor and remove the following entries.

Navigate through both HKLM as well as HKCU to find the below mentioned

keys.

Key: Software\Microsoft\Windows\Active Setup\Installed Components\SysInit

Value:StubPath

Key:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 1

Key:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value:10

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 11

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 12

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 13

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 14

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 15

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 16

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 17

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 18

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 19

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 2

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 20

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 21

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 22

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 23

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 24

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 25

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 26

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 27

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 28

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 29

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 3

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 4

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 5

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 6

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 7

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 8

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Value: 9

Key: Software\Microsoft\Windows\CurrentVersion\RunOnce

Value:SysInit

► Close the registry editor and Restart your computer.

► Now open your Web browser and open Orkut. Enjoy ☺

USB Autorun Virus Remover v2.3

posted under Software , Virus by Prince Mathew

USB Autorun Virus Remover v2.3

Autorun Virus Remover provides protection against any malicious programs trying

to attack via USB drive. When a USB devic

e is inserted into your computer, Autorun Virus Remover will automatically scan it, block and delete autorun virus, trojans, and malicious code. Also, it can detect and remove USB virus such as autorun.inf

virus in your computer.

Now you can be assured of immu

nity from those nasty pen drives, which are major sources of nasty viruses/

trojan horses/

worms.

Password: razor@inwarez.com

Removal of W32 USB worm

posted under Virus by Prince Mathew

Removal of W32 USB worm

“Orkut is banned you fool,The administrators didnt writs this program guess who did?? MUHAHAHA!!”

This error message is the aftereffect of a virus affection. The name of that virus is W32.USBWorm or Heap41a. This virus is spreads automatically to other computers by sending itself out by email or through Pen,USB,Thump disk. A program that propagates itself by attacking other machines and copying itself to the affected machine. Worms have self-replicating code that travels from machine to machine by various means. A worms first objective is merely propagation. Worms can be destructive depending on what payload they have been given. Worms may replace files, but do not insert themselves into files.

There are two ways to remove this virus; by manual and by software.

Properties of This Virus:

Autostarts/Stays Resident
No EULA present
No standard Uninstaller
Non-closeable ads
Stealth Tactics

Take a look at the funny error messages:

Orkut virus manual removal

Open the Task Manager by pressing Ctrl + Alt + Del and go to processes tab.
Locate svchost.exe under the image name. There will be many processes by that name but look for the ones which have your username under the username.
Just kill these processes by pressing Del key or right click and click end process .Only kill those which have your username under the username and leave the rest.
Open windows explorer and type "C:\heap41a" in the address bar and hit enter.
This is a hidden folder. Delete all the contents of this folder.
Open the registry. Search for heap41a in the registry by using the find command.
You will get something like this “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt“. Just delete the entries by pressing the del key.
Close the registry editor. Now the virus will be gone. ☺

Orkut virus removal tools

Mr. Sarath Lakshman from Kerala has created a fix to easily and automatically remove W32.USBWorm worm. Just download the fix from the link below, extract the archive and run Worm-fix.exe. Click the big Remove button and it’ll do its job.

You can download it from here:

Or you can also try cleaning it with Flash Disinfector created by sUBs.

You can download Flash Disinfector from here:

Thank You...

Subscribe to: Posts (Atom)

top