A few manual steps to catch Ahsan's virus:
Remove Ahsan's virus:
Everything gets his name. Your computer name becomes "Ahsan's computer".
All executables get closed. It continually checks floppies.
You can't do anything; it irritates you every 5 seconds.
Log in to safe mode as Administrator:
0. Create and save 0 KB files named "Home Video.exe" and "csrss.exe" on all drives (if you can't do it within 5 seconds, do it from bootable media)
----You can't ignore this 0th step----
- Stop system.exe and userinit using Task Manager before it gets closed
- Run RRT and disable the virus effects: check all the tick marks and press 'remove'
- The virus is out. If your cmd.exe is enabled now, take the command prompt from %system32%\cmd.exe
- Open regedit, search for and delete all entries with his damn name "Ahsan", his site 110mb.com and that GW Bush
- Enable "Run":
In regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and delete NoRun, or set it to the value 0
- If even now you are not able to handle the situation, run SDFix
- That's it!!
Here are my words from the frustration of removing this thing:
Ahsanmania has got an end.
This is Anil.. I too got an attack from Ahsan's virus..
I know the 66 KB .exe from my Gmail spam folder was the beginning.. Now it's a hazard for me and my friends. The systems in the men's hostel are affected.
Really this is an achievement of Ahsan over me. Good one, Ahsan..
I saw his works (probably bad) on the internet. The following links are some examples of his crooked mind.
He logs in to different forums with his name and a duplicate ID and makes himself a subject of talk. It was really a 'worm' he did to systems. Hmm. Wait, Ahsan, I am coming......
He is a great man to earn lots of bad words (as people usually say) within a very short time. Then he said he is not the person who made the virus, and posted an antivirus which is the same thing, the same virus renamed. Beware, he could hack into your PC too.. Never open small exe files if you aren't sure. Never install MobiMB3.6.6 from any site. The file is available in a lot of locations. All are his creations, which make it Ahsan's computer. Never read any forums with the users mobiMB, ambpk, Ahsan etc.. All these are his usual names....
Anyway, the internet, the biggest knowledge base, says the only solution for this virus is to re-install XP.. Why don't they install Linux and lose XP with that virus? Linux won't allow any Ahhhhhsaaannsss... Damn!!
Ahsan Manan Khan Bhutta.. He posted in almost all virus-related forums at his (virus boom) time.. In spite of the many who tried to catch him by IP, he swam in the internet.. Ahsan, I am coming... You are caught..
Reply to comments,
I was not checking the comments for a month. You need my email address? I have mentioned it in my blog http://anil.chipmonks.co.in .. Or you could have searched Google.. Anil Franklin, that's my name (firstname.lastname@example.org)
Glad to see this if you are the real 'ahsan'. All my effort was to get to you, to make you know that this has had a really bad effect in south India too. Lots and lots of systems lost data with this virus. Sorry if you are not the virus maker, I just meant to specify a way to get rid of this.
Now I know, you can't ignore that 0th step.
With information from the site discussbits and some other forums, I have updated my ideas with all the possible ways and have rewritten the method as follows:
Detailed steps to remove Ahsan's virus:
1. Start Windows in safe mode with command prompt (user: admin, preferably a user other than the one that was attacked).
2. Use the RRT tool to enable Run, if disabled.
3. Enable registry editing, if disabled, with the following reg command.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
4. Open regedit, search for and delete all entries with the name "Ahsan", the site 110mb.com and Bush.
5. If your Folder Options is disabled, enable it with the following reg key "
Check whether a DWORD value named NoFolderOptions exists in the pane on the right-hand side of the screen.
6. If you are still unable to view hidden files, which the virus disables, enable it with the following procedure and key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Find the value "Hidden". Right-click it and modify it to 1. If the value Hidden is not present, create it.
7. Check the following registry values and set the values given below in each registry key.
8. Now enable "show all hidden files / hidden system files and folders", and search for the following files and delete them all.
Note: these files will be in the parent drives (D:, C:) and in the Windows folder.
9. Now you are done!
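The registry resets from steps 3 and 6 and from the earlier "Enable Run" step, gathered into one batch file that shows each value before and after the change. This is an added example, not part of the original post: the keys and value names are the ones given above, the `:reset` label and variable names are made up here, and it assumes it is run at the safe-mode command prompt as the affected user.

```batch
@echo off
rem Added example, not from the original post.
rem Shows, resets and re-checks the per-user (HKCU) values named in the steps.
setlocal

set "POLICIES=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
set "ADVANCED=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

rem Arguments to :reset are: key, value name, wanted DWORD data
call :reset "%POLICIES%\System" DisableRegistryTools 0
call :reset "%POLICIES%\Explorer" NoRun 0
call :reset "%ADVANCED%" Hidden 1

endlocal
goto :eof

:reset
set "CURRENT=(not set)"
rem reg query prints "name  type  data"; keep the data of the matching line.
for /f "tokens=1-3" %%A in ('reg query "%~1" /v %2 2^>nul') do (
    if /i "%%A"=="%2" set "CURRENT=%%C"
)
echo %~1\%2 is %CURRENT%, wanted %3

rem Same form as the REG add command in step 3; /f overwrites without asking.
reg add "%~1" /v %2 /t REG_DWORD /d %3 /f >nul
if errorlevel 1 (
    echo   FAILED to write %2, check which user you are logged in as
    goto :eof
)

rem Read the value back so a write that did not stick is visible.
for /f "tokens=1-3" %%A in ('reg query "%~1" /v %2 2^>nul') do (
    if /i "%%A"=="%2" echo   now %%C
)
goto :eof
```

If a value shows its old data again after the next login, something is still rewriting it and the file and registry clean-up in steps 4 and 8 is not complete.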