
Monday, May 5, 2008

I caught you Mr. Ahsan (Remove Ahsan's virus)

A few manual steps to catch and remove Ahsan's virus:


Description:
Everything gets his name. Your computer's name becomes "Ahsan's computer".
All executables get closed. It continually checks floppies.
You can't do anything; it irritates you every 5 seconds.

Remedy:

Log in to safe mode as Administrator:


0. Create and save 0 KB files named "Home Video.exe" and "csrss.exe" in all drives. (If you can't do it within 5 seconds, do it from bootable media.)
----You can't ignore this 0th step----

  1. Stop system.exe and userinit using Task Manager before it gets closed.
  2. Run RRT and disable the virus effects: check all the tick marks and press 'remove'.
  3. The virus is out. If your cmd.exe is enabled now, take the command prompt from %system32%\cmd.exe
  4. Open regedit, then search for and delete all entries with his damn name "Ahsan", his site 110mb.com and that GW Bush.
  5. Enable "Run":
    In regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    and delete NoRun, or set it to value 0.
  6. If you still can't handle the situation, run SDFix.
  7. That's it!!



Here are my words from the frustration of removing this thing:
Ahsanmania has got an end.
This is Anil. I too got an attack from Ahsan's virus.
I know the 66 kb .exe from my Gmail spam folder was the beginning. Now it's a hazard for me and my friends. The systems in the Men's hostel are affected.
Really this is an achievement of Ahsan over me. Good one, Ahsan.

I saw his works (probably bad) on the internet. The following links are some examples of his crooked mind.

http://gsmhosting.com/vbb/showthread.php?p=3255407
http://www.geekstogo.com/forum/virus-creation-t182300.html

He logs in to different forums with his name and a duplicate id and makes himself a subject of talk. It was really a 'worm' he did to systems. Hmm. Wait, Ahsan, I am coming ......


He is a great man to earn lots of bad words (usually people say) within a very short time. Then he said he is not the person who made the virus and posted an antivirus which is the same thing, the same virus renamed. Beware, he could hack into your PC too. Never open small exe files if you aren't sure. Never install MobiMB3.6.6 from any site. The file is available in a lot of locations. All are his creations which make it Ahsan's computer. Never read any forums with the user mobiMB, ambpk, Ahsan etc. All these are his usual names ....
Anyway, the internet, the biggest knowledge base, says the only solution for this virus is to re-install XP. Why don't they install Linux and lose XP with that virus? Linux won't allow any Ahhhhhsaaannsss... Damn!!
..
hmmm..
Ahsan Manan Khan Bhutta .. He has posted in almost all virus-related forums at his (virus boom) time. In spite of the many who tried to catch him by IP, he swam in the internet. Ahsan, I am coming ... You are caught..

Yeah !!




Anil Franklin






Reply for comments,

ahsan,
I was not checking the comments for a month. You need my email address? I have mentioned it in my blog http://anil.chipmonks.co.in .. Or you could have searched Google. Anil Franklin, that's my name (anilfranklin@chipmonks.co.in)
Glad to see this if you are the real 'ahsan'. All my effort was to get to you, to make you know that this has had a really bad effect in south India too. Lots and lots of systems lost data with this virus. Sorry if you are not the virus maker, I just meant to specify a way to get rid of this.

zain,
Now I know, you can't ignore that 0th step.
With information from the site discussbits and some other forums, I have updated my ideas with all the possible ways and have rewritten the method as follows:


Detailed steps to remove Ahsan's virus :

1. Start Windows in safe mode with command prompt (user: admin, preferably a user other than the one that was attacked).

2. Use the RRT tool to enable Run, if it is disabled.

3. Enable registry editing, if it is disabled, with the following reg command.


REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f



4. Open regedit, then search for and delete all entries with the name "Ahsan", the site 110mb.com and Bush.

5. If your Folder Options is disabled, enable it using the following registry keys:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Check whether a DWORD value named NoFolderOptions exists in the pane on the right-hand side of the screen.
Delete it.



6. If you are still unable to view hidden files, which the virus disables, enable it with the following procedure and key.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced: find the value "Hidden", right-click it and modify it to 1. If the value Hidden is not present, create it.




7. Check the following registry keys and set the values given below in each key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002


8. Now enable "show all hidden files / Hidden system files and folders", then search for the following files and delete them all.

system.exe
csrss.exe
Home video.avi.exe
autorun


Note: these files will be in the root of each drive (D:, C:) and in the Windows folder.

9. Now you are done!
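
An added example, not part of the original post: a Python audit that parses a regedit export (.reg text) and reports which of the values from steps 3 and 5 to 7, plus NoRun from the first write-up, still differ from the settings given above. The sample export is constructed, and treating a restriction value of 0 as clean is an assumption.

```python
import re

CV = r"\Software\Microsoft\Windows\CurrentVersion"
HKCU = "HKEY_CURRENT_USER" + CV
HKLM = "HKEY_LOCAL_MACHINE" + CV
HIDDEN = HKLM + r"\Explorer\Advanced\Folder\Hidden"
# Restrictions (steps 3 and 5, plus NoRun): clean when missing or 0 (assumption).
RESTRICTIONS = [
    (HKCU + r"\Policies\System", "DisableRegistryTools"),
    (HKCU + r"\Policies\Explorer", "NoRun"),
    (HKCU + r"\Policies\Explorer", "NoFolderOptions"),
    (HKLM + r"\Policies\Explorer", "NoFolderOptions"),
]
# Values from steps 6 and 7: must exist with exactly this number.
REQUIRED = [
    (HKCU + r"\Explorer\Advanced", "Hidden", 1),
    (HIDDEN + r"\NOHIDDEN", "CheckedValue", 2),
    (HIDDEN + r"\NOHIDDEN", "DefaultValue", 2),
    (HIDDEN + r"\SHOWALL", "CheckedValue", 1),
    (HIDDEN + r"\SHOWALL", "DefaultValue", 2),
]

def parse_reg(text):
    """Parse regedit export text into {(key, name): value}; names lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1).lower(), m.group(2).strip()
        d = re.fullmatch(r"dword:\s*([0-9a-fA-F]{1,8})", raw)
        values[(key, name)] = int(d.group(1), 16) if d else raw.strip('"')
    return values

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    reg, findings = parse_reg(text), []
    for key, name in RESTRICTIONS:
        v = reg.get((key.lower(), name.lower()))
        if v not in (None, 0):
            findings.append(f"{key}\\{name} = {v} (delete it or set it to 0)")
    for key, name, want in REQUIRED:
        v = reg.get((key.lower(), name.lower()))
        if v != want:
            findings.append(f"{key}\\{name} = {v} (expected {want})")
    return findings

# Constructed sample export from a hypothetical affected machine.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002
"DefaultValue"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000002
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the audit again on a fresh export after the clean-up should give an empty list; any line it still prints names the key and value to revisit.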

50 comments:

PakiBoy said...

hi,

i need your e-mail adress for chat.

please send me your email adress to me with the subject "Virus Remover"
at InAngelEyes@Gmail.Com

Thanx !

Waiting For Your Kind Reply...

Anil said...

I saw a post from Ahsan that somebody else has made the virus ..

I didn't mean to hurt a person .. I just want to post a remedy for this ..

Whoever made this has gotta go ..

some one said...

Great Job Anil. Wish I had read your remedy before re-installing XP 15 minutes ago :(

But great job.!

Zain said...

I am done with both the ways, but I am unable to remove it, because there is a file named csrss.exe in the system32 folder. I tried to delete that but I am unable to because the process of that file is running, and when I try to end the process I get a message alerting me that this is a very critical process and cannot be ended.
Please help me out. What shall I do??

killuajohn14 said...

Hi,

Thanks for that info~ I managed to deal with that virus thanks to you Anil but isn't that the real virus maker who was asking for a chat with you?

anyway, Thanks alot dude

speedhawk said...

I would rather advise you to run HijackThis: just click on the ahsan and just click fix checked, it's gone...

speedhawk said...

just run Hijack this to remove the virus i think it works....

Anil said...

I think hijack wasn't working at the date I wrote this document .Anyway thanx .

Unknown said...

please let me know where i can download this hijack? is it a tool?

help me out buddy.

Mush

Unknown said...

I have tried all the suggestions you gave Anil but I still cannot get through to it. How do I create the Home Video and crscss .exe files.

Also the RRT tool I downloaded seems not to work in Safe Mode.

Any more suggestions.

I just contracted the virus yesterday.

Please help out

Ed

Zain said...

the new method may be the resolution of this problem, but i have re-installed the window and now thats working fine.
thank you for your re-work...

nikko said...

hi I have the same problem. how can i do the step 0. sorry im not that good in computer. thanks a lot.

nikko said...

i have removed the ahsans name in my "my comp,my docs, recycle bin" but in my drive C and D, i have a lot of hidden files, I dont know what is that. In the detailed step, I cant see the step number 8. I cant see those .exe files.. please help. thanks.

nikko said...

here's what i got on my drive C.

http://img187.imageshack.us/my.php?image=virxz4.jpg

Anil said...

Hi nikko ,

If you have successfully removed the name of Ahsan from my computer , my docs etc like stuff and if you are successfully using your system without getting it renamed back to Ahsan , its done !

You have removed ahsan's virus .And as seen in your picture you are able to view hidden files too ..


Now your is those sqm files ?
This may be due to your windows live messenger !(or I heard it may also be created while IE upgrade)

The files are part of the Customer Experience Improvement Program and can be stopped by going to Help -> Customer Experience Improvement Program then turning the option off..

Mark said...

Hi Mr. Anil,

i am infected with this virus too. im getting so frustrated looking for solutions on how to get rid of this thing. im really not good at this stuffs so the 0 step, how can i save it to all drives? you mean i should save it to A: C: D:? the RRT tool from Sergiwa is it only a demo? and when turn my computer to safe mode with command promt it says there that the administrator has disabled this feature *dunno exactly what it is* and all was black screen. i dont want to lose files on our computer so please Mr Anil help me on my problem. if you can e-mail me sir pls do. its chrazy_19@yahoo.com or i will check your blog for your reply.

Thanks!

Anil said...

Hi Mark,

You can save a file in a drive by using edit command in `command prompt` or just by using notepad or any editor.(save it with the name required).

Sorry, I haven't seen your problem (unable to login to safe mode: http://www.computerhope.com/issues/ch000750.htm ) in any of our affected systems related to Ahsan's virus.

0th step is to prevent the virus running in background from recreating the specified files.You can do that also by logging in from any live(bootable) cd (For example: http://electronics.wikia.com/wiki/How_to_make_a_Phoenix_live_CD_from_a_Debian_installation)

Anyway,I think your problem is a bit complicated if you are sure you cant get safe mode .

Mark said...

hello again Sir,

i can go into safe mode with command prompt but it says there that

"this feature has been disabled by the administrator.
Press any key to continue.."

but im logged in as an administrator. i can also log in to safe mode without the command promt. i can run Dr.Web anti virus but it takes 2 hours or less to finish it and my computer crashes in the middle of it.

your RRT tool is iSergiwa Portable Malware Scanner am i right? but when it scans my drive it shows all the viruses found but i cant remove it coz it says there that "Buy it to Remove" or something like that.

i got so stressed out on this problem. damn this ahsan makes me wanna bring him to satan ^^Y
should i reformat my pc now coz im loosing tons of hope T_T.

thanks for your reply Mr. Anil.

Anil said...

Hi all,
Sorry for putting an external 'RRT' link (the link was being redirected)(thanks 'uman' for reminding me about that) . I have updated the link to http://www.chipmonks.co.in/RRT.zip
Now you can download the RRT tool from this site itself.

Unknown said...

Hi Anil,
Pls help me. I borrowed my younger sister's laptop and now it is infected with this strange virus. I downloaded ur removal tool but it says i have to pay for the remover version. What do i do. I cant even get to your purchase site to know how much it is. Please help me

K said...

Hey thanks dude, thanks a lot!

Musa Signs said...

sir how to create exe file likes home video.exe as first part of this process ,, ans has this process worked for everone ,,,, and if this doesnot help mee then can i format my c drive and reinstall windowss , will it end my problem ,,,,,, or even formatting drives woulnt do it in case ur solution doesnot help mee ,,,,,,,,,,,,,,,,,

i ran sdfix in safe mode its catchme command promt says , there no hidden files
please help thanks

ahsan69 said...

i hav tried the both ways. m stucked in 0th step in 1st way nd in 8th step in 2nd way (8. Now enable "show all hidden files / Hidden system files and folders", and search for following files and delete them all.

system.exe
csrss.exe
Home video.avi.exe
autorun

Unknown said...

brother what is RRT please guide me

Musa Signs said...

listen any one who has ahsan viruss ,, listen me to carefull i got the virus few weeks back ,, let me tell its peace of cake to get rid of it ,,, i searched even came to this anil frankilin thing ,, its crap what has been out here ...................... listen u can get rid of in 10 minutes just restore ur windowss to a date before u got the virus ,, go to google and type how to restore windows it will tell the whole procedure ..... its a childsplayy

Anonymous said...

listen people i got the virus removed by the same procedure given here. but its quite troublesome and requires a lot of expertise. isnt there any other and easier way to get rid of it??

Unknown said...

There is an easier way too. First go to safe mode. Use RRT to activate regedit. Make sure you have WinRAR on your desktop. Open WinRAR. Using WinRAR go to the C: drive and there you will see autorun.inf, crss.exe and firewall.exe. Delete these files from your drives and from the Windows folder. Then use a trojan remover and scan and delete the infected files. Then change the registry entries which Anil said and then reboot into normal mode. It destroys the virus but does not allow you to see hidden files. But there is no need for it as there would be no virus.

Unknown said...

Hi,

Restoring my system through system restore, brought my system to a state where i cannot see AHSAN MANAN KHAN BHUTTA anymore, which is a good thing. But how do i make sure he has been got ridden of for good?

Anil said...

If it is so its good . I have usually seen two processes mutually creating each other in Ahsan affected systems which usually catch back after doing anything you can .The first trace of Ahsan is his name itself.If u get rid of that then you are safe from Ahsan's virus.

Saad said...

Hi Anil,


Thanks for your help, I had removed that thing from my PC, infact this virus attaches with the USB stick aswell, is there a way to get rid of this virus from USB?

Thanks

one more thing, I want to thank Ahsan too for putting us in that trouble.

Novskie said...

Hi??? Im Noel Angelo
please help me because my PC have
a problem...
The Ahsan Virus attact my Pc
and my cmd was disable...
How can I remove it?
my email add..
Killjoy_ramos_m25@yahoo.com
and i try some spywareRemover
but my Licence key was expired
my spywareRemover was XoftspySE
can you help me please........

Talib Abbas said...

I really appreciate what ahsan has done. Although i know that it create major problems for many of the people out there. But his work is fantastic, this virus hits all my institute pcs.

Sorry for those who got affected by the virus. I,too, become the victim of this shit.

But I must say, Genius

Although, he has its own way to prove himself. :)

Ruq said...

Hi Anil,
Have tried the steps u've recommended but it does not seem to be working. Have used RRT but cmd prompt still does not work it says "Disabled by administrator", I've also tried using SDFix but I can't get it to run. HELP!!!!!!!!!

Unknown said...

hello sir i m a research scholar,my all files related to research work are corrupted due to ahsan i m really very upset.....needs a immediate solution...i m nt a computer expert.............

Unknown said...

myseif kaman brar i m a research scholar suffering from ahsan its in all laptops of my universty.i just cant get my window format ........i m nt a computer expert......plzzzzzzzzzzzzzzzzzzzzzzzzz help meeeeeeeeeeee

Pakka Dost 4 Frienship said...

Hello to everyone,I was also affected by this ahsan's virus and I was also really very upset when I couldnt find any solution but now I make a simple solution to get rid of this damn ahsan's virus.The solution is very simple that reinstall your window and then dont open your hard disk drives from "my Computer" because ahsan's virus begins to attack your computer when you open hard disk drives(your drive will open in another window screen instead of openning in the same window screen if you set "open windows in same window").That's the time when ahsan's virus enters your computer and setting problems for you.You simply need to create shortcuts of all your hard disk drives on desktop without openning your drives and then open these drives from desktop and dont commit this error to open your hard disk drives from My computer again because if you will open these drives from "My Computer" then you will really hurt by Ahsan's Virus.So simple and detailed method is in front of you and you can absolutely get rid of this virus (not permanently) but if you want to get rid from it permanently then you have to format your hard disk by reinstalling window and again making partitions but you will lose your important data and I suggests you to only make shortcuts of your hard disk drives by clicking right mouse button on selected drive and then click "create shortcut" and your drive's shortcut will be on the desktop and then you will get rid of your tensions and Ahsan's virus.

thanks
Asad from Pakistan

Fashion said...

you , all abuses 4 u ahsan
bhain madar gan tujhe itne gaalian doon ketera pha





and love u anil franklin for thesolution

Muhammad Amjad Iqbal said...

I solved this problem in the following way.
1. Copy important files from C to any other drive
2. Format C and Re installed Window Xp
3. Installed Semantic Antivirus with latest patches, i asked my friend to provide me thorough Flash Drive.
4. Scanned Other drives with this antivirus
5. This removed Homevideo.avi.exe and Csrss.exe and my data saved and Virus removed
6. Remember to not to open any other drive during all this process, only scan these, if you opened it will caught you again.
7. after all this search these two files homevideo and Csrss by search these will not there, if still there then delete them from search window.
8. you will surely get rid of this Ahsen's virus.

bukhari said...

Thanks for enlightment and help, i tried every thing mentioned in all the forums but nothing worked than i downloaded Clamwin portable installed it in a USB drive ran it from there and Viola caught the crss.exe 110mb.com and GW bush. Bye Bye Mr Ahsan Mannan Bhutta gO TO HELL.

Ali Jan said...

1. First of all try RESTORE, if it works for you. Turn the computer back to a date from the preinfection state. Its easy

BUT

If restore function is disabled or doesnt work then try the following:

2. Use clamwin portable to identify locations of the files infected. Note them down. (You'll need them later)

Then use MalwareBytes AntiMalware (download it from download.com and cnet) When it has detected the worms, remove all but do NOT restart. Not yet. This is very very crucial!!!!! Otherwise worm will regenerate if you let it restart.

next step.. run Hijack this and fixcheck: Ahsan and the browser url **101.com and also fix check system.exe bad1 bad2 bad3 and bad4.exe (Dont fix check anyother files that you're not sure about OK!!)

------

now use the assassin tool in Malware Bytes and kill all the files identified by Clamwin in its scan. Remember not to open explorer yet. you can kill the bad files by opening the infected file via assassin tool. Try all directories c. d. e etc and type autorun.inf, Home Video.exe, even if you dont see them, try and open them as they may be hidden (even after you unhide them in folder options, its weird but thats how it is!) Once assassin opens a file it asks you, and choose DELETE.

Now rename all your icons

Bye Bye Bye Ahsan

Hope this helped.

Cheers!!

(And Ahsan, kid, make the country's name shine for something good too; why do you harass people? Repent, or else you will hang upside down on the Day of Judgment!!)

ASTROBOY said...

mr anil your a good guy...tnx I am not a computer expert only user, can i use the utilities in hirens? or winPE if so pls tell teach me how and what utility to use. my friend told me to use this boot cd (hirens 9.7) tnx in the future more power

rana said...

hi
I think that u can get red of ahsan by downloding & installing clamwin portable in ur U S B and run it from there I did that and I think ahsan is out I re name doc and my comp it is holding try it if i could do it every one should be able to do it good luck

Muhammad Abid said...

Dear Every one ,
i have created a small tool that removes the virus completely , and fixes all problems that caused by this virus , my program named (AH Remove_fix).
no computer knowledge required by just one click in less than a second the computer will be removed completely ..

download Remover: http://www.4shared.com/file/105248471/d315ba5d/AH_Remove_Fix.html

Zip file contains one exe file that do every thing and one folder called (ASSOC Fixes) that user to fix file assoc. for bat files registry files vbs files , at first run the exe file (run as administrator for vista) and then click on (Destroy Ahsan Virus and fix) every thing about this virus will be removed in less than one second .
after that run the registry files inside the ASSOC Fixes folder .

Note : this tool(exe file) will automatically fixes the registry files to work for the fixes that u sre running .

what this Tool do :
- Fixes all registry problems caused by this virus
- Removes all virus data and files from the computer
- Fixes the environment names and variables Like(My computer , My documents , ...etc)
- Removes all restrictions like disabled folder option , disabled cmd , ...etc
- Fixes the internet explorer settings (removes the ahsan title , and he's home page ,...etc)
- and many more things
- i set the homepage for internet explorer to (http://www.google.ae), you can change it

Tips :
- This tool will work on both Vista and XP .
- you must run it as administrator on Vista .
- In Vista you may get a black screen while cleaning this doesn't matter .

Anil said...

@muhammad

Thank you..

I thought this tool was related to Khalat Jalal From ( KUrdy Team )


@ all
Can I know about the details of this tool (About the language of script for the exe file and about ASSOC files).Thank you.

And thanks for the link :
download Remover: http://www.4shared.com/file/105248471/d315ba5d/AH

Unknown said...

Sir Muhammad,

i downloaded your AH remover and i successfully removed that freakin ahsan virus on my computer. but i got another problem. i used the program to delete the ahsan virus on the other computer but it wont work. the name will be "My Computer" then after a second, it goes back as "Ahsan's Computer". i tried it for how many times but i still cant resolve it. The PC is using Windows XP and i logged in as the Administrator. but i cant still remove it. please help me. i need to fix my other computer. Thanks!

Unknown said...

Sir Anil,

Thanks for the help. This is the first time i encountered this virus and im happy to know that you and other people around this blog has ways to remove this thing.