It's incalculable how much virus is produced during the month of November-December 2009. Average scattered power has a very fast and quite troublesome.
W32/Smalltroj virus. VPCG one malware that wara-wiri at the end of this year. This virus will block access to several security websites and other websites that have been determined by the number switch, which is 209.85.225.99 ip public ip Google.
So every time a user tries to access to certain websites, including website security / antivirus, so that appears not you want the web but the website www.google.com.
Here are 9 steps to clean W32/Smalltroj. VPCG a mixed Vaksincom:
1. Turn off System Restore during the cleaning process take place.
2. Decide who will clean your computer from the network or the Internet.
3. Change the name of the file [C: \ Windws \ system32 \ msvbvm60.dll] to prevent the virus active again.
4. Perform cleaning by using the Tools Windows Live CD Mini PE. This is due to some rootkit files masquerading as services and drivers difficult to stop. Please download the software at the address http://soft-rapidshare.com/2009/11/10/minipe-xt-v2k50903.html
Then boot the computer using software Mini PE Live CD. After that deleting some files iduk virus by:
l Click the [Mini PE2XT]
l Click the [Programs]
l Click the [File Management]
l Click the [Windows Explorer]
l Then delete the following files:
o C: \ Windows \ System32
§ wmispqd.exe
§ Wmisrwt.exe
§ qxzv85.exe @
§ qxzv47.exe @
§ secupdat.dat
o C: \ Documents and Settings \% user% \% xx%. exe, where xx is a random character (example: rllx.exe) with a file size of 6 kb.
o C: \ windows \ system32 \ drivers
§ Kernelx86.sys
§% xx%. Sys, where xx is a random character who has a size of 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)
§ Ndisvvan.sys
§ krndrv32.sys
o C: \ Documents and Settings \% user% \ secupdat.dat
o C: \ Windows \ inf
§ Netsf.inf
§ netsf_m.inf
5. Delete the registry created by the virus, by using the "Avas! Registry Editor", how:
l Click the [Mini PE2XT]
l Click the [Programs]
l Click the [Registry Tools]
l Click [Avast! Registry Editor]
l If the confirmation screen appears Kelik button "Load ....."
l Kemudain delete registry: (see figure 6)
Ø HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ currentvers
on \ Run \ \ ctfmon.exe
Ø HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \ kernelx86
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \ kernelx86
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \ passthru
Ø HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe
Ø HKEY_LOCAL_MACHINE \ software \ microsoft \ Windows NT \ CurrentVersion \ winlogon
ü Change the string value to be Userinit = userinit.exe,
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ StandardProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \% xx%
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \% xx%
Note:
% xx% showing random characters, this key is made to run the file. SYS which has the size of 40 KB which is in the directory [C: \ Windows \ system32 \ drivers \]
6. Restart the computer, restore the remaining registry that changed by the virus to copy the following script in notepad and then save with the name repair.inf. Execute the following manner: right-click repair.inf | click install
[Version]
Signature = "$ Chicago $"
Provider = Vaksincom
[DefaultInstall]
AddReg = UnhookRegKey
DelReg = del
[UnhookRegKey]
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ batfile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ comfile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ exefile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ piffile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ regfile \ shell \ open \ command,,, "regedit.exe"% 1 ""
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ scrfile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon, Shell, 0, "Explorer.exe"
HKEY_LOCAL_MACHINE \ software \ microsoft \ ole, EnableDCOM, 0, "Y"
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusDisableNotify, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallDisableNotify, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusOverride, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallOverride, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Control \ LSA, restrictanonymous, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Control \ LSA, restrictanonymous, 0x00010001, 0
HKLM, SYSTEM \ CurrentControlSet \ Control \ LSA, restrictanonymous, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden, CheckedValue, 0x00010001, 0
[del]
HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableRegistryTools
HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableCMD
HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer, NoFolderOptions
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run, ctfmon.exe
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ kernelx86
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ kernelx86
HKLM, SYSTEM \ CurrentControlSet \ Services \ kernelx86
HKLM, SYSTEM \ CurrentControlSet \ Services \ mojbtjlt
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ mojbtjlt
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ mojbtjlt
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ Passthru
HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows NT \ SystemRestore
HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate, DoNotAllowXPSP2
HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe
7. Delete temporary files and temporary Internet files. Please use the tools ATF-Cleaner. Download these tools in http://www.atribune.org/public-beta/ATF-Cleaner.exe address.
8. Restore back to the host file in Windows that has been changed by the virus. You can use tools Hoster, please download at the following address http://www.softpedia.com/progDownload/Hoster-Download-27041.html
Click the [Restore MS Hosts File], to restore the Windows hosts file.
9. For optimal cleaning and prevent re-infection, anti-virus scan with up-to-date and was able to detect this virus. You can also use Norman Malware Cleaner, please download at the following address click Here to download
W32/Smalltroj virus. VPCG one malware that wara-wiri at the end of this year. This virus will block access to several security websites and other websites that have been determined by the number switch, which is 209.85.225.99 ip public ip Google.
So every time a user tries to access to certain websites, including website security / antivirus, so that appears not you want the web but the website www.google.com.
Here are 9 steps to clean W32/Smalltroj. VPCG a mixed Vaksincom:
1. Turn off System Restore during the cleaning process take place.
2. Decide who will clean your computer from the network or the Internet.
3. Change the name of the file [C: \ Windws \ system32 \ msvbvm60.dll] to prevent the virus active again.
4. Perform cleaning by using the Tools Windows Live CD Mini PE. This is due to some rootkit files masquerading as services and drivers difficult to stop. Please download the software at the address http://soft-rapidshare.com/2009/11/10/minipe-xt-v2k50903.html
Then boot the computer using software Mini PE Live CD. After that deleting some files iduk virus by:
l Click the [Mini PE2XT]
l Click the [Programs]
l Click the [File Management]
l Click the [Windows Explorer]
l Then delete the following files:
o C: \ Windows \ System32
§ wmispqd.exe
§ Wmisrwt.exe
§ qxzv85.exe @
§ qxzv47.exe @
§ secupdat.dat
o C: \ Documents and Settings \% user% \% xx%. exe, where xx is a random character (example: rllx.exe) with a file size of 6 kb.
o C: \ windows \ system32 \ drivers
§ Kernelx86.sys
§% xx%. Sys, where xx is a random character who has a size of 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)
§ Ndisvvan.sys
§ krndrv32.sys
o C: \ Documents and Settings \% user% \ secupdat.dat
o C: \ Windows \ inf
§ Netsf.inf
§ netsf_m.inf
5. Delete the registry created by the virus, by using the "Avas! Registry Editor", how:
l Click the [Mini PE2XT]
l Click the [Programs]
l Click the [Registry Tools]
l Click [Avast! Registry Editor]
l If the confirmation screen appears Kelik button "Load ....."
l Kemudain delete registry: (see figure 6)
Ø HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ currentvers
on \ Run \ \ ctfmon.exe
Ø HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \ kernelx86
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \ kernelx86
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \ passthru
Ø HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe
Ø HKEY_LOCAL_MACHINE \ software \ microsoft \ Windows NT \ CurrentVersion \ winlogon
ü Change the string value to be Userinit = userinit.exe,
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ StandardProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \% xx%
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \% xx%
Note:
% xx% showing random characters, this key is made to run the file. SYS which has the size of 40 KB which is in the directory [C: \ Windows \ system32 \ drivers \]
6. Restart the computer, restore the remaining registry that changed by the virus to copy the following script in notepad and then save with the name repair.inf. Execute the following manner: right-click repair.inf | click install
[Version]
Signature = "$ Chicago $"
Provider = Vaksincom
[DefaultInstall]
AddReg = UnhookRegKey
DelReg = del
[UnhookRegKey]
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ batfile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ comfile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ exefile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ piffile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ regfile \ shell \ open \ command,,, "regedit.exe"% 1 ""
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ scrfile \ shell \ open \ command ,,,"""% 1 ""% * "
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon, Shell, 0, "Explorer.exe"
HKEY_LOCAL_MACHINE \ software \ microsoft \ ole, EnableDCOM, 0, "Y"
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusDisableNotify, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallDisableNotify, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusOverride, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallOverride, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Control \ LSA, restrictanonymous, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Control \ LSA, restrictanonymous, 0x00010001, 0
HKLM, SYSTEM \ CurrentControlSet \ Control \ LSA, restrictanonymous, 0x00010001, 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden, CheckedValue, 0x00010001, 0
[del]
HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableRegistryTools
HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableCMD
HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer, NoFolderOptions
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run, ctfmon.exe
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ kernelx86
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ kernelx86
HKLM, SYSTEM \ CurrentControlSet \ Services \ kernelx86
HKLM, SYSTEM \ CurrentControlSet \ Services \ mojbtjlt
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ mojbtjlt
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ mojbtjlt
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ Passthru
HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows NT \ SystemRestore
HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate, DoNotAllowXPSP2
HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe
7. Delete temporary files and temporary Internet files. Please use the tools ATF-Cleaner. Download these tools in http://www.atribune.org/public-beta/ATF-Cleaner.exe address.
8. Restore back to the host file in Windows that has been changed by the virus. You can use tools Hoster, please download at the following address http://www.softpedia.com/progDownload/Hoster-Download-27041.html
Click the [Restore MS Hosts File], to restore the Windows hosts file.
9. For optimal cleaning and prevent re-infection, anti-virus scan with up-to-date and was able to detect this virus. You can also use Norman Malware Cleaner, please download at the following address click Here to download
0 comments:
Post a Comment