D**n those f***ing China! *joke*
This is a new variant of the Microsoft.vbs virus; I wrote up how to clean it around a month ago, when it hit my cybercafe until it was totally broken he he… Most people now know this virus as the ARP virus. Why? Because after studying it more deeply, this virus is categorized as HIGH RISK and should be removed as soon as possible, before it infects your whole network.
First.. how to know this virus is active on your computer: you will mostly get error pages when browsing, or errors when using a messenger, PLUS you will find the files Microsoft.vbs, Microsoft.bat and Microsoft.pif on the hard drive where your OS is installed, PLUS *again* your computer is going to be slow, PLUS *oh not again* your internet connection will be slower than usual, PLUS *OMG* it will flood your network until some billing software (via TCP/IP) stops responding.
It's hard to know when your computer is infected, because it only shows a few errors when you browse, and sometimes it is not active at all (like a clean computer) until you have been idle for some minutes or hours.

When you browse you don't feel anything is wrong… but when you look at the page source, the evil is waiting there

The clean page source from google.com is not injected with any code.. but wait, when the virus is active you will see something like this..

Holy s**t what is that!!!
So the answer is that the virus becomes active when you use the internet, by browsing or chatting on a messenger. Basically all Internet Explorer activity can make this virus active! Enough, let's remove this virus permanently and stop it from coming back.
You can use Colasoft MAC Scanner (shareware) to scan your network. If you find a computer with the same MAC address as your gateway, you have to unplug that computer from the network and clean it before you put it back on the network. Why? If you clean an infected computer while it is still plugged in, the virus keeps spreading to other computers in your network, and once you have cleaned it, it will call its files back from another infected computer in your network. So don't waste your time on this stupid thing, UNPLUG IT to stop it spreading in the network!

Now.. get Security Task Manager and delete/remove the strange processes running in the background on your computer (usually with an IE icon, and DLL files): delete/remove Desktopwin.dll/Jview.dll and ThunderAdvise.dll, and delete/remove AppInit_DLLs.
Done.. Now get HijackThis and restore your hosts file: open the Misc Tools section, under System tools choose Open hosts file manager, and delete all lines after 127.0.0.1 localhost. You can also do this with Notepad; the hosts file is in %systemroot%/system32/drivers/etc
Now get ATF Cleaner and delete all cookies, history and Java cache.
Repair your registry back to normal by using this code:
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; Empty the AppInit_DLLs value and make sure the two keys below exist
[UnhookRegKey]
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs,0,""
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object
; Delete the ThunderAdvise and DesktopWin load entries
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, ThunderAdvise
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, DesktopWin
Or download repair.inf
To stop the virus coming back from other computers, disable the default shares by using this code:
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; AutoShareWks / AutoShareServer = 0 (REG_DWORD) turns off the default admin shares
[UnhookRegKey]
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareServer,0x00010001,0
Or download disable-default-share.inf and activate it with restart-net-service.bat
Disable autorun to stop the virus coming back from USB flash disks/removable media by using this code:
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; NoDriveTypeAutoRun = 255 (0xFF) written as REG_DWORD (flag 0x00010001): AutoRun off for every drive type
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
Or download disable-autoplay.inf
To stop the virus from coming back by replacing old files, let's make dummy files: download dummy.bat!
Last, scan with your BEST antivirus/antimalware to make sure your system is clean! Another trick to stop the virus from infecting your computer again: add a static ARP entry by typing in the command prompt "arp -s *gatewayipaddress* *gatewaymacaddress*". Or another trick: we can block those d**n virus sites in the hosts file. Here is a list of some websites detected as virus update sites:
(There are still a lot out there.. BLOCKING ALL .cn domains might resolve this problem ha ha ha)
Anyway, this method cannot really stop the virus from updating: as soon as the creator changes the websites again, we have to update the block list manually.
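To review the hosts file before deleting lines, and to tell your own block entries apart from entries that point a name at some other machine, here is an added example (not code from this article). The sample file is constructed, its names are placeholders rather than the site list above, and `audit_hosts` and `cleaned_hosts` are hypothetical helper names.

```python
import ipaddress

# Constructed sample hosts file. The names are placeholders, not the article's
# list, and 203.0.113.9 is a documentation-only address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.badsite.example      # block entry added by the admin
203.0.113.9     www.google.com www.bank.example
0.0.0.0         ads.badsite.example
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Sort hosts entries into default, blocked, redirect and malformed."""
    report = {"default": [], "blocked": [], "redirect": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)
            continue
        if len(fields) < 2:                        # address with no host name
            report["malformed"].append(lineno)
            continue
        for name in (f.lower() for f in fields[1:]):
            entry = (lineno, name, str(addr))
            if name == "localhost" and addr.is_loopback:
                report["default"].append(entry)    # the one line the article keeps
            elif addr.is_loopback or addr.is_unspecified:
                report["blocked"].append(entry)    # name sinkholed on purpose
            else:
                report["redirect"].append(entry)   # name sent elsewhere: review it
    return report


def cleaned_hosts(text):
    """Rebuild the file, keeping comments, localhost and block entries only."""
    report = audit_hosts(text)
    drop = {lineno for lineno, _, _ in report["redirect"]} | set(report["malformed"])
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1)
            if lineno not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```

Run it against a copy of the real file from %systemroot%/system32/drivers/etc and look at every `redirect` entry before writing the cleaned version back.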
Done (finally)… now use your computer as usual for 1-2 hours and see if the virus comes back..
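The duplicate-MAC check from the MAC scanner step and the static ARP trick, as an added example that is not part of the original article: it parses Windows `arp -a` output, lists every IP that shares the gateway's cached MAC, and builds the `arp -s` command. The sample output, all addresses and the function names are constructed, and the known-good MAC is assumed to have been read off the router itself.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real network).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1c-2d-3e-4f-50     dynamic
  192.168.1.17          00-1C-2D-3E-4F-50     dynamic
  192.168.1.40          00-aa-bb-cc-dd-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Lower-case a MAC and use '-' separators, as Windows prints them."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} for every entry line in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            ip, mac, kind = match.groups()
            table[ip] = (normalize_mac(mac), kind.lower())
    return table


def check_gateway(table, gateway_ip, known_good_mac):
    """Compare the cached gateway entry with the MAC read off the real router."""
    if gateway_ip not in table:
        raise KeyError("gateway %s is not in the ARP cache" % gateway_ip)
    cached_mac, kind = table[gateway_ip]
    return {
        # True when the cache holds a different MAC than the router really has.
        "gateway_mac_changed": cached_mac != normalize_mac(known_good_mac),
        # True once the entry has been pinned with `arp -s`.
        "gateway_pinned": kind == "static",
        # Other IPs with the gateway's cached MAC: unplug and clean these.
        "shares_gateway_mac": sorted(
            ip for ip, (mac, _) in table.items()
            if ip != gateway_ip and mac == cached_mac
        ),
    }


def static_entry_command(gateway_ip, known_good_mac):
    """Build the article's `arp -s` command for the known-good gateway MAC."""
    return "arp -s %s %s" % (gateway_ip, normalize_mac(known_good_mac))


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print(check_gateway(table, "192.168.1.1", "00:1a:2b:3c:4d:5e"))
    print(static_entry_command("192.168.1.1", "00:1a:2b:3c:4d:5e"))
```

With several network interfaces the same IP can appear more than once in `arp -a`; this sketch keeps the last entry it sees.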
July 30th, 2008 at 1:17 PM
What else ya virus?
August 2nd, 2008 at 9:55 PM
hello Istanto it attacks my internet cafe. I’ve tried to clean up following the instructions but why would any one use the Internet appear again? how is me dizzy … I am confused cafe because the virus is …
August 6th, 2008 at 11:08 AM
@ bowo: microsoft virus first name now changed the name of a virus arp:)
@ cencen: if the internet cafe / office had been infected with it is hard to clean up their network the best way possible to decide cencen all connections in the network and do not clean up one by one on the dial if not 100% sure clean this virus because there is the ability to call him back up on the computer network 1 which still had the files he needs. such a clean computer and the computer still remaining b virus b slightly later computer will continue to request a file to your computer if not found he will request to the website (made by spreading the virus) until he was complete and more active in the network and then spread itself. so the best way is to remove all clean and make sure the new 100% re-enter the network. clear accountability sure if this virus can make a hot head and the heart
August 10th, 2008 at 9:21 AM
i need networking
August 14th, 2008 at 11:09 PM
Your blog is interesting!
Keep up the good work!
October 23rd, 2008 at 10:50 PM
My office is often a few days later. When connecting to a common site network timeout or network interrupted. even to enter the wireless router just sometimes have to restart the router. I scan using Colasoft MAC Scanner, but there was no sign of duplicate MAC Address. Is this could be caused by a virus arp?
Thanks for the answer (if not via email).
October 24th, 2008 at 6:09 AM
DH Ricky, not necessarily caused by a virus that ARP try first observed more closely what it is, to try MAC scanner used after 2-3 hours of active computer .. The easiest way to find out ARP virus infection seen enough in %systemroot%\WINDOWS\AppPatch\ is not a file Desktopwin.dll, Jview.dll, or ThunderAdvise.dll if any one of the files over the network confirmed the father of ARP virus.
October 26th, 2008 at 10:28 AM
step using HijackThis can not delete line (s) who after 127.0.0.1. have reappeared in the delete alias can not delete. I have tried manually writing also can not make sure the path or filename are correct and hold the window open even save as … I am confused because cafes were closed today 2 … please enlightenment … thx
October 26th, 2008 at 10:46 AM
Ow .. It was very positive taxable ARP virus. Make sure all the processes active virus in the background is dead, if still not able to try the first skip, then if all the new step was finished fix the hosts files.
Please note that ALL computers on the network at the cafe please pull the LAN cable used for a while, MAKE SURE COMPUTER CLEANING NOT CONNECTED IN ANY CIRCUMSTANCES, NO FILE IN / OUT, NO OTHER VIRUSES (such Alman / SALITY) ARE ACTIVE. If the clean half of this virus is difficult in Exterminate must instead make a headache because he can backup itself from another computer that looks like a non-infected in one network or via internet.
I highly recommend reinstall all PCs in cafes and in the deepfreeze give such protection to this virus does not interfere with your business.
Good luck:)
October 26th, 2008 at 11:17 AM
must reinstall it seems, because as a Istanto’ve written I have done all this still is not right.
oh yes I have 3 partitions, which takes in all formats whether it or just C: / was it? please help
October 27th, 2008 at 1:24 AM
No fine was because he was still there and active in other computers in the network 1 .. well if you do not know where the location of the virus was better just reinstall your condition especially vulnerable cafe network. norman scan should use cleaner malware first when I save the important files in the format it and then all partitions. remember use protection like deepfreeze if infected again will not stress you can reinstall continue.
November 3rd, 2008 at 8:16 AM
Istanto going to ask the cause of the virus is active arp what causes microsoft.bat,. pif and. vbs this?? because I’ve cleaned but still there are active enlightenment yes please thanks before ….
November 4th, 2008 at 12:41 PM
he .. he .. he .. active during the backup so the virus is still there he would recover in the network
kk yes shirro same dizzy ARP virus? if my suggestion for internet cafe’s best reinstall all PCs will continue to be protected rather than back and forth can be stressful kk
November 13th, 2008 at 12:20 AM
when I try,,, apparently after a “disable-default-share.inf and activate it restart-net-service.bat” This makes LAN so illegible so can not share data between the pc … how to enable back?? please help .. thx
January 17th, 2009 at 9:12 AM
Istanto deepfreeze cafe I have all but still taxable, smart virus could exist in another partition d: that was not in the deepfreeze for saving data, not visible, the attrib cmd is not passed there, the scan using the latest update kav also not met, If the proxy directly interface rename disconnect, I’ve got a time-out line 2213 from web Winbox mirotik.co.id, I just installed windows xp not condition the program, directly download win box, when used directly dc all networks, virus Wow creepy yes, until closing Internet cafe for 5 days, it was only 7 pc, what if tens, the ghost only appears again, forced to install manually.
January 17th, 2009 at 5:42 PM
@ luvluv: re-wrote the settings in the setup home or small office network, but the risk of sharing files, although the scope of the intranet.
@ Ridwan: Sorry about ideals, so that this virus is crowned the recalcitrant category! according to my version
February 19th, 2009 at 11:04 PM
sir, it’s clear the virus must format all partitions on just what the c: course. because I share the internet rt-rw model net. See you in the format all partitions can-can I scold by the client in: D. about anti-virus can detect and clean up any virus? I use Nod can not detect this virus
February 20th, 2009 at 3:11 AM
if it would secure format all partitions let none of the rest will be back again there’s even a headache hehe .. Until now, I know there are no automated tools antivirus/3rd can clear the virus completely so use manual way and should be checked every hour if conditions there are still signs of life: P I might suggest perhaps sih antivirus norman the best approach
February 21st, 2009 at 4:29 AM
For safety reasons all seem to be formatted partitions. but it seems difficult to apply because in my father’s clients this protest. I was trying to scan and detect using kaspersky 12 trojans on the drive c. most hide in the same document settings temporary internet files. but unfortunately the same can not be deleted kaspersky. after they were scanned in safe mode, system restore turned off. scan was 90% around road. but suddenly the computer restarts itself. time in normal mode the virus live longer. hahaha …
My next plan service projects and friends c drive format + reinstall windows client computer. then update sp3, install anti-virus. I hope this powerful way to get rid of this damn virus
arp-s at the command prompt what the client computer with a static arp client then made that led to the client interface (gateway) is made reply-only proxy server? because I use proxy servers …
fathers guidance
February 21st, 2009 at 4:32 AM
There are forgotten. the destination site trojan mk.cxaaaa.cn / xx.htm. what is still a sort of Trojan viruses arp spoofing as well? because I was looking for mic.vbs, mic.bat, just not in mic.pif c. but the symptoms seem the same ….
September 5th, 2009 at 7:22 AM
Istanto the inject how?
October 7th, 2009 at 6:23 PM
Our computer has been infected by Deathlock, Can I restored infected files back, what files types contain this virus !!!