D**n those f***ing China! *joke* 😛

This is a new variant of the Microsoft.vbs virus; I wrote up how to clean it around a month ago, when it hit my cybercafe until it was totally broken, he he… Now most people know this virus as the ARP virus. Why? Because after learning about it more deeply, this virus is categorized as HIGH RISK and should be removed as soon as possible, before it infects your whole network.

First.. to know whether this virus is active on your computer: you will mostly get error pages when browsing, or errors when using messenger, PLUS you will find the files Microsoft.vbs, Microsoft.bat and Microsoft.pif on the hard drive where your OS is installed, PLUS *again* your computer is going to be slow, PLUS *oh not again* your internet connection will be slower than usual, PLUS *OMG* it will flood your network until some billing systems (via TCP/IP) stop responding.

It's hard to know when your computer is infected, because it only shows a small error when you browse, and sometimes it is not active (like a clean computer) until you have been idle for some minutes or hours.

arp-spoofing-1.jpg

When you browse you don't feel anything going wrong… but when you look at the page source, the evil is waiting there 😀

arp-spoofing-3.jpg

The clean page source from google.com is not injected with any code.. but wait, when the virus is active you will see something like this..

arp-spoofing-2.jpg

Holy s**t what is that!!! 😛

So the answer is that the virus becomes active when you're using the internet, by browsing or chatting on messenger. Basically all Internet Explorer activity can activate this virus! Enough, let's remove this virus permanently and stop it from coming back.

You can use Colasoft MAC Scanner (shareware) to scan your network. If you find a MAC address that is the same as your gateway's, you have to unplug that computer from the network and clean it before you put it back on the network. Why? If you clean an infected computer while it is still connected, the virus will spread back from the other computers in your network: once you clean it, it will pull the files back from another infected machine on your network. So don't waste your time on this stupid thing, UNPLUG IT to stop it spreading in the network!

arp-spoofing-4.jpg

Now.. get Security Task Manager and delete/remove strange processes running in the background on your computer (usually with an IE icon and DLL files): delete/remove Desktopwin.dll/Jview.dll and ThunderAdvise.dll, and delete/remove AppInit_DLLs.

Done.. Now get HijackThis and restore your hosts file: open the Misc Tools section, under System tools choose Open hosts file manager, and delete all lines after 127.0.0.1 localhost. Or you can do this using Notepad; the hosts file is in %systemroot%/system32/drivers/etc

Now get ATF Cleaner and delete all cookies, history and Java cache.

Repair your registry back to normal by using this code:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Empty the AppInit_DLLs value so no DLL is loaded through it
[UnhookRegKey]
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs,0,""
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object

; Delete the ThunderAdvise and DesktopWin autoload values
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, ThunderAdvise
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, DesktopWin

Or download repair.inf

To stop the virus coming back from other computers, disable the default shares by using this code:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey

; 0x00010001 = REG_DWORD; a value of 0 turns off the automatic administrative shares
[UnhookRegKey]
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareServer,0x00010001,0

Or download disable-default-share.inf and activate it with restart-net-service.bat

Disable autorun to stop the virus coming back from USB flash disks/removable media by using this code:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey

; 0x00010001 = REG_DWORD; 255 (0xFF) disables autorun on every drive type
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x00010001,255

Or download disable-autoplay.inf

To stop the virus from coming back by replacing old files, let's make dummy files: download dummy.bat!

Last, scan with your BEST antivirus/antimalware to make sure your system is clean! Another trick to stop the virus from infecting your computer again: you can add a static ARP entry by typing in the command prompt "arp -s *gatewayipaddress* *gatewaymacaddress*". Or, another trick, we can block those d**n virus sites by changing the hosts file; here is a list of some websites detected as virus update sites:


(There are still a lot out there.. BLOCKING ALL .cn domains might resolve this problem hahaha :P)

Anyway, this method can't really stop the virus from updating: as long as the creator changes the websites again, we have to update the block list manually.

Done (finally)… now use your computer as usual for 1-2 hours and see if the virus comes back.. 😀
