Computer And Internet, Miscellaneous, Personal, Tips & Trick

This is a new, rather crude virus/trojan that redirects your web browsing to google.com (209.85.225.99). It infected one of my clients on 01-01-2010. The virus was written in Visual Basic and is around 212-233 KB in size; once active it drops additional supporting files of random size.

How to know if you’re infected?

It is very easy to tell: if, while browsing the internet or opening an antivirus vendor's website, your page is always redirected to Google, you are infected by this virus.

Master Files

When active, this virus creates several master files and downloads additional supporting files from the internet. It scatters files across different locations to make cleaning harder, and it also hides itself as a Windows service and as Windows drivers.

This is the list of virus master files:

  • %SystemRoot%\system32
  1. wmispqd.exe
  2. Wmisrwt.exe
  3. qxzv85.exe
  4. qxzv47.exe
  5. secupdat.dat
  • %SystemDrive%\Documents and Settings\%user%\%xx%.exe, where %xx% is a random string; the file is 6 KB (example: rclxuio.exe).
  • %SystemRoot%\system32\drivers
  1. Kernelx86.sys
  2. %xx%.sys, where %xx% is a random string; the file is 40 KB (example: cvxqkopsd.sys)
  3. Ndisvvan.sys
  4. krndrv32.sys
  • %SystemDrive%\Documents and Settings\%user%\secupdat.dat
  • %SystemRoot%\inf
  1. Netsf.inf
  2. Netsf_m.inf

(Netsf.inf, Netsf_m.inf and the "passthru" service listed in the registry section below are the file and service names of the NDIS intermediate-driver sample, PassThru, from the Windows DDK, so the virus appears to reuse that sample as its network filter driver.)

Spreading Technique and Virus Effects

This virus spreads across your network and through removable disks using the autorun technique. Looking back, nearly every virus uses this same technique to spread, so it is a good idea to disable autorun in Windows: set the DWORD value NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF, which turns AutoRun off for every drive type.

The virus disables several Windows functions, including System Restore, Windows Firewall and RPC/DCOM, and it redirects most antivirus and security websites to google.com through the hosts file (%SystemRoot%\system32\drivers\etc\hosts).

How to Remove W32/SmallTroj.VPCG

1. Deactivate System Restore while cleaning.

2. Disconnect your computer from the network/LAN.

3. Rename msvbvm60.dll (%SystemRoot%\system32\msvbvm60.dll) to backup.dll. This stops the virus from running: it was written in Visual Basic and needs msvbvm60.dll (the VB6 runtime) to start, so once the file is renamed it cannot execute. Note that this also stops every legitimate VB6 program on the machine, so after you have cleaned the virus rename backup.dll back to msvbvm60.dll.

4. Delete the virus master files using Mini PE2XT. Because some rootkit components are hidden as Windows services and drivers, you need to boot the computer from Mini PE2XT and then follow these steps:

Menu -> Programs -> File Management -> Windows Explorer

Then delete the files listed under "Master Files" above.

5. Delete the registry entries created by the virus using Mini PE2XT:

Menu -> Programs -> Registry Tools -> Avast! Registry Tools

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, value ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\passthru
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\%xx%
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\%xx%

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
* Change the string value Userinit back to userinit.exe (on Windows XP the default is %SystemRoot%\system32\userinit.exe, with a trailing comma).

ATTENTION: %xx% is a random string; this service key is what loads the 40 KB .SYS driver. The Image File Execution Options\ctfmon.exe key is a standard hijack: a Debugger value under it makes Windows start the program it names whenever ctfmon.exe is launched, so delete the whole key. The two AuthorizedApplications entries are the virus whitelisting itself in the Windows Firewall.

6. Restart your computer, then save the following as repair.inf, right-click it and choose Install:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; restore the default open commands for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
; re-enable Security Center notifications, reset RestrictAnonymous to its default
; and restore the SuperHidden checkbox definition so hidden files can be shown again
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0

[del]
; user lockdown policies set by the virus
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
; autostart entry and rootkit services
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
; mojbtjlt is the random service name (%xx%) found on this infected machine; replace it with the one you found
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
; policies that block System Restore and Windows Update, and the ctfmon.exe hijack
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe

7. Delete all temporary internet files using ATF Cleaner.

8. Restore your hosts file using HostsXpert.

9. To make sure your system is totally clean and to prevent the virus from coming back, run a full system scan with Norman Malware Cleaner; if you don't like Norman, I recommend AVIRA.
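The hosts-file redirection described in this post is worth checking by script before and after running HostsXpert. The following is an added example, not code from this article or from any tool it mentions: it parses a Windows hosts file, flags entries that send security-vendor sites or many unrelated names to one non-loopback address (in particular the 209.85.225.99 target quoted above), and produces a cleaned copy. Only that IP comes from the article; the vendor watch list and the sample hosts content are constructed for the demonstration.

```python
"""Check a Windows hosts file for the redirections this trojan writes.

Added example for this article, not code from the post or from HostsXpert.
The infection rewrites %SystemRoot%\\system32\\drivers\\etc\\hosts so that
antivirus and security web sites resolve to 209.85.225.99 (the google.com
address quoted in the article).  The vendor watch list and the sample hosts
content below are constructed for the demonstration.
"""
import ipaddress

# Constructed watch list: a hosts entry for any of these that points away from
# loopback is treated as hostile (assumption made for the example).
WATCHED_DOMAINS = (
    "avira.com", "norman.com", "symantec.com", "kaspersky.com",
    "mcafee.com", "microsoft.com", "windowsupdate.com",
)
# Redirection target named in the article.
KNOWN_BAD_IPS = {"209.85.225.99"}
# A single non-loopback address collecting this many names is the redirection
# pattern even when neither list above matches.
MANY_NAMES = 5


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active hosts entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; Windows would not use it either
        yield no, str(ip), [h.lower() for h in parts[1:]]


def _is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return suspicious entries as (line_no, ip, hostname, reason)."""
    entries = [e for e in parse_hosts(text)
               if not ipaddress.ip_address(e[1]).is_loopback]
    names_per_ip = {}
    for _, ip, hosts in entries:
        names_per_ip.setdefault(ip, set()).update(hosts)
    findings = []
    for no, ip, hosts in entries:
        for h in hosts:
            if ip in KNOWN_BAD_IPS:
                findings.append((no, ip, h, "known redirection target"))
            elif _is_watched(h):
                findings.append((no, ip, h, "security vendor redirected"))
            elif len(names_per_ip[ip]) >= MANY_NAMES:
                findings.append((no, ip, h, "many names share one address"))
    return findings


def clean_hosts(text):
    """Return the hosts text with every flagged line removed; other lines kept."""
    bad = {no for no, _, _, _ in find_hijacks(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: a default XP hosts file, the redirections the infection
# adds, and one legitimate internal mapping that must survive cleaning.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
209.85.225.99   www.avira.com avira.com
209.85.225.99   www.norman.com
209.85.225.99   www.kaspersky.com update.symantec.com
192.168.1.10    fileserver.local   # legitimate internal entry
"""

if __name__ == "__main__":
    for no, ip, host, why in find_hijacks(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip} ({why})")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of the hosts file taken from the infected machine. Legitimate internal mappings (like the fileserver line in the sample) are kept, so review the flagged lines rather than blindly resetting the whole file; the virus can rewrite the file again while its process is alive, so do this after the master files and services are gone.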

Good luck! :)

Computer And Internet, Miscellaneous, Tips & Trick

Do you have a wallpaper or photo site that gets a lot of traffic but no conversions? I know how frustrating that problem is. The cause is usually that image-search traffic from Google arrives inside a frame, and that frame has to be removed to get the visitor's full-page attention.

Using this trick you can break out of any frame placed around your website. The risk of this code is already known and has been confirmed by several webmasters: it can lower your SERP position over time, and your site might be penalized. The good side is that people who use it get more accurate analytics data.

<script type="text/javascript">
// Compare the window objects rather than their Location objects: window.top
// is readable even from inside a cross-origin frame, and navigating it is
// permitted, so this breaks out of the frame by loading the page in the top window.
if (window.top !== window.self) window.top.location.href = window.location.href;
</script>

Put this code in your page and it should work like magic, removing frames; people usually put it in the header file. Keep in mind that a frame-busting script only runs if the framing page lets your JavaScript execute and can be defeated by a determined framer; if you want framing blocked reliably, send the X-Frame-Options response header (DENY or SAMEORIGIN) from the server. Please note that I am NOT recommending this code, because you now know the risk of using it. If you still use it, you do so at your own risk.

Have  a good day :D

Computer And Internet, Miscellaneous, Tips & Trick

This time-bomb virus deletes all the data on your hard disk and flash disk, including system files, for every file it finds on the 12th-13th of each month at around 8-9 AM. If you see this message on your computer, you have been infected by the Deadlock virus.

deadlock-1

This virus has strange master file names; I don't know why the virus creator chose apache.exe (a popular web server) and mysql.exe (a popular database), since users familiar with computer processes will spot these master files easily. Deadlock is packed with Petite 2.x, is 80 KB in size and uses a standard application icon.

deadlock-2

Spreading Technique:

There is no autorun.inf: Deadlock uses desktop.ini, which pulls in folder.htt, which in turn executes flashguard.exe. So if you are infected by this virus, every folder will contain these three files:

  1. Desktop.ini
  2. Folder.htt
  3. Flashguard.exe

deadlock-4

deadlock-5

Virus Effects:

This virus deletes all files, not only data or documents; it removes everything. If this happens to you I really don't have a smart solution... You can try recovery programs, though sadly these are not free. Maybe you can search for free recovery programs; anyway, in my experience not all recovery programs work 100%, and sometimes you cannot get lost files back completely if you lost them a long time ago (e.g. a year ago).

The virus also deletes system files and makes your computer fail to start. Consult your OS vendor on how to fix this (Windows XP has a repair option on the installation CD, but I don't know about other systems); if there is no repair tool you have no choice but to reinstall your OS and then recover your lost files.

HOW TO: Remove the DeadLock Virus Manually:

1. Disable System Restore during the cleaning process.

Computer And Internet, Personal, Short Reviews

Choosing your web server software matters when you need to get the most out of your server's resources. This happened to me around 2-4 days ago, when my hosting provider's abuse department contacted me because my VPS had reached its maximum specification. I was frustrated because they were going to kick me out, or charge me more, if I couldn't lower my resource usage. After looking at the problem I found that someone was using my server (maybe through a bug) to send spam email. I deleted that email account; the spam was gone and memory use went down a little, but the VPS resource usage stayed high and started to annoy me.

After looking more deeply at the problem, it was actually caused by the Apache web server: it takes too much memory, and once people hit it remotely it used too many resources and, BAM! all my sites went down. Thank God I finally found a solution for this problem: I converted from Apache to Lighttpd to lower the memory usage, and you bet, it works like a flash! :D

It is very simple to convert from Apache to Lighttpd; you can do it in minutes by following the installation documentation. The only problem you will face is the rewrite rules, because they are totally different from Apache's. This may be the hardest part of the installation, but once you get past it you will love Lighttpd more than Apache, won't you? Look at this image and you will love it!

ist-vps-ram

What do you need to know about Lighttpd rewrite rules? It's simple; look at this:

url.rewrite-once = ( "<regex>" => "<relative-uri>" )

OR

url.rewrite-repeat = ( "<regex>" => "<relative-uri>" )

Just write these rules in your configuration file; for clearer documentation you can read about it here. Lighttpd's standard configuration is faster than Apache's (I have already tested it); anyway, if you want to tune/optimize it for better results, look at the documentation here. Just follow it; I haven't tried it yet because I like the standard configuration, but maybe next time when needed.

Good points:

  • Faster.
  • Clean.
  • Low resource consumption.

Bad points:

  • Rewrite rules are hard to follow.
  • Too much manual configuration.

I haven't tried the Google Sitemap Generator beta with it yet, but I'm sure there will be no problem at all. Go try Lighttpd if you want to make your website/blog faster. Have a nice day :)

Computer And Internet, Miscellaneous, Tips & Trick

VBS/Cryf.A was written in Visual Basic Script (not Visual Basic). The first case happened in my cyber cafe on 18 July 2009; it spread from a user's flash disk and tried to infect every PC on my network.

I'm not sure why so many Indonesian virus makers use this VBS technique (maybe they know that, without needing msvbvm.dll, VBS can run on a lot of targets). Since I wrote an article about VBS a long, long time ago (I forget exactly, maybe around 2003-2005) on the jasakom website titled "VBS sederhana yang berbahaya" ("A simple but dangerous VBS"), many people have tried to turn that simple code into advanced code. Now I feel really stupid for having shared that article with the public...

How to know if you are infected by the VBS/Cryf.A worm:

1. The first time your computer is turned on, it opens the web browser and shows this picture.

VBS-Cryf.A-3

2. VBS/Cryf.A changes your web browser start page to:

VBS-Cryf.A-4

3. There is a folder named "album bokep" (Indonesian for porn) inside every folder.

4. VBS/Cryf.A changes your System Properties to look like this:

VBS-Cryf.A-5

5. It changes the .lnk file type to "movie clip".

VBS-Cryf.A-6

6. It controls your DVD/CD-ROM drive, opening and closing it to make you panic.

Computer And Internet, Miscellaneous, Tips & Trick

Having an automatically renewed sitemap, like the Google sitemap plugin for WordPress provides, is really needed when you want to be indexed faster by the top 5 search engines. But if you are not using the WordPress CMS, how do you build your sitemap manually? Lucky you, there are a lot of free sitemap generators out there. For small sites, generating a sitemap takes just minutes, but what if your site is big and has, say, at least 1,000 static URLs? You will go crazy waiting for the sitemap generator to finish, and of course the problem comes back every time you want to renew the sitemap of your big site.

It wastes time and, of course, managing it gets boring. Anyway, I just got the beta Google Sitemap Generator working on my VPS. If you are on shared hosting, sorry, this might not be usable unless your hosting provider is willing to help you. Now every time I update my sites, the sitemap is renewed automatically without my having to work on it manually again. I just update the content and let the sitemap generator create and submit the sitemap to the search engines automatically.

There are two beta versions of Google Sitemap Generator, for Windows and Linux. In this article I will cover the Linux version only, because I didn't try the Windows version.

Requirements:

  • Operating system. Google Sitemap Generator has been tested with the following types of Linux systems:
    • CentOS 4.6 (I ran it on CentOS 5 with no problem at all)
    • Fedora 7
    • Debian etch r0
    • Mandriva 2007
    • Red Hat Enterprise Linux 3 (32 bit or 64 bit)
    • Red Hat Enterprise Linux 4 (32 bit or 64 bit)
    • SUSE Linux Enterprise Server 10.0 (32 bit or 64 bit)
    • Ubuntu 6.10 (32 bit or 64 bit)
  • Web server. Google Sitemap Generator has been tested with Apache web server versions 1.3, 2.0, and 2.2.
  • Disk space. You’ll need between 100MB and 1GB of free disk space; the number of unique URLs on your website determines the actual disk space needed. One million URLs require approximately 1GB of disk space.
  • Web server access. You’ll need administrative access to the web server.

Set up Google Sitemap Generator:

Open the download list and download the files you need, then follow the installation guide. If you hit a problem (I usually hit one in the last step too, but fixed it), try another package; if it still fails, try installing with the command-line option (see number 3). Lastly, if all else fails, ask about your problem in their groups.

Once the installation is complete you have to set up SSL on your server (for remote management only; not needed if you manage it locally) and set the port, normally 8181. Changing the port only hides the admin console from casual scans and is not real protection; restrict who can reach that port with a firewall. Then restart your web server.

Configure/Manage Google Sitemap Generator:

Just open http://<yourwebiphere>:<yourporthere> (local) or https://<yourwebiphere>:<yourporthere> (remote).

You will see something like this:

ist-sitemap-1

Then just configure it; if you hit a problem, take a look here. After configuring it, just sit back and wait for the result. If it does not fit your needs, something must be wrong in your configuration; fix it and sit back again.

Done, Have a nice day! :D

Computer And Internet, Miscellaneous, Tips & Trick

Sandra Dewi Bugil...? This is not porn! It is a computer virus! :P But it is surely the work of a noob virus creator *again*.

sandra_dewi

Virus characteristic:

  • Virus size 132 KB
  • Virus file type "Application"
  • Virus extension .exe
  • Uses an image icon

The Sandra Dewi Bugil virus was written in Visual Basic. If it succeeds in infecting your system, it creates these files:

  • \Sandra Dewi Bugil.exe (in the root of every drive)
  • \Documents and Settings\%user%\Start Menu\Programs\Startup\Sandra Dewi Bugil.exe
  • \WINDOWS\Sandra Dewi Bugil.exe
  • \WINDOWS\system32\Sandra Dewi Bugil.exe
  • A duplicate copy of the virus in every folder on removable drives/USB sticks.

This virus shows a message while your computer is running; that is the easiest way to know your system is infected.

sandradewibugil-virus-1

This virus blocks several Windows functions to make itself harder to remove:

  • Disable Folder Options
  • Disable Registry Editor
  • Disable Search/Find
  • Disable Command Prompt
  • Disable Task Manager
  • Disable Control Panel
  • Disable Msconfig/System Configuration Utility
  • Disable Right Click on Desktop
  • Disable “All Programs” on Start Menu
  • Disable Log Off/Turn Off

Computer And Internet, Miscellaneous, Tips & Trick

Look... another lame virus maker. This virus is not dangerous at all, but it can surely make you a little angry when your computer slows down and some of your configuration changes. The Mahadewa virus was written in Visual Basic Script (not Visual Basic), so it can be deactivated simply by renaming or deleting wscript.exe in your system32 folder. Note that this also breaks every legitimate .vbs script on the machine; a gentler alternative is to disable Windows Script Host by setting the DWORD value Enabled under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings to 0.

This lame virus maker is really a noob, hehehe... he created a BIG virus, LOL! Usually a virus is small to help it spread fast, but this one is really crazy: it is so BIG it made me laugh really hard today.

mahadewa-1

Wait! I think I know this virus creator; here he is!

fat-blogger

Hahaha... I'm just joking, don't take it seriously, people...

How to know if your computer is infected by the Mahadewa virus:

1. Your Internet Explorer title bar changes.

mahadewa-2

2. Your Internet Explorer start page changes to "http://webkom".

3. Your computer name and organization change.

Computer And Internet, Miscellaneous, Personal, Tips & Trick

This virus infected my cybercafe server on 25/05/2009. I'm not sure where it came from; it looks like it came from one of my users' flash disks in the cybercafe. After studying it, this virus can surely be removed manually.

This virus's script is almost the same as Bulubebek's, so I think the creator is the same person. Some people on forums say this virus is a reincarnation of Bulubebek. Sadly, most antivirus companies do not detect this virus; the only one that detects it is SMADAV, though Norman also detects it as W32/VBTroj.AOQB.

Nadia Saphira virus characteristics:

  • File sizes 17 KB and 69 KB
  • File type "Application"
  • File extensions .exe and .ini
  • Uses a folder icon
  • Creates duplicate folders named after the real folders and hides the real ones
  • Removes Folder Options
  • CD-ROM cannot be used
  • Command Prompt cannot be accessed
  • Registry Editor cannot be opened

Like the Bulubebek virus, Nadia Saphira was written in Visual Basic. If it succeeds in infecting your system, it creates the following files:

  • autorun.inf (in the root of every drive)
  • NadiaSaphira.ini (in the root of every drive)
  • Documents and Settings\All Users\Start Menu\Programs\Startup\lan.exe
  • Documents and Settings\%User%\NadiaSaphira.ini
  • WINDOWS\taskmgr.exe
  • WINDOWS\system32\.exe
  • WINDOWS\system32\allsys.exe
  • WINDOWS\system32\misconfig.exe
  • WINDOWS\system32\MS586.sys
  • WINDOWS\system32\System
  • WINDOWS\system32\wtoolsb.exe
  • WINDOWS\system32\dllcache\.exe
  • WINDOWS\system32\dllcache\System

Like Bulubebek, Nadia Saphira hides all your folders and replaces them with "fake" folders (copies of the virus with the folder's name) to trick newbies into activating it. It also blocks Windows functions such as Folder Options, Registry Editor, Search/Find and Command Prompt.
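The functions that Nadia Saphira and the Sandra Dewi Bugil virus above disable (Folder Options, Registry Editor, Command Prompt, Task Manager, Control Panel and so on) are all set through documented Explorer and System policy values under the user's Policies keys, which is also why the repair.inf in the SmallTroj.VPCG post deletes DisableRegistryTools, DisableCMD and NoFolderOptions. The following is an added example, not code from any of these posts: it reads a regedit export (the text produced by `reg export` or File > Export in regedit) taken from the suspect machine, lists every lockdown policy that is switched on, and emits the reg.exe commands that remove those values. The .reg content is constructed for the demonstration.

```python
"""Flag the Windows policy values these viruses set to lock the user out.

Added example for this page, not code from any of the posts.  Reads a regedit
export (.reg text), maps the policy value names behind the symptoms described
in the write-ups (no Folder Options, no regedit, no cmd, no Task Manager, ...)
and prints the reg.exe commands that undo them.  SAMPLE_REG is constructed.
"""
import re

# Policy value name (lower-cased) -> what the user loses when it is non-zero.
# These are the documented Explorer/System policy names behind the symptoms.
LOCKDOWN_VALUES = {
    "disableregistrytools": "Registry Editor",
    "disablecmd": "Command Prompt",
    "disabletaskmgr": "Task Manager",
    "nofolderoptions": "Folder Options",
    "nofind": "Search/Find",
    "nocontrolpanel": "Control Panel",
    "norun": "Run dialog",
    "noviewcontextmenu": "Desktop right-click menu",
    "nostartmenumoreprograms": "All Programs on the Start Menu",
    "nologoff": "Log Off",
    "noclose": "Turn Off / Shut Down",
    "nodrives": "Drives in My Computer",
}
KEY_RE = re.compile(r"^\[-?(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)"|hex.*|-)$')


def parse_reg(text):
    """Return {key: {value_name: (type, data)}} from regedit .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, body = m.group(1), m.group(2)
            if body.startswith("dword:"):
                keys[current][name] = ("dword", int(m.group(3), 16))
            elif body.startswith('"'):
                keys[current][name] = ("sz", m.group(4))
            else:
                keys[current][name] = ("other", body)
    return keys


def find_lockdowns(text):
    """(key, value_name, function) for every lockdown policy that is switched on."""
    hits = []
    for key, values in parse_reg(text).items():
        if "\\policies\\" not in key.lower():
            continue  # only Policies\... keys carry these restrictions
        for name, (kind, data) in values.items():
            what = LOCKDOWN_VALUES.get(name.lower())
            if what and kind == "dword" and data != 0:
                hits.append((key, name, what))
    return hits


def undo_commands(text):
    """reg.exe commands that delete the offending values, one per finding."""
    return [f'reg delete "{key}" /v {name} /f' for key, name, _ in find_lockdowns(text)]


# Constructed export: the policies these viruses set, one value left at zero,
# and an unrelated Explorer\Advanced key that must not be reported.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoFolderOptions"=dword:00000001
"NoFind"=dword:00000000
"NoControlPanel"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, what in find_lockdowns(SAMPLE_REG):
        print(f"{what} disabled by {key}\\{name}")
    print()
    print("\n".join(undo_commands(SAMPLE_REG)))
```

Kill the virus process first (CurrProcess, as in the removal steps) or boot from a rescue CD before running the generated commands; while the virus is alive it simply writes the values back.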

To make this virus harder to remove, its creator changes your registry and creates autostart entries for when your computer boots; the first file is lan.exe, which then calls the other files as backups. Take a look at the picture...

nadia-saphira-virus

Infection Method:

As I said at the top of the article, this virus uses your flash disk and hijacks the Windows AutoPlay function to infect. It creates autorun.inf files to spread itself across your system.

nadia-saphira-virus-1
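Three of the write-ups on this page describe removable-disk infection: SmallTroj.VPCG and Nadia Saphira through autorun.inf, and Deadlock through a desktop.ini that pulls in a folder.htt which starts flashguard.exe. The following is an added example, not code from any of these posts: a tolerant parser that reports which programs the files found in a disk root would start. The three sample files are constructed for the demonstration; only the executable names lan.exe and flashguard.exe come from the articles, and the folder.htt script body is an assumption about how such a template might launch a program, not a description of Deadlock's real file.

```python
"""Report what autorun.inf / desktop.ini / folder.htt on a disk root would launch.

Added example for this page, not code from any of the posts.  SmallTroj.VPCG
and Nadia Saphira spread through autorun.inf; Deadlock uses desktop.ini to pull
in folder.htt, which starts flashguard.exe.  The three sample files below are
constructed; only the names lan.exe and flashguard.exe come from the articles,
and the folder.htt script is an assumption, not Deadlock's real file.  A
tolerant line parser is used instead of configparser because hostile
autorun.inf files routinely contain junk bytes and duplicate keys intended to
break strict INI parsers.
"""
import re

# [autorun] keys whose value is a command AutoRun/AutoPlay may execute.
AUTORUN_EXEC_KEYS = ("open", "shellexecute",
                     "shell\\open\\command", "shell\\explore\\command")
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([^=;]+?)\s*=\s*(.*)$")
EXE_RE = re.compile(r"[\w\-. \\$%]+\.(?:exe|com|bat|pif|scr|vbs)\b", re.IGNORECASE)


def parse_ini(text):
    """{section: {key: [values...]}} with names lower-cased; junk lines ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip("\x00\r\n\t ")  # NUL padding is common in hostile files
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            # keep every value: a duplicated key is itself a parser-confusion trick
            key = m.group(1).strip().lower()
            sections[current].setdefault(key, []).append(m.group(2).strip())
    return sections


def autorun_targets(text):
    """Commands an autorun.inf would run, as (key, command) pairs."""
    auto = parse_ini(text).get("autorun", {})
    hits = [(k, v) for k in AUTORUN_EXEC_KEYS for v in auto.get(k, [])]
    # shell\<any verb>\command runs too when that verb is made the default via shell=
    hits += [(k, v) for k, vals in auto.items()
             if k.startswith("shell\\") and k.endswith("\\command")
             and k not in AUTORUN_EXEC_KEYS for v in vals]
    return hits


def desktop_ini_webview(text):
    """The folder.htt a desktop.ini asks Explorer to render, or None."""
    info = parse_ini(text).get(".shellclassinfo", {})
    for v in info.get("persistmoniker", []):
        return v.split("file://", 1)[-1]
    return None


def executables_in_htt(text):
    """Executable names referenced anywhere in a folder.htt template."""
    return sorted({m.group(0).strip() for m in EXE_RE.finditer(text)})


def scan_removable_root(autorun_inf, desktop_ini, folder_htt):
    """Every program the three files together could start from a disk root."""
    launched = {cmd for _, cmd in autorun_targets(autorun_inf)}
    if desktop_ini_webview(desktop_ini):
        launched.update(executables_in_htt(folder_htt))
    return sorted(launched)


# Constructed samples -------------------------------------------------------
SAMPLE_AUTORUN = """\
[AutoRun]
\x00\x00junk line with no separator
open=lan.exe
shell\\open\\Command=lan.exe
shell\\auto\\command=lan.exe
shell=auto
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
SAMPLE_DESKTOP_INI = """\
[.ShellClassInfo]
PersistMoniker=file://Folder.htt
"""
SAMPLE_FOLDER_HTT = """\
<html><script language="VBScript">
Set sh = CreateObject("WScript.Shell")
sh.Run "flashguard.exe", 0
</script></html>
"""

if __name__ == "__main__":
    print("autorun.inf runs:", autorun_targets(SAMPLE_AUTORUN))
    print("desktop.ini loads:", desktop_ini_webview(SAMPLE_DESKTOP_INI))
    print("disk root would start:",
          scan_removable_root(SAMPLE_AUTORUN, SAMPLE_DESKTOP_INI, SAMPLE_FOLDER_HTT))
```

Point it at copies of the files read from a suspect stick (with AutoRun disabled on the analysis machine, as recommended in the SmallTroj.VPCG post). Every command it lists is a file to look for and remove from the disk root and from the system folders named in the write-ups.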

Alright, enough; let's remove this sh*t *lol*

How to Remove Nadia Saphira Virus W32/VBTroj.AOQB

1. Disconnect your computer from the network.

2. Turn off System Restore during the cleaning process (don't forget to turn it back on once the virus is removed).

3. Because this virus blocks Task Manager, use the third-party tool CurrProcess to kill its process and stop the active virus on your system:

Computer And Internet, Personal, Tips & Trick

I know many webmasters are looking for how to do this :D Last week I searched for how to make a custom JavaScript preloader like the one games.co.id uses. Many of the results were wrong and gave no solution; sometimes they did not work in IE or Firefox, or in either *lol*, until I found one that at least works about the same, and I decided to share the code.

A custom preloader can capture most of the visitor's attention, because their eyes are focused on that area. We can fill the preloader with anything we want, e.g. ads, info, offers, anything you like.

Most gaming templates use a design like the image below; the eye-spot area is the key content that interests our visitors. Our job is to work the eye-spot area to reach maximum visitor attention.

ist-template

Finally, we can make the preloader hide the content while it loads (usually a Flash game) and then show it after a time interval we set; normally 15 seconds is too long and may bore your visitors.

Alright, here's the sample code you need to make this preloader: jquery-preloader. The sample page is at http://www.istanto.net/jquery/ (tested working in IE and Firefox).

Lastly, you need to adapt this sample code into your own web code. You may modify it, but please share the code with people here :)
