If your computer and Internet connection feel slower than usual, you may be infected by W32/Obfuscated.J (Trojan.Downloader2.25378). This new Trojan uses your Internet connection to send your information to its server and to update itself. Be careful when you use your computer for business: it may steal your credit card or bank information. Would you want to wake up and find out someone stole your money? I don’t think so… no one would want that to happen, including myself.

W32/Obfuscated.J (Trojan.Downloader2.25378) was written in the C language. The virus has 2 important files, .exe and wjdrive32.exe; both are 49KB in size, have the hidden attribute set, and are located in the \windows\ folder.

Like older malware, W32/Obfuscated.J (Trojan.Downloader2.25378) spreads through removable devices and hides in the recycler folder. (I’m not sure if this Trojan can spread over the network, since I eliminated it before it grew in my networks.)

It’s very easy to detect whether your computer is infected by W32/Obfuscated.J (Trojan.Downloader2.25378); just take a look at the information below.

[to_plus]

1. You’ll see a lot of Visual Basic activity.

2. If you’re running an old computer, the virus may sometimes crash your explorer.exe.

3. The virus will send your information to a list of servers (use the netstat command or another tool to find out).

When I checked those IPs using online IP whois information, some of them were located in Japan and some in the United States. I think this is meant to confuse us about who is creating this Trojan.

4. The virus will turn off your Windows firewall.
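The netstat check from item 3 can be scripted. The following is an added example, not part of the original post: it parses `netstat -ano` output and reports connections to watch-listed endpoints together with the owning process ID. The watch list and the sample output are constructed placeholders; substitute the servers you are hunting for.

```python
import ipaddress

# Constructed watch list (RFC 5737 documentation addresses), standing in for
# the servers the post reports. Replace with the endpoints you are hunting.
WATCHLIST = {("203.0.113.10", 80), ("198.51.100.7", 5943)}

# Constructed sample of `netstat -ano` output from a Windows host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.5:1042          203.0.113.10:80        ESTABLISHED     1720
  TCP    10.0.0.5:1043          192.0.2.44:80          ESTABLISHED     2204
  TCP    10.0.0.5:1050          198.51.100.7:5943      SYN_SENT        1720
  TCP    10.0.0.5:1051          203.0.113.10:80        TIME_WAIT       0
  TCP    [::1]:1060             [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    692
"""

def split_endpoint(text):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); None if not parseable."""
    host, _, port = text.rpartition(":")
    try:
        return str(ipaddress.ip_address(host.strip("[]"))), int(port)
    except ValueError:
        return None  # e.g. '*:*' on UDP rows

def suspicious_connections(netstat_text, watchlist=WATCHLIST):
    """Return (remote_ip, remote_port, state, pid) for TCP rows hitting the watch list."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headers, blank lines, UDP rows (no state column)
        remote = split_endpoint(fields[2])
        if remote in watchlist:
            hits.append((remote[0], remote[1], fields[3], int(fields[4])))
    return hits

def pids_to_investigate(netstat_text, watchlist=WATCHLIST):
    """Distinct non-zero owning PIDs, to look up with `tasklist /FI "PID eq N"`."""
    return sorted({pid for *_, pid in suspicious_connections(netstat_text, watchlist) if pid})

if __name__ == "__main__":
    for ip, port, state, pid in suspicious_connections(SAMPLE):
        print(f"{ip}:{port} {state} pid={pid}")
```

Rows in TIME_WAIT are owned by PID 0 because the originating process has already closed the socket, so they count as evidence of contact but are left out of the PID list.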

How to remove W32/Obfuscated.J (Trojan.Downloader2.25378)

1. Disconnect your computer from the local network/Internet.

2. Run your computer in safe mode.

3. Download Dr.Web CureIt! (from a clean computer) and then zip it. Transfer the zipped file to your infected computer. Double-click the zip file and choose the main program. Scan all of your computer's drives, including removable devices.

*ATTENTION: DON’T EXTRACT THE ZIP CONTENT TO A FOLDER OR IT MAY GET INFECTED!

4. Repair your registry using the code below:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=Repair
DelReg=Remove

[Repair]
; Show hidden and protected system files and file extensions in Explorer
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
; Restore the default open commands for executable and .reg file types
HKLM, SOFTWARE\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
; Restore the default Winlogon shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

[Remove]
; Delete the autorun values listed for this Trojan
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft Config Setup
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, (Default)
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, vyre32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, MS0593[1]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, Microsoft Config Setup
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Taskman
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, 12CFG214-K641-12SF-N85P

Save it as whateveryoulike.inf, right-click it, and choose Install. You may download repairtrojandownloader.inf from my site.

5. Restart your computer and then clean all temporary files (you can use Windows Disk Cleanup, but I recommend CCleaner).

6. If you don’t want this virus to come back, update Windows or get a good antivirus you trust.

Done, Have a nice day 😀

[/to_plus]
