Damn those all virus maker, they will never stop make our world better. Hey for you all virus maker out there get a job and stop harassing people! 😛 To detect if your computer has been infected by this virus:

1. You will get error message “16 bit MS-DOS Subsystem” when you start up your computer.

16-bit-ms-dos.JPG

2. Virus will change computer owner and organization become:

RegisteredOrganization = GoldenGhost.Inc
RegisteredOwner = GoldenGhost

computer-properties.JPG

3. When you booting you will see option -= GoldenGhost Was Here =-

xp-booting.JPG

This virus has been made and compiled using visual basic, compressed with UPX, virus size around 1,312 KB. To trick some newbie out there this virus will associated as windows media player files, Actually… with .exe extension.

Master Files
Virus will create master files on
%SystemRoot%\%folder%\%file%.exe (random)
%SystemRoot%\system32\%folder%\%file%.exe (random)
Blocking Windows Function
Disable function “pasteâ€
Disable run
Disable Searh
Disable FolderOptions
Disable menu Recent Documents
Disable right click
Disable CMD
Disable RegistryTools
Disable TaskMgr
Cannot show hidden files
Deleted antivirus Programs

This virus will try to deleted some antivirus programs like Norman Virus Control, kaspersky dan McAfee.


Auto Access Playboy Website

I think this virus maker is not promoted p**n to everyone, this virus maker is just sick and love to watching p**n on his computer so he want to make everyone looking on p**n site *LOL*

Injected all .exe Files

This virus will make duplicate files and injected all .exe files he found, when you infected by this virus I recommended to stop explore you computer to minimize virus infection! infection files will get injected size around 1.312 KB from original size.

Spamming your IRC client

This virus will spam everyone on IRC when you connected into it. With messages like:

nick, free picture indonesia sex double klik url
nick Ada info baru ne Marshanda, Agnes Monica, Dian Sastro, Bunga.C Dah Berani Bugil, Untuk liat Fotonya double klik url
artis indonesia nude, double klik url
nick , indo artis majalah playboy double klik url
nick mo liat artis majalah playboy indo
nick indonesia free p**n, double klik url
ce bangsa indo, double klik

*LOL* this virus maker is noob from Indonesia, look on language he used.. so, it’s easy to remove this virus.. let’s remove it!

Remove GoldenGhost Virus W32/Agent.GYMR

1. Kill virus process, you can use any kill process programs out there except task manager. kill every background process with media player icon on it. or you can use this 3rd tools called Ice Sword *LOL* :

ice-sword-v122.zip

ice-sword.jpg

2. Repair registry changed by virus , copy the code below then save it as repair.vbs and run it by double click it.

Dim oWSH: Set oWSH = CreateObject(“WScript.Shell”)
on error resume Next
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\”,”””%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\”,”””%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\”,”””%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\”,”””%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command\”,”””%1″” /S”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell”,”Explorer.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system”,””
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization”,”Your Organization”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner”,”YourOwner”
oWSH.Regwrite “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page”,”about:Blank”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\type”,”Group”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\type”,”checkbox”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\type”,”checkbox”
oWSH.RegDelete(“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GoldenGhost”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofind”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”)
oWSH.RegDelete(“HKEY_LOCAL_MACHINE\SOFTWARE\GoldenGhost.A\”)

3. Deleted Master virus and duplicate virus using search function and find any .exe files with size 1,312 KB. Find and delete also this file:

devil.ocx = 1 KB
pluto.ocx = 1 KB
GoldenGhost.exe = 1 KB

4. Delete string @echo off on file autoexec.bat

5. Delete string -= GoldenGhost Was Here =-Â on your boot.ini files (usually on drive c:)

6. Restore host files configuration, you can use hijackthis or using this tool.

hostsxpert.zip

hostsxpert.JPG

7. Scan with your best antivirus programs, if your antivirus programs has been deleted/infected I recommended to reinstall that program and full scan your computer to make sure it clean.

8. Smile and give me some money he.. he.. 😛

Good luck people…. 😀

Similar Posts:

Related Search Terms:

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!