Damn those all virus maker, they will never stop make our world better. Hey for you all virus maker out there get a job and stop harassing people! :P To detect if your computer has been infected by this virus:

1. You will get error message “16 bit MS-DOS Subsystem” when you start up your computer.

16-bit-ms-dos.JPG

2. Virus will change computer owner and organization become:

RegisteredOrganization = GoldenGhost.Inc
RegisteredOwner = GoldenGhost

computer-properties.JPG

3. When you booting you will see option -= GoldenGhost Was Here =-

xp-booting.JPG

This virus has been made and compiled using visual basic,  compressed with UPX, virus size around 1,312 KB. To trick some newbie out there this virus will associated as windows media player files, Actually… with .exe extension.

Master Files
Virus will create master files on
%SystemRoot%\%folder%\%file%.exe (random)
%SystemRoot%\system32\%folder%\%file%.exe (random)
Blocking Windows Function
Disable function “paste”
Disable run
Disable Searh
Disable FolderOptions
Disable menu Recent Documents
Disable right click
Disable CMD
Disable RegistryTools
Disable TaskMgr
Cannot show hidden files
Deleted antivirus Programs

This virus will try to deleted some antivirus programs like Norman Virus Control, kaspersky dan McAfee.


Auto Access Playboy Website

I think this virus maker is not promoted porn to everyone, this virus maker is just sick and love to watching porn on his computer so he want to make everyone looking on porn site *LOL*

Injected all .exe Files

This virus will make duplicate files and injected all .exe files he found, when you infected by this virus I recommended to stop explore you computer to minimize virus infection! infection files will get injected size around 1.312 KB from original size.

Spamming your IRC client

This virus will spam everyone on IRC when you connected into it. With messages like:

nick, free picture indonesia sex double klik url
nick Ada info baru ne Marshanda, Agnes Monica, Dian Sastro, Bunga.C Dah Berani Bugil, Untuk liat Fotonya double klik url
artis indonesia nude, double klik url
nick , indo artis majalah playboy double klik url
nick mo liat artis majalah playboy indo
nick indonesia free porn, double klik url
ce bangsa indo, double klik

*LOL* this virus maker is noob from Indonesia, look on language he used.. so, it’s easy to remove this virus.. let’s remove it!

Remove GoldenGhost Virus W32/Agent.GYMR

1. Kill virus process, you can use any kill process programs out there except task manager.  kill every background process with media player icon on it. or you can use this 3rd tools called Ice Sword *LOL* :

ice-sword-v122.zip

ice-sword.jpg

2. Repair registry changed by virus , copy the code below then save it as repair.vbs and run it by double click it.

Dim oWSH: Set oWSH = CreateObject(“WScript.Shell”)
on error resume Next
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\”,”"”%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\”,”"”%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\”,”"”%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\”,”"”%1″” %*”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command\”,”"”%1″” /S”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell”,”cmd.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell”,”Explorer.exe”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system”,”"
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization”,”Your Organization”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner”,”YourOwner”
oWSH.Regwrite “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page”,”about:Blank”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\type”,”Group”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\type”,”checkbox”
oWSH.Regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\type”,”checkbox”
oWSH.RegDelete(“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GoldenGhost”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofind”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD”)
oWSH.RegDelete(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”)
oWSH.RegDelete(“HKEY_LOCAL_MACHINE\SOFTWARE\GoldenGhost.A\”)

3. Deleted Master virus and duplicate virus using search function and find any .exe files with size 1,312 KB. Find and delete also this file:

devil.ocx = 1 KB
pluto.ocx = 1 KB
GoldenGhost.exe = 1 KB

4. Delete string @echo off  on file autoexec.bat

5. Delete string -= GoldenGhost Was Here =-  on your boot.ini files (usually on drive c:)

6. Restore host files configuration, you can use hijackthis or  using this tool.

hostsxpert.zip

hostsxpert.JPG

7. Scan with your best antivirus programs, if your antivirus  programs has been deleted/infected I recommended to reinstall that program and full scan your computer to make sure it clean.

8. Smile and give me some money he.. he.. :P

Good luck people…. :D

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

SIMILAR POST :

Incoming search terms:

  • hostsxpert
  • 16 bit ms-dos subsystem
  • 16 bit ms-dos subsystem error message
  • 16 bit ms dos subsystem
  • VB virus removal software
  • virus 16 bit ms-dos subsystem
  • master file visual basic
  • virus folder 4kb
  • Virus goldenghost
  • 16 bit ms-dos subsystem windows 7
  • 16 bit ms-dos subsystem seven
  • virus folder jpg
  • new virus all jpg file dupklicate exe
  • remove Lnk virus of 32kb
  • true sword virus removal
  • what is 1kb virus
  • virus that hides jpeg
  • virus autohide
  • virus changes exe files to 16bit applications
  • virus documents 1kb
  • virus duplication jpeg folders
  • virus duplicate jpg files
  • Majalah playboy
  • 16 bit ms-dos subsystem virus
  • 16 bit ms-dos subsystem win 7
  • 16-bit ms-dos subsystem windows 7
  • 16bit ms dos subsystem
  • 32kb exevirus
  • 32kb files of jpg virus and hides files
  • 45 kb virus keeps duplicating
  • auto hide file extensions virus
  • auto hide folder virus remover
  • AUTOHIDE VIRUS REMOVER
  • Dian Sastro Bugil
  • hides folders and duplicates them with exe
  • how to use hostsxpert
  • ice sword
  • windows xp virus

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!


This entry was posted on Thursday, September 25th, 2008 at 7:55 PM and is filed under Computer And Internet, Miscellaneous, Personal. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.