This is a new, stupid virus/trojan that redirects all your traffic to google.com (209.85.225.99). It infected my client on 01-01-2010. The virus was written in Visual Basic and is around 212-233 KB in size. When active it drops additional supporting files of random size.

How to know if you're infected

It's very easy: if you browse the internet or open an antivirus website and your page is always redirected to the Google website, you're infected by this virus.

Master Files

When this virus is active it creates some master files and downloads additional supporting files from the internet. It spreads its files across different locations to make it harder to clean. The virus also hides as a Windows service and a Windows driver.

This is a list of virus master files:

  • %systemroot%\windows\system32
  1. wmispqd.exe
  2. Wmisrwt.exe
  3. qxzv85.exe
  4. qxzv47.exe
  5. secupdat.dat
  • %systemroot%\Documents and Settings\%user%\%xx%.exe, where %xx% is a random string; the file is 6 KB in size (example: rclxuio.exe).
  • %systemroot%\windows\system32\drivers
  1. Kernelx86.sys
  2. %xx%.sys, where %xx% is a random string; the file is 40 KB in size (example: cvxqkopsd.sys)
  3. Ndisvvan.sys
  4. krndrv32.sys
  • %systemroot%\Documents and Settings\%user%\secupdat.dat
  • %systemroot%\Windows\inf
  1. Netsf.inf
  2. Netsf_m.inf

Spreading Technique and Virus Effects

This virus spreads across your network or via any removable disk using the autorun technique. If we look back, almost every virus uses this same technique to spread, so it may be a good option to configure Windows to disable autorun.

The virus blocks some Windows functions such as System Restore, Windows Firewall, RPC/DCOM, etc. It also redirects most antivirus and security websites to google.com using the hosts file.
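The hosts-file hijack described above is easy to spot if you parse the file instead of eyeballing it: a clean hosts file only maps localhost to a loopback address, so any public hostname that resolves to a routable address, and especially many hostnames collapsing onto one address, is the pattern to look for. The following Python script is an added example, not part of the original article; the hosts content it scans is a constructed sample with illustrative hostnames, and the only real value in it is the 209.85.225.99 address the article names.

```python
# Added example (not from the original article): scan a Windows hosts file for
# hijacked entries where many public hostnames are pointed at one foreign IP.
import ipaddress
from collections import defaultdict

# Constructed sample hosts file. The localhost lines are legitimate; the
# 209.85.225.99 lines mimic the trojan's redirect. Hostnames are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
209.85.225.99   www.example-antivirus.com
209.85.225.99   update.example-antivirus.com   # the trojan's redirect
209.85.225.99   www.example-security.com
::1             localhost
"""

# Hostnames that may legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_hijacks(text):
    """Return {ip: [hostnames]} for every entry that is not a plain localhost mapping.

    Two cases are flagged: a public hostname mapped to a routable address
    (the redirect in the article) and a public hostname mapped to loopback
    (the classic way of blocking update sites).
    """
    suspicious = defaultdict(list)
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            suspicious["<invalid:%s>" % ip].append(name)
            continue
        if addr.is_loopback and name in LOCAL_NAMES:
            continue
        suspicious[ip].append(name)
    return dict(suspicious)


def sinkholed_ips(text, min_names=2):
    """IPs that collect at least min_names distinct hostnames: the sinkhole pattern."""
    return sorted(ip for ip, names in find_hijacks(text).items()
                  if len(set(names)) >= min_names)


if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(ip, "->", ", ".join(names))
    print("sinkhole IPs:", sinkholed_ips(SAMPLE_HOSTS))
```

On a real machine, read %systemroot%\system32\drivers\etc\hosts and pass its content to find_hijacks; a non-empty result is the cue to restore the file (step 8 below) rather than to trust any antivirus download until it is fixed.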

How to Remove W32/SmallTroj.VPCG

1. Deactivate "System Restore" while cleaning is in progress.

2. Disconnect your computer from the network/LAN.

3. Rename msvbvm60.dll (%systemroot%\Windows\system32\msvbvm60.dll) to backup.dll. This step prevents the virus from activating: because it was written in Visual Basic, it needs msvbvm60.dll to run, and once the file is renamed the virus can't start. After you have cleaned the virus I recommend renaming backup.dll back to msvbvm60.dll.

4. Delete the virus master files using Mini PE2XT. Because some rootkit components are hidden as a Windows service and driver, you need to boot your computer from Mini PE2XT and then follow these steps:

Menu -> Programs -> File Management -> Windows Explorer

Then delete the files listed under "Virus Master Files" (see above in this article).

5. Delete the registry entries made by the virus using Mini PE2XT:

Menu -> Programs -> Registry Tools -> Avast! Registry Tools

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\passthru
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\%xx%
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\%xx%

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
* Change the string value Userinit to: userinit.exe

ATTENTION: %xx% is a random string; this key is created to run the 40 KB .SYS file.

6. Restart your computer, then save the following as repair.inf (if you download it as repair-inf, rename it to repair.inf), right-click the file and choose Install.

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
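Before installing a repair.inf like the one above it is worth listing exactly which registry keys it will write and which it will delete, because the same AddReg/DelReg mechanism is also how a malicious .inf does damage. The following Python script is an added example, not from the original article: it parses the [DefaultInstall] AddReg and DelReg directives, splits each entry on commas outside quotes (an INF quoted string uses "" for a literal quote, which is why the exefile line reads """%1"" %*"), and prints the resulting operations without touching the registry. The sample it parses is a constructed, shortened copy of the article's repair.inf, and the FLAG_TYPES table covers only the common setupapi FLG_ADDREG_TYPE_* values, not every flag.

```python
# Added example (not from the original article): dry-run a repair.inf by
# listing the registry writes and deletions it would perform when installed.
import re

# Constructed sample: a shortened copy of the repair.inf shown in the article.
SAMPLE_INF = r'''
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
'''

# Value types encoded in the AddReg flags field (subset of setupapi FLG_ADDREG_TYPE_*).
FLAG_TYPES = {0x00000000: "REG_SZ", 0x00010001: "REG_DWORD",
              0x00020000: "REG_EXPAND_SZ", 0x00010000: "REG_MULTI_SZ",
              0x00000001: "REG_BINARY"}
TYPE_MASK = 0xFFFF0001  # bits of the flags field that select the value type


def split_fields(line):
    """Split an INF entry on commas outside quotes; '""' inside quotes is a literal quote."""
    fields, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == '"' and line[i + 1:i + 2] == '"':
                cur.append('"'); i += 2; continue   # escaped quote
            if c == '"':
                quoted = False
            else:
                cur.append(c)
        elif c == '"':
            quoted = True
        elif c == ',':
            fields.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur).strip())
    return fields


def parse_sections(text):
    """Return {section_name: [entry lines]} for INF text, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def preview(text):
    """Return ('set'|'delete', root, subkey, value_name, type, value) tuples in install order.

    An empty value_name on a 'set' means the key's (Default) value; None on a
    'delete' means the whole key is removed.
    """
    sections, ops = parse_sections(text), []
    for directive in sections.get("DefaultInstall", []):
        key, _, names = directive.partition("=")
        action = key.strip().lower()
        for sec in names.split(","):
            for entry in sections.get(sec.strip(), []):
                f = split_fields(entry) + [""] * 5      # pad optional fields
                root, subkey, name = f[0], f[1], f[2]
                if action == "addreg":
                    flags = int(f[3], 0) if f[3] else 0
                    vtype = FLAG_TYPES.get(flags & TYPE_MASK, "flags=0x%08x" % flags)
                    ops.append(("set", root, subkey, name, vtype, f[4]))
                elif action == "delreg":
                    ops.append(("delete", root, subkey, name or None, None, None))
    return ops


if __name__ == "__main__":
    for op in preview(SAMPLE_INF):
        print(op[0].upper(), op[1] + "\\" + op[2], op[3] if op[3] else "(Default)", op[4] or "", op[5] or "")
```

Running it against the full repair.inf from the article shows the intent of each section at a glance: the [UnhookRegKey] entries restore the file-type handlers, the Winlogon shell, DCOM and the Security Center notifications, while [del] removes the virus's service keys, its Run entry and the policy keys that disabled regedit, cmd and System Restore.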

7. Delete all temporary internet files using ATF Cleaner.

8. Restore your hosts file using HostsXpert.

9. To make sure your system is totally clean and to prevent the virus from coming back, run a full system scan with Norman Malware Cleaner. If you don't like Norman, I recommend AVIRA.

Good luck! :)
