This is a new, stupid virus/trojan that redirects all your traffic to google.com (209.85.225.99). It infected my client on 01-01-2010. The virus was made using Visual Basic and is around 212-233KB in size. When active it drops additional supporting files of random size.

How to know if you’re infected?

It’s very easy: if, while browsing the internet or opening an antivirus website, your page is always redirected to the Google website, you are infected by this virus.

Master Files

When this virus is active it creates some master files and downloads additional supporting files from the internet. It spreads its files across different locations to make cleaning harder. This virus also hides as a Windows service and a Windows driver.

This is the list of the virus master files:

  • %systemroot%\windows\system32
  1. wmispqd.exe
  2. Wmisrwt.exe
  3. qxzv85.exe
  4. qxzv47.exe
  5. secupdat.dat
  • %systemroot%\Documents and Settings\%user%\%xx%.exe, where xx is a random string; the file is 6KB (example: rclxuio.exe).
  • %systemroot%\windows\system32\drivers
  1. Kernelx86.sys
  2. %xx%.sys, where xx is a random string; the file is 40KB (example: cvxqkopsd.sys)
  3. Ndisvvan.sys
  4. krndrv32.sys
  • %systemroot%\Documents and Settings\%user%\secupdat.dat
  • %systemroot%\Windows\inf
  1. Netsf.inf
  2. Netsf_m.inf

Spreading Technique and Virus Effects

This virus spreads across your network or via any removable disk using the autorun technique. Looking back, almost all viruses use this same technique to spread, so it may be a good idea to configure Windows to disable autorun.

The virus blocks some Windows functions such as System Restore, Windows Firewall, RPC DCOM, etc. It also redirects most antivirus and security websites to google.com using the hosts file.
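As an added example (not part of the original post), here is a small Python audit of a hosts file for the redirect behaviour described above: it flags entries that pin anything other than google.com to 209.85.225.99, or that pin a security-vendor site to any non-loopback address, and returns the file with those lines removed. The sample hosts content and the vendor-name list are constructed for the example, not taken from the post.

```python
import ipaddress
import re

REDIRECT_IP = "209.85.225.99"   # the google.com address the post names
# Constructed list of security-vendor name fragments to watch; not from the post.
SECURITY_DOMAINS = ("avira", "norman", "symantec", "mcafee", "kaspersky", "windowsupdate")
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(\S.*)$")

def audit_hosts(text):
    """Return (suspicious, cleaned): [(line_no, ip, host, reason)] and the text without those lines."""
    suspicious, kept = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        m = HOSTS_LINE.match(raw.split("#", 1)[0])   # drop trailing comments
        if not m:
            kept.append(raw)                         # blank or comment-only line
            continue
        ip, hosts = m.group(1), m.group(2).split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            kept.append(raw)
            continue
        reason = None
        for host in hosts:
            h = host.lower()
            if ip == REDIRECT_IP and not h.endswith("google.com"):
                reason = (host, "pinned to the google.com address from the post")
            elif not addr.is_loopback and any(v in h for v in SECURITY_DOMAINS):
                reason = (host, "security site pinned to %s instead of DNS" % ip)
            if reason:
                break
        if reason:
            suspicious.append((no, ip) + reason)
        else:
            kept.append(raw)
    return suspicious, "\n".join(kept) + "\n"

# Constructed sample hosts file, not a capture from an infected machine.
SAMPLE_HOSTS = """# constructed sample; the 209.85.225.99 lines mimic the infection
127.0.0.1       localhost
209.85.225.99   www.google.com
209.85.225.99   www.avira.com avira.com
209.85.225.99   www.norman.com
10.0.0.5        update.kaspersky.com
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    for no, ip, host, why in audit_hosts(SAMPLE_HOSTS)[0]:
        print("line %d: %s -> %s (%s)" % (no, host, ip, why))
```

On a real machine point it at %systemroot%\system32\drivers\etc\hosts; a legitimate google.com entry and the localhost lines are left alone.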

How to Remove W32/SmallTroj.VPCG

1. Deactivate “System Restore” while cleaning is in progress.

2. Disconnect your computer from the network/LAN.

3. Rename msvbvm60.dll (%systemroot%\Windows\system32\msvbvm60.dll) to backup.dll. This step prevents the virus from activating: because the virus was made using Visual Basic it needs msvbvm60.dll to run, so once you rename it the virus can’t start. After you have cleaned this virus I recommend renaming backup.dll back to msvbvm60.dll.

4. Delete the virus master files using Mini PE2XT. Because some rootkit components hide as a Windows service and driver, you need to boot your computer using Mini PE2XT and then follow these steps:

Menu -> Programs -> File Management -> Windows Explorer

Then delete the files listed in the “Master Files” section of this article.

5. Delete the registry entries made by the virus using Mini PE2XT:

Menu -> Programs -> Registry Tools -> Avast! Registry Tools

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\passthru
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\%xx%
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\%xx%

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
* Change the string value Userinit to: userinit.exe

ATTENTION: %xx% is a random string; this key is created to run the 40KB .SYS file.

6. Restart your computer, then use this repair INF (save it as repair.inf): right-click on it and choose Install.

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; a doubled quote inside an INF string is one literal quote, so """%1"" %*" writes "%1" %*
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe

7. Delete all temporary internet files using ATF Cleaner.

8. Restore your hosts file using HostsXpert.

9. To make sure your system is totally clean and to prevent the virus from coming back, please run a full scan of your system using Norman Malware Cleaner. If you don’t like Norman, I would recommend AVIRA.
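As an added example (not from the original post), the following Python checks a regedit export for the persistence entries listed in step 5: the Run entry named ctfmon.exe, the Image File Execution Options key for ctfmon.exe, the kernelx86 and passthru services, the firewall exception for wmispqd.exe, and a tampered Userinit value. The sample export is constructed; the rclxuio.exe path chained onto Userinit in it is illustrative, reusing the example random name the post gives.

```python
import re

# Persistence indicators from the post: (key suffix regex, value-name regex or None, finding).
INDICATORS = [
    (r"\\CurrentVersion\\Run$", r"^ctfmon\.exe$", "Run entry named ctfmon.exe"),
    (r"\\Image File Execution Options\\ctfmon\.exe$", None, "IFEO key hijacking ctfmon.exe"),
    (r"\\Services\\(kernelx86|passthru)$", None, "malicious driver/filter service"),
    (r"\\AuthorizedApplications\\List$", r"wmispqd\.exe", "firewall exception for wmispqd.exe"),
]

def _unescape(s):
    return s.strip().strip('"').replace("\\\\", "\\")

def parse_reg_export(text):
    # Parse a regedit export (.reg) into {key: {value_name: data}}.
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][_unescape(name)] = _unescape(data)
    return keys

def audit_registry(text):
    # Return [(key, finding)] for each indicator from the post present in the export.
    findings = []
    for key, values in parse_reg_export(text).items():
        for key_re, name_re, why in INDICATORS:
            if re.search(key_re, key, re.I) and (
                    name_re is None or any(re.search(name_re, n, re.I) for n in values)):
                findings.append((key, why))
        if re.search(r"\\Winlogon$", key, re.I):
            # A clean Userinit is one userinit.exe path (trailing comma allowed); anything chained after it runs at every logon.
            userinit = values.get("Userinit", "")
            parts = [p.strip() for p in userinit.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                findings.append((key, "Userinit tampered: %s" % userinit))
    return findings

# Constructed sample export, not a capture from an infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\user\\rclxuio.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\wmispqd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kernelx86]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wmispqd.exe"="C:\\WINDOWS\\system32\\wmispqd.exe:*:Enabled:UpnP Firewall"
"""
```

Export the relevant hives from the Mini PE2XT registry tool (or with regedit /e on a clean boot) and pass the file contents to audit_registry; an empty list means none of the step 5 entries are present.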

Good luck! 🙂
