Not every antivirus program these days will help you get rid of your virus problem. In this case, Antivirus XP 2008 is spyware that tries to turn your computer into a spam zombie. Cases like this fuel the popular opinion that virus writers and antivirus vendors are working together (bad joke) *LOL*. Be careful when you open e-mail from someone you don't know, especially mail from "Daily Top 10" with the subject "CNN.com Daily Top 10": this e-mail asks you to update your Flash Player, but the file it offers is actually the virus.

antivirus-xp-2008.JPG

norman.JPG

If you download and run this file, it installs the main malware component, which then automatically downloads more files from the Internet and runs them. The files it creates:

C:\WINDOWS\system32\CbEvtSvc.exe
C:\Documents and Settings\Your User Name\Local Settings\Temp\lfq0kzgs.exe
C:\Documents and Settings\Your User Name\Local Settings\Temp\.xx1.tmp.vbs
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\smss.exe
C:\WINDOWS\system32\lphc7nvj0e52e.exe
C:\WINDOWS\system32\phc7nvj0e52e.bmp
C:\WINDOWS\system32\blphc7nvj0e52e.scr
C:\windows\system32\drivers\xxx.sys
C:\Documents and Settings\LocalService\Application Data\584289103.exe
C:\Program Files\rhc3nvj0e52e
C:\Windows\system32\pphc7nvj0e52e.exe
C:\Documents and Settings\LocalService\Application Data\rhc3nvj0e52e
C:\Documents and Settings\Your User Name\Application Data\rhc3nvj0e52e.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\Your User Name\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

This malware also makes the following registry changes:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
DisplayName = CbEvtSvc
ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
DisplayName = CbEvtSvc
ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CbEvtSvc
DisplayName = CbEvtSvc
ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6127a5e3
ImagePath = \SystemRoot\System32\drivers\6127a5e3.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6127a5e3
ImagePath = \SystemRoot\System32\drivers\6127a5e3.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6127a5e3
ImagePath = \SystemRoot\System32\drivers\6127a5e3.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lphc7nvj0e52e = C:\WINDOWS\system32\lphc7nvj0e52e.exe
SMrhc3nvj0e52e = C:\Program Files\rhc3nvj0e52e\rhc3nvj0e52e.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\software notifier

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\rhc3nvj0e52e
DisplayName = AntivirXP08
UninstallString = "C:\Program Files\rhc3nvj0e52e\uninstall.exe"

HKEY_LOCAL_MACHINE\software\rhc3nvj0e52e
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion
rhc3nvj0e52e = 8b 6e 99 48 (binary)

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
AntivirXP08 = AntiVirXP08
SV1

This malware also tries to spread over your Internet connection: it spams every e-mail address it finds on your computer. Type netstat -a at a command prompt and you will see lots of network activity that you did not start.

spam.JPG
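The netstat check above is easy to eyeball once, but a small parser makes the "spam zombie" symptom concrete: a workstation that is not a mail server has no reason to hold SMTP connections to several different remote hosts at the same time. The following Python script is an added example, not code from the original post; the netstat output it parses is constructed to look like the Windows XP `netstat -a` format (host:port or host:service columns), and the threshold of three distinct SMTP peers is an assumption you can tune.

```python
import re
from collections import Counter

# Constructed sample of `netstat -a` output on an infected workstation
# (not captured from a real host). Service names appear instead of port
# numbers because -n was not given.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:1038              mx1.example.net:smtp   SYN_SENT
  TCP    mypc:1039              mx.example.org:25      ESTABLISHED
  TCP    mypc:1040              203.0.113.7:smtp       SYN_SENT
  TCP    mypc:1042              mail.example.com:smtp  SYN_SENT
  TCP    mypc:microsoft-ds      mypc:0                 LISTENING
  TCP    mypc:1041              www.example.com:http   ESTABLISHED
  UDP    mypc:ntp               *:*
"""

# Constructed sample of a clean machine: only web browsing and listeners.
CLEAN_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:1041              www.example.com:http   ESTABLISHED
  TCP    mypc:microsoft-ds      mypc:0                 LISTENING
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# Remote ports that mean "talking to a mail server": numeric and service-name forms.
SMTP_PORTS = {"25", "smtp", "587", "submission"}


def parse_netstat(text):
    """Return (proto, local, remote, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        rows.append((proto, local, remote, state or ""))
    return rows


def split_host_port(addr):
    """'mx.example.org:25' -> ('mx.example.org', '25'); works for IPv4 too."""
    host, _, port = addr.rpartition(":")
    return host, port


def outbound_smtp(rows):
    """Count active or attempted TCP connections per remote SMTP host."""
    hosts = Counter()
    for proto, _local, remote, state in rows:
        if proto != "TCP" or state in ("LISTENING", ""):
            continue
        host, port = split_host_port(remote)
        if port.lower() in SMTP_PORTS:
            hosts[host] += 1
    return hosts


def looks_like_spam_zombie(text, min_hosts=3):
    """Flag when the box is reaching at least `min_hosts` distinct mail servers."""
    hosts = outbound_smtp(parse_netstat(text))
    return len(hosts) >= min_hosts, hosts


if __name__ == "__main__":
    flagged, hosts = looks_like_spam_zombie(SAMPLE_NETSTAT)
    print("spam zombie suspected:", flagged)
    for host, n in hosts.most_common():
        print(f"  {host}: {n} connection(s)")
```

On a real machine, pipe the output of `netstat -a` (or `netstat -an`, which the port set also covers) into `looks_like_spam_zombie`; a burst of SYN_SENT entries towards many mail exchangers is the pattern the post's screenshot shows.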

This malware also removes the "Screen Saver" and "Desktop" tabs from Display Properties, replaces your desktop wallpaper with %systemroot%\system32\phc7nvj0e52e.bmp, and sets your screensaver to the executable %systemroot%\system32\blphc7nvj0e52e.scr, which shows a fake blue screen of death (BSOD) to make you panic.

desktop.JPG

bsod.JPG

Enough; now it's time to remove this stupid thing!

1. Boot your computer into "Safe Mode" and disable System Restore.

2. Stop the active malware service: type services.msc into Run or at the command prompt.

services.JPG

3. Find the service named CbEvtSvc (or something similar), open its Properties, click Stop, set the Startup type to Disabled, then click OK.

4. Repair the registry entries changed by the malware using this INF script:

テあ[Version]
Signature=”$Chicago$”
Provider=nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKCU, Control Panel\Desktop, ConvertedWallpaper,0, “”
HKCU, Control Panel\Desktop, OriginalWallpaper,0, “”
HKCU, Control Panel\Desktop, SCRNSAVE.EXE,0, “”
HKCU, Control Panel\Desktop, Wallpaper,0, “”
HKCU, Software\Microsoft\Internet Explorer\Desktop\General, BackupWallpaper,0, “”
HKCU, Software\Microsoft\Internet Explorer\Desktop\General, Wallpaper,0, “”

[del]
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, lphc7nvj0e52e
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, services
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, SMrhc3nvj0e52e
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, rhc3nvj0e52e.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, NoDispBackgroundPage
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, NoDispScrSavPage
HKLM, SYSTEM\CurrentControlSet\Services\6127a5e3
HKLM, SYSTEM\ControlSet002\Services\6127a5e3
HKLM, SYSTEM\ControlSet001\Services\6127a5e3
HKLM, SYSTEM\ControlSet001\Services\CbEvtSvc
HKLM, SYSTEM\ControlSet002\Services\CbEvtSvc
HKLM, SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKLM, SYSTEM\ControlSet001\Services\CbEvtSvc
HKLM, SYSTEM\CControlSet002\Services\CbEvtSvc
HKLM, SOFTWARE\Microsoft\software notifier
HKLM, software\Microsoft\Windows\CurrentVersion\Uninstall\rhc3nvj0e52e
HKLM, software\rhc3nvj0e52e
HKLM, software\Microsoft\Windows\CurrentVersion, rhc3nvj0e52e
HKLM, software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKLM, SOFTWARE\Microsoft\Software Notifier
HKLM, SYSTEM\ControlSet001\Services\125c1fb5
HKLM, SYSTEM\ControlSet002\Services\125c1fb5
HKLM, SYSTEM\CurrentControlSet\Services\125c1fb5

Save this script as repair.inf and run it by right-clicking it and choosing Install, or download it here: repair.inf
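Before you right-click Install on any repair.inf you downloaded, it is worth knowing exactly which keys it will write and which it will delete: in the [DefaultInstall] section, AddReg names a section whose lines are `root, subkey, valuename, flags, value` (an empty value name means the key's default value, and a doubled `""` inside a quoted field is a literal quote), while DelReg names a section whose lines delete a single value when a third field is present and the whole key when it is not. The following Python dry-run parser is an added example, not part of the original post or of any Windows tool; it embeds an excerpt of the repair.inf above as constructed input and only prints what the script would do, touching no registry.

```python
# Excerpt of the repair.inf above, embedded so the dry run works offline.
# It is a raw, single-quoted string because the INF text itself contains
# runs of double quotes (the INF escape for a literal quote is "").
REPAIR_INF = r'''
[Version]
Signature="$Chicago$"
Provider=nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Control Panel\Desktop, SCRNSAVE.EXE,0, ""

[del]
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, lphc7nvj0e52e
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, SMrhc3nvj0e52e
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, NoDispScrSavPage
HKLM, SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKLM, SYSTEM\CurrentControlSet\Services\6127a5e3
'''


def split_inf_fields(line):
    """Split one INF line on commas, honouring quoted fields and the "" escape."""
    fields, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if in_quote:
            if c == '"':
                if i + 1 < len(line) and line[i + 1] == '"':
                    cur.append('"')      # doubled quote -> literal quote
                    i += 2
                    continue
                in_quote = False         # closing quote
            else:
                cur.append(c)
        elif c == '"':
            in_quote = True
        elif c == ",":
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur).strip())
    return fields


def parse_inf(text):
    """Map section name -> list of non-empty, non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def plan_changes(text):
    """Return (adds, dels): what [DefaultInstall] would write and delete."""
    sections = parse_inf(text)
    install = {}
    for line in sections.get("DefaultInstall", []):
        key, _, val = line.partition("=")
        install[key.strip()] = val.strip()
    adds, dels = [], []
    for sec in filter(None, (s.strip() for s in install.get("AddReg", "").split(","))):
        for line in sections.get(sec, []):
            f = split_inf_fields(line)
            f += [""] * (5 - len(f))              # pad missing trailing fields
            root, subkey, name, _flags, value = f[:5]
            adds.append((root, subkey, name or "(Default)", value))
    for sec in filter(None, (s.strip() for s in install.get("DelReg", "").split(","))):
        for line in sections.get(sec, []):
            f = split_inf_fields(line)
            name = f[2] if len(f) > 2 and f[2] else None   # None -> whole key
            dels.append((f[0], f[1], name))
    return adds, dels


def describe(adds, dels):
    """Human-readable dry-run lines, in the order the INF lists them."""
    out = [f'SET    {r}\\{k} : {n} = "{v}"' for r, k, n, v in adds]
    for r, k, n in dels:
        out.append(f"DELETE {r}\\{k}" + ("  (whole key)" if n is None else f" : {n}"))
    return out


if __name__ == "__main__":
    print("\n".join(describe(*plan_changes(REPAIR_INF))))
```

The same dry run works on the full repair.inf if you paste it into `REPAIR_INF` or read it from disk; a deletion that shows up as "(whole key)" when you expected a single value is exactly the kind of mistake this catches before the script runs.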

5. Delete the files listed below (if your OS is on drive D:, replace C:\ with D:\, and so on):

C:\WINDOWS\system32\CbEvtSvc.exe
C:\Documents and Settings\Your User Name\Local Settings\Temp\lfq0kzgs.exe
C:\Documents and Settings\Your User Name\Local Settings\Temp\.xx1.tmp.vbs (xx=random).
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\smss.exe
C:\WINDOWS\system32\lphc7nvj0e52e.exe
C:\WINDOWS\system32\phc7nvj0e52e.bmp
C:\WINDOWS\system32\blphc7nvj0e52e.scr
C:\windows\system32\drivers\xxx.sys (xxx random with size 108 KB)
C:\Documents and Settings\LocalService\Application Data\584289103.exe
C:\Program Files\rhc3nvj0e52e
C:\Windows\system32\pphc7nvj0e52e.exe
C:\Documents and Settings\LocalService\Application Data\rhc3nvj0e52e
C:\Documents and Settings\Your User Name\Application Data\rhc3nvj0e52e.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\Your User Name\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
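Because the component names in this list are partly random (the same suffix after "phc" and "rhc" recurs across lphc…exe, blphc…scr, pphc…exe and the rhc… folder), a checker that matches on the naming pattern rather than the exact names from one infection is more useful than a fixed list. The Python scanner below is an added example, not the post's own tool: the regular expressions generalise from the names above and the character class and suffix length are assumptions, the rule that smss.exe belongs only in system32 reflects the Startup-folder copy in the list, and the directory tree it scans is constructed in a temporary folder with placeholder files so it runs safely on any OS.

```python
import os
import re
import shutil
import tempfile

# Name heuristics generalised from the file list above (assumed suffix
# length 8-12 of [0-9a-z]; real infections vary the suffix per machine).
NAME_PATTERNS = [
    (re.compile(r"^(?:l|bl|p)?phc[0-9a-z]{8,12}\.(?:exe|bmp|scr)$", re.I), "rogue AV component"),
    (re.compile(r"^rhc[0-9a-z]{8,12}(?:\.exe)?$", re.I), "rogue AV install dir/exe"),
    (re.compile(r"^CbEvtSvc\.exe$", re.I), "malware service binary"),
]


def is_system32(dirpath):
    return os.path.basename(dirpath).lower() == "system32"


def classify(dirpath, name):
    """Return a reason string if `name` in `dirpath` looks like a dropped file, else None."""
    for pat, reason in NAME_PATTERNS:
        if pat.match(name):
            return reason
    # The genuine smss.exe lives in system32; a copy in a Startup folder is persistence.
    if name.lower() == "smss.exe" and not is_system32(dirpath):
        return "smss.exe outside system32"
    return None


def scan(root):
    """Walk `root` and return sorted (relative path, reason) pairs for files and dirs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify(dirpath, name)
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, name), root), reason))
    return sorted(hits)


# Constructed sample tree mirroring the paths in the list above; every file
# is an empty placeholder, nothing here is real malware.
SAMPLE_TREE = [
    "WINDOWS/system32/CbEvtSvc.exe",
    "WINDOWS/system32/lphc7nvj0e52e.exe",
    "WINDOWS/system32/blphc7nvj0e52e.scr",
    "WINDOWS/system32/smss.exe",       # legitimate location, must not be flagged
    "WINDOWS/system32/notepad.exe",    # legitimate, must not be flagged
    "Documents and Settings/All Users/Start Menu/Programs/Startup/smss.exe",
    "Program Files/rhc3nvj0e52e/rhc3nvj0e52e.exe",
]


def build_sample_tree(root):
    for rel in SAMPLE_TREE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not malware\n")


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return the hits."""
    root = tempfile.mkdtemp(prefix="avxp08-")
    try:
        build_sample_tree(root)
        return scan(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:28s} {path}")
```

To use it on a real drive, call `scan("C:\\")` from a clean boot environment and review the hits before deleting anything; the pattern match is a lead, not proof, so confirm each file with your antivirus before removing it.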

6. Delete your temporary files using ATF Cleaner.

7. Finally, scan with your best up-to-date antivirus to make sure the system is clean.

Done! Now go get some coffee and send some my way, he he he :)
