
Computer And Internet, Personal

If your computer and Internet connection feel slower than usual, you may be infected by W32/Obfuscated.J (Trojan.Downloader2.25378). This new Trojan uses your Internet connection to send your information to its server and to update itself. Be careful when you use your computer for business: it may steal your credit card or bank information. Would you want to wake up and find that someone has stolen your money? I don't think so; no one wants that to happen, including me.

W32/Obfuscated.J (Trojan.Downloader2.25378) is written in C. There are two important files for this virus, .exe and wjdrive32.exe; both are 49KB, have the hidden attribute set, and are located in the \windows\ folder.

Like older malware, W32/Obfuscated.J (Trojan.Downloader2.25378) spreads via removable devices and hides in the RECYCLER folder. (I'm not sure whether this Trojan can spread over the network, since I eliminated it before it grew in my network.)

It's very easy to detect whether your computer is infected by W32/Obfuscated.J (Trojan.Downloader2.25378); just take a look at the information below.

Computer And Internet, Personal, Tips & Trick

Computer viruses always use social engineering to infect their victims. Whenever there is gossip, virus creators use that gossip to spread their virus, e.g. "Paris Hilton xxx movies", "what the FBI is hiding from us", etc. This time they're using Facebook's popularity to infect Facebook fans. This virus has also been reported bundled with fake antispyware security tools.

When you see this on your monitor, it means you're already infected.

Just ignore this fake antispyware warning; if you follow it, you will get more viruses on your computer or your operating system will be corrupted.

How to Remove Facebook Virus W32/Obfuscated.D2!genr:

1. It's recommended to run Windows in "Safe Mode" during the cleaning process. Back up all your important data first!

2. Disable "System Restore" during the cleaning process.

3. Disconnect your computer from the local network.

4. Download "Unlocker" and install it.

5. Download "Security Task Manager", then kill the active virus processes running in the computer's background.

[Version]
Signature="$Chicago$"
Provider=nobody

[DefaultInstall]
AddReg=inject
DelReg=rem

[inject]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,userinit,0, "userinit.exe"

[rem]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,47543326
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,PromoReg
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,reader_s
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableProfileQuota
HKLM, SOFTWARE\AGProtect
HKLM, SOFTWARE\47543326
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network, UID
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion, Rlist
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{8FFA689D-2C2B-2B2E-D865-74C04CA4EF06}

Computer And Internet, Short Reviews

Hi all, sorry for not blogging for 3 weeks; I'm just back after a busy mid-term test at my campus. This came to my attention after analyzing the "keywords" that bring people to my blog. Many of them are looking for virus removal. Looking at the trends, many of them are infected by Kido/Conficker/Downadup, so here's a short review of 8 tools to remove this virus and 5 steps to make sure your system is clean.

1. Kaspersky AVP Removal Tool

2. Norman Malware Cleaner

3. McAfee AVERT Stinger

Computer And Internet, Miscellaneous, Tips & Trick

The "K0pL4xZ" virus, or VBWorm.QTT, is a computer virus that targets Microsoft Office files. It was created in Visual Basic; basically, K0pL4xZ changes the icon and file type of Microsoft Office files.

To hide itself, K0pL4xZ uses the Windows Media Player Classic icon, but if you always work carefully you will notice that the file type is .exe. OK, let's remove it.

Steps to Remove the K0pL4xZ Virus (VBWorm.QTT)

1. Disconnect your computer from the network.

2. Turn off "System Restore" during the cleaning process.

3. Kill the active virus process in your computer's background using this third-party tool.

4. Repair your registry using the code below: save it as repair.inf, then right-click on it and choose Install, or just download it HERE.

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile,,,application
HKCU, Software\Microsoft\Internet Explorer\Main, start page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, "@C:\Windows\system32\notepad.exe,-469"
HKLM, SOFTWARE\Classes\Word.Document.8,,,"Microsoft Word Document"
HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe,1"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,, "Microsoft PowerPoint Presentation"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe,1"
HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,"Microsoft Excel Worksheet"
HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe,1"
HKLM, SOFTWARE\Classes\Access.Application.11,,,"Microsoft Office Access Application"
HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe,1"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,WarningIfNotDefault,0,"@shell32.dll,-28964"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, cintaku
HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName

5. Delete the file %systemroot%\Windows\desktop.ini using the DOS prompt.
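Before applying either repair.inf above (the one for W32/Obfuscated.D2!genr and the one for K0pL4xZ), and again afterwards, it helps to see which of the values they touch actually differ from the Windows defaults. The following PowerShell script is an added example, not code from the original post: it reads the keys that the [inject]/[UnhookRegKey] sections restore and the [rem]/[del] sections remove, and reports deviations without changing anything. The expected values are the ones the .inf files write (the Userinit check also accepts the full-path form a clean system normally carries); the function names Get-RegValue and Test-RegistryRepairState are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): read-only audit of the registry
# values that the repair.inf scripts above rewrite or delete. Nothing is
# written; it only reports what differs from the defaults the .inf restores.

$expected = @(
    # File-type handlers: each must launch the file itself, nothing else.
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Value = 'regedit.exe "%1"' },
    # Logon and safe-mode persistence points the worms hijack.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'Explorer.exe' },
    # Clean systems usually hold "C:\Windows\system32\userinit.exe," so match by pattern.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Value = 'userinit.exe'; Pattern = '^(?:.*\\)?userinit\.exe,?$' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Value = 'cmd.exe' },
    # Explorer view settings the worm flips so its .exe files stay out of sight.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Value = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Value = 1 }
)

# Policy values the [del]/[rem] sections remove; any non-zero value means
# Task Manager, regedit, cmd or Folder Options is still locked down.
$lockdowns = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RegistryRepairState {
    $findings = @()
    foreach ($e in $expected) {
        $actual = Get-RegValue -Path $e.Path -Name $e.Name
        $ok = if ($e.ContainsKey('Pattern')) { "$actual" -match $e.Pattern } else { "$actual" -eq "$($e.Value)" }
        if (-not $ok) {
            $findings += [pscustomobject]@{ Kind = 'Changed'; Key = "$($e.Path)\$($e.Name)"; Expected = $e.Value; Actual = $actual }
        }
    }
    foreach ($l in $lockdowns) {
        $actual = Get-RegValue -Path $l.Path -Name $l.Name
        if ($null -ne $actual -and $actual -ne 0) {
            $findings += [pscustomobject]@{ Kind = 'Lockdown'; Key = "$($l.Path)\$($l.Name)"; Expected = '<absent>'; Actual = $actual }
        }
    }
    # Autostart entries: the .inf deletes specific names (reader_s, System, ...);
    # list everything under Run so an unfamiliar entry stands out for review.
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $findings += [pscustomobject]@{ Kind = 'Autostart'; Key = "$run\$($p.Name)"; Expected = '<review>'; Actual = $p.Value }
        }
    }
    return $findings
}

$result = @(Test-RegistryRepairState)
if ($result.Count -eq 0) { 'No deviations from the expected defaults found.' }
else { $result | Format-Table -AutoSize -Wrap }
```

Because it only reads, it is safe to run before cleaning to confirm the hijack and again after the .inf has been installed to confirm the keys were actually restored. Autostart entries are listed rather than judged, since legitimate software also registers itself under Run; compare the names against the [rem]/[del] sections above and against what you know is installed.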

Computer And Internet, Miscellaneous

Hello world! Is your network being attacked by Conficker? Hahaha... don't get mad, this virus can be removed in just 7 simple steps. Anyway, this virus makes some people mad because it attacks the network (they may have more trouble trying to clean it) and, of course, your protection :P. If we look more deeply, this virus uses mostly lame virus techniques, all bundled into one package *lol*... but on the other hand the virus maker understands and really knows how weak Windows protection is, so he makes you all mad :P

How do you detect whether your computer is infected by Conficker? There are many signs, such as: "Generic Host Process" error messages; you can't access some important sites, e.g. www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com, www.avast.com, etc.; you can't update your antivirus; many applications don't work as usual, especially network applications; and many more.

This virus is packed with UPX and is 162KB in size. You might have trouble trying to kill the virus process because it (again) uses a lame technique: running as a .dll loaded by a fake svchost.exe. The virus is not active immediately; it first downloads some image files, creates temporary files and then builds itself (again), LAME! *lol*

Once the build is complete, it starts disabling some Windows services. The virus blocks any of the following strings it finds in each active application; here is the list: