Computer And Internet, Personal

Two days after I had already cleaned mso.sys from my server, it started spreading again across my local network yesterday and downloaded a new Trojan called Virut.56, which then infected one of my client computers. I think I was lucky, because I detected this Trojan early, before it infected all the clients. I'm pretty sure this is a new Virut variant that comes from mso.sys. It's a really bad, bad Trojan and very hard to remove with manual techniques.

Signs that you're infected by this Trojan:

  1. When your computer starts up you will see two IEXPLORE.exe processes running in the background.
  2. Once it has taken full control of your computer you will see VRTxxx.TMP in your process list (xxx = random characters from 1 to z), and sometimes a randomly named executable is created in your user profile folder.
  3. You can't open anti-virus websites; to test this, try to browse to www.microsoft.com.
  4. If you monitor your traffic, the Trojan will try to communicate with its server. I don't know who owns this IP, but it is certainly located and registered in CHINA!
  5. Your executable programs sometimes don't work properly.
  6. Your Internet connection is slower than usual.
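A read-only triage script for the signs listed above, added here as an example and not part of the original post. The process and file names come from the post; the hosts-file and DNS checks are my assumption about how the vendor sites get blocked, which the post does not state.

```powershell
# Added example, not from the original post: a read-only triage of the Virut signs
# listed above. Process/file names come from the post; the hosts-file check is my assumption.
function Test-VirutSigns {
    $findings = @()

    # Sign 1: two (or more) IEXPLORE.EXE processes right after start-up.
    $ie = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)
    if ($ie.Count -ge 2) {
        $ids = ($ie | ForEach-Object { $_.Id }) -join ', '
        $findings += "iexplore.exe running $($ie.Count) times (PIDs $ids)"
    }

    # Sign 2: VRTxxx.TMP processes and stray executables in the user profile folder.
    foreach ($p in @(Get-Process | Where-Object { $_.ProcessName -like 'VRT*' })) {
        $findings += "suspicious process $($p.ProcessName) (PID $($p.Id))"
    }
    foreach ($f in @(Get-ChildItem -Path $env:USERPROFILE -Filter *.exe -Force -ErrorAction SilentlyContinue)) {
        $findings += "executable in profile folder: $($f.FullName)"
    }

    # Sign 3: vendor sites unreachable. Assumed mechanism: hosts-file or DNS tampering,
    # which shows up as a loopback answer or a resolution failure for www.microsoft.com.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('www.microsoft.com')
        if ($addrs | Where-Object { $_.ToString() -like '127.*' }) {
            $findings += 'www.microsoft.com resolves to loopback (hosts file tampered?)'
        }
    } catch {
        $findings += "www.microsoft.com does not resolve: $($_.Exception.Message)"
    }
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($m in @(Select-String -Path $hosts -Pattern 'microsoft\.com' -ErrorAction SilentlyContinue)) {
        $findings += "hosts file entry: $($m.Line.Trim())"
    }

    return $findings
}

$result = @(Test-VirutSigns)
if ($result.Count -eq 0) { 'No Virut indicators found.' } else { $result }
```

Run it from a clean-booted (safe mode) session if possible, since an active infection can hide processes from the listing.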

Those are some signs to confirm you're infected by this Trojan. This is a really tough Trojan: when I tried to remove it manually it kept coming back again and again. Even after I restored a clean image with Ghost it came back really fast! This Trojan infects everything, not only .exe files but .htm and .txt files too, especially commonly used Windows files, for example explorer.exe, userinit.exe, svchost.exe and many more.


If you get infected by the Virut Trojan you actually don't need to re-install your whole system. That information was false (but it's fine): when I tried following it the Trojan came back within seconds. So don't waste your time re-installing the system; it won't work!

How to repair your computer if it is infected by Trojan Virut.56:

1. Make sure your computer is completely disconnected from the local network and the Internet, so the Trojan can't hide from or escape the scanner.

2. Download Dr. Web CureIt! and burn it to a CD/DVD (to make sure it's not infected I used a non-rewritable CD). Why use CureIt? I tried other anti-virus, anti-malware and anti-spyware tools and none of them worked right! This is not a promotion!

3. Boot your computer in safe mode (recommended), then run Dr. Web CureIt! and scan your whole system, including removable devices (if any). Don't use the express scan or a custom scan; it must be a complete scan, so that no infected file is left behind, or you may cry.

4. After the scan completes (usually in 3-6 hours), reboot your computer and try connecting it to the local network and the Internet. Always check your background processes; if you find something strange there, disconnect from the local network and the Internet and re-scan your whole system again.

5. If you're connected to the local network/Internet, can browse to www.microsoft.com, and there is nothing strange running in the background, take a deep breath: the Trojan has been assassinated!

That's my share for today, have a nice day 😀



My server just got infected by this virus yesterday from a client's USB drive. The effect was that my computer ran slowly and Windows Explorer kept crashing if I opened too many programs. It's very easy to remove this virus; just keep reading this short article…

To tell whether you're infected by this virus: your computer runs very slowly, especially anything that uses explorer.exe. You will find a file named “recycler.lnk” in the C:\ drive, and also an “Internet explorer.lnk” (without an icon) in your start menu. When you try to delete this shortcut it comes back and your computer becomes even slower.

The virus spreads from USB drives. If you find out your computer is infected, don't plug USB drives into it, and if you can, unplug the infected computer from the local network to stop it spreading.


How To Remove the Recycler.lnk Virus:

1. Disconnect your computer from the Internet/local network.

2. Close all running programs, press CTRL+ALT+DEL to open Task Manager and kill all processes named “Rundll32.exe”.

3. Go to the C:\ drive, open Folder Options, View tab, select “Show hidden files and folders”, un-check “Hide protected operating system files (recommended)”, then click Apply.

4. Find the file named “mso.sys” in the root of the C:\ drive and delete it. Don't worry, this is a fake system file which is actually the core of this virus.

5. Run MSConfig (Start -> Run -> type “msconfig” without quotes) and remove “recycler.lnk” and “Internet Explorer.lnk” from your startup list.

6. Delete “recycler.lnk” in C:\ and “Internet explorer.lnk” in your start menu, then restart your computer.

7. It's done. Your computer should be back to normal again.

That's my share for today, have a nice day 😀



My cybercafe just got infected by this virus yesterday. It spreads from removable devices that users plug into my server. It's really annoying because my computers start to hang for 10 seconds, then run again, but very slowly. What I noticed: Windows gives a low virtual memory notification, I cannot run Internet Explorer (but I can still run other .exe applications), and I cannot shut down the computer. It also affects Internet connection speed, but I'm not really sure about that. When I type netstat -a at the command prompt I see a lot of established connections (maybe the virus is sending or downloading something).

Frustrated, I searched Google for the keyword services303.exe, but it only referred to non-virus results. I believe this is the first documented case of services303.exe. Luckily for me this virus didn't spread across my network, so I could stop it fast before it infected other computers. I tried scanning my computer with Malwarebytes, Avira, AVG and ESET NOD32, and none of them detected any virus *great*.

The main virus file is services303.exe, located at [WINDOWSDRIVE]\DOCUMENTS AND SETTINGS\[USERNAME]\APPLICATION DATA\MICROSOFT\SERVICES303.exe with the read-only and hidden attributes set.

It also changes your registry in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It is set to run services303.exe when the computer starts, with a fake program description claiming to be the Adobe speed launcher.


How To Remove Services303.exe

1. Boot your computer in safe mode.

2. Open a command prompt, go to the folder [WINDOWSDRIVE]\DOCUMENTS AND SETTINGS\[USERNAME]\APPLICATION DATA\MICROSOFT\ and type attrib -s -h /S /D.

3. Once attrib is done you will see the file named services303.exe; delete it! Don't forget to empty your recycle bin too.

4. Manually delete the services303.exe auto-start entry in the registry: Start -> Run -> regedit, and look in these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

5. Delete all temporary Internet and Windows files. Use ATF-Cleaner or CCleaner.

6. Scan the whole system with an updated antivirus.
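Steps 2 to 4 above as one script, added here as an example and not part of the original post. It reports the Run entries pointing at services303.exe, the file's attributes and its forged description, and only deletes anything when the hypothetical -Remove switch is given; paths and value names are the ones the post gives.

```powershell
# Added example, not from the original post: audit the two Run keys named above for the
# services303.exe entry, show the file's attributes and forged description, and
# optionally remove both. Paths and names come from the post; "-Remove" is my addition.
function Find-Services303 {
    param([switch]$Remove)   # report only unless -Remove is given
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'   # needs an elevated prompt
    )
    $report = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... bookkeeping properties; the rest are Run values.
        foreach ($prop in @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [string]$prop.Value
            if ($cmd -notmatch 'services303\.exe') { continue }
            # Drop quotes and any arguments to recover the executable path.
            $exe = (($cmd -replace '"', '') -replace '\.exe.*$', '.exe').Trim()
            $attrs = $null; $desc = $null
            if (Test-Path -LiteralPath $exe) {
                $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
                $desc  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).FileDescription
            }
            $report += New-Object PSObject -Property @{
                Key = $key; ValueName = $prop.Name; Command = $cmd
                Attributes = $attrs; Description = $desc
            }
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $prop.Name
                if ($attrs -ne $null) {
                    # Same effect as "attrib -s -h -r" before deleting the file.
                    (Get-Item -LiteralPath $exe -Force).Attributes = 'Normal'
                    Remove-Item -LiteralPath $exe -Force
                }
            }
        }
    }
    return $report
}

Find-Services303 | Format-List Key, ValueName, Command, Attributes, Description
# Find-Services303 -Remove   # once the report shows only the Trojan's entry
```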

Done. Your computer should be back to normal again. Have a nice day everyone 😀



If you feel your computer and Internet are slower than usual, you may be infected by W32/Obfuscated.J (Trojan.Downloader2.25378). This new Trojan uses your Internet connection to send your information to its server and to update itself. Be careful when you use your computer for business; they may steal your credit card or bank information. Would you want to wake up and find out someone stole your money? I don't think so… no one wants that to happen, including myself.

W32/Obfuscated.J (Trojan.Downloader2.25378) was created in the C language. There are 2 important files for this virus, .exe and wjdrive32.exe; both files are 49KB, have the hidden attribute and are located in the \windows\ folder.

Just like the older method, W32/Obfuscated.J (Trojan.Downloader2.25378) spreads via removable devices and hides in the recycler folder. (I'm not sure whether this Trojan can spread over the network, since I eliminated it before it grew in my network.)

It's very easy to tell whether your computer is infected by W32/Obfuscated.J (Trojan.Downloader2.25378); just take a look at the information below.


1. You'll see a lot of Visual Basic activity.

2. If you're running an old computer, the virus may sometimes crash your explorer.exe.

3. The virus sends your information to its servers; use the netstat command or another tool to see which ones.


When I checked those IPs using online IP whois information, some of them were located in JAPAN and some in the UNITED STATES. I think this is to confuse us about who created this Trojan.

4. The virus turns off your Windows firewall.
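The netstat check from sign 3, added here as an example that is not part of the original post: it parses "netstat -ano", joins each ESTABLISHED connection to its owning process, and flags destinations on a watch list. The two addresses in the watch list are constructed placeholders, not values from the post.

```powershell
# Added example, not from the original post: parse "netstat -ano" and show every
# ESTABLISHED connection with its owning process, so the server list above can be
# compared with live traffic. The watch list below is a constructed placeholder.
$WatchList = @('192.0.2.10', '198.51.100.7')   # constructed; put the addresses you are tracking here

function Get-EstablishedConnections {
    param([string[]]$Lines = (netstat -ano))   # pass captured output to analyse it offline
    $rows = @()
    foreach ($line in $Lines) {
        # Columns: Proto  Local Address  Foreign Address  State  PID (TCP only; UDP has no state)
        if ($line -notmatch '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') { continue }
        $local = $Matches[1]; $remote = $Matches[2]; $procId = [int]$Matches[3]
        $cut = $remote.LastIndexOf(':')         # works for "1.2.3.4:80" and "[::1]:445"
        $remoteIp = $remote.Substring(0, $cut)
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = '?'; $path = $null
        if ($proc) {
            $name = $proc.ProcessName
            try { $path = $proc.Path } catch { }   # system processes may refuse access
        }
        $rows += New-Object PSObject -Property @{
            Process = $name; PID = $procId; Local = $local
            RemoteIP = $remoteIp; RemotePort = [int]$remote.Substring($cut + 1)
            Watched = ($WatchList -contains $remoteIp); Path = $path
        }
    }
    return $rows
}

# Watched destinations first; many connections from one unexpected process is the tell.
Get-EstablishedConnections |
    Sort-Object Watched -Descending |
    Format-Table Process, PID, RemoteIP, RemotePort, Watched, Path -AutoSize
```

The regular expression expects the English "ESTABLISHED" state label; adjust it on a localized Windows.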

How to remove W32/Obfuscated.J (Trojan.Downloader2.25378)

1. Disconnect your computer from the local network/Internet.

2. Boot your computer in safe mode.

3. Download Dr.Web CureIt! (on a clean computer) and then zip it. Transfer the zipped file to your infected computer. Double-click the zip file and choose the main program. Scan all your computer's drives, including removable devices.

*ATTENTION: DON'T EXTRACT THE ZIP CONTENTS TO A FOLDER OR THEY MAY GET INFECTED!

4. Repair your registry using the code below:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=Repair
DelReg=Remove

; Restore the Explorer view settings and the shell "open" commands of the file types the
; Trojan hijacks. In an INF string a literal quote is written as "", so """%1"" %*" is "%1" %*.
[Repair]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKLM, SOFTWARE\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0,"Explorer.exe"

; Remove the auto-start values the Trojan adds. DelReg lines use the HKCU/HKLM short roots.
[Remove]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft Config Setup
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, (Default)
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, vyre32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, MS0593[1]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, Microsoft Config Setup
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Taskman
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, 12CFG214-K641-12SF-N85P

Save it as whateveryoulike.inf, right-click on it and choose Install. You may download repairtrojandownloader.inf from my site.

5. Restart your computer and then clean all temporary files (you can use Windows Disk Cleanup, but I recommend CCleaner).

6. If you don't want this virus coming back, update your Windows or get a good antivirus you trust.

Done, have a nice day 😀


Computer And Internet, Miscellaneous, Personal

After a week of analyzing the newest search keywords coming to my blog I found a lot of requests for articles about how to remove the Searchqu virus (around 5%). In this short article I will write how to remove the SearchQU virus and bring your computer back to normal.

Searchqu is a highly dangerous trojan which lures users into unknowingly performing harmful actions on a targeted computer. Searchqu poses as an antispyware application that displays deceptive warnings and misleading scan results, and then asks users to purchase it. Searchqu records the contents of all the instant messages you send or receive, along with the usernames and addresses of your IM partners. Searchqu records the entire contents of each chat room you visit and logs the usernames and addresses of other channel members. Searchqu pretends to be legitimate software, but in fact it's a virus many computer users currently have, and antivirus won't help; you need to remove Searchqu manually.


2 simple steps to remove the SearchQU virus

1. Delete these files manually:

%AppData%\searchqutoolbar\stat.log
%AppData%\searchqutoolbar\uninstallStatIE.dat
%AppData%\searchqutoolbar\uninstallIE.dat
%AppData%\searchqutoolbar\stats.dat
%AppData%\searchqutoolbar\guid.dat
%AppData%\searchqutoolbar\preferences.dat
%AppData%\searchqutoolbar\log.txt
%AppData%\searchqutoolbar\dtx.ini
%AppData%\searchqutoolbar\coupons\categories.xml
%AppData%\searchqutoolbar\
%AppData%\searchqutoolbar\version.xml
%AppData%\searchqutoolbar\coupons\merchants2.xml
%AppData%\searchqutoolbar\coupons\merchants.xml
%Temp%\searchqutoolbar-manifest.xml

Or you can create a batch file with content like this:

@echo off
rem Delete the Searchqu toolbar files listed above. The paths are quoted because
rem %AppData% normally contains spaces; /f also removes read-only files and /a matches hidden ones.
del /f /q /a "%AppData%\searchqutoolbar\stat.log"
del /f /q /a "%AppData%\searchqutoolbar\uninstallStatIE.dat"
del /f /q /a "%AppData%\searchqutoolbar\uninstallIE.dat"
del /f /q /a "%AppData%\searchqutoolbar\stats.dat"
del /f /q /a "%AppData%\searchqutoolbar\guid.dat"
del /f /q /a "%AppData%\searchqutoolbar\preferences.dat"
del /f /q /a "%AppData%\searchqutoolbar\log.txt"
del /f /q /a "%AppData%\searchqutoolbar\dtx.ini"
del /f /q /a "%AppData%\searchqutoolbar\coupons\categories.xml"
del /f /q /a "%AppData%\searchqutoolbar\version.xml"
del /f /q /a "%AppData%\searchqutoolbar\coupons\merchants2.xml"
del /f /q /a "%AppData%\searchqutoolbar\coupons\merchants.xml"
del /f /q /a "%Temp%\searchqutoolbar-manifest.xml"
rem Finally remove the toolbar folder itself ("del" on a folder only empties it, it does not remove it).
rd /s /q "%AppData%\searchqutoolbar"

Or download it from here

2. Remove these registry entries manually:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar “Searchqu Toolbar”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1\SearchQUIEHelper.DNSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID “SearchQUIEHelper.UrlHelper.1”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} “UrlHelper Class”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID “SearchQUIEHelper.UrlHelper”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\InprocServer32 “C:\PROGRA~1\WINDOW~4\ToolBar\searchqudtx.dll”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} “Searchqu Toolbar”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7} “Searchqu Toolbar”

Or download searchqu-repair.inf from my blog, then right-click on it and choose Install.

3. Done.
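A way to review what is actually hooked into Internet Explorer before deleting anything from the list in step 2, added here as an example and not part of the original post: it enumerates every Browser Helper Object registered in HKLM and resolves each CLSID to its name, ProgID and DLL, marking Searchqu entries and dangling registrations. The key names are the ones in the list above; the "Suspect" heuristic is my addition.

```powershell
# Added example, not from the original post: enumerate every Browser Helper Object
# registered in HKLM and resolve each CLSID to its name, ProgID and DLL, so the Searchqu
# entries above (and anything else hooked into Internet Explorer) can be reviewed first.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return @() }
    $result = @()
    foreach ($sub in @(Get-ChildItem -Path $bhoKey)) {
        $clsid  = $sub.PSChildName                       # the {GUID} subkey name
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = $null; $dll = $null; $progId = $null
        if (Test-Path $clsKey) {
            # "(default)" is how Get-ItemProperty exposes a key's default value.
            $name   = (Get-ItemProperty -Path $clsKey).'(default)'
            $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $progId = (Get-ItemProperty -Path "$clsKey\ProgID" -ErrorAction SilentlyContinue).'(default)'
        }
        $dllExists = $false
        if ($dll) { $dllExists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)) }
        $result += New-Object PSObject -Property @{
            CLSID = $clsid; Name = $name; ProgID = $progId; DLL = $dll; DllExists = $dllExists
            # A BHO whose CLSID is unregistered is a leftover; a Searchqu name/DLL is the target.
            Suspect = (-not (Test-Path $clsKey)) -or ("$name $progId $dll" -match 'searchqu')
        }
    }
    return $result
}

Get-BrowserHelperObjects | Sort-Object Suspect -Descending |
    Format-List CLSID, Name, ProgID, DLL, DllExists, Suspect
```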

I don't guarantee this will work for everyone; if there is a new variant these steps may not work. Have a nice day everyone! 🙂

