ARP Spoofing: Genius code from China Series 2, Microsoft.vbs Microsoft.bat Microsoft.pif

D**n those f***ing Chinese! *joke* 😛

This is a new variant of the Microsoft.vbs virus, whose cleanup I wrote up about a month ago when it hit my cybercafe and broke it completely, he he... Most people now know this virus as the ARP virus. After studying it more closely I put it in the HIGH RISK category: remove it as soon as possible, before it infects your whole network.

First, how to tell this virus is active on your computer: you get error pages most of the time when browsing, or errors when using messenger; you find the files Microsoft.vbs, Microsoft.bat and Microsoft.pif on the drive where your OS is installed; your computer gets slow; your internet connection gets slower than usual; and it floods your network until some billing systems (the ones that talk over TCP/IP) stop responding.

It's hard to know when your computer is infected, because it only shows small errors when browsing, and sometimes it stays inactive (looking like a clean computer) until you have been idle for some minutes or hours.

arp-spoofing-1.jpg

When you browse you don't feel anything wrong... but look at the page source and the evil is waiting there 😀

arp-spoofing-3.jpg

This is the clean page source of google.com, not injected with any code.. but when the virus is active you will see something like this..

arp-spoofing-2.jpg

Holy s**t, what is that!!! 😛

So the answer is: the virus goes active when you use the internet, by browsing or chatting on messenger. Basically any Internet Explorer activity can wake it up! Keep in mind that the infected machine impersonates the gateway and rewrites the HTTP pages passing through it, so a clean computer on the same LAN sees the injected code too; the computer showing it is not necessarily the infected one. Enough, let's remove this virus permanently and stop it from coming back.
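A small script to spot the kind of injection the screenshot of the google.com source shows, as an added example (not the author's tool, and not something from the original post). Given the raw HTML of a page and the host it was fetched from, it lists every iframe and external script whose host differs from the page's own, flags iframes sized 0x0 or hidden (the usual shape of a drive-by injection; that shape is an assumption here, the post only shows that code appears in the source), and marks hosts that are on a blocklist such as the domain list near the end of this post. The HTML and the blocklist subset below are constructed for the demo.

```python
"""Find off-host iframes/scripts injected into a fetched page.

Added example for this post, not the author's code. The sample HTML is
constructed: a google.com-like page with an injected hidden iframe and an
injected external script. BLOCKLIST is a subset of the domains listed in
the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKLIST = {"hk.www404.cn", "err.www404.cn", "w3og.cn", "www.aujoy.cn"}

SAMPLE_HTML = """<html><head><title>Google</title>
<script src="/js/search.js"></script></head>
<body><form action="/search"><input name="q"></form>
<iframe src="http://hk.www404.cn/x.htm" width="0" height="0" frameborder="0"></iframe>
<script src="http://222.1212l112.net/a.js"></script>
</body></html>"""


class InjectFinder(HTMLParser):
    """Collect every <iframe> and <script> start tag that carries a src."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        if a.get("src"):
            self.found.append((tag, a))


def _hidden(attrs):
    """True for the 0x0 / display:none shapes drive-by iframes usually take."""
    width = (attrs.get("width") or "").strip("\"' ")
    height = (attrs.get("height") or "").strip("\"' ")
    zero = width in ("0", "0px") and height in ("0", "0px")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return zero or "display:none" in style or "visibility:hidden" in style


def find_injections(html, page_host, blocklist=BLOCKLIST):
    """Return one dict per iframe/script whose host is not the page's host."""
    parser = InjectFinder()
    parser.feed(html)
    hits = []
    for tag, attrs in parser.found:
        host = urlsplit(attrs["src"]).hostname
        if host is None or host == page_host:
            continue  # relative or same-origin reference: not what we hunt
        hits.append({
            "tag": tag,
            "src": attrs["src"],
            "host": host,
            "hidden": tag == "iframe" and _hidden(attrs),
            "blocklisted": host in blocklist,
        })
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_HTML, "www.google.com"):
        print(hit)
```

Run it against the source of a page you know should be clean (save the page from the browser and feed the file in); on a LAN with an active spoofer, the same page fetched from a clean computer still shows the hits, which is the point made above.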

You can use Colasoft MAC Scanner (shareware) to scan your network. If you find a computer whose MAC address is the same as your gateway's, unplug that computer from the network and clean it before you put it back. Why? If you clean an infected machine while it is still connected, the virus keeps spreading to the other computers on your network, and once you clean one it calls its files back from another infected machine. So don't waste your time on this stupid game: UNPLUG IT to stop it spreading in the network!

arp-spoofing-4.jpg
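The same duplicate-MAC check can be done from the local ARP cache without the scanner. The script below is an added example (not the author's tool and not part of Colasoft MAC Scanner): it parses the text printed by the Windows `arp -a` command and reports every host that claims the same MAC as the gateway, and optionally compares the gateway's MAC with a known-good value you recorded while the LAN was clean. The ARP table in it is constructed for the demo, with 192.168.1.1 assumed as the gateway and 192.168.1.37 as the host spoofing its MAC.

```python
"""Flag hosts that share the gateway's MAC in the Windows ARP cache.

Added example for this post, not the author's code. SAMPLE_ARP_OUTPUT is a
constructed `arp -a` listing; live_arp_table() reads the real one.
"""
import re
import subprocess
from collections import defaultdict

# One `arp -a` entry on Windows: IP, MAC with dashes, then the Type column.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.MULTILINE,
)

SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.37          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _norm(mac):
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: (mac, type)} with MACs normalised to lowercase colon form."""
    return {ip: (_norm(mac), kind.lower()) for ip, mac, kind in ARP_LINE.findall(text)}


def find_duplicate_macs(table):
    """Return {mac: [ips]} for every MAC seen on more than one IP (broadcast ignored)."""
    by_mac = defaultdict(list)
    for ip, (mac, _kind) in table.items():
        if mac != BROADCAST:
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip, known_good_mac=None):
    """Verdict for the gateway entry.

    'gateway-mac-changed'   the cache already holds a MAC other than the one
                            you recorded on a clean LAN (cache is poisoned);
    'duplicate-gateway-mac' another IP answers with the gateway's MAC;
    'ok'                    neither symptom present.
    """
    entry = table.get(gateway_ip)
    if entry is None:
        return {"status": "gateway-not-in-cache", "suspects": []}
    gw_mac, kind = entry
    suspects = sorted(ip for ip, (mac, _) in table.items()
                      if mac == gw_mac and ip != gateway_ip)
    status = "ok"
    if known_good_mac and gw_mac != _norm(known_good_mac):
        status = "gateway-mac-changed"
    elif suspects:
        status = "duplicate-gateway-mac"
    return {"status": status, "gateway_mac": gw_mac, "type": kind, "suspects": suspects}


def live_arp_table():
    """Parse the real cache. Only the Windows `arp -a` layout is handled."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return parse_arp_table(out)


if __name__ == "__main__":
    print(check_gateway(parse_arp_table(SAMPLE_ARP_OUTPUT), "192.168.1.1"))
```

Run it a few times over an hour or two: as the author notes in the comments, the virus is not always active, so a single clean reading proves little. A `gateway-mac-changed` verdict means this computer is already being redirected; the IP listed under `suspects` is the one to unplug.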

Now get Security Task Manager and kill any strange process running in the background (usually one with an IE icon, with DLL files loaded). Delete Desktopwin.dll, Jview.dll and ThunderAdvise.dll (they sit in the AppPatch folder under the Windows directory), and clear the AppInit_DLLs registry value that loads them into every process.

Done. Now get HijackThis and restore your hosts file: open the Misc Tools section, under System tools choose Open hosts file manager, and delete every line after 127.0.0.1 localhost. You can also do this with Notepad; the hosts file is at %systemroot%\system32\drivers\etc\hosts. If the lines keep coming back, the virus process is still running: kill it first, then fix the hosts file.

Now get ATF Cleaner and delete all cookies, history and the Java cache.

Repair your registry back to normal with this INF file. Save it as repair.inf, then right-click it and choose Install (or run: rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\path\repair.inf).

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Clear AppInit_DLLs so the virus DLLs are no longer loaded into every process
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",AppInit_DLLs,0x00000000,""
; Make sure these keys exist with no stray data (harmless if already present)
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

[del]
; Remove the two values that make Explorer load the virus DLLs at logon
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",ThunderAdvise
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",DesktopWin

Or download repair.inf.

To stop the virus coming back from other computers over the network, disable the default (administrative) shares with this INF file:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
; Stop the Server service from recreating C$, ADMIN$ and friends (DWORD 0)
HKLM,"SYSTEM\CurrentControlSet\Services\lanmanserver\parameters",AutoShareWks,0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\lanmanserver\parameters",AutoShareServer,0x00010001,0

Or download disable-default-share.inf, then run restart-net-service.bat to restart the Server service so the change takes effect. Note that these two values only suppress the administrative shares (C$, ADMIN$ and so on); shares you created yourself stay, although restarting the service drops any open sessions.

Disable AutoRun, so the virus can't come back from a USB flash disk or other removable media, with this INF file:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
; NoDriveTypeAutoRun = 0xFF (255) turns AutoRun off for every drive type
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoDriveTypeAutoRun,0x00010001,0xFF
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",NoDriveTypeAutoRun,0x00010001,0xFF

Or download disable-autoplay.inf.

To stop the virus from coming back by putting its old files in place again, let's create dummy files with the same names in their place: download dummy.bat!

Last, scan with your BEST antivirus/antimalware to make sure your system is clean! Another trick to stop the virus re-infecting your computer is to add a static ARP entry for the gateway from a command prompt: arp -s <gateway-ip-address> <gateway-mac-address>. A static entry is not overwritten by the spoofed replies, but on Windows XP it is lost at reboot, so put the command in a startup batch file. Yet another trick is to block the sites the virus updates itself from, by pointing them at 127.0.0.1 in the hosts file. Here is a list of websites detected so far as virus update sources:

972.aksjd11.com
w3og.cn
qazc.fourtw.cn
www.aujoy.cn
www.hao601.cn
www.psp476.cn
222.1212l112.net
444.1212l112.net
555.1212l112.net
111.1212l112.net
root.51113.com
hk.www404.cn
err.www404.cn

(There are still a lot more out there.. BLOCKING ALL .cn domains might solve this problem hahaha 😛)

Anyway, this method can't really stop the virus from updating: as soon as the creator switches websites again we have to update the block list manually.
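The two hosts-file jobs above (finding the lines the virus added after 127.0.0.1 localhost, and pinning the update sites to 127.0.0.1) can be done with one script. This is an added example, not the author's tool and not the HijackThis hosts manager: audit_hosts() reports every mapping that is not the stock localhost line and says whether it hijacks a name to some other IP or pins it to loopback, and build_clean_hosts() emits a fresh hosts file containing localhost plus a sinkhole line for each domain in the list above. The sample hosts content is constructed; the file path is the standard Windows one, and writing it needs administrator rights.

```python
"""Audit a Windows hosts file and rebuild it with the block list.

Added example for this post, not the author's code. SAMPLE_HOSTS is a
constructed hosts file with one hijacked name and one AV site pinned to
loopback; BLOCKED_DOMAINS is the list given in the post.
"""
import os

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")
LOOPBACK = {"127.0.0.1", "::1"}

BLOCKED_DOMAINS = [
    "972.aksjd11.com", "w3og.cn", "qazc.fourtw.cn", "www.aujoy.cn",
    "www.hao601.cn", "www.psp476.cn", "222.1212l112.net", "444.1212l112.net",
    "555.1212l112.net", "111.1212l112.net", "root.51113.com",
    "hk.www404.cn", "err.www404.cn",
]

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.20.30.40     www.google.com     # hijack: browsing goes to an attacker host
127.0.0.1       www.kaspersky.com  # an AV update site pinned to loopback
"""


def parse_hosts(text):
    """Return [(ip, [names])] for each non-comment line, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def audit_hosts(text):
    """Classify every entry that is not the stock localhost mapping.

    'hijack'  a name pointed at a non-loopback IP (traffic redirected);
    'blocked' a name pinned to loopback (fine only if you put it there).
    """
    findings = []
    for ip, names in parse_hosts(text):
        if ip in LOOPBACK and names == ["localhost"]:
            continue
        kind = "blocked" if ip in LOOPBACK else "hijack"
        findings.append({"ip": ip, "names": names, "kind": kind})
    return findings


def build_clean_hosts(blocked_domains=BLOCKED_DOMAINS):
    """Stock localhost line plus one sinkhole line per blocked domain."""
    lines = ["127.0.0.1\tlocalhost"]
    lines += ["127.0.0.1\t%s" % d for d in blocked_domains]
    return "\n".join(lines) + "\n"


def write_clean_hosts(path=HOSTS_PATH, blocked_domains=BLOCKED_DOMAINS):
    """Overwrite the hosts file (admin rights; clear the read-only bit first)."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(build_clean_hosts(blocked_domains))


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(build_clean_hosts())
```

Do the audit before the rewrite: a 'hijack' entry tells you which sites the virus was redirecting, and a 'blocked' entry for an antivirus vendor explains why updates were failing. The rewrite is only worth doing after the virus processes are dead, otherwise the lines come straight back.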

Done (finally)... now use your computer as usual for 1-2 hours and see if the virus comes back.. 😀


24 thoughts on "ARP Spoofing: Genius code from China Series 2, Microsoft.vbs Microsoft.bat Microsoft.pif"

  1. Hello Istanto, it attacks my internet cafe. I've tried to clean up following the instructions, but why does it appear again as soon as anyone uses the Internet? It makes me dizzy... I'm confused about the cafe because the virus is...

  2. @bowo: its first name was the Microsoft virus; now the name has changed to the ARP virus :)

    @cencen: if the internet cafe/office network has been infected it is hard to clean up. The best way is to cut all connections in the network and not clean up one by one while still plugged in unless you are 100% sure the virus is clean, because it has the ability to call itself back from any computer on the network that still has the files it needs. Say computer A is clean and computer B still has the virus: a little later computer B will keep requesting the file from your computer, and if it is not found it will request it from the website (made by the one spreading the virus) until it is complete and active in the network again, and then spreads itself. So the best way is to clean all of them and make sure each one is 100% clean before it re-enters the network. Clearly this virus can make your head and heart hot 😛

  3. My office often has this every few days. When connecting to a common site there is a network timeout or the network is interrupted; even to get into the wireless router sometimes I have to restart the router. I scanned using Colasoft MAC Scanner, but there was no sign of a duplicate MAC address. Could this be caused by the ARP virus?

    Thanks for the answer (if not here, via email).

  4. @Ricky: not necessarily caused by the ARP virus; first observe more closely what it is. Try using the MAC scanner after the computers have been active for 2-3 hours.. The easiest way to find out about an ARP virus infection is to look in %systemroot%\WINDOWS\AppPatch\ for the files Desktopwin.dll, Jview.dll or ThunderAdvise.dll; if any one of those files is there, sir, the network is confirmed infected with the ARP virus.

  5. The step using HijackThis cannot delete the line(s) after 127.0.0.1; after deleting they reappear, in other words they cannot be deleted. I have tried writing it manually too and that also cannot; I made sure the path and filename are correct and kept the window open, even with Save As... I am confused because the cafe has been closed for 2 days now... please enlighten me... thx

  6. Ow.. That is very definitely the ARP virus. Make sure all the active virus processes in the background are dead; if you still can't, skip that step first, then when all the steps are finished fix the hosts file.

    Please note: for ALL computers on the cafe network, pull the LAN cable for a while. MAKE SURE THE COMPUTER BEING CLEANED IS NOT CONNECTED UNDER ANY CIRCUMSTANCES, NO FILES IN/OUT, NO OTHER VIRUSES (such as Alman/Sality) ARE ACTIVE. If you clean this virus only halfway it is difficult to exterminate and will instead give you a headache, because it can restore itself from another computer on the same network that looks uninfected, or via the internet.

    I highly recommend reinstalling all PCs in the cafe and giving them Deep Freeze protection so this virus does not interfere with your business.

    Good luck :)

  7. It seems I must reinstall, because I have done everything Istanto wrote and it is still not right.
    Oh yes, I have 3 partitions; do all of them need to be formatted, or just C:? Please help

  8. It's not fixed because it is still there and active on other computers in the same network.. Well, if you don't know where the virus is located, better just reinstall, especially in your condition with a vulnerable cafe network. You should scan with Norman Malware Cleaner first; I save the important files and then format all partitions. Remember to use protection like Deep Freeze, so that if it is infected again you won't be stressed by reinstalling over and over.

  9. Istanto, I want to ask what causes the ARP virus to be active: is it microsoft.bat, .pif and .vbs?? Because I've cleaned them but it is still active. Please enlighten me, thanks in advance....

  10. He.. he.. he.. it's active because the backup is still there, so the virus recovers itself on the network 😀 Bro, are you also dizzy from the ARP virus, same as shirro? My suggestion for an internet cafe is best to reinstall all PCs and keep them protected, rather than going back and forth, which can be stressful, bro 😛

  11. When I tried,,, apparently after "disable-default-share.inf and activate it restart-net-service.bat" the LAN becomes unreadable, so I can't share data between the PCs... How to enable it back?? Please help.. thx

  12. Istanto, my cafe has Deep Freeze on everything but still got infected. The virus is smart: it can exist in another partition, D:, which is not in Deep Freeze because it is for saving data. It is not visible; the attrib command in cmd doesn't get through there, and a scan using the latest KAV update also doesn't find it. If I rename the proxy's direct interface it disconnects. I got a time-out on line 2213 from the Winbox web at mirotik.co.id; I had just installed Windows XP with no programs yet, downloaded Winbox directly, and when used it directly disconnected all the networks. Wow, a creepy virus, yes; I had to close the internet cafe for 5 days, and it was only 7 PCs, what if it were tens? The ghost just appears again; I was forced to install manually.

  13. @luvluv: redo the settings in "Set up a home or small office network", but there is a risk with sharing files, even within the scope of the intranet.

    @Ridwan: Sorry about that; this virus is crowned in the recalcitrant category! According to my version 😀

  14. Sir, is it clear that for this virus I must format all partitions, or just C:? Because I share the internet in the RT/RW-net model. If I format all partitions I might get scolded by the clients :D. Which antivirus can detect and clean this virus? I use NOD and it cannot detect this virus

  15. To be safe, format all partitions so nothing is left, otherwise it will come back again and that's a headache hehe.. Until now, as far as I know there are no automated antivirus/3rd-party tools that can clear the virus completely, so use the manual way and check every hour whether there are still signs of life :P I might suggest Norman antivirus as perhaps the best approach

  16. For safety it seems all partitions should be formatted, but that seems difficult to apply because the clients protest, sir. I tried scanning with Kaspersky and detected 12 trojans on drive C. Most hide in Documents and Settings and Temporary Internet Files, but unfortunately Kaspersky cannot delete them. Then I scanned in safe mode with System Restore turned off; the scan was about 90% through, but suddenly the computer restarted itself. In normal mode the virus lives longer. hahaha...

    My next plan, with my friends, is to format the C drive + reinstall Windows on the client computers, then update to SP3 and install antivirus. I hope this is a powerful way to get rid of this damn virus

    arp -s at the command prompt: on the client computer, with a static ARP entry on the client, then is the client interface (gateway) set to reply-only on the proxy server? Because I use a proxy server...

    Your guidance please, sir

  17. I forgot one thing. The trojan's destination site is mk.cxaaaa.cn/xx.htm. Is that still a kind of ARP-spoofing trojan virus as well? Because I looked for mic.vbs, mic.bat, mic.pif and they are just not on C:, but the symptoms seem the same....

  18. Our computer has been infected by Deathlock. Can I restore the infected files back? What file types contain this virus!!!

  19. I was recommended this web site by my cousin. I'm not sure whether this post was written by him, as nobody else knows in such detail about my problem.
    You are amazing! Thanks!

  20. Useful information. Fortunately I discovered your website by accident,
    and I am surprised this accident didn't come about earlier!

    I bookmarked it.
