This is a new, stupid virus/trojan that redirects all your traffic to google.com (209.85.225.99). It infected my client on 01-01-2010. The virus was written in Visual Basic and is around 212-233KB in size; when active it also drops supporting files of random size.
How to know if you’re infected?
It’s very easy: if you are browsing the internet or opening an antivirus website and your page is always redirected to the Google website, you are infected by this virus.
Master Files
When this virus is active it creates some master files and downloads additional supporting files from the internet. It scatters its files across different locations to make cleaning harder. The virus also hides as a Windows service and a Windows driver.
This is the list of virus master files:
- %systemroot%\windows\system32
  - wmispqd.exe
  - Wmisrwt.exe
  - qxzv85.exe
  - qxzv47.exe
  - secupdat.dat
- %systemroot%\Documents and Settings\%user%\%xx%.exe, where xx is a random string; size 6KB (example: rclxuio.exe)
- %systemroot%\windows\system32\drivers
  - Kernelx86.sys
  - %xx%.sys, where xx is a random string; size 40KB (example: cvxqkopsd.sys)
  - Ndisvvan.sys
  - krndrv32.sys
- %systemroot%\Documents and Settings\%user%\secupdat.dat
- %systemroot%\Windows\inf
  - Netsf.inf
  - Netsf_m.inf
Spreading Technique and Virus Effects
This virus spreads through your network or any removable disk using the autorun technique. If we look back, almost every virus uses this same technique to spread, so it may be a good option to configure Windows to disable autorun.
The virus blocks some Windows functions such as System Restore, Windows Firewall, RPC/DCOM, etc. It also redirects most antivirus and security websites to google.com using the hosts file.
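The hosts-file redirect is the quickest thing to check, and the hosts file format is simple enough to audit by hand. The script below is an added example and is not part of the original post: it parses a hosts file (comments, tabs, several names per line), then flags any line pointing at the redirect IP named in the post, any security-vendor domain overridden at all, and any other non-local mapping. The vendor domain list, the sample hosts content and all function names are my own assumptions; the real file on XP lives at %systemroot%\system32\drivers\etc\hosts.

```python
"""Audit a Windows hosts file for redirects of security-vendor domains.

Added example, not from the original post. The IP and the symptom (security
sites redirected to google.com) come from the post; the vendor domain list,
the sample hosts content and all function names are constructed here.
"""
import ipaddress

# IP the post reports the trojan redirects to (google.com at the time).
REDIRECT_IP = "209.85.225.99"

# Constructed watch list of domains a hosts-file hijack typically targets;
# extend it with the vendors you actually use.
SECURITY_DOMAINS = {
    "avira.com", "norman.com", "kaspersky.com", "symantec.com",
    "mcafee.com", "trendmicro.com", "windowsupdate.com", "update.microsoft.com",
}

LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Handles '#' comments, blank lines, tabs and several hostnames per line;
    lines whose first field is not an IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((fields[0], host.lower()))
    return entries


def is_watched(hostname):
    """True if hostname equals or is a subdomain of a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return suspicious entries as (ip, hostname, reason) tuples.

    Flagged: any entry pointing at the redirect IP from the post; any watched
    security domain mapped anywhere (even to localhost, which blocks updates
    instead of redirecting them); and any other non-local mapping, which a
    normal workstation hosts file almost never contains.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if ip == REDIRECT_IP:
            findings.append((ip, host, "redirect to known hijack IP"))
        elif is_watched(host):
            findings.append((ip, host, "security domain overridden"))
        elif ip not in LOCAL_ADDRESSES:
            findings.append((ip, host, "non-local mapping"))
    return findings


# Constructed sample of what an infected hosts file looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
209.85.225.99   www.avira.com avira.com   # added by the trojan
209.85.225.99   www.norman.com
10.0.0.5        intranet.example.test
127.0.0.1       windowsupdate.com
"""

if __name__ == "__main__":
    for ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:30} {ip:16} {host}")
```

Run it against a copy of the hosts file taken from the offline system (Mini PE2XT or a slaved disk) rather than the running one, so the rootkit driver cannot hide what is actually on disk.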
How to Remove W32/SmallTroj.VPCG
1. Disable “System Restore” while you are cleaning.
2. Disconnect your computer from the network/LAN.
3. Rename msvbvm60.dll (%systemroot%\Windows\system32\msvbvm60.dll) to backup.dll. This step prevents the virus from activating: because it was written in Visual Basic it needs msvbvm60.dll to run, so once you rename that file the virus can’t start. After you have cleaned the virus I recommend renaming backup.dll back to msvbvm60.dll.
4. Delete the virus master files using Mini PE2XT. Because some of the rootkit components hide as a Windows service and driver, you need to boot your computer into Mini PE2XT and then follow these steps:
Menu -> Programs -> File Management -> Windows Explorer
Then delete the files listed under “Master Files” above in this article.
5. Delete the registry entries created by the virus using Mini PE2XT:
Menu -> Programs -> Registry Tools -> Avast! Registry Tools
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\passthru
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\%xx%
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\%xx%
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
* %windir%\system32\wmispqd.exe = %system%\wmispqd.exe:*:enabled:UpnP Firewall
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
* Change the string value Userinit to: userinit.exe
ATTENTION: %xx% is a random string; this service key is created to load the 40KB .SYS file.
6. Restart your computer, then save the following as repair.inf, right-click it and choose Install.
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the file-type handlers, the Winlogon shell, DCOM, the Security Center
; notifications, the LSA anonymous restriction and the "show hidden files" option.
; Inside an INF string a literal quote is written as two quotes, so """%1"" %*"
; sets the value to "%1" %* and "regedit.exe ""%1""" sets regedit.exe "%1".
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0

; Remove the policies, autostart entries and services the virus created.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
7. Delete all temporary internet files using ATF Cleaner.
8. Restore your hosts file using HostsXpert.
9. To make sure your system is totally clean and to prevent the virus from coming back, run a full system scan with Norman Malware Cleaner. If you don’t like Norman, I would recommend AVIRA.
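The registry locations in step 5 and the INF in step 6 double as a checklist for confirming the machine is clean afterwards. The script below is an added example, not part of the original post: it takes registry values exported from the offline hive (the Winlogon Userinit string, the firewall AuthorizedApplications list values, service ImagePaths and any Image File Execution Options debugger) and reports everything that matches the indicators from this post. The export dict format, the sample values and all function names are my own assumptions; only the file names, service names and registry locations come from the post.

```python
"""Audit exported registry values against the indicators this post lists.

Added example; it is not part of the post. Registry locations, file and
service names and the Userinit fix come from the post. The export format,
the sample values and every function name are constructed: on a real
machine fill the same dict from 'reg export' or 'reg query' output taken
from the offline hive, not from the running (infected) system.
"""
import ntpath

# Master-file names from the post, matched case-insensitively on the basename.
MASTER_FILES = {"wmispqd.exe", "wmisrwt.exe", "qxzv85.exe", "qxzv47.exe",
                "kernelx86.sys", "ndisvvan.sys", "krndrv32.sys"}
# Service names the post tells you to delete.
BAD_SERVICES = {"kernelx86", "passthru"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of %windir% prefixes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def parse_firewall_entry(value):
    """Split an AuthorizedApplications\\List value 'path:scope:state:name'.

    The path may contain a drive colon, so split from the right and keep
    everything before the last three fields as the path.
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an AuthorizedApplications value: {value!r}")
    path, scope, state, name = parts
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def userinit_is_clean(value):
    """True if Userinit only launches userinit.exe.

    The post sets the value to the bare 'userinit.exe'; a stock XP install has
    'C:\\WINDOWS\\system32\\userinit.exe,'. Both pass; any extra program
    appended after the comma (the usual hijack) fails.
    """
    programs = [p for p in value.split(",") if p.strip()]
    return len(programs) == 1 and basename(programs[0]) == "userinit.exe"


def audit_registry(export):
    """Return (location, detail) findings for an export dict with keys
    'userinit' (str), 'firewall_apps' (list of str), 'services'
    (service name -> ImagePath) and 'ifeo' (exe name -> Debugger value).
    """
    findings = []
    if not userinit_is_clean(export.get("userinit", "")):
        findings.append(("Winlogon\\Userinit", export.get("userinit")))
    for value in export.get("firewall_apps", []):
        entry = parse_firewall_entry(value)
        if entry["enabled"] and basename(entry["path"]) in MASTER_FILES:
            findings.append(("FirewallPolicy AuthorizedApplications", entry["path"]))
    for name, image in export.get("services", {}).items():
        if name.lower() in BAD_SERVICES or basename(image) in MASTER_FILES:
            findings.append(("Services\\" + name, image))
        elif ntpath.splitext(basename(image))[0] != name.lower():
            # The random %xx% service from the post has no fixed name; a driver
            # whose file name differs from its service name is only a lead for
            # manual review (several Microsoft drivers also differ), not proof.
            findings.append(("Services\\" + name + " (review)", image))
    for exe, debugger in export.get("ifeo", {}).items():
        # A Debugger value under Image File Execution Options silently replaces
        # the named program; the post lists one for ctfmon.exe.
        findings.append(("IFEO\\" + exe + "\\Debugger", debugger))
    return findings


# Constructed sample export resembling the state the post describes.
SAMPLE_EXPORT = {
    "userinit": "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wmispqd.exe",
    "firewall_apps": [
        "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
        "%windir%\\system32\\wmispqd.exe:*:enabled:UpnP Firewall",
    ],
    "services": {
        "Tcpip": "system32\\DRIVERS\\tcpip.sys",
        "kernelx86": "system32\\drivers\\kernelx86.sys",
        "mojbtjlt": "system32\\drivers\\cvxqkopsd.sys",
    },
    "ifeo": {"ctfmon.exe": "C:\\WINDOWS\\system32\\wmisrwt.exe"},
}

if __name__ == "__main__":
    for location, detail in audit_registry(SAMPLE_EXPORT):
        print(f"{location:45} {detail}")
```

The "(review)" findings are deliberately separate from the hard matches: the random-named driver can only be confirmed by checking the file the service points to (the post gives its size, 40KB, in the drivers directory), so the script hands you the list to inspect rather than deleting anything.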
Good luck! 🙂