HKLM

Remove virus AMBURADUL (all varian)

They never been stop spreading their knowledge…. and we also never let them alive forever. This is the article how to remove amburadul virus for all varian no need for antivirus program you can simply clean it using manual technique. The simple way to know if your computer infected by this virus is you will see JPEG files with aplication extension. Now let’s start to remove it! 1. Unplug your infected computer from your network to stop this virus spreading. 2. Disable “System Restore” when in cleaning process. 3. Kill the virus process using power tools “currprocess” kill all process… Read More »Remove virus AMBURADUL (all varian)

How To Remove W32/Obfuscated.J (Trojan.Downloader2.25378)

If you feel your Computers and Internet slower than usual you may get infected by W32/Obfuscated.J (Trojan.Downloader2.25378). This new Trojan will using your Internet connection to send your information to their server and updated their self. Carefully when you’re using your computers for business, they may stole your credit cards or bank information. Would you get up from your sleep and find out someone stole your money? I don’t think so… no one would that happening including myself. W32/Obfuscated.J (Trojan.Downloader2.25378) created using C language. There is 2 important files for this virus it was .exe and wjdrive32.exe, both of file… Read More »How To Remove W32/Obfuscated.J (Trojan.Downloader2.25378)

HOW TO: Remove Facebook Virus W32/Obfuscated.D2!genr

Computer virus always using sociable technique to infecting their victims. When there is gossip virus creator always using this gossip to spreading their virus ex:paris hilton xxx movies, what FBI hidding from us, etc. This time they’re using facebook popularity to infect all facebook fans. This virus also has been reported bundled with FAKE antispyware security tools. When you see this on your monitor that mean you’re already infected. Just ignore this fake antispyware warning, if you follow it you will get more virus infected your computer or your operating system gonna be corrupt. How to Remove Facebook Virus W32/Obfuscated.D2!genr… Read More »HOW TO: Remove Facebook Virus W32/Obfuscated.D2!genr

8 Tools Kido/Conficker/Downadup Remover

Hi all sorry for not blogging for 3 weeks, I’m just back after busy middle test in my campus. This come to my attention after analyze “keyword” that bring people reaching my blog. Many of them looking for virus removal. After reading on people trends many of them are infected by Kido/Conficker/Downadup so… here’s the short review for 8 tools to remove this virus and 5 steps to make sure your system clean.

1. Kaspersky AVP Removal Tool

kaspersky-avp-removal-tool

Download Here

2. Norman Malware Cleaner

norman-malware-cleaner

Download Here

3. McAfee AVERT Stinger

mcafee-avert-stinger

Download Here

Read More »8 Tools Kido/Conficker/Downadup Remover

RELATED SEARCH TERMS:

Remove K0pL4xZ Virus VBWorm.QTT

“K0pL4xZ” Virus or VBWorm.QTT is computer virus that targeted on Microsoft Office files. This virus has been created using Visual Basic, Basically K0pL4xZ will change the icon and file type Microsoft Office.

To hiding K0pL4xZ will use Windows Media Player Classic icon, but if you always working carefully you will know this file type is .exe, OK let’s remove it.

Step to Remove K0pL4xZ Virus VBWorm.QTT

1. Disconnected your computer from network.

2. Turn off “System Restore” when in cleaning process.

3. Kill active virus process in your computer background using THIS 3rd tool.

4. Repair your registry using code below save it as repair.inf the right click on it choose install, or just download it HERE

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SOFTWARE\Classes\exefile,,,application
HKCU, Software\Microsoft\Internet Explorer\Main, start page,0, “about:blank”
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, “about:blank”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, “Organization”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, “Owner”
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, “@C:\Windows\system32\notepad.exe,-469″
HKLM, SOFTWARE\Classes\Word.Document.8,,,”Microsoft Word Document”
HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,”C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-01500 48383C9}\wordicon.exe,1″
HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,, “Microsoft PowerPoint Presentation”
HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,”C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-015 0048383C9}\pptico.exe,1″
HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,”Microsoft Excel Worksheet”
HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,”C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-01500483 83C9}\xlicons.exe,1″
HKLM, SOFTWARE\Classes\Access.Application.11,,,”Microsoft Office Access Application”
HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,”C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-01 50048383C9}\accicons.exe,1″
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,WarningIfNotDefault,0,”@ shell32.dll,-28964″

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DIsablecmd
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, cintaku
HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName

5. Deleted file %systemroot%\Windows\desktop.ini using DOS prompt.
Read More »Remove K0pL4xZ Virus VBWorm.QTT

RELATED SEARCH TERMS:

7 Simple Step to Remove Virus “Conficker” W32/Conficker.DV

Hello world! Are your network attacking by Conficker? hahaha.. don’t get mad this virus can be removed using 7 simple step only. Anyway this virus make some people mad because it’s attacking network (they might have more trouble when try to clean it) and of course your protection 😛 , If we look more deeply this virus using mostly lame virus technique included all in one packet *lol*…. but in advanced the virus maker understand and really know hows really weak windows protection so he make you all mad 😛

How to detect if your computer infected by conficker? There many sign like…. Error message Generic Host Process, You can’t access some important site ex: www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com, www.avast.com, etc. You can’t update your antivirus, Many application not working like usually specially network application, and many more sign.

This virus created with UPX compression with size 162kb, You might get trouble when try to killed this virus process because it’s (again) using lame technique by running .dll files following fake svchost.exe file. Virus is not automatically active, it will starts download some images files and created temporary files then building himself (again) LAME! *lol*

Once virus build completed it will starts to disabled some windows services, Virus will blocking any string he found on each active application, here is the list:

Read More »7 Simple Step to Remove Virus “Conficker” W32/Conficker.DV

RELATED SEARCH TERMS:

Remove Vista Virus: huhuhaha VBS/Autorun.AO

Who says new version of operating system would be safe and better than older version ?!?! In this case virus trouble maker show how they can adapted their new technique to touching new version of operating system. In this case “huhhaha” virus has been touched windows vista even it categorized as low risk virus.

“huhuhaha” virus has been created using language “VBScripting” virus size around 6 kb. Spreading technique almost same with classic technique using autorun.inf .. here us virus structure :

  1. autorun.inf (in all root drive)
  2. huhuhaha.vbs (in all root drive)
  3. %systemroot%\WINDOWS\system32\XpWin.vbs

How to detect when you get infected by this virus?

1. look on your run command.

huhuhaha-run

2. System restore deactivated automatically.

3. On your browser header.

huhuhaha-browser

4. Disable UAC (User Account Control) function, Vista team clarify this function as better protection for vista and now it’s already broken so who say vista are safe?

huhuhaha-uac

5. Change registry on name and organization on your registered version to become “huhuhaha

6. De-activated safe mode function, and try to make BSOD (Blue screen of death when you try to access “safe mode”.

huhuhaha-bsod

7. Turned off “security center” function.

How to clean your computer from huhuhaha VBS/Autorun.AO:

1. Unplug your computer from network.

2. Kill active virus process, in this case because this virus run as “VBScript” it will used file “wscript.exe” to run in computer background. Kill wscript.exe by select end process.

Read More »Remove Vista Virus: huhuhaha VBS/Autorun.AO

RELATED SEARCH TERMS:

Remove W32/VBWorm.QXE (bulubebek)

Bulubebek virus has been made using visual basic with size 53kb. Bulubebek Virus very easy to removed using some manual technique. Once virus active it will created master files:

  • \Windows\Script.exe
  • \Windows\LSASS.exe
  • \Documents and Settings\%user%\autorun.inf
  • \Documents and Settings\%user%\bulubebek.ini
  • \bulubebek.ini
  • \autorun.inf

When virus active it will blocking some windows functions such as task manager, folder option, command prompt and more… This virus spreading (usually because it was designed) using flashdisk media by creating autorun.inf files.

bulubebek_autorun.JPG

Hidden folder and duplicate folder

Bulubebek has been designed and working almost same with older brontox varian, it will hidden your real folder and make duplicate .exe files with folder icon to tricky some newbie out there.

Step to cleaning bulubebek virus

1. I recommended to unplug your computers from your network, not really necessary but I think it’s gonna be safe.
2. Disable “System Restore” when in cleaning process.Read More »Remove W32/VBWorm.QXE (bulubebek)

RELATED SEARCH TERMS: