virus

Remove MaHaDeWa VBS.Autorun.AM

Look… another lame virus maker… This virus is not dangerous at all, but it will surely make you a little angry when your computer slows down and some of your configuration changes. The Mahadewa virus was written in Visual Basic Scripting (VBScript, not Visual Basic), so it can be deactivated simply by renaming or deleting wscript.exe in your system32 folder.

This lame virus maker is a real noob, hehehe… he created a BIG virus, LOL! Usually a virus is kept small so it spreads fast, but this one is really crazy: it is so big it made me laugh really hard today.

[image: mahadewa-1]

Wait! I think I know this virus creator. Here he is!

[image: fat-blogger]

Hahaha… I'm just joking, don't take it seriously, people…

How to know whether your computer is infected by the Mahadewa virus:

1. Your Internet Explorer title bar (header) has changed.

[image: mahadewa-2]

2. Your Internet Explorer start page has changed to “https://webkom”

3. Your computer name and organization have changed.


Remove Nadia Saphira Virus W32/VBTroj.AOQB

This virus infected my cybercafe server on 25/05/2009. I am not sure where it came from; it looks like it arrived on a user's flash disk in my cybercafe. After studying it, I am sure this virus can be removed manually.

The script of this virus is almost the same as bulubebek; I think the creator is the same person. Some people on forums say this virus is a reincarnation of bulubebek. Sadly, most antivirus companies did not detect this virus; the only one that could detect it was SMADAV, although Norman also detects it as W32/VBTroj.AOQB.

Nadia Saphira virus characteristics:

  • File size 17 KB and 69 KB
  • File type “Application”
  • File extensions .exe and .ini
  • Uses a folder icon
  • Creates a duplicate folder based on the folder name and hides the real folder
  • Removes Folder Options
  • CD-ROM can't be used
  • Command Prompt can't be accessed
  • Registry Editor can't be opened

Like the bulubebek virus, Nadia Saphira was created with Visual Basic. If it succeeds in infecting your system it creates the following files:

  • autorun.inf (on all root drives)
  • NadiaSaphira.ini (on all root drives)
  • Documents and Settings\All Users\Start Menu\Programs\Startup\lan.exe
  • Documents and Settings\%User%\NadiaSaphira.ini
  • WINDOWS\taskmgr.exe
  • WINDOWS\system32\.exe
  • WINDOWS\system32\allsys.exe
  • WINDOWS\system32\misconfig.exe
  • WINDOWS\system32\MS586.sys
  • WINDOWS\system32\System
  • WINDOWS\system32\wtoolsb.exe
  • WINDOWS\system32\dllcache\.exe
  • WINDOWS\system32\dllcache\System

Like bulubebek, Nadia Saphira hides all your folders and replaces them with “fake” folders to trick newbies into activating the virus. It also blocks some Windows functions such as Folder Options, Registry Editor, Search/Find, and Command Prompt.

To make the virus harder to remove, its creator changes your registry and creates autorun entries that run when your computer starts up. The first file is lan.exe, which then calls the other files as backups. Take a look at the picture…

[image: nadia-saphira-virus]

Infection Method:

As I said at the top of the article, this virus uses your flash disk and hijacks the Windows AutoPlay function to spread. It creates autorun.inf files to spread itself through your system.

[image: nadia-saphira-virus-1]

Alright, enough. Let's remove this sh*t *lol*

How to Remove Nadia Saphira Virus W32/VBTroj.AOQB

1. Disconnect your computer from the network.

2. Turn off System Restore during the cleaning process (don't forget to turn it on again once you have removed the virus).

3. Because this virus blocks your Task Manager, you can use the third-party tool CurrProcess to kill the process and stop the active virus in your system:


8 Tools Kido/Conficker/Downadup Remover

Hi all, sorry for not blogging for 3 weeks; I'm just back after busy midterm exams at my campus. This came to my attention after analyzing the “keywords” that bring people to my blog: many of them are looking for virus removal. Reading the trends, many of them are infected by Kido/Conficker/Downadup, so… here is a short review of 8 tools to remove this virus and 5 steps to make sure your system is clean.

1. Kaspersky AVP Removal Tool

[image: kaspersky-avp-removal-tool]

Download Here

2. Norman Malware Cleaner

[image: norman-malware-cleaner]

Download Here

3. McAfee AVERT Stinger

[image: mcafee-avert-stinger]

Download Here


Remove K0pL4xZ Virus VBWorm.QTT

The “K0pL4xZ” virus, or VBWorm.QTT, is a computer virus that targets Microsoft Office files. It was created with Visual Basic; basically, K0pL4xZ changes the icon and file type of Microsoft Office documents.

To hide itself, K0pL4xZ uses the Windows Media Player Classic icon, but if you always work carefully you will notice that the file type is .exe. OK, let's remove it.

Step to Remove K0pL4xZ Virus VBWorm.QTT

1. Disconnect your computer from the network.

2. Turn off “System Restore” during the cleaning process.

3. Kill the active virus process running in the background using THIS third-party tool.

4. Repair your registry using the code below: save it as repair.inf, then right-click on it and choose Install, or just download it HERE.

; Save as repair.inf using plain ASCII double quotes. Inside a quoted value, "" stands for one literal quote.
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile,,,application
HKCU, Software\Microsoft\Internet Explorer\Main, start page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, "@C:\Windows\system32\notepad.exe,-469"
HKLM, SOFTWARE\Classes\Word.Document.8,,,"Microsoft Word Document"
HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe,1"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,,"Microsoft PowerPoint Presentation"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe,1"
HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,"Microsoft Excel Worksheet"
HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe,1"
HKLM, SOFTWARE\Classes\Access.Application.11,,,"Microsoft Office Access Application"
HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe,1"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,WarningIfNotDefault,0,"@shell32.dll,-28964"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, cintaku
HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName
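
A repair .inf like the one above is worth reading before you right-click Install, and its quoting rule is not obvious: inside a quoted INF string two consecutive double quotes stand for one literal quote, so the value written as """%1"" %*" restores the default command "%1" %* for exefile. The Python below is an added example, not code from the original post. It parses the AddReg/DelReg sections of a repair.inf, decodes the quoting, and lists what the file would set and which policy lock-outs (DisableRegistryTools, DisableTaskMgr, ...) it would delete; SAMPLE_INF is a constructed excerpt of the file above, retyped with plain ASCII quotes.

```python
"""Parse the AddReg/DelReg sections of a registry-repair .inf file.

Added example, not code from the original post. It decodes the INF quoting
rule ("" inside a quoted string is one literal quote; commas inside quotes
do not split fields) and lists what a repair.inf would restore or delete,
so the file can be reviewed before it is installed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the repair.inf shown above (plain ASCII quotes).
SAMPLE_INF = r'''
[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, "@C:\Windows\system32\notepad.exe,-469"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001,0

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, cintaku
'''

# AddReg flag values (setupapi FLG_ADDREG_TYPE_*); an empty flags field means REG_SZ.
REG_TYPES = {0x0: "REG_SZ", 0x00010001: "REG_DWORD",
             0x00020000: "REG_EXPAND_SZ", 0x00010000: "REG_MULTI_SZ"}


@dataclass(frozen=True)
class RegOp:
    action: str                  # "add" (AddReg) or "delete" (DelReg)
    root: str                    # HKLM, HKCU, ...
    subkey: str
    name: str                    # "" = the key's (Default) value, or the whole key for DelReg
    flags: int = 0               # AddReg flags; 0x00010001 = REG_DWORD
    value: Optional[str] = None  # decoded value; None for DelReg entries

    @property
    def reg_type(self) -> str:
        return REG_TYPES.get(self.flags, hex(self.flags))


def split_fields(line: str) -> list[str]:
    """Split an INF directive line on commas, honouring quoted strings.
    Inside "...", a doubled quote "" yields one literal quote and commas
    do not separate fields. Fields are returned stripped of padding."""
    fields, buf, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quote:
            if ch == '"' and line[i + 1:i + 2] == '"':
                buf.append('"')          # "" -> literal quote
                i += 2
                continue
            if ch == '"':
                in_quote = False         # closing quote
            else:
                buf.append(ch)
        elif ch == '"':
            in_quote = True              # opening quote
        elif ch == ",":
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf).strip())
    return fields


def parse_sections(inf_text: str) -> dict[str, list[str]]:
    """Group non-empty, non-comment lines under their [section] (names lower-cased)."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_ops(inf_text: str) -> list[RegOp]:
    """Return every registry add/delete that [DefaultInstall] would perform."""
    sections = parse_sections(inf_text)
    install = {}
    for entry in sections.get("defaultinstall", []):
        key, _, val = entry.partition("=")
        install[key.strip().lower()] = val
    ops: list[RegOp] = []
    for action, directive in (("add", "addreg"), ("delete", "delreg")):
        for sect in install.get(directive, "").split(","):
            for line in sections.get(sect.strip().lower(), []):
                root, subkey, valname, flags, value = (split_fields(line) + [""] * 5)[:5]
                if action == "add":
                    ops.append(RegOp("add", root, subkey, valname,
                                     int(flags, 0) if flags else 0, value))
                else:
                    ops.append(RegOp("delete", root, subkey, valname))
    return ops


def describe(op: RegOp) -> str:
    """One human-readable line per operation, e.g. for a review log."""
    key = f"{op.root}\\{op.subkey}"
    if op.action == "delete":
        return f"DELETE {key} : {op.name}" if op.name else f"DELETE KEY {key}"
    return f"SET    {key} : {op.name or '(Default)'} = {op.value!r} ({op.reg_type})"


def removed_policy_locks(ops: list[RegOp]) -> list[str]:
    """Names of Policies\\... values the file deletes, i.e. the lock-outs it undoes."""
    return sorted({op.name for op in ops
                   if op.action == "delete" and op.name
                   and "\\policies\\" in f"\\{op.subkey.lower()}\\"})


if __name__ == "__main__":
    ops = registry_ops(SAMPLE_INF)
    for op in ops:
        print(describe(op))
    print("policy lock-outs removed:", removed_policy_locks(ops))
```

Run it against the full repair.inf to get a line-by-line account of what Install will change; anything in the SET list that is not a known Windows default, or any DELETE that is not a policy value or an autorun entry you recognise, deserves a second look before the file is applied.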

5. Delete the file %systemroot%\Windows\desktop.ini using the DOS prompt.

Microsoft.lnk Shortcut Virus? Worm:PIF/Starter.A

Hello everyone, sorry for the late update to this blog; I have been really busy analyzing the forex market and growing my other business, and busy IRL too… 😀

Now my story…….

Last week my cousin told me he got a strange virus at his office. He said there were lots of shortcuts on the desktop and the computers were running slow. How exactly do newbies out there know which ones are real programs/folders and which ones are shortcuts? Don't say you're not a noob! Most people don't pay much attention to this simple difference, and that's why a virus maker can beat you with a simple social-engineering trick! 😛

LOOOOOOOOOOOOKKKKKKKK!!!!!!

[image: shortcut]

To know whether your computer is infected by this virus, there are 4 important points:

  1. In your “My Documents” folder there is a file named “database.mdb”.
  2. There are clone folders with the .lnk extension, at most the first 5 folders sorted by name, down to the second level of subfolders.
  3. There are files Autorun.inf, Thumb.db and Microsoft.lnk in each root drive and folder, down to the second level of subfolders. (You might not see them because they are set hidden.)
  4. Your Registry Editor is disabled.

The virus master is actually the file named “database.mdb” in the “My Documents” folder. Wait… you will see why it is called the virus master. The virus creates the folder clones by running through “wscript.exe”; wscript.exe is the Microsoft Windows-based Script Host program.


YM and Skype Virus:YouTube Lady_Eats_Her_Shit Worm:Coutsonif.A

Last week I got an IRC bot virus on my server. I don't know the virus name, but I cleaned it manually. We're not talking about that IRC bot virus here, because it was really simple to clean manually using the ANSAV UPX tool and Hidden Revealer; I cleaned it within a short 1 minute 😛 In this article we will write about cleaning the YM and Skype bot virus Worm:Coutsonif.A.

This virus spreads using social engineering and autorun.inf; since it uses social engineering, it spreads easily. Did you ever receive a message from a TRUSTED friend like this sample?

[image: coutsonif]

Listen to me: don't click any link in an email or anywhere else so easily, even if it comes from a trusted source. In this case social engineering can put you in a dangerous position. Think about what happens if the virus collects your financial information :p

When you download this virus it creates 2 random files in %systemroot%\Documents and Settings\%user%\Local Settings\Temp with the extensions .tmp and .exe, then creates vshost.exe with a size of 122 KB; that file will be present in the root of every drive.

The virus also creates other files:

  • %systemroot%\autorun.inf [all drive]
  • %systemroot%\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
  • %systemroot%\WINDOWS\system32\sysmgr.exe
  • %systemroot%\WINDOWS\TEMP\5755.tmp
  • %systemroot%\windows\system32\crypts.dll
  • %systemroot%\windows\system32\msvcrt2.dll

It also changes your registry so that it starts automatically when your computer boots. Besides that, the old autorun.inf technique is also adopted for spreading this virus:

[image: coutsonif-autorun]

The virus changes your registry to allow a maximum of only 11 active applications; it also limits your maximum port to port 8000 only.

Automatic Update:

This virus tries to automatically update itself from this address list:

66.90.103.169:99/a.exe
66.90.103.169:6666/lsass .exe
66.90.103.169:443/crss .exe
TCP:72.249.94.146:7008 Port:27
TCP:127.0.0.1:1092 Port:30
TCP:66.90.103.169:99 Port:29
TCP:66.90.103.169:6666 Port:30
TCP:66.90.103.169:443 Port:30
Port 80 IP:83.133.127.5
Port 80 IP:68.180.151.74
Port 25 IP:127.0.0.1
Port 80 IP:65.55.21.250
TCP:83.133.127.5:443 Port:17
TCP:65.54.186.47:443 Port:17
Port 80 IP:87.248.208.54
TCP:89.149.254.14:443 Port:21
Port 80 IP:64.4.33.7
Port 80 IP:207.46.11.121
Port 80 IP:65.54.186.47
Port 80 IP:88.221.26.64
TCP:65.55.16.123:443 Port:28
TCP:92.122.112.124:443 Port:28
TCP:92.122.112.124:443 Port:28
TCP:88.221.165.186:443 Port:29
TCP:88.221.165.186:443 Port:29
TCP:83.133.127.5:443 Port:18
TCP:89.149.254.14:443 Port:2
TCP:65.55.16.123:443 Port:27
TCP:65.54.186.47:443 Port:27
TCP:92.122.112.124:443 Port:27
TCP:92.122.112.124:443 Port:28
TCP:88.221.165.186:443 Port:28
TCP:89.149.254.14:443 Port:21

Simple steps to clean Coutsonif.A:

1. Disable “System Restore” during the cleaning process.

2. Disable the “AutoPlay/autorun” function by:


7 Simple Step to Remove Virus “Conficker” W32/Conficker.DV

Hello world! Is your network being attacked by Conficker? Hahaha… don't get mad, this virus can be removed in only 7 simple steps. Anyway, this virus makes some people mad because it attacks the network (they may have more trouble when trying to clean it) and of course your protection 😛. If we look more deeply, this virus uses mostly lame virus techniques, all included in one package *lol*… but the virus maker does understand and really knows how weak Windows protection is, so he makes you all mad 😛

How to detect whether your computer is infected by Conficker? There are many signs, like… the “Generic Host Process” error message; you can't access some important sites, e.g. www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com, www.avast.com, etc.; you can't update your antivirus; many applications don't work as usual, especially network applications; and many more signs.

This virus is UPX-compressed with a size of 162 KB. You might have trouble trying to kill the virus process because it (again) uses the lame technique of running a .dll file under a fake svchost.exe. The virus is not active right away: it starts by downloading some image files and creating temporary files, then builds itself (again) LAME! *lol*

Once the virus build is complete, it starts disabling some Windows services. The virus blocks any of the following strings it finds in each active application; here is the list:


Remove Vista Virus: huhuhaha VBS/Autorun.AO

Who says a new version of an operating system would be safer and better than the older version?!?! In this case virus troublemakers show how they can adapt their technique to touch a new version of the operating system: the “huhuhaha” virus has touched Windows Vista, even though it is categorized as a low-risk virus.

The “huhuhaha” virus was created in VBScript, and its size is around 6 KB. Its spreading technique is almost the same as the classic autorun.inf technique. Here is the virus structure:

  1. autorun.inf (in all root drive)
  2. huhuhaha.vbs (in all root drive)
  3. %systemroot%\WINDOWS\system32\XpWin.vbs

How to detect when you are infected by this virus?

1. Look at your Run command.

[image: huhuhaha-run]

2. System Restore is deactivated automatically.

3. Look at your browser header (title bar).

[image: huhuhaha-browser]

4. It disables UAC (User Account Control). The Vista team describes this function as better protection for Vista, and now it's already broken, so who says Vista is safe?

[image: huhuhaha-uac]

5. It changes the registered name and organization in your registry to “huhuhaha”.

6. It deactivates Safe Mode and tries to cause a BSOD (Blue Screen of Death) when you try to access “safe mode”.

[image: huhuhaha-bsod]

7. It turns off the “Security Center” function.

How to clean your computer of huhuhaha VBS/Autorun.AO:

1. Unplug your computer from the network.

2. Kill the active virus process. Because this virus runs as VBScript, it uses “wscript.exe” to run in the background. Kill wscript.exe by selecting End Process.


6 Step to: Remove Jengkol Virus

Jengkol… what a stupid virus name. Jengkol is a traditional food in Indonesia; I don't know whether to categorize it as a food or a fruit… some people like to eat this thing, but I'm not one of those crazy ones. THE SMELL *LOL*

[image: jengkol]

Alright, I think there is no need to explain more about what jengkol is, ha..ha..ha..

The effect of the Jengkol virus is that it logs off your computer once you execute an .INF file or when you edit a .VBS file. The virus works by hiding all files it finds with the .DOC extension. You work in a big company? When this happens your boss will fire you *LOL*

Alright, let's remove this virus from your computer with 6 simple steps.


ARP Spoofing:PART III, W32/RootKit.STG, Gameeeeeee.vbs, Gameeeeeee.pif

This is a new variant from those d**n Chinese virus makers. It works the same way as the older technique in ARP Spoofing part II. If you look at the file names they use, this team looks like a gamer team in China. What are they looking for? Spoofing your logins, getting your financial information, getting your sensitive information, etc.

Know your enemy!

How does this virus actually work? It attacks your network, no matter what operating system or browser you're using: this virus can reach Windows, Linux and Mac. The virus itself is active on the Windows platform, but on Linux or Mac with Wine installed it can be active too! Browser? Any browser can be hijacked: Internet Explorer, Mozilla Firefox, Opera, even the new Google browser Chrome! In short: “anyone, anything can be infected by this virus”.

To know whether this virus is active in your computer, the easiest way is to look at the Yahoo Messenger script error; the code for this virus is “]

[image: yahoo.jpg]

Like the older version, it hijacks the source of any website you access, injecting modified code through a fake gateway that is infected for virus spreading. You have to stop accessing the internet if you already know you're infected.

[image: hijack.jpg]

Once active this virus will
