Archive for August, 2009

Remove Green AV Antivirus

Saturday, August 29th, 2009



Green Antivirus 2009 is a sleek, professional-looking rogue spyware scanner that tempts its users to ‘upgrade for full real-time protection’ for a fee. The reality is that Green AV is a big, stinky scam. It’s hoping that, in fear, you make the mistake of purchasing the full version. All you will get if you do is more spyware and security holes, making your computer a hotbed for viruses. So let’s remove Green Antivirus before it does you any serious damage!

Green AV is usually promoted through the use of Trojans, fake online anti-malware scanners and other misleading websites. The rogue program is promoted on green-av-pro.com and green-av.com. Please stay away from these websites. It uses Microsoft Windows XP graphical user interface elements, logos and icons to make it look more reliable and reputable. Once installed, the rogue program will display fake security alerts claiming that your PC is under attack or that it is seriously infected. These fake security alerts look like legitimate ones from Windows Security Center. This parasite may also impersonate Windows Security Center and report that anti-virus protection is disabled.


Green AV manual removal:
Kill processes:
gav.exe
uninstall.exe

Unregister DLLs:
mgrdll.exe

Delete files:
gav.exe
uninstall.exe
mgrdll.exe

Delete directories:
C:\Program Files\Documents and Settings\All Users\Application Data\GAV
C:\Program Files\GAV

=======================
Note: The manual removal guide can be confusing if you are a newbie. In that case, manual removal is not recommended; use an auto removal tool instead.
To automatically remove spyware,
use one of these great removal tools:

Super Anti Spyware

Malware Bytes anti-malware (mbam.exe)

Spyware Doctor

=======================

How to enable or disable browser cookies

Thursday, August 27th, 2009



Help! How to enable cookies? Please help!
Well, I’m trying to check my grades online, but whenever I try to, it says that I need to enable cookies for a domain or something like that. How do I do that?

Brandon: If it’s a bar underneath your web bar, click it. If not, go to Internet Options under Tools, and I’m not sure but it should have a cookies tab.

Paul C: For Firefox: go to Tools > Options > Privacy tab and click “accept cookies from sites” and “accept third party cookies”.

For Internet Explorer: Tools > Internet Options > Privacy and set the cookies to what you want.

If you are using Safari I’m not sure what you do, and next time you post a question regarding a computer or internet problem, make sure to say your operating system or browser.

How to enable system restore windows xp disabled

Thursday, August 27th, 2009



How to enable the disabled System Restore option in Windows XP?
Yavben: Hello,
after recovering my comp from a spyware infestation

trying to enable System Restore, getting the following error:

“system restore encountered an error trying to enable/dissable one or more drives please restart your machine and try again”

Followed the instructions on Microsoft’s website, no change.

Did anyone encounter this? Please let me know how to fix this.
Configuration: Windows XP
Internet Explorer 7.0


ANSWER: Brakeers: Hi there, I don’t know if you have overcome your problem with System Restore. If not, follow these instructions; they worked for me.

Download System Restore/Enable File
Save it to a folder on your desktop and allow it to run. When it’s finished running, try to re-enable System Restore.
As I said in a previous listing, I had two computers with this fault and both now have System Restore enabled.

Hope this helps.
Kindest Regards Tony B.

How to reduce lower internet ping

Thursday, August 27th, 2009



QUESTION: Much more often now than before (CS Source update 20th Jan. 2006) I get kicked out because my ping is claimed to be too high.

I find that hard to believe since I got upgraded from 1Mbps to 8Mbps just two weeks ago.
I was wondering if other programs slurp my throughput or if my Norton Internet Security client effectively blocks half or all ICMP packets, which may be the protocol used by Steam to let hosted CS servers judge which clients to kick.
Four questions.

1. Which default program (in Windows) can I disconnect to boost my ping rate?

2. Will any tweaking in Norton give me a positive effect in ping capacity?

3. Are there any Registry tweaks that can make me a winner in my chase towards lower ping?

4. Could it be useful to get an external hardware firewall instead of my software?
This to tweak system performance in general.

ANSWER: Ping is not throughput. Keep that in mind. You can have a gigabit connection to your ISP, but if your ISP’s network sucks, pings can be high.

You can disable unneeded services, but to be honest, you’re probably not going to see a reduction in ping times.

Still not bad to disable stuff you don’t need anyway.

Disable the following services…

Alerter
Clipbook
Error Reporting Service
Help and Support
Indexing Service
Human Interface Device Access
Machine Debug Manager
Messenger
Network DDE
Network DDE DSDM
Routing and Remote Access
Secondary Logon
SSDP Discovery Service
Telnet
Themes
Wireless Zero Configurator (unless you use it for a wifi nic)

“2. Will any tweaking in Norton give me a positive effect in ping capacity?”


The best tweak is to get rid of it. Norton Security Suite is a piece of dog crap for security, and significantly reduces system performance. Replace it with McAfee or Grisoft’s AVG (even free AVG is fine), and good adware/spyware scanners such as Spybot Search and Destroy as well as Lavasoft’s Ad-Aware Personal Edition, both of which are free.

“3. Are there any Registry tweaks that can make me a winner in my chase towards lower ping?”

Try the above first.

“4. Could it be useful to get an external hardware firewall instead of my software?”

It IS useful. Good security is layered. You should for security reasons run both a SOHO NAT router with an SPI firewall AND a software firewall, even the built in Windows Firewall is good enough if you have the previously mentioned router. With an external router, unsolicited connection attempts are blocked before your computer even sees them, which helps reduce system resource consumption.

With that said, if there are tons of unsolicited connection attempts, even if the router blocks them before hitting your PC, they still consume bandwidth and can increase pings. That is part of the effective nature of a Denial of Service (DoS) attack.

A software firewall is STILL necessary even with the router. Routers do not block ANY connection originating *FROM* your PC. For example, if your computer gets hit with a downloader trojan that goes out to the internet to download more malware on to your machine without your knowledge, a router won’t do diddly squat to stop it. A software firewall however may be able to stop it. That’s why I recommend even the built in Windows Firewall. No, it’s not the best software firewall, but it is easy to manage, and does a decent job. Coupled with a router, a good anti-virus, and good anti-spyware/adware scanners, you’re in good shape.

Recommended router: Linksys WRT54G – includes wifi with WPA support if you need wireless as well. Includes SPI firewall. If you don’t need wireless, Netgear and Linksys both make good wired routers. If you do get the wifi router but don’t need wifi now, make sure to disable the wireless access point.

Bloodhound-exploit-196-removal

Thursday, August 27th, 2009



Bloodhound.Exploit.196 is a trojan downloader that restricts Windows system functions and installs additional malware onto the infected PC. Once it has infected the system, the trojan will execute harmful executable files and other payloads at every system start-up. Bloodhound.Exploit.196 is generally installed through spam email, adult websites or file sharing programs without the victim’s knowledge. Bloodhound.Exploit.196 is a harmful downloader trojan that can seriously harm a Windows system!

Clone vulnerabilities: Bloodhound.Exploit.109, Bloodhound.Exploit.Shs, Bloodhound.Exploit.59, Bloodhound.Exploit.104, Bloodhound.Exploit.6, Bloodhound.Exploit.13, Bloodhound.Exploit.160, Bloodhound.Exploit.14, Bloodhound.Exploit.56, Bloodhound.Exploit.106, Bloodhound.Exploit.196, Bloodhound.Exploit.24, Bloodhound.Exploit.212


Bloodhound.Exploit.196 description:
Web browser and search engines redirected to unusual webpages
Hijacked desktop wallpaper, tray icons and desktop shortcuts
Strange Bloodhound.Exploit.196 processes/files running in the Task Manager, frustrating tower speaker beeping
Bloodhound.Exploit.196 patches up and re-creates its files after removal, so it is severely difficult to remove manually
Missing system files, registry keys and DLL files; “Blue Screen Of Death” errors
Bandwidth issues: sluggish surfing speed and frequent browser shutdowns
Hostile pornographic pop-ups and system tray balloons even with active blocker software
Bloodhound.Exploit.196 trojan behaviors:
Checks the Windows system and records surfing activity to create matching pop-up advertisements
Bypasses security utilities and forwards credit card numbers, usernames, passwords and other private info to remote hackers
Infects the system and downloads harmful programs to the PC via browser security leaks
Download Free Scanner tool to determine if your system is hijacked. Remove Bloodhound.Exploit.196 and eliminate its aliases for good!


Download Bloodhound.Exploit.196 remover tool

Generic Host Process for win32 services encountered problem error

Tuesday, August 18th, 2009



Generic Host Process for Win32 Services errors: solution for svchost.exe/netapi32.dll errors
Possible solutions here

Looks like this problem with lost internet connection showed up some days earlier here in Europe. This issue seems to be related to a newly discovered security hole in XP, which has been addressed by MS already. It doesn’t seem to be clear what exactly causes the Generic Host Process to crash, but many people over here solved it pretty simply:

They just updated their XP with the most recent security patches from MS. If for some unknown reason :rolleyes: the automatic updater failed or isn’t active on your computer, try to install one of the “after SP2”-update packs, provided on some sites like:
http://www.ryanvm.net/msfn/updatepack.html

Most users here report the problem solved after updating the OS. If it doesn’t work, you probably have an additional infection with malware.
The crashing Generic Host Process issue itself seems not to have any further malicious effects, so it could be a friendly “proof of concept” for an exploit of the security hole, just being spread all over the world.

I found these single hotfixes
WindowsXP-KB921883-x86-ENU.exe (MS06040)
and probably
WindowsXP-KB894391-x86-ENU.exe


fixed the problem for most affected people. Everybody should be able to download them from the MS site:
http://www.microsoft.com/athome/secu…ns/200608.mspx
The first and seemingly deciding one can be found also here:
http://www.softwarepatch.com/windows/index.html

There is a workaround to prevent your internet connection from being cut: Just drag the error message window out of sight and don’t click on any button. This way you can go on trying to fix it.

Another approach to the problem is disabling certain services (which is basically no bad idea anyway) by using a simple tool like Windows Worms Doors Cleaner v1.4.1 which can be found here:
http://www.firewallleaktester.com/tools_list.htm
or here (another similar tool)
http://www.dingens.org

The reason for this new massive appearance of GHP errors is probably described here:
http://isc.sans.org/diary.php?storyi…c9bb52fce76370
and here:
http://www.lurhq.com/mocbot-ms06040.html
According to these, this is not a “friendly proof-of-concept” but almost all people with that problem report clean HJT logs and no antivirus software found something. If they found something, it seems to be by coincidence and there is most likely no correlation. It has some analogy to the outbreak of the “Blaster”-worm in August (!) 2003, which manifested itself by a similar error message. But little is known yet…

Remember, there are many reasons for svchost crashes and maybe your problem is not related to this issue. Only error messages like Neilster23 got

[example debug code]
EventType : BEX P1 : svchost.exe P2 : 5.1.2600.2180 P3 : 41107ed6
P4 : netapi32.dll P5 : 5.1.2600.2180 P6 : 411096ac P7 : 0000a3c0
P8 : c0000409 P9 : 00000000

point to that specific issue, but many of them appeared in the past few days.

Maybe that helps somebody now. :cheesy: Good luck!
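The post says that only crash records with the specific shape Neilster23 posted point to this issue. As an added example (mine, not from the forum thread), here is a small triage script that parses Windows Error Reporting "EventType : BEX ... P9" records, as quoted above, and flags just that signature: a BEX event in svchost.exe faulting in netapi32.dll with exception code c0000409 (STATUS_STACK_BUFFER_OVERRUN, the /GS stack cookie check firing). Both records below are constructed; the first copies the values from the post, the second is an unrelated svchost crash.

```python
import re
from typing import Dict, List

# Constructed copy of the crash record quoted in the post above (the three-line
# "EventType : BEX ... P9 : ..." form that Windows Error Reporting shows for svchost).
SAMPLE_NETAPI32_CRASH = """EventType : BEX P1 : svchost.exe P2 : 5.1.2600.2180 P3 : 41107ed6
P4 : netapi32.dll P5 : 5.1.2600.2180 P6 : 411096ac P7 : 0000a3c0
P8 : c0000409 P9 : 00000000"""

# Constructed record of an unrelated svchost crash (different faulting module and
# exception code) to show that not every svchost failure is this issue.
SAMPLE_OTHER_CRASH = """EventType : BEX P1 : svchost.exe P2 : 5.1.2600.2180 P3 : 41107ed6
P4 : ntdll.dll P5 : 5.1.2600.2180 P6 : 411096a6 P7 : 00012345
P8 : c0000005 P9 : 00000000"""

# WER 1.0 parameter layout for a BEX (buffer overrun exception) report:
# P1 application, P2 app version, P3 app timestamp, P4 faulting module,
# P5 module version, P6 module timestamp, P7 fault offset, P8 exception code, P9 extra.
_FIELD_RE = re.compile(r"(EventType|P[1-9])\s*:\s*(\S+)")


def parse_wer_record(text: str) -> Dict[str, str]:
    """Split one WER report (possibly wrapped over several lines) into a field dict."""
    return {name: value for name, value in _FIELD_RE.findall(text)}


def matches_netapi32_signature(record: Dict[str, str]) -> bool:
    """True only for the signature the post ties to the XP hole that its hotfix
    (KB921883 / MS06-040) addresses: a BEX event in svchost.exe, faulting module
    netapi32.dll, exception code c0000409 (STATUS_STACK_BUFFER_OVERRUN)."""
    return (
        record.get("EventType", "").upper() == "BEX"
        and record.get("P1", "").lower() == "svchost.exe"
        and record.get("P4", "").lower() == "netapi32.dll"
        and record.get("P8", "").lower() == "c0000409"
    )


def triage(records: List[str]) -> List[bool]:
    """Classify a batch of raw WER reports; True means 'this is the netapi32 crash'."""
    return [matches_netapi32_signature(parse_wer_record(r)) for r in records]


if __name__ == "__main__":
    batch = [SAMPLE_NETAPI32_CRASH, SAMPLE_OTHER_CRASH]
    for raw, hit in zip(batch, triage(batch)):
        rec = parse_wer_record(raw)
        print(f"{rec['P1']} / {rec['P4']} / {rec['P8']}: "
              f"{'netapi32 signature' if hit else 'unrelated crash'}")
```

Records that match are the ones worth treating as this issue; a svchost crash with another module or exception code in P4/P8 needs its own diagnosis.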

Total secure 2009 fake security virus removal

Tuesday, August 18th, 2009



Total Secure 2009, also known as Total Security 2009, is a rogue anti-spyware program whose purpose is to rob you of your money and give you a piece of software that is full of crap. Once it comes in contact with your system, it gives fake warning messages that your system is infected with a lot of malware and spyware.

Don’t take notice of them, and don’t purchase Total Secure 2009.

Total Secure 2009 or total security 2009 fake rogue spyware program



If you have got any trace of Total Secure 2009 in your system, we recommend that you take immediate action for the removal of Total Secure 2009 before further damage.

Technical Details of TotalSecure 2009
Full name: Total Secure 2009 (also known as Total Security 2009)
Date Appeared:
Characteristic: Rogue security program
URL: http://Totalsecure2009. com
Additional sites associated with this scam: Secure-order-box. com, Gettotalsec2008. com, Getdefender2009. com
Do I need to remove Total Secure 2009?
You can search your computer manually yourself, but it is not recommended unless you are a tech geek. To save time and effort, we recommend that you download a FREE Scanner.



How to Uninstall Total Secure 2009 scam manually:
The best way to remove Total Secure 2009 is to install a good-quality anti-spyware program and scan your system for any TotalSecure 2009 infections.

Automatic removal of TotalSecure2009 is always thorough and complete compared to attempts to remove Total Secure 2009 manually, which may sometimes lead to erroneous results. If you are not completely aware of all the files and registry entries used by this rogue anti-spyware, then we do not recommend attempting manual removal of TotalSecure2009.

Instructions to get rid of Total Secure 2009
If you really want to remove the Total Secure 2009 infection on your system manually then proceed as follows.

Step 1: Kill the Total Secure 2009 Processes – Learn how to do that

TotalSecure2009.exe
Step 2: Remove Total Secure 2009 files, folders and all associated Total Secure 2009 DLL files: Learn how to do that


Total Secure 2009.lnk
scan.exe
totalsecure.s1
totalsecure.s2
totalsecure.s3
totalsecure.s4
totalsecure.s5
totalsecure.s6
uninstall.exe
Step 3: Uninstall Total Secure 2009 registry entries: Learn how to do that

HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run "TotalSecure2009" = "C:\Program Files\TotalSecure2009\scan.exe"
HKEY_CURRENT_USER\Software\TotalSecure2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Secure 2009
=======================
Note: The manual removal guide can be confusing if you are a newbie. In that case, manual removal is not recommended; use an auto removal tool instead.
To automatically remove spyware,
use one of these great removal tools:

Super Anti Spyware

Malware Bytes anti-malware (mbam.exe)

Spyware Doctor

=======================

pc antispyware 2010 removal

Thursday, August 6th, 2009



Remove Fake PC AntiSpyware 2010
PC Antispyware 2010 is another rogue security program from the same family as WinReanimator, PC Security 2009 and Home Antivirus 2010. The bogus application is promoted through the use of the Trojan Braviax. This Trojan displays fake security alerts about possible or supposedly existing malware infections. The main goal of PC Antispyware 2010 is to coerce you into purchasing the program. You should uninstall PC Antispyware 2010 from your PC if it is already infected.

PC Antispyware 2010 can also be promoted on various misleading websites that provide fake online anti-malware scanners, or it may be downloaded and installed manually. Once active, it will be configured to scan your computer each time you log on to Windows. Of course, you can’t change the way this program works. The scan results are false and are shown only to convince you that your computer is seriously infected. To make things worse, PC Antispyware 2010 will display alarmist alerts about computer threats. These alerts look like legitimate ones, so it might be difficult to tell the difference between them. However, a reputable security application won’t scan your computer without your permission.


PC Antispyware 2010 manual removal:
Kill processes:
PC_Antispyware2010.exe
Uninstall.exe
jugifyryve.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC_Antispyware2010
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PC Antispyware 2010"

Unregister DLLs:
AVEngn.dll
htmlayout.dll
pthreadVC2.dll
msvcm80.dll
msvcp80.dll
msvcr80.dll

Delete files:
aqamodero.dat
hubeweqa.lib
jatikysup._dl
ofyxodaqa.dat
sahaso.bat
zotys.bin
AVEngn.dll
htmlayout.dll
PC_Antispyware2010.cfg
PC_Antispyware2010.exe
pthreadVC2.dll
Uninstall.exe
wscui.cpl
daily.cvd
Microsoft.VC80.CRT
Microsoft.VC80.CRT.manifest
msvcm80.dll
msvcp80.dll
msvcr80.dll
akudyta.lib
hoxigawax.inf
kyci.dl
nuxojih.scr
qynomikov.bin
seni.reg
yfoneby.db
_scui.cpl
cocefezyj.dl
qebykiti.dl
pybisezyr.db
ulycozoho._dl
ekenubes.com
icosagula.reg
jugifyryve.exe
PC_Antispyware2010.lnk
ajeby.reg
yqeqaranym.vbs
zebav.pif
_scui.cpl.txt
xoqupuwytu._dl
Uninstall.lnk

Delete directories:
c:\Program Files\PC_Antispyware2010
c:\Program Files\PC_Antispyware2010\data
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch
%UserProfile%\Start Menu\Programs\PC_Antispyware2010

Auto Removal tools to remove this virus:

Download Super Anti Spyware

Worm win32 Neeris gen.c removal

Wednesday, August 5th, 2009



Remove Neeris.Worm.gen!c

Worm:Win32/Neeris.gen!C is the generic detection for a member of the Win32/Neeris family of worms. These worms spread via MSN Messenger and may contain backdoor functionality. New variants of this worm may exploit a vulnerability in the Windows Server Service (srvsvc) on computers that have not yet applied Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx).

Also Known As:
Win32/Neeris.worm.101376 (AhnLab)
Win32/IRCBot.KA (CA)
Win32/AutoRun.IRCBot.Q (ESET)
Worm.Win32.AutoRun.fla (Kaspersky)
W32/IRCbot.gen.a (McAfee)
W32/Neeris-A (Sophos)
W32.Spybot.Worm (Symantec)

Symptoms
You may be informed by your MSN Messenger contacts that your account has attempted or is attempting to send them a ZIP archive, or you may notice an unknown TFTP transaction in your logs.

Technical Information
Worm:Win32/Neeris.gen!C is the generic detection for a member of the Win32/Neeris family of worms. These worms spread via MSN Messenger and may contain backdoor functionality. New variants of this worm may exploit a vulnerability in the Windows Server Service (srvsvc) on computers that have not yet applied Microsoft Security Bulletin MS08-067.

Installation
Different samples of Win32/Neeris.gen!C install themselves in systems in varying ways. They commonly copy themselves in the Windows or Windows system folder and modify the system registry so that they run every time Windows starts.
For example, one variant of this family copies itself to a subfolder of the Windows folder as VMwareService.exe and makes the following registry autostart modification:
Adds value: “GON”
With data: “%windir%\system\VMwareService.exe”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Another variant of this worm may copy itself as the following file
%windir%\system\netmon.exe


The worm may be present as a file with a two digit name and .SCR extension such as 21.scr.
The registry is modified to run the dropped worm copy at each Windows start. Other registry data may be created to execute the worm when booting in Windows safe mode.
Adds value: “netmon”
With data: “%windir%\system\netmon.exe”
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: “(default)”
With data: “service”
To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32

Adds value: “(default)”
With data: “service”
To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon32

Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user’s contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.
This worm may also drop a copy of itself and a corresponding autorun.inf file into all available removable drives. The function of the autorun.inf file is to ensure that the worm copy automatically runs when the drive is accessed and Autoplay is enabled. The image below illustrates how a user could potentially launch the worm when accessing an infected share:
Filenames of the dropped worm copy vary but may have a name such as ’smartkey.exe’.

Bypass Windows Firewall

This worm may add itself as an “authorized application” by modifying the Windows firewall policy stored in the registry.

Adds value: “%windir%\system\netmon.exe”
With data: “%windir%\system\netmon.exe:*:microsoft enabled”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

Win32/Neeris.gen!C may connect to a predefined Internet Relay Chat (IRC) server using a specified port number such as TCP port 6667 or 449. Once connected, it awaits commands from a remote attacker.

Win32/Neeris.gen!C may drop a driver ‘\drivers\sysdrv32.sys’ which patches TCP/IP to remove connection throttling in Windows XP SP2 computers.

Analysis by Jireh Sanico

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (Safety.Live.com).
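The Green AV, Total Secure 2009, PC Antispyware 2010 and Neeris write-ups above all come down to a handful of registry entries: Run-key persistence into a rogue program directory, Control Panel "don't load" values that hide the Security Center applet, and a Windows Firewall authorized-application exception for the dropped worm file. As an added example (mine, not taken from any of these guides), the script below parses the text that `reg export` writes and flags exactly those entry types; the export fragment is constructed for the example, with the rogue directory and file names taken from the guides on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed fragment in the format `reg export` writes (a hypothetical export, not
# taken from an infected machine). It carries the entries described on this page:
# the Total Secure 2009 and PC Antispyware 2010 Run values, the Control Panel
# "don't load" values that hide the Security Center applet, and the Neeris firewall
# exception, next to one benign Run value that must not be flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TotalSecure2009"="C:\\Program Files\\TotalSecure2009\\scan.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Control Panel\don't load]
"scui.cpl"="No"
"wscui.cpl"="No"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Antispyware 2010"="C:\\Program Files\\PC_Antispyware2010\\PC_Antispyware2010.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system\\netmon.exe"="%windir%\\system\\netmon.exe:*:microsoft enabled"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}}; non-string data is kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group(1)
            name = _unescape(name) if name is not None else "(default)"
            data = value_match.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
FIREWALL_LIST_SUFFIX = "\\authorizedapplications\\list"
DONT_LOAD_SUFFIX = "\\control panel\\don't load"
# wscui.cpl is the Windows Security Center applet; scui.cpl is the other name the
# PC Antispyware 2010 guide lists. A "don't load" value for either hides the applet.
SECURITY_APPLETS = {"wscui.cpl", "scui.cpl"}
# Directory and file names taken from the removal guides on this page, matched as
# path components so that "gav" does not hit unrelated names.
ROGUE_PATH_PARTS = (
    "\\gav\\", "\\totalsecure2009\\", "\\pc_antispyware2010\\",
    "\\netmon.exe", "\\vmwareservice.exe",
)


def audit_reg_export(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (category, key path, detail) findings that deserve a human look."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            blob = f"{name} {data}".lower()
            if k.endswith(RUN_KEY_SUFFIXES) and any(p in blob for p in ROGUE_PATH_PARTS):
                findings.append(("rogue-autorun", key, f"{name} = {data}"))
            elif k.endswith(DONT_LOAD_SUFFIX) and name.lower() in SECURITY_APPLETS:
                findings.append(("hidden-security-applet", key, name))
            elif k.endswith(FIREWALL_LIST_SUFFIX) and any(p in blob for p in ROGUE_PATH_PARTS):
                findings.append(("firewall-exception", key, f"{name} = {data}"))
    return findings


if __name__ == "__main__":
    for category, key, detail in audit_reg_export(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{category}] {key}\n    {detail}")
```

On a real machine, export the Run, Control Panel and FirewallPolicy keys with `reg export` and pass the file contents to `parse_reg_export`; the benign ctfmon.exe entry in the sample shows that only the named rogue paths and applet names are reported.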

Remove win32 mabezat.b worm

Wednesday, August 5th, 2009



Remove Mabezat.b.Worm.c
Virus:Win32/Mabezat.B is a polymorphic virus that infects PE files. Apart from spreading via file infection, it also attempts to spread via network shares, removable drives and by CD-burning. It contains a date-based payload that encrypts files with particular extensions.

Also Known As:
Win32/Mabezat.worm.32768 (AhnLab)
W32/AutoRun.APZ (Norman)
W32/Mabezat-B (Sophos)
W32.Mabezat-3 (Clam AV)
Win32/Mabezat.A (ESET)
Worm.Win32.Mabezat.b (other)
Worm.Win32.Mabezat.b (Kaspersky)
Win32.Worm.Mabezat.C (Sunbelt Software)
W32/Mabezat.a (McAfee)

Technical Information
Virus:Win32/Mabezat.B is a polymorphic virus that infects PE files. Apart from spreading via file infection, it also attempts to spread via network shares, removable drives and by CD-burning. It contains a date-based payload that encrypts files with particular file extensions.
Installation
Upon execution, Virus:Win32/Mabezat.B drops the file ‘%Root%\Documents and Settings\tazebama.dll’. It then loads an installation module from tazebama.dll, that drops the following copies of the virus:
%Root%\Documents and Settings\hook.dl_
%Root%\Documents and Settings\tazebama.dl_
It creates a process for tazebama.dl_, and then executes the original code of the host file.
Spreads Via…
E-mail
The virus checks for an Internet connection by attempting to connect to the following sites:
http://www.britishcouncil.com
http://www.yahoo.com
http://www.hotmail.com
http://www.microsoft.com

It avoids sending mail to e-mail addresses that contain the following strings:
MICROSOFT
KASPER
PANDA

E-mails sent by the virus vary. The virus may send e-mail with the following characteristics:

Subject:
ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Message Body:
1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.
Attachment:
PROHIBITED_MATRIMONY.rar

Subject:
Windows secrets
Message Body:
The attached article is on
how to make a folder password
. If your are interested in this article download it, if you are not delete it.
Attachment:
FolderPW_CH(1).rar

Subject:
Canada immigration
Message Body:
The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn’t convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050. Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.
Attachment:
IMM_Forms_E01.rar

Subject:
Viruses history
Message Body:
Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called Trojan.Backdoor
which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
The sender has red the story and forwarded it to you.
Attachment:
virushistory.rar

Subject:
Web designer vacancy
Message Body:
Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
Thanks
Regards,
Ajy Bokra
Computer department.
AjyBokra@webconsulting.com
Attachment:
JobDetails.rar

Aside from the predefined attachments described above, it may use one of the following as a filename for its attachment:
GoogleToolbarNotifier.exe
PanasonicDVD_DigitalCam.exe
Antenna2Net.exe
RadioTV.exe
Microsoft MSN.exe
Sony Erikson DigitalCam.exe
IDE Conector P2P.exe
Windows Keys Secrets.exe
FaxSend.exe
RecycleBinProtect.exe
Disk Defragmenter.exe
CD Burner.exe
ShowDesktop.exe
BrowseAllUsers.exe
LockWindowsPartition.exe
Win98compatibleXP.exe
MakeUrOwnFamilyTree.exe
WindowsXp StartMenu Settings.exe
Recycle Bin.exe
Adjust Time.exe
Microsoft Windows Network.exe
HP_LaserJetAllInOneConfig.exe
FloppyDiskPartion.exe
msjavx86.exe
AmericanOnLine.exe
Crack_GoogleEarthPro.exe
Lock Folder.exe
InstallMSN11En.exe
InstallMSN11Ar.exe
JetAudio dump.exe
KasperSky6.0 Key.doc.exe
Office2007 Serial.txt.exe
Office2003 CD-Key.doc.exe
Make Windows Original.exe
NokiaN73Tools.exe
WinrRarSerialInstall.exe
My Documents .exe
Readme.doc .exe
My documents .exe

Archived files may use one of the following filenames:
windows.rar
office_crack.rar
serials.rar
passwords.rar
windows_secrets.rar
source.rar
imp_data.rar
documents_backup.rar
backup.rar
MyDocuments.rar

File Infection
Virus:Win32/Mabezat.B is a polymorphic virus that infects PE files with the following extensions:
.lnk
.exe
.scr

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (Safety.Live.Com).
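The lure subjects, archive names and document-looking double extensions listed above are what a mail gateway can match on. As an added example (mine, not from the Mabezat description), this script runs those checks over a few constructed log lines in a hypothetical `key=value` log format; the subject and attachment lists are taken from the description above, the log lines are made up.

```python
import re
from typing import Dict, List, Tuple

# Lure subjects and archive names listed in the description above (lower-cased).
LURE_SUBJECTS = {
    "about people with whom matrimony is prohibited", "windows secrets",
    "canada immigration", "viruses history", "web designer vacancy",
}
LURE_ARCHIVES = {
    "prohibited_matrimony.rar", "folderpw_ch(1).rar", "imm_forms_e01.rar",
    "virushistory.rar", "jobdetails.rar", "windows.rar", "office_crack.rar",
    "serials.rar", "passwords.rar", "windows_secrets.rar", "source.rar",
    "imp_data.rar", "documents_backup.rar", "backup.rar", "mydocuments.rar",
}
# Executable dressed up as a document, as in "KasperSky6.0 Key.doc.exe" or
# "Office2007 Serial.txt.exe" above (\s* covers names padded with spaces before .exe).
DOUBLE_EXT_RE = re.compile(r"\.(doc|txt)\s*\.exe$", re.IGNORECASE)

# Constructed mail-gateway log lines in a hypothetical key=value format
# (not a real product's log); three carry Mabezat lures, one is benign.
SAMPLE_MAIL_LOG = [
    'to=alice@example.org subject="Windows secrets" attachment="FolderPW_CH(1).rar"',
    'to=bob@example.org subject="Quarterly report" attachment="report.pdf"',
    'to=carol@example.org subject="New key" attachment="KasperSky6.0 Key.doc.exe"',
    'to=dave@example.org subject="Canada immigration" attachment="forms.zip"',
]

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k="quoted v"' into a dict (findall yields '' for the unused group)."""
    return {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(line)}


def lure_reasons(msg: Dict[str, str]) -> List[str]:
    """Return the reasons a message looks like a Mabezat lure (empty if none)."""
    reasons: List[str] = []
    subject = msg.get("subject", "").strip().lower()
    attachment = msg.get("attachment", "").strip()
    if subject in LURE_SUBJECTS:
        reasons.append("known lure subject")
    if attachment.lower() in LURE_ARCHIVES:
        reasons.append("known lure archive name")
    if DOUBLE_EXT_RE.search(attachment):
        reasons.append("document-looking double extension on an .exe")
    return reasons


def scan_mail_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (recipient, reasons) for every line that trips at least one check."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        msg = parse_log_line(line)
        reasons = lure_reasons(msg)
        if reasons:
            hits.append((msg.get("to", "?"), reasons))
    return hits


if __name__ == "__main__":
    for recipient, reasons in scan_mail_log(SAMPLE_MAIL_LOG):
        print(f"{recipient}: {', '.join(reasons)}")
```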