Archive for the ‘3:Virus Removal’ Category

Recycler virus autorun-inf file removal

Monday, February 15th, 2010


Recycler virus is a virus that exploits the autorun feature of Windows. It copies autorun.inf files to each drive of the computer, whether a fixed drive or removable media such as DVDs, CD-ROMs, USB devices, or memory sticks. The Recycler virus originated from the W32.Lecna.H worm, which spreads by copying itself to all active drives.

The virus creates a hidden folder on each active drive. Each time you insert removable media, it executes itself. It uses a batch file to modify the system registry and executes itself each time the system starts up. You cannot remove the virus even after formatting your removable media. Anti-virus software may detect it but cannot remove it.

The recycler virus is very destructive. Once it infects your computer, it will connect itself to malicious websites and download the malicious code to your computer. The malicious code will then steal your personal information such as credit card information, social security, account numbers, usernames, and passwords stored on your computer.


Conduct a Recycler Virus Removal

You can remove the recycler virus both manually and by using any recycler virus removal tool. To remove the virus manually, you need to:

1. Search for the process called CTFMON.EXE and kill it through Task Manager.
2. Search for the CTFMON.EXE file in the Startup menu and delete it.
3. Boot the system in safe mode and open the command prompt.
4. Remove the hidden, system, and read-only attributes from autorun.inf and the recycled folder, then delete them.
5. Clean the recycle bin.
6. Repeat these steps for all the drives on your computer.
7. Open the registry editor, search for the NoDriveTypeAutoRun entry in the following registry folders, and set it to the value 03ffffff:
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\SOFTWARE

8. Reboot and scan your system with latest antivirus software.

Manual removal of the infection is not recommended because it requires expertise in editing the Windows registry. If you remove or modify the wrong registry entry, you may cause severe damage to your system. Therefore, it is always better to remove the Recycler virus with a specialized removal tool.

Download Flash DisInfector to remove this virus

Win32 Netsky worm removal guide

Monday, January 4th, 2010


Remove Worm win32 netsky

Worm.Win32.Netsky is a parasite that has returned recently in popup warning messages claiming that your system has been hijacked and infected with this dangerous worm infection. This fake alert is generated by a Trojan program that creeps into the system bundled with Active-X plug-ins related to fake video codecs. Once executed, this Trojan will bombard the user with irritating pop-ups in the system tray and warning messages, and may even slow down your system performance. If you click on any of these notifications, you will be directed to a website where rogue anti-spyware applications are promoted, and you will be tricked into buying one of them.

Manual removal of Worm.Win32.Netsky may not be for everyone. Each manual Worm.Win32.Netsky removal step must be followed delicately to completely remove all related files and registry entries from your computer. If you are unsure or have doubts about editing your system registry, then we recommend that you use the automatic Worm.Win32.Netsky removal process.

Worm.Win32.Netsky can be removed manually by following the steps below.
1. With all programs closed, click the Start Menu and go to the Control Panel.

2. Locate the Add/Remove Programs icon and double click it.

3. Locate Worm.Win32.Netsky in the list of programs. If you find it, select it and remove it. If you cannot find Worm.Win32.Netsky, you can continue to step 5.

4. Restart your computer.

5. Close all open programs and windows on your desktop.

6. Open your registry editor (regedit) program by going to Start Menu, type in regedit, and click OK.

7. Find all of the following registry entries and delete them.

8. You may need to return to this removal process for removing Worm.Win32.Netsky. You can do this easily by bookmarking or adding a favorite to this page by clicking here. If you are using the FireFox web browser you can press the keys Ctrl and D simultaneously to bookmark this page.

9. Delete all of the following files that are associated with Worm.Win32.Netsky from your computer.

10. After locating and deleting the previous files you must remove all directories associated with Worm.Win32.Netsky by going to the C:\ProgramFiles\Worm.Win32.Netsky folder, select it, and delete it. In some cases you may not be able to find this directory. You can still continue to the next step.

11. Restart your computer. You do not need to boot into safe mode at this point. You should have removed Worm.Win32.Netsky completely from your computer. If you find that Worm.Win32.Netsky is still on your computer, you can repeat the steps again or go to the automatic Worm.Win32.Netsky removal process.


Automatic removal of worm win32 netsky

Automatically remove Worm.Win32.Netsky for free. Free automatic Worm.Win32.Netsky removal process.
Do you wish to automatically remove Worm.Win32.Netsky from your computer? Are you looking for a free method to remove Worm.Win32.Netsky from your computer? If so, you can utilize the free automatic Worm.Win32.Netsky removal process below. Each step is designed to aid in the use of the program SmitfraudFix, which is a free tool created by S!Ri to remove parasites such as Worm.Win32.Netsky. Just so you know there’s no guarantee that SmitfraudFix or any other spyware remover will remove Worm.Win32.Netsky completely. These instructions are provided as a guide and are to be used at your own risk.

1. Download the SmitfraudFix tool to your computer by using our free download link here. Save the downloaded file to your desktop.

2. Restart your computer into safe mode. Safe mode will allow malicious files that are normally loaded into memory to be easily deleted by the SmitfraudFix program.

3. After booting into safe mode, double-click on the SmitfraudFix.exe icon that should be located on your desktop. Follow the on-screen instructions. Option number 2 should be selected once the program starts.

4. After SmitfraudFix performs the initial removal processes it will ask you “Do you want to clean the registry?” Select Y for yes.

5. Once SmitfraudFix has finished the registry clean you can restart your computer now.

6. Worm.Win32.Netsky should be removed from your computer. If not, you can start the automatic removal process over. It may take more than one try in some rare cases. There’s no guarantee that SmitfraudFix will remove all files due to the complex nature of new spyware files that are ever-changing. If necessary, you may need to get help from a person who knows about computer and spyware.

(Disclaimers: These instructions are provided to you for free and to be used at your own risk. The free removal process for Worm.Win32.Netsky is not guaranteed to work in all circumstances. We are not responsible for any damages.)

Malware Bytes anti malware (mbam.exe)

Download Malware Bytes Anti-Malware

Worm win32 Neeris gen.c removal

Wednesday, August 5th, 2009



Remove Neeris.Worm.gen!c

Worm:Win32/Neeris.gen!C is the generic detection for a member of the Win32/Neeris family of worms. These worms spread via MSN Messenger and may contain backdoor functionality. New variants of this worm may exploit a vulnerability in the Windows Server Service (srvsvc) on computers that have not yet applied Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx).

Also Known As:
Win32/Neeris.worm.101376 (AhnLab)
Win32/IRCBot.KA (CA)
Win32/AutoRun.IRCBot.Q (ESET)
Worm.Win32.AutoRun.fla (Kaspersky)
W32/IRCbot.gen.a (McAfee)
W32/Neeris-A (Sophos)
W32.Spybot.Worm (Symantec)

Symptoms
You may be informed by your MSN Messenger contacts that your account has attempted or is attempting to send them a ZIP archive, or you may notice an unknown TFTP transaction in your logs.

Technical Information
Worm:Win32/Neeris.gen!C is the generic detection for a member of the Win32/Neeris family of worms. These worms spread via MSN Messenger and may contain backdoor functionality. New variants of this worm may exploit a vulnerability in the Windows Server Service (srvsvc) on computers that have not yet applied Microsoft Security Bulletin MS08-067.

Installation
Different samples of Win32/Neeris.gen!C install themselves in systems in varying ways. They commonly copy themselves in the Windows or Windows system folder and modify the system registry so that they run every time Windows starts.
For example, one variant of this family copies itself to a subfolder of the Windows folder as VMwareService.exe and makes the following registry autostart modification:
Adds value: “GON”
With data: “%windir%\system\VMwareService.exe”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Another variant of this worm may copy itself as the following file:
%windir%\system\netmon.exe


The worm may be present as a file with a two digit name and .SCR extension such as 21.scr.
The registry is modified to run the dropped worm copy at each Windows start. Other registry data may be created to execute the worm when booting in Windows safe mode.
Adds value: “netmon”
With data: “%windir%\system\netmon.exe”
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: “(default)”
With data: “service”
To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32

Adds value: “(default)”
With data: “service”
To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon32

Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user’s contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.
This worm may also drop a copy of itself and a corresponding autorun.inf file into all available removable drives. The function of the autorun.inf file is to ensure that the worm copy automatically runs when the drive is accessed and Autoplay is enabled.
Filenames of the dropped worm copy vary but may have a name such as ‘smartkey.exe’.
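
The autorun.inf mechanism described above can be checked on a suspect drive by reading the file rather than opening the drive. The following is an added example, not part of the original write-up: it parses an autorun.inf body and lists every entry that names a program to launch. Both sample files are constructed, and the RECYCLER-style path is a placeholder; only the file name smartkey.exe comes from the text.

```python
import re

# [autorun] keys whose value is a command Windows may run from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
# Context-menu verbs, e.g. shell\open\command or shell\explore\command.
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")
# First path in a command value that ends in a directly runnable extension.
TARGET = re.compile(r'^\s*"?(.+?\.(?:exe|scr|pif|com|bat|cmd|vbs|js))\b', re.I)

# Constructed sample: the kind of file the text describes next to a worm copy.
SAMPLE = r"""
; constructed sample, not taken from a real infection
[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
open=smartkey.exe
shell\open\command=smartkey.exe
shell\explore\Command = RECYCLER\S-1-5-21-0000\smartkey.exe /s
label=USB Drive
"""

# Constructed sample: a harmless autorun.inf that only sets an icon and label.
BENIGN = """
[autorun]
icon=drive.ico
label=Backup Disk
"""


def parse_autorun(text):
    """Return {section: [(key, value), ...]} with keys lower-cased.

    Lines without '=' and lines outside any section are skipped, so junk
    padding inserted between real entries does not hide them.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_entries(text):
    """List (key, command, target) for every auto-launch entry in [autorun]."""
    found = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS or SHELL_VERB.match(key):
            match = TARGET.match(value)
            found.append((key, value, match.group(1) if match else None))
    return found


if __name__ == "__main__":
    for key, command, target in launch_entries(SAMPLE):
        print(f"{key:24} -> {command}   (target: {target})")
    print("benign file findings:", launch_entries(BENIGN))
```

Any finding on a removable drive is worth a look: the target path tells you which file on the drive to submit to the scanner.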

Bypass Windows Firewall

This worm may add itself as an “authorized application” by modifying the Windows firewall policy stored in the registry.

Adds value: “%windir%\system\netmon.exe”
With data: “%windir%\system\netmon.exe:*:microsoft enabled”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Win32/Neeris.gen!C may connect to a predefined Internet Relay Chat (IRC) server using a specified port number such as TCP port 6667 or 449. Once connected, it awaits commands from a remote attacker.

Win32/Neeris.gen!C may drop a driver ‘\drivers\sysdrv32.sys’ which patches TCP/IP to remove connection throttling in Windows XP SP2 computers.

Analysis by Jireh Sanico

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (Safety.Live.com).

Remove win32 mabezat.b worm

Wednesday, August 5th, 2009



Remove Mabezat.b.Worm.c
Virus:Win32/Mabezat.B is a polymorphic virus that infects PE files. Apart from spreading via file infection, it also attempts to spread via network shares, removable drives and by CD-burning. It contains a date-based payload that encrypts files with particular extensions.

Also Known As:
Win32/Mabezat.worm.32768 (AhnLab)
W32/AutoRun.APZ (Norman)
W32/Mabezat-B (Sophos)
W32.Mabezat-3 (Clam AV)
Win32/Mabezat.A (ESET)
Worm.Win32.Mabezat.b (other)
Worm.Win32.Mabezat.b (Kaspersky)
Win32.Worm.Mabezat.C (Sunbelt Software)
W32/Mabezat.a (McAfee)

Technical Information
Virus:Win32/Mabezat.B is a polymorphic virus that infects PE files. Apart from spreading via file infection, it also attempts to spread via network shares, removable drives and by CD-burning. It contains a date-based payload that encrypts files with particular file extensions.
Installation
Upon execution, Virus:Win32/Mabezat.B drops the file ‘%Root%\Documents and Settings\tazebama.dll’. It then loads an installation module from tazebama.dll, that drops the following copies of the virus:
%Root%\Documents and Settings\hook.dl_
%Root%\Documents and Settings\tazebama.dl_
It creates a process for tazebama.dl_, and then executes the original code of the host file.
Spreads Via…
E-mail
The virus checks for an Internet connection by attempting to connect to the following sites:
http://www.britishcouncil.com
http://www.yahoo.com
http://www.hotmail.com
http://www.microsoft.com

It avoids sending mail to e-mail addresses that contain the following strings:
MICROSOFT
KASPER
PANDA

E-mails sent by the virus vary. The virus may send e-mail with the following characteristics:

Subject:
ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Message Body:
1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.
Attachment:
PROHIBITED_MATRIMONY.rar

Subject:
Windows secrets
Message Body:
The attached article is on how to make a folder password. If your are interested in this article download it, if you are not delete it.
Attachment:
FolderPW_CH(1).rar

Subject:
Canada immigration
Message Body:
The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn’t convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050. Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.
Attachment:
IMM_Forms_E01.rar

Subject:
Viruses history
Message Body:
Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called Trojan.Backdoor which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
The sender has red the story and forwarded it to you.
Attachment:
virushistory.rar

Subject:
Web designer vacancy
Message Body:
Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
Thanks
Regards,
Ajy Bokra
Computer department.
AjyBokra@webconsulting.com
Attachment:
JobDetails.rar

Aside from the predefined attachments described above, it may use one of the following as a filename for its attachment:
GoogleToolbarNotifier.exe
PanasonicDVD_DigitalCam.exe
Antenna2Net.exe
RadioTV.exe
Microsoft MSN.exe
Sony Erikson DigitalCam.exe
IDE Conector P2P.exe
Windows Keys Secrets.exe
FaxSend.exe
RecycleBinProtect.exe
Disk Defragmenter.exe
CD Burner.exe
ShowDesktop.exe
BrowseAllUsers.exe
LockWindowsPartition.exe
Win98compatibleXP.exe
MakeUrOwnFamilyTree.exe
WindowsXp StartMenu Settings.exe
Recycle Bin.exe
Adjust Time.exe
Microsoft Windows Network.exe
HP_LaserJetAllInOneConfig.exe
FloppyDiskPartion.exe
msjavx86.exe
AmericanOnLine.exe
Crack_GoogleEarthPro.exe
Lock Folder.exe
InstallMSN11En.exe
InstallMSN11Ar.exe
JetAudio dump.exe
KasperSky6.0 Key.doc.exe
Office2007 Serial.txt.exe
Office2003 CD-Key.doc.exe
Make Windows Original.exe
NokiaN73Tools.exe
WinrRarSerialInstall.exe
My Documents .exe
Readme.doc .exe
My documents .exe

Archived files may use one of the following filenames:
windows.rar
office_crack.rar
serials.rar
passwords.rar
windows_secrets.rar
source.rar
imp_data.rar
documents_backup.rar
backup.rar
MyDocuments.rar

File Infection
Virus:Win32/Mabezat.B is a polymorphic virus that infects PE files with the following extensions:
.lnk
.exe
.scr

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (Safety.Live.Com).

Remove win32 koobface worm

Wednesday, August 5th, 2009



Removing Win32 KoobFace worm/malware
Win32/Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker’s will. This could include using the affected machine to distribute additional malware, generate ‘pay per click’ advertising revenue, steal sensitive data, break captchas, and subvert the affected user’s online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%windir%\bolivar19.exe
%windir%\bolivar31.exe
%windir%\bolivar30.exe
%windir%\ld01.exe
%windir%\che08.exe
%windir%\freddy35.exe
The display of the following messages:
ERROR “ERROR INSTALLING CODEC. PLEASE CONTACT SUPPORT”

Technical Information
Win32/Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker’s will. This could include using the affected machine to distribute additional malware, generate ‘pay per click’ advertising revenue, steal sensitive data, break captchas, and subvert the affected user’s online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.


Installation of Koobface:
If this worm is executed, Win32/Koobface copies itself to the Windows folder as in the following examples:

%windir%\fbtre6.exe
%windir%\mstre5.exe
%windir%\bolivar19.exe
%windir%\bolivar31.exe
%windir%\bolivar30.exe
%windir%\ld01.exe
%windir%\che08.exe
%windir%\freddy35.exe

The worm may drop a cleanup Batch script file also having a random file name to the root of the local drive, as in this example:

c:\42123.bat

The worm may execute the cleanup batch script to remove the originally executed worm and to remove itself. The registry is modified to execute the dropped worm copy at each Windows start.

Adds value: systray
With data: “%windir%/”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Depending on the variant, other values are created instead, such as “sysftray2” or “sysldtray”.

Spreads Via…
MySpace and FaceBook Contacts
Win32/Koobface searches in the default Internet Explorer cookies folder for browser cookies related to the Internet social network sites including the following:
facebook.com
friendster.com
hi5.com
myspace.com
bebo.com

In some variants of Win32/Koobface, if the worm determines that none of these sites are visited, the worm may delete itself and may display a message box.

In the wild, the worm may connect to the Web site ‘zzzping.com’ to download and execute malware.

The worm spreads by sending messages containing a hyperlink to a copy of the worm to friends or contacts of the infected user. Friends that receive the message may visit the link to download the worm and repeat the cycle of spreading to others.
Payload
Removes Audible Navigation Alerts
Some variants of Win32/Koobface may delete a registry subkey that references navigation sounds such as the ‘click’ sound when navigating from one Web site to another. The following subkey may be deleted by the worm:

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
TO REMOVE THIS THREAT FROM YOUR PC, DOWNLOAD MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL

Remove win32 sasser worm windows auto shutdown warning time box

Wednesday, August 5th, 2009



Removing Win32 Sasser.Worm
W32-Sasser Worm

Win32/Sasser is a family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm spreads by randomly scanning IP addresses for vulnerable machines and infecting any that are found.

Also Known As:
W32/Sasser.worm (McAfee)
W32.Sasser.Worm (Symantec)
WORM_SASSER (Trend Micro)
Win32.Sasser (CA)
Sasser (F-secure)
Sasser (Panda)
W32/Sasser (Sophos)
W32/Sasser (Norman)

Symptoms
Your computer may be infected with Win32/Sasser if you experience one or more of the following symptoms:

You see an LSA Shell crash dialog box
Your computer restarts every few minutes without user interaction. You may see a system shutdown dialog box, like the one below:
[Image: Sasser worm Windows auto shutdown dialog box]

Your computer performance is decreased or your network connection is slow.

Technical Information
When Win32/Sasser runs on a computer, it copies itself to the %WINDOWS% folder. In most cases, it adds a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This value causes the worm to start when Windows is started.

Win32/Sasser acts as an FTP server listening on TCP port 5554. For each connection made on this port, the worm sends a copy of itself to that connected host using the file name _up.exe.

The worm generates random IP addresses using a certain logic and then sends the exploit shell code to these IP addresses on TCP port 445. If the exploit is successful, a command line shell listens on a TCP port of the remote infected machine. To complete the infection, the worm executes a remote shell script that instructs the newly infected machine to connect to the infecting host and download and execute the worm through FTP. The worm records the count of successful infections to a file on the C: drive.

Win32/Sasser also attempts to abort any unexpected system shutdown by calling AbortSystemShutdown every several seconds in a continuous loop.

Later variants of the worm may drop a variant of Netsky worm. Later variants may not infect Windows 2000 because they import IcmpSendEcho from IPHlpAPI.dll, which is not present in Windows 2000.

TO REMOVE THIS THREAT FROM YOUR PC, DOWNLOAD MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL

w32 Sality AE virus removal steps

Wednesday, August 5th, 2009



Remove Sality.AE

W32/Sality.AE

Sality is a computer virus that infects files with the extensions .exe, .com and .scr. It spreads across your network through default shared folders and also uses the old autorun.inf technique. An infected application becomes a little bigger, by around 60kb-80kb.

There is no need to hide that this virus was created in China/Taiwan. It has a list of websites from which it updates itself with new variants; some of them are pedmeo222nb.info, pzrk.ru, technican.w.interia.pl, www.kjwre9fqwieluoi.info and many more. Blocking this list of sites with the hosts file might help in the short term, but once the virus is updated you might be in trouble again. Like almost every smart virus of the past, Sality has protection to keep itself alive on the target computer. Sality will kill any application or website matching a list of strings such as avast! Antivirus, F-Secure Gatekeeper Handler Starter, NOD32krn and many more. Sality will also block your firewall, security notifications, and safe mode.

The easiest way to know whether you are infected by this virus is that you cannot boot your computer in safe mode, or some applications will not run when you open them. When this happens, follow these steps.

Remove W32/Sality.AE

1. Disconnect your computer from the network.

2. Turn off “System Restore” during the cleaning process.

3. Turn off “Autorun” and “Default Share”: download this file, right-click on it, then choose Install.

4. Kill the active process running in your computer's background and check your startup files; you can use HijackThis.

5. Scan with Norman Malware Cleaner. Because this virus infects files with the extensions .exe, .com and .scr, you have to rename Norman_Malware_Cleaner.exe with a new extension, for example Norman_Malware_Cleaner.cmd.

Make sure you download a fresh copy of the cleaner from the official Norman website, and do not run it before you change the extension, or the cleaner will be infected before it can eliminate Sality.

6. To repair booting into safe mode, download this file and merge only the one that matches your Windows version.

7. Repair your registry using this file (right-click on it, then choose Install).

8. Reboot your computer and scan again with Norman Malware Cleaner, then reboot again to make sure your system is clean.

Remove Microsoft.lnk Shortcut Link Worm PIF Starter A

Wednesday, August 5th, 2009



Worm Pif Starter.A
To know whether your computer is infected by this virus, there are 4 important points:

In your “My Documents” folder there is a file named “database.mdb”.
There are clone folders with the extension .lnk, for at most the first 5 folders sorted by name, down to the second level of subfolders.
There are files Autorun.inf, Thumb.db and Microsoft.lnk in each root drive and folder, down to the second level of subfolders. (You might not see them because they are set as hidden.)
Your Registry Editor is disabled.
The virus master is actually the file named “database.mdb” in the “My Documents” folder. Wait… you will see why this is called the virus master. The virus creates the clone folders by executing through “wscript.exe”, the Microsoft Windows based script host program.

The virus will change your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""

I think you all know how this registry change will affect your computer each time it reboots, so there is no need to explain this, right? A really simple social technique.
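
One way to spot autostart values like the two above when reviewing an exported Run key, as an added example that is not part of the original post: it flags script-host commands that force an engine with /e: onto a file without a script extension, and targets with a colon after the drive prefix (NTFS alternate-data-stream syntax). The sample is constructed in .reg export form (doubled backslashes) from the two values in the text; the "Logon" and "SoundMan" lines are made-up benign entries, and the reason labels are this example's own.

```python
import ntpath
import re

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# //e:<engine> (or /e:<engine>) forces the script engine regardless of extension.
ENGINE = re.compile(r"(?<!\S)/{1,2}e:(\w+)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Constructed sample in .reg export format.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Explorer"="Wscript.exe //e:VBScript \"C:\\Documents and Settings\\Administrator\\My Documents\\database.mdb\""
"Logon"="wscript.exe \"C:\\Scripts\\logon.vbs\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\\WINDOWS\\:Microsoft Office Update for Windows XP.sys\""
"SoundMan"="SOUNDMAN.EXE"
'''


def unescape(text):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE.match(line)
        if value and key:
            yield key, unescape(value.group(1)), unescape(value.group(2))


def assess(command):
    """Return the reasons a Run command looks like script-host abuse."""
    # Quoted arguments stay whole; unquoted paths with spaces are not handled.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in SCRIPT_HOSTS:
        return []
    args = [t for t in tokens[1:] if not t.startswith("/")]
    if not args:
        return []
    target = args[-1]
    reasons = []
    extension = ntpath.splitext(target)[1].lower()
    if ENGINE.search(command) and extension not in SCRIPT_EXTS:
        reasons.append("forced-engine")   # script hidden behind another extension
    _drive, rest = ntpath.splitdrive(target)
    if ":" in rest:
        reasons.append("stream-path")     # colon beyond the drive letter
    return reasons


def review(text):
    """Return (key, value_name, reasons) for every flagged autostart value."""
    flagged = []
    for key, name, data in parse_reg(text):
        reasons = assess(data)
        if reasons:
            flagged.append((key, name, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, reasons in review(SAMPLE_REG):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```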



Remove Virus Manually
1. Disable “System Restore” during the cleaning process.

2. Kill the wscript.exe process among your computer's background programs.

3. During the cleaning process, rename the file wscript.exe to any name, e.g. blabla (temporarily, only for the cleaning process), and don’t forget to rename it back to wscript.exe once your computer is clean.

4. Delete the file “database.mdb” from the “My Documents” folder.

5. Disable any startup process linked to “database.mdb”; you can use msconfig or HijackThis.

6. Delete the files autorun.inf, microsoft.inf and thumb.db from the command prompt. Type “del Microsoft.inf /s” (run it from the root of the drive to delete the file across the whole drive). For autorun.inf and thumb.db, since these files are set with the attributes RSHA, type “del autorun.inf /s /ah /f” (again from the root of the drive; replace autorun.inf with thumb.db to delete all thumb.db files).

7. Delete all .lnk files with a size of 1kb; you can use the advanced search function. Be careful about what you delete:

Delete only shortcuts with a size of 1kb that use a folder icon. This is a social technique for spreading the virus that mostly tricks newcomers.

8. Repair your registry

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands for executable file types
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

; Remove the autostart values added by the virus
[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

9. Scan with your best antivirus program to make sure your system is clean, then restart your computer.

Remove Fujacks e worm

Wednesday, August 5th, 2009



Remove Fujacks.e Worm

Fujacks.e is a worm that targets networks with weak passwords, and tries to infect all executable files on the computers in the network.

Fujacks.e can close popular antivirus or antispyware programs, and even disable your firewall. Fujacks.e boots up with the computer and may sit there undetected for quite a while, until you scan and detect Fujacks.e.

Almost the only way you’ll notice Fujacks.e is if Fujacks.e slows down your computer and disables your legitimate security programs.



How to remove FuJacks.e worm manually.

Stop Fujacks.e Processes:

gamesetup.exe
setup.exe
spoclsv.exe

Remove Fujacks.e Register Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare

Get rid of Fujacks.e files:

desktop_.ini

Note: In any Fujacks.e files I mention above, “%UserProfile%” is a variable referring to your current user’s profile folder. If you’re using Windows NT/2000/XP, by default this is “C:\Documents and Settings\[CURRENT USER]” (e.g., “C:\Documents and Settings\JoeSmith”). If you have any questions about manual Fujacks.e removal, go ahead and leave a comment.

Remove worm win32 netbooster

Monday, August 3rd, 2009



What is Worm32.NetBooster and how to remove it?

Worm.Win32.Netbooster – worm? Actually, Worm.Win32.Netbooster is not a real worm. A few rogue anti-spyware programs such as Malware Bell 3.2, Virusheat, AntiVirProtect, MalwareAlarm and PC-Antispyware, and Trojan horses such as Trojan Zlob, generate fake security alerts claiming that the user's computer is infected with Worm.Win32.Netbooster, to trick users into buying rogue anti-spyware removers.
The possible error messages can be:

“Your browser was hijacked by Worm.Win32.Netbooster”
or
“Your browser was hijacked by Worm.Win32.Netbooster”

Worm.Win32.Netbooster can slow the user's computer performance and can cause critical system errors. Do not trust any rogue anti-spyware programs that Worm.Win32.Netbooster promotes, and delete it as soon as possible.



How to manually remove Worm.Win32.Netbooster

To save time and avoid the risk of destroying your computer, we highly recommend using a spyware scanner such as SpyHunter to detect Worm.Win32.Netbooster and other spyware, adware, Trojans, viruses, keyloggers, and more that can be hidden in your PC.

Files associated with Worm.Win32.Netbooster infection:

mscfg32.dll
cjvy.dll
vtssp.dll
ttvbonvgl.dll
ssqppol.dll
gqagksr.dll
esent9.dll
pmspl.dll
windivx.dll
msvideo.dll
ecxwp.dll
stream32a.dll
websrc32.dll
mlljh.dll
urqnomm.dll

Worm.Win32.Netbooster DLL’s to remove:

mscfg32.dll
cjvy.dll
vtssp.dll
ttvbonvgl.dll
ssqppol.dll
gqagksr.dll
esent9.dll
pmspl.dll

OR, Download Super anti spyware(FREE) Spywares, Adwares, Malwares Removal tool