Tuesday, June 9, 2009

Conficker Manual Removal Guide

Conficker Description

Conficker, also known as W32/Conficker.worm, Win32/Conficker.A, W32.Downadup, Downadup and Kido, is a worm that exploits the Windows vulnerability patched by Microsoft security bulletin MS08-067. Once Conficker infects a PC, it may block access to security websites and disable Windows services such as Windows Security Center, Windows Error Reporting and Windows Defender. The real danger of Conficker is its ability to spread to other vulnerable computers, including through network shares: once one computer on a network is infected, it can spread to the other computers on that network. Microsoft has released a patch for the underlying vulnerability; apply it, or a cleaned machine will simply be reinfected.
Conficker Manual Removal Instructions
1b. How to Kill Conficker DLL files.
  1. Right-click the Explorer.exe process and choose the option “Properties”.
  2. Click on the “Threads” Tab, locate and highlight the Conficker DLL files listed below.
  3. To kill Conficker DLL files, click the “Kill” button.
  4. Kill the following Conficker DLL files:
  • %All Users Application Data%\[RANDOM FILE NAME].dll
  • %Program Files%\Movie Maker\[RANDOM FILE NAME].dll
  • %Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • vhoinp.dll
  • %System%\[RANDOM FILE NAME].dll

Step 1: How to Delete Conficker Registry Keys and Values.

  1. Right-click on your Desktop > select “New” option > select “Text Document” (.txt file) option.
  2. Rename the .txt file to a .reg file called “Delete_Registry_Conficker_Entities.reg”. A .reg file is a script that Registry Editor imports; a key written inside the square brackets with a leading minus sign, such as [-HKEY_...], tells Registry Editor to delete that key, which is how the file below removes the Conficker entries.
  3. Right-click and select the “Edit” option.
  4. Copy and paste the Conficker keys listed below.
  5. In the menu bar, go to “File” > select “Save” > then click the “X” button to close the file.
  6. Double-click on the .reg file.
  7. When the message box appears saying “Are you sure you want to add the information in C:\DOCUME~1\%username%\Desktop\DELETE~1.REG to the registry?”, click the “Yes” button.
  8. When the message box appears saying “Information in C:\DOCUME~1\%username%\Desktop\DELETE~1.REG has been successfully entered into the registry.”, click the “OK” button.
  9. The Conficker registry keys have been deleted from your registry.
  10. Copy and paste the following Conficker keys (the file must begin with the “Windows Registry Editor Version 5.00” header line):

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\APPINIT_DLLS\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]
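Before double-clicking a .reg file you downloaded or typed in, it is worth checking what it will actually do. The following Python script is an added example, not part of the original guide, that parses the “Windows Registry Editor Version 5.00” format and lists each action: a bracketed key with a leading minus sign is a key deletion, a bare bracketed key is a key creation, and a "Name"=- line deletes a single value. The sample input embedded in the script is constructed from two of the Conficker entries above plus one Winlogon key to show the value syntax; the script only reads text and never touches the live registry.

```python
"""List the actions a .reg file will perform when imported (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: two entries from the Conficker .reg above, plus one
# key with value-level lines to show the "Name"="data" and "Name"=- forms.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"BadValue"=-
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')  # "Name"=data or @=data

Action = Tuple[str, str, str, str]  # (action, key, value_name, data)


def parse_reg(text: str) -> List[Action]:
    """Return one tuple per action the file performs, in file order.

    action is 'delete_key', 'add_key', 'delete_value' or 'set_value';
    value_name is '' for key-level actions and '@' for the default value.
    Multi-line hex data (lines ending in a backslash) is not handled, which
    is fine for delete-only files like the Conficker one above.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Registry Editor 5.00 file (note: real exports are UTF-16)")
    actions: List[Action] = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current_key = key
            actions.append(("delete_key" if minus else "add_key", key, "", ""))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3)
            if data == "-":
                actions.append(("delete_value", current_key, name, ""))
            else:
                actions.append(("set_value", current_key, name, data))
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    """Count actions by type so a reviewer sees at a glance what the file does."""
    counts: Dict[str, int] = {}
    for action, *_ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for action, key, name, data in parsed:
        print(f"{action:13} {key} {name} {data}".rstrip())
    print(summarize(parsed))
```

A file that only contains delete_key lines, like the Conficker one, is the safest kind to import; if a downloaded .reg file turns out to add Run or Winlogon values instead, that is a reason not to import it.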


Generic Trojan / Adware Removal Procedures
(2 different procedures you can try for malware removal)
By: David Lipman

Procedure #1

  1. Download the following four items (links will open a new browser window)...

    McAfee Stinger
    http://vil.nai.com/vil/stinger/

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend Virus Pattern Files. (example; lpt285.zip*)
    http://www.trendmicro.com/download/pattern.asp

    (*The file name lpt285.zip is simply an example name of the file and you'll find the filename posted at TrendMicro will have a higher number than 285. Each time TrendMicro produces new Pattern Files the number in the file name will be incremented accordingly.)

    Ad-Aware SE (free personal edition)
    http://www.lavasoftusa.com/

  2. Create a new directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\username\Desktop\New Folder")

    Place SYSCLEAN.COM (the Trend Sysclean Package referenced above) into the new directory you created. Extract the latest Trend Virus Pattern Files (Example: lpt$vpn.285 and WHATSNEW.TXT) from the zip file you downloaded above into the same new directory you created. The Trend Pattern File contained in the ZIP file must be placed in the same directory as SYSCLEAN.COM!

    Important: The TrendMicro Pattern file is updated regularly, anywhere from once per day to a few times a day. Always make sure you have the latest version of SYSCLEAN.COM and the Pattern File before you scan your platform. The McAfee Stinger Internet worm and Trojan removal tool is upgraded periodically. Always make sure you have the latest version of the McAfee Stinger utility before you scan your platform.

  3. Install and Update Ad-Aware with the latest definitions.

  4. If you are using WinME or WinXP, disable System Restore.
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

  5. Reboot your PC into Safe Mode [F8 key during boot process].

    How to Boot Into Safe Mode:

    Generic

    Windows XP
    How to perform a clean boot in Windows XP

  6. Using McAfee Stinger, the Trend Sysclean utility and Ad-Aware, perform a Full Scan of your platform and clean and/or delete any infectors and/or parasites found (a few cycles may be needed).

  7. Restart your PC and perform a "final" Full Scan of your platform using McAfee Stinger, the Trend Sysclean utility and Ad-Aware.

  8. If you are using WinME or WinXP, re-enable System Restore and re-apply any System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).

  9. Reboot your PC.

  10. If you are using WinME or WinXP, create a new Restore point

End of Procedure #1

* * * Please report back your results * * *


Procedure #2

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/index.cfm?pid=1411&pk=28470

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter { http://kixtart.org - Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one Link (.LNK) file, a PDF instruction file and two utilities, UNZIP.EXE and WGET.EXE. It will simplify the process of using the Sophos, Trend, Kaspersky and McAfee anti-virus command line scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

End of Procedure #2

* * * Please report back your results * * *

Shit happens: if a virus has attacked your mobile phone, it is inevitable that something went wrong, and what you have to do is simply format the phone. To format the phone, press *#7370#, then enter the lock code, which is the phone's security code. NOTE: the battery must be fully charged; if the format is interrupted by a low battery, the consequences will be disastrous.
I heard the code *#7780# works too, pretty much the same I think. For 6600 users there is an alternative way to format the phone: press and hold <3>, <*>, and the buttons, then power on the phone and keep holding the three buttons until you reach a format screen. This method ONLY works on the 6600 and does not require the security code, BUT the security code won't be reset to the default 12345.


Net Screen Watcher:

1. a spyware program

2. monitors user activity on the compromised computer

3. can capture screenshots of the compromised computer

4. also modifies Windows registry

5. runs each time Windows is started


Solution:

1. Temporarily Turn off System Restore.
2. Update the virus definitions.
3. Reboot computer in SafeMode (During BootUp process Press F8)
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry.

  • Click Start > Run
  • Type regedit at the box
  • Click OK.

Navigate to and delete the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Net Screen Watcher 网络屏幕监视管理端 企业版 V1.78 (2008.08.26) wxw.mynsw.cn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Screen Watcher 网络屏幕监视管理端 企业版 V1.78 (2008.08.26) wxw.mynsw.cn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Screen Watcher用户端（受监视端） 企业版 For Win98 V1.68 Beta3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Screen Watcher用户端（受监视端） 企业版 For Windows Vista V1.68 Beta3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Screen Watcher用户端（受监视端） 企业版 For Windows2000/XP/2003 V1.68 (2007.08.03) wxw.mynsw.cn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Screen Watcher用户端（受监视端） 企业精简版 For Windows2000/XP/2003 V1.68 (2007.11.14) wxw.mynsw.cn
  • HKEY_LOCAL_MACHINE\SOFTWARE\ZQNSWkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\ZQkey
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NSWServer
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mynsw" = "C:\Program Files\Net Screen Watcher\wntsrv.exe"

Note: USBSTOR is Windows' own USB mass storage driver service and exists on every installation, so removing that key disables USB storage devices rather than the spyware. Check the service's ImagePath value and remove it only if it points at a Net Screen Watcher file.

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software.

Friday, December 26, 2008

How To Manually Remove Vundo Trojan ?

Vundo Description:

Vundo is a widespread trojan that shows a large number of unsolicited pop-up advertisements. The spyware also silently downloads from the Internet and runs arbitrary, potentially harmful files, mostly adware components. Vundo is distributed by e-mail in messages containing links to insecure websites that exploit certain security vulnerabilities of the Internet Explorer web browser. Once the user clicks such a link, Internet Explorer opens a dangerous site that automatically installs the trojan on the computer without the user's knowledge and consent. Vundo is responsible for a severe decrease in the amount of virtual memory available, which results in noticeable PC performance slowdowns. Vundo secretly runs on every Windows startup.

Vundo Manual Removal Instructions:

Step 1 : Use Windows File Search Tool to Find Vundo Path

  1. Go to Start > Search > All Files or Folders.
  2. In the "All or part of the file name" section, type in the "Vundo" file name(s).
  3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
  4. When Windows finishes your search, hover over the "In Folder" of "Vundo", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Vundo in the following manual removal steps.

Step 2 : Use Registry Editor to Remove Vundo Registry Values

  1. To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete "Vundo" value, right-click on it and select the "Delete" option.
  4. Locate and delete "Vundo" registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Active State 02F96FB7-8AF6-439B-B7BA-2F952F9E4800
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents 8109AF33-6949-4833-8881-43DCC232B7B2 2316230A-C89C-4BCC-95C2-66659AC7A775
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*[filename]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\*WinLogon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2316230A-C89C-4BCC-95C2-66659AC7A775}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
  • HKEY_CLASSES_ROOT\CLSID\{8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_CLASSES_ROOT\CLSID\{2316230A-C89C-4BCC-95C2-66659AC7A775}

Step 3 : Use Windows Command Prompt to Unregister Vundo DLL Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  2. Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Vundo DLL file is located and press the "Enter" button on your keyboard. If you don't know where Vundo DLL file is located, use the "dir" command to display the directory's contents.
  3. To unregister the "Vundo" DLL file, type "regsvr32 /u" followed by the DLL name while in that directory (for example, C:\Spyware-folder\> regsvr32 /u Vundo.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
  4. Search and unregister "Vundo" DLL files: vzbb.dll

Step 4 : Detect and Delete Other Vundo Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
  2. Type in "dir /A name_of_the_folder" (for example, dir /A C:\Spyware-folder), which displays the folder's contents including hidden files.
  3. To change directory, type in "cd name_of_the_folder".
  4. Once you have the file you're looking for type in "del name_of_the_file".
  5. To delete a file in folder, type in "del name_of_the_file".
  6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
  7. Select the "Vundo" process and click on the "End Process" button to kill it.
  8. Remove the "Vundo" processes files: vzbb.dll

Tuesday, December 23, 2008

How To Remove Zlob Trojan?

What's Zlob Trojan?

Zlob Trojan is a backdoor Trojan which can give an anonymous attacker remote control over your PC. Zlob Trojan also lets the attacker execute commands on your PC, so that the attacker can gain control of your system and disable your security. Zlob Trojan puts your personal and financial information at risk.

Do I have Zlob Trojan?

  1. Slow computer performance
  2. New desktop shortcuts or switched homepage
  3. Annoying popups on your PC

How did I get Zlob Trojan?

  1. Freeware or Shareware
  2. Peer-to-Peer Software
  3. Questionable Websites

Remove Zlob Trojan Manually!

To remove Zlob Trojan manually, you need to delete Zlob Trojan files.

Step 1 : Use Windows File Search Tool to Find Zlob Path

  1. Go to Start > Search > All Files or Folders.
  2. In the "All or part of the file name" section, type in the "Zlob" file name(s).
  3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
  4. When Windows finishes your search, hover over the "In Folder" of "Zlob", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Zlob in the following manual removal steps.
Step 2 : Use Windows Task Manager to Remove Zlob Processes
  1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
  2. Click on the "Image Name" button to search for "Zlob" process by name.
  3. Select the "Zlob" process and click on the "End Process" button to kill it.
  4. Remove the "Zlob" processes files:
  • msmsgs.exe
  • nvctrl.exe
Step 3 : Use Registry Editor to Remove Zlob Registry Values
  1. To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete "Zlob" value, right-click on it and select the "Delete" option.
  4. Locate and delete "Zlob" registry entries:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, msmsgs.exe (the default value of Shell is explorer.exe; remove only the appended msmsgs.exe, do not delete the whole value)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32 = %System%\msmsgs.exe
Step 4 : Use Windows Command Prompt to Unregister Zlob DLL Files
  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  2. Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Zlob DLL file is located and press the "Enter" button on your keyboard. If you don't know where Zlob DLL file is located, use the "dir" command to display the directory's contents.
  3. To unregister the "Zlob" DLL file, type "regsvr32 /u" followed by the DLL name while in that directory (for example, C:\Spyware-folder\> regsvr32 /u Zlob.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
  4. Search and unregister "Zlob" DLL files:
  • uimcu.dll
  • antzozc.dll
  • dtjby.dll
Step 5 : Detect and Delete Other Zlob Files
  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
  2. Type in "dir /A name_of_the_folder" (for example, dir /A C:\Spyware-folder), which displays the folder's contents including hidden files.
  3. To change directory, type in "cd name_of_the_folder".
  4. Once you have the file you're looking for type in "del name_of_the_file".
  5. To delete a file in folder, type in "del name_of_the_file".
  6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
  7. Select the "Zlob" process and click on the "End Process" button to kill it.
  8. Remove the "Zlob" processes files:
  • uimcu.dll
  • antzozc.dll
  • dtjby.dll
  • dumpserv.com
  • zxserv0.com
  • vnp7s.net
  • ncompat.tlb
  • msvol.tlb
  • hp[X].tmp
  • msmsgs.exe
  • nvctrl.exe
  • %UserProfile%\Application Data\Microsoft\Protect
  • %UserProfile%\Application Data\Microsoft\Crypto\RSA

Note: the Protect and Crypto\RSA folders are Windows' own DPAPI and CryptoAPI key stores and exist in every user profile. Deleting the folders themselves destroys the keys that protect that user's encrypted data and stored credentials, so remove only the Zlob files dropped inside them, not the folders.

Note: Here "%System%" is a variable referring to your PC's System folder. Maybe you renamed it, but by default your System folder is "C:\Windows\System32" on Windows XP, "C:\Winnt\System32" on Windows NT/2000, or "C:\Windows\System" on Windows 95/98/Me.

"%Program_Files%", "%ProgramFiles%", or "%Profile%" is a variable referring to the folder on your PC where applications that aren't part of the operating system are installed by default. You may have changed this folder's name or moved it, but if you didn't touch it, the folder is "C:\Program Files". If you're having trouble finding this folder, you can locate it by looking up the registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir".

Also, "%UserProfile%" is a variable referring to your current user's profile folder. If you're using Windows NT/2000/XP, by default this is "C:\Documents and Settings\[CURRENT USER]" (e.g., "C:\Documents and Settings\JoeSmith").

Sunday, December 21, 2008

How To Manually Remove SCVHOST.EXE Virus?


Some antivirus products detect it under other names: W32/YahLover.Worm.gen (McAfee Antivirus) and Win32/Autorun.R.worm (NOD32).

Solution:
  • Restart your PC and press F8 and select the option Safe Mode Command Prompt Only
  • And after you log-in the command prompt you must log-in as Administrator.
  • Type cd C:\windows\system32
  • Type dir /ah, to display all hidden files on this directory folder. You will see the following files which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
  • Type ATTRIB -H -R -S SCVHOST.EXE
  • Type ATTRIB -H -R -S BLASTCLNNN.EXE
  • Type ATTRIB -H -R -S AUTORUN.INI
  • Type DEL SCVHOST.EXE
  • Type DEL BLASTCLNNN.EXE
  • Type DEL AUTORUN.INI
  • Type CD\
  • Type ATTRIB -H -R -S AUTORUN.INF
  • Type DEL AUTORUN.INF
You are almost done, reboot your PC.

Go to the Start menu, click Run and type the REGEDIT command. Take note, guys: before making any changes in Registry Editor you must make a full backup of your registry to avoid system errors. :)

Look for the following entry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you see an entry named Yahoo! Messengger (it’s spelled like this) with the value c:\windows\system32\scvhost.exe, delete this entry.

Look for the following entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The entry named SHELL has the value Explorer.exe,SCVHOST.EXE. Edit this value and delete only the SCVHOST.EXE part, so that the value is just Explorer.exe. If you delete the whole value, your computer will no longer be able to log in.

We are now done. Please Restart your PC now.

Wednesday, December 17, 2008

How to remove WORM_AGENT.VDO?

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your computer with your antivirus product.
  2. NOTE the path and file name of all files detected as WORM_AGENT.VDO.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press
    CTRL+ALT+DELETE
    • On Windows NT, 2000, XP, and Server 2003, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entry from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.

Restoring Modified Registry Entry

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
  2. In the right panel, locate the entry:
    Userinit = "%System%\userinit.exe, {Malware name}"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Userinit = "%System%\userinit.exe,"
  4. Close Registry Editor.
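The Zlob, SCVHOST.EXE and WORM_AGENT.VDO sections above all hijack the same two Winlogon values: the malware appends its own file to Shell (default explorer.exe) or to Userinit (default %System%\userinit.exe, written with a trailing comma). The Python below is an added example, not part of the original guide, that checks such a value the way the text describes: it splits on commas, flags everything that is not the default, and returns the value to put back, rather than deleting the whole entry (which, as the SCVHOST.EXE section warns, leaves the machine unable to log in). The function names and the sample values are constructed; the system folder is assumed to be C:\WINDOWS\system32 and can be overridden.

```python
"""Check Winlogon Shell and Userinit values for appended programs (added example)."""
from typing import Dict, List

DEFAULT_SHELL = "explorer.exe"
DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\system32"   # assumed; pass the real one if different


def _parts(value: str) -> List[str]:
    """Split a comma-separated Winlogon value, dropping blanks (the trailing comma)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_shell(value: str) -> Dict[str, object]:
    """Flag every program in Shell that is not the default explorer.exe."""
    extras = [p for p in _parts(value) if p.lower() != DEFAULT_SHELL]
    return {"modified": bool(extras), "extras": extras, "restored": DEFAULT_SHELL}


def check_userinit(value: str, system_dir: str = DEFAULT_SYSTEM_DIR) -> Dict[str, object]:
    """Flag every program in Userinit that is not <system_dir>\\userinit.exe.

    Accepts the %System% placeholder the guide uses; the comparison is
    case-insensitive because Windows paths are.
    """
    expected = system_dir.rstrip("\\") + r"\userinit.exe"
    expanded = value.replace("%System%", system_dir)
    extras = [p for p in _parts(expanded) if p.lower() != expected.lower()]
    # Windows writes Userinit with a trailing comma; keep that form when restoring.
    return {"modified": bool(extras), "extras": extras, "restored": expected + ","}


def audit(shell: str, userinit: str, system_dir: str = DEFAULT_SYSTEM_DIR) -> List[str]:
    """Findings for both values; an empty list means both are clean."""
    findings: List[str] = []
    s = check_shell(shell)
    if s["modified"]:
        findings.append(f"Shell launches extra program(s) {s['extras']}; "
                        f"set it back to {s['restored']!r}")
    u = check_userinit(userinit, system_dir)
    if u["modified"]:
        findings.append(f"Userinit launches extra program(s) {u['extras']}; "
                        f"set it back to {u['restored']!r}")
    return findings


if __name__ == "__main__":
    # Constructed values in the shape the three sections describe.
    for finding in audit("Explorer.exe,SCVHOST.EXE",
                         r"%System%\userinit.exe, %System%\wrm_sample.exe"):
        print(finding)
    print(audit("explorer.exe", r"C:\WINDOWS\system32\userinit.exe,"))   # []
```

Checking both values with one call is deliberate: a worm that was cleaned out of Shell is sometimes still present in Userinit, and either one is enough to bring it back at the next logon.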

Deleting AUTORUN.INF

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    AUTORUN.INF
  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open using Notepad.
  5. Check if the following lines are present in the file:
    [Autorun]
    OPEN=fooool.exe
    shell\open=
    shell\open\Command=fooool.exe
    shell\open\Default=1
    shell\explore=
    shell\explore\Command=fooool.exe
  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
  8. Close Search Results.
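The AUTORUN.INF check in these steps (and the AUTORUN.INF deletion in the SCVHOST.EXE section above) comes down to one question: does the file launch a program when the drive is opened? Here is an added Python example, not part of the original post, that parses an AUTORUN.INF and reports the open, shellexecute and shell\...\command entries that start a program, while ignoring harmless icon and label entries. Both sample files are constructed; the suspicious one uses exactly the lines listed in the steps above.

```python
"""Report AUTORUN.INF entries that launch a program (added example)."""
import re
from typing import Dict

# Constructed sample: the lines the steps above tell you to look for.
SUSPECT_AUTORUN = r"""[Autorun]
OPEN=fooool.exe
shell\open=
shell\open\Command=fooool.exe
shell\open\Default=1
shell\explore=
shell\explore\Command=fooool.exe
"""

# Constructed benign sample: sets an icon and a label, launches nothing.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Backup drive
"""

# Keys whose value gets executed: open, shellexecute and shell\<verb>\command.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def launch_targets(text: str) -> Dict[str, str]:
    """Return {key: command} for every entry in [autorun] that starts a program."""
    targets: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value and LAUNCH_KEY_RE.match(key):
            targets[key.lower()] = value
    return targets


def verdict(text: str) -> str:
    """One-line summary suitable for a removal log."""
    targets = launch_targets(text)
    if not targets:
        return "no launch entries"
    return "launches: " + ", ".join(sorted(set(targets.values())))


if __name__ == "__main__":
    print(verdict(SUSPECT_AUTORUN))   # launches: fooool.exe
    print(verdict(BENIGN_AUTORUN))    # no launch entries
```

Empty verb lines such as shell\open= carry no command and are skipped; it is the matching shell\open\Command line (or a bare OPEN line) that names the file the worm wants run, which is also the file to hand to your scanner.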

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with antivirus and delete files detected as WORM_AGENT.VDO. To do this, users must download the latest virus pattern file and scan their computer.