Friday, December 26, 2008

How To Manually Remove Vundo Trojan?

Vundo Description:

Vundo is a widely spread trojan that shows a large number of unsolicited pop-up advertisements. The spyware also silently downloads arbitrary, potentially harmful files from the Internet and runs them, mostly adware components. Vundo is distributed by e-mail in messages containing links to insecure web sites that exploit certain security vulnerabilities in the Internet Explorer web browser. Once the user clicks on such a link, Internet Explorer opens a dangerous site that automatically installs the trojan on the computer without the user's knowledge or consent. Vundo is responsible for a severe decrease in the amount of virtual memory available to the computer, which results in noticeable PC performance slowdowns. Vundo secretly runs on every Windows startup.

Vundo Manual Removal Instructions:

Step 1 : Use Windows File Search Tool to Find Vundo Path

  1. Go to Start > Search > All Files or Folders.
  2. In the "All or part of the file name" section, type in the "Vundo" file name(s).
  3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
  4. When Windows finishes your search, hover over the "In Folder" column of the "Vundo" result, highlight the file and copy/paste the path into the address bar. Keep the file's path on your clipboard, because you'll need it to delete Vundo in the following manual removal steps.

Step 2 : Use Registry Editor to Remove Vundo Registry Values

  1. To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete "Vundo" value, right-click on it and select the "Delete" option.
  4. Locate and delete "Vundo" registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Active State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
  • HKEY_CLASSES_ROOT\CLSID\{8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_CLASSES_ROOT\CLSID\{2316230A-C89C-4BCC-95C2-66659AC7A775}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2316230A-C89C-4BCC-95C2-66659AC7A775}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*[filename]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\*WinLogon

Step 3 : Use Windows Command Prompt to Unregister Vundo DLL Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  2. Type cd, a space, and then the full path to the folder where you believe the Vundo DLL file is located, and press Enter. If you don't know where the Vundo DLL file is located, use the dir command to display the directory's contents.
  3. To unregister the "Vundo" DLL file, at that directory's prompt type regsvr32 /u followed by the DLL name (for example, C:\Spyware-folder\> regsvr32 /u Vundo.dll) and press Enter. A message will pop up saying that you successfully unregistered the file.
  4. Search for and unregister the "Vundo" DLL file: vzbb.dll

Step 4 : Detect and Delete Other Vundo Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
  2. Type dir /A name_of_the_folder (for example, dir /A C:\Spyware-folder), which lists the folder's contents including hidden files.
  3. To change directory, type cd name_of_the_folder.
  4. Once you have found the file you're looking for, type del name_of_the_file.
  5. To delete a file inside a folder, type del name_of_the_file.
  6. To delete the entire folder, type rmdir /S name_of_the_folder.
  7. Select the "Vundo" process and click on the "End Process" button to kill it.
  8. Remove the "Vundo" process files: vzbb.dll

Tuesday, December 23, 2008

How To Remove Zlob Trojan?

What's Zlob Trojan?

Zlob Trojan is a backdoor Trojan which can give an anonymous attacker remote control over your PC. Zlob Trojan also lets the attacker execute commands on your PC, so that the attacker can gain control of your system and disable your security. Zlob Trojan puts your personal and financial information at risk.

Do I have Zlob Trojan?

  1. Slow computer performance
  2. New desktop shortcuts or switched homepage
  3. Annoying popups on your PC

How did I get Zlob Trojan?

  1. Freeware or Shareware
  2. Peer-to-Peer Software
  3. Questionable Websites

Remove Zlob Trojan Manually!

To remove Zlob Trojan manually, you need to delete Zlob Trojan files.

Step 1 : Use Windows File Search Tool to Find Zlob Path

  1. Go to Start > Search > All Files or Folders.
  2. In the "All or part of the file name" section, type in the "Zlob" file name(s).
  3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
  4. When Windows finishes your search, hover over the "In Folder" column of the "Zlob" result, highlight the file and copy/paste the path into the address bar. Keep the file's path on your clipboard, because you'll need it to delete Zlob in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Zlob Processes

  1. To open the Windows Task Manager, press CTRL+ALT+DEL or CTRL+SHIFT+ESC.
  2. Click on the "Image Name" column header to search for the "Zlob" process by name.
  3. Select the "Zlob" process and click on the "End Process" button to kill it.
  4. Remove the "Zlob" process files:
  • msmsgs.exe
  • nvctrl.exe

Step 3 : Use Registry Editor to Remove Zlob Registry Values

  1. To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete a "Zlob" value, right-click on it and select the "Delete" option.
  4. Locate and delete the "Zlob" registry entries:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, msmsgs.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32 = %System%\msmsgs.exe

Step 4 : Use Windows Command Prompt to Unregister Zlob DLL Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  2. Type cd, a space, and then the full path to the folder where you believe the Zlob DLL file is located, and press Enter. If you don't know where the Zlob DLL file is located, use the dir command to display the directory's contents.
  3. To unregister a "Zlob" DLL file, at that directory's prompt type regsvr32 /u followed by the DLL name (for example, C:\Spyware-folder\> regsvr32 /u Zlob.dll) and press Enter. A message will pop up saying that you successfully unregistered the file.
  4. Search for and unregister the "Zlob" DLL files:
  • uimcu.dll
  • antzozc.dll
  • dtjby.dll

Step 5 : Detect and Delete Other Zlob Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
  2. Type dir /A name_of_the_folder (for example, dir /A C:\Spyware-folder), which lists the folder's contents including hidden files.
  3. To change directory, type cd name_of_the_folder.
  4. Once you have found the file you're looking for, type del name_of_the_file.
  5. To delete a file inside a folder, type del name_of_the_file.
  6. To delete the entire folder, type rmdir /S name_of_the_folder.
  7. Select the "Zlob" process and click on the "End Process" button to kill it.
  8. Remove the "Zlob" process files:
  • uimcu.dll
  • antzozc.dll
  • dtjby.dll
  • dumpserv.com
  • zxserv0.com
  • vnp7s.net
  • ncompat.tlb
  • msvol.tlb
  • hp[X].tmp
  • msmsgs.exe
  • nvctrl.exe
  • %UserProfile%\Application Data\Microsoft\Protect
  • %UserProfile%\Application Data\Microsoft\Crypto\RSA

Note that the last two folders are where Windows keeps the profile's DPAPI master keys and RSA key containers; anything encrypted with them (saved credentials, EFS files, certificate private keys) becomes unrecoverable once they are removed, so back them up first.

Note: Here %System% is a variable referring to your PC's System folder. You may have renamed it, but by default your System folder is "C:\Windows\System32" on Windows XP, "C:\Winnt\System32" on Windows NT/2000, or "C:\Windows\System" on Windows 95/98/Me.

"%Program_Files%", "%ProgramFiles%" or "%Profile%" is a variable referring to the folder on your PC where applications that aren't part of the operating system are installed by default. You may have renamed or moved this folder, but if you didn't touch it, you will find it as "C:\Program Files". If you're having trouble finding this folder, you can locate it by looking up the registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir".

Also, %UserProfile% is a variable referring to your current user's profile folder. If you're using Windows NT/2000/XP, by default this is "C:\Documents and Settings\[CURRENT USER]" (e.g., "C:\Documents and Settings\JoeSmith").

Sunday, December 21, 2008

How To Manually Remove SCVHOST.EXE Virus?

Some antivirus products detect it as W32/YahLover.Worm.gen (McAfee Antivirus) or Win32/Autorun.R.worm (NOD32).

Solution:
  • Restart your PC, press F8 and select the option "Safe Mode with Command Prompt".
  • When the command prompt appears, log in as Administrator.
  • Type cd C:\windows\system32
  • Type dir /ah to display all hidden files in this directory. You will see the following files, which the virus uses to spread itself: AUTORUN.INI, BLASTCLNNN.EXE and SCVHOST.EXE
  • Type ATTRIB -H -R -S SCVHOST.EXE
  • Type ATTRIB -H -R -S BLASTCLNNN.EXE
  • Type ATTRIB -H -R -S AUTORUN.INI
  • Type DEL SCVHOST.EXE
  • Type DEL BLASTCLNNN.EXE
  • Type DEL AUTORUN.INI
  • Type CD\
  • Type ATTRIB -H -R -S AUTORUN.INF
  • Type DEL AUTORUN.INF

You are almost done; reboot your PC.

Go to the Start Menu, click Run and type the REGEDIT command. Take note, guys: before making any changes in the Registry Editor you must make a full backup of your registry to avoid system errors. :)

Look at the following location:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you see an entry named Yahoo! Messengger (it's spelled like this) with the value c:\windows\system32\scvhost.exe, delete this entry.

Look at the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The entry named SHELL has the value Explorer.exe,SCVHOST.EXE. Edit this value and delete only the SCVHOST.EXE part, so that the value reads Explorer.exe. If you delete the whole value, your computer will not log in anymore.

We are now done. Please restart your PC now.

Wednesday, December 17, 2008

How to remove WORM_AGENT.VDO?

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your computer with your antivirus product.
  2. NOTE the path and file name of all files detected as WORM_AGENT.VDO.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entry from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.

Restoring Modified Registry Entry

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  2. In the right panel, locate the entry:
    Userinit = "%System%\userinit.exe, {Malware name}"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Userinit = "%System%\userinit.exe,"
  4. Close Registry Editor.

Deleting AUTORUN.INF

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    AUTORUN.INF
  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open it using Notepad.
  5. Check if the following lines are present in the file:
    [Autorun]
    OPEN=fooool.exe
    shell\open=
    shell\open\Command=fooool.exe
    shell\open\Default=1
    shell\explore=
    shell\explore\Command=fooool.exe
  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for the AUTORUN.INF files on the remaining removable drives.
  8. Close Search Results.
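As an added example (not part of the original post), here is a small Python checker that parses an AUTORUN.INF and flags the traits in the lines above: shell\open\Command and shell\explore\Command overriding Explorer's built-in Open and Explore verbs, shell\open\Default=1 making the hijacked verb the double-click action, and every launch key pointing at the same file. The file contents are constructed inline; the benign installer sample is an assumption for comparison, not something the post describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the AUTORUN.INF contents quoted in the WORM_AGENT.VDO steps.
WORM_AGENT_INF = r"""[Autorun]
OPEN=fooool.exe
shell\open=
shell\open\Command=fooool.exe
shell\open\Default=1
shell\explore=
shell\explore\Command=fooool.exe
"""

# Constructed sample of a benign installer CD for comparison (assumption, not from the post).
BENIGN_INF = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

# Explorer verbs the worm redirects: with these set, "Open"/"Explore" on the drive
# (and a double-click) launch the dropped file instead of browsing the drive.
HIJACKED_VERB_RE = re.compile(r"^shell\\(open|explore)\\command$")


def parse_inf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style text into {section: [(key, value), ...]}.
    Section names and keys are lower-cased because Windows matches them
    case-insensitively; values keep their original case."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(text: str) -> Dict[str, str]:
    """Map every [autorun] key that launches a program (open, shellexecute,
    shell\\<verb>\\command) to the bare, lower-cased file name it launches."""
    targets: Dict[str, str] = {}
    for key, value in parse_inf(text).get("autorun", []):
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            # First token only, honouring quotes: '"my app.exe" /s' -> 'my app.exe'
            m = re.match(r'"([^"]+)"|(\S+)', value)
            targets[key] = (m.group(1) or m.group(2)).lower()
    return targets


def autorun_findings(text: str) -> List[str]:
    """Return one line per trait from the removal steps that is present."""
    findings: List[str] = []
    targets = launch_targets(text)
    for key, exe in targets.items():
        if HIJACKED_VERB_RE.match(key):
            findings.append(f"{key} overrides Explorer's built-in verb and runs {exe}")
    for key, value in parse_inf(text).get("autorun", []):
        if key == "shell\\open\\default" and value == "1":
            findings.append("shell\\open\\default=1 makes the hijacked Open verb the double-click action")
    if len(targets) > 1 and len(set(targets.values())) == 1:
        findings.append(f"all {len(targets)} launch keys point at the same file: {next(iter(targets.values()))}")
    return findings


if __name__ == "__main__":
    for name, inf in (("worm sample", WORM_AGENT_INF), ("benign sample", BENIGN_INF)):
        hits = autorun_findings(inf)
        print(f"{name}: {'SUSPICIOUS' if hits else 'no findings'}")
        for hit in hits:
            print("  -", hit)
```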

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with antivirus and delete files detected as WORM_AGENT.VDO. To do this, users must download the latest virus pattern file and scan their computer.


1. Cut The Supply Line

  1. Search for the autorun.inf file. It is a read-only file, so you will have to change it to normal by right-clicking the file, selecting Properties and unchecking the Read-only option.
  2. Open the file in Notepad, delete everything and save the file.
  3. Now change the file back to read-only so that the virus cannot write to it again.
  (Screenshot: Autorun INF, cutting the supply line)
  4. Click Start -> Run, type msconfig and click OK.
  5. Go to the Startup tab, look for regsvr, uncheck it and click OK.
  6. Click on "Exit without Restart", because there are still a few things we need to do before we can restart the PC.
  7. Now go to Control Panel -> Scheduled Tasks and delete the At1 task listed there.

2. Open The Gates Of Castle

  1. Click on Start -> Run, type gpedit.msc and click OK.
  (Screenshot: Opening the gate of castle, starting gpedit or msconfig)
  2. If you are a Windows XP Home Edition user you might not have gpedit.msc; in that case download and install it (Windows XP Home Edition: gpedit.msc) and then follow these steps.
  3. Go to User Configuration -> Administrative Templates -> System.
  4. Find "Prevent access to registry editing tools" and set the option to Disabled.
  (Screenshot: Opening the gate of castle, Group Policy editor)
  5. Once you do this you have registry access back.

3. Launch The Attack At Heart Of Castle

  1. Click on Start -> Run, type regedit and click OK.
  2. Go to Edit -> Find and search for regsvr.exe.
  (Screenshot: Launch the attack in the heart of castle, registry search)
  3. Delete all occurrences of regsvr.exe; remember to take a backup before deleting. KEEP IN MIND that regsvr32.exe is not to be deleted. Delete regsvr.exe occurrences only.
  4. In one or two places you will find it after explorer.exe; in these cases delete only the regsvr.exe part and not the whole value. E.g. for Shell = "Explorer.exe regsvr.exe", just delete the regsvr.exe and leave the Explorer.exe.

4. Seek And Destroy The Enemy Soldiers, No One Should Be Left Behind

  1. Click on Start -> Search -> For Files and Folders.
  2. There click All files and folders.
  3. Type "*.exe" as the file name to search for.
  4. Click on the "When was it modified" option and select the "Specify dates" option.
  5. Type 1/31/2008 as the From date and also 1/31/2008 as the To date.
  (Screenshot: Seek and destroy enemy soldiers, the search options)
  6. Now hit Search and wait for all the exe files to show up.
  7. Once the search is over, select all the exe files and Shift+Delete them. Take care not to delete legitimate exe files that you installed on 31st January.
  8. Selecting a lot of files together might make your computer unresponsive, so delete them in small bunches.
  9. Also find and delete regsvr.exe and "svchost .exe" (notice the extra space between svchost and .exe).

5. Time For Celebrations

  1. Now do a cold reboot (i.e. press the reboot button instead) and you are done.
Soon all antivirus programs will be able to automatically detect and clean this virus.

[Note: This solution will work only against viruses which do not infect Windows' own .exe files (e.g. Explorer.exe).]
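The Shell and Userinit hijacks in the SCVHOST.EXE, Zlob, WORM_AGENT.VDO and regsvr.exe posts above (Shell = Explorer.exe,SCVHOST.EXE; Shell = explorer.exe, msmsgs.exe; Userinit = %System%\userinit.exe, {Malware name}; Shell = "Explorer.exe regsvr.exe") all follow one pattern: an extra program appended to a Winlogon value. The following Python is an added example, not from any of the posts: it audits such a value, separates the legitimate program from whatever was appended, and builds the reg add command that restores the value instead of deleting it. The values are constructed strings rather than a live registry read, and the DEFAULTS table is an assumption for Windows XP.

```python
import re
from typing import Dict, List, Tuple

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Legitimate contents of the two values (assumed Windows XP defaults, written the
# way the posts above write them). Userinit keeps its trailing comma.
DEFAULTS: Dict[str, str] = {
    "Shell": "Explorer.exe",
    "Userinit": r"%System%\userinit.exe,",
}

# Constructed sample values, mirroring what the removal posts describe finding.
SAMPLES: Dict[str, str] = {
    "Shell (SCVHOST post)": "Explorer.exe,SCVHOST.EXE",
    "Shell (regsvr post)": "Explorer.exe regsvr.exe",
    "Userinit (WORM_AGENT post)": r"%System%\userinit.exe, fooool.exe",
    "Userinit (clean)": r"C:\WINDOWS\system32\userinit.exe,",
}


def split_entries(value: str) -> List[str]:
    """Split a Winlogon value into program entries. Windows separates them with
    commas; the regsvr.exe post shows a space-separated variant, so both are
    accepted, and a quoted path containing spaces stays one entry."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|[^,\s"]+', value)]


def file_name(entry: str) -> str:
    """Bare, lower-cased file name: strips %System%\\ or C:\\...\\ prefixes."""
    return entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_value(name: str, value: str) -> Tuple[List[str], str]:
    """Return (appended_programs, cleaned_value) for a Shell or Userinit value.
    The legitimate program is the one whose file name matches the default;
    everything else was appended and is reported. If the legitimate program is
    missing entirely, the default value is restored."""
    expected = file_name(split_entries(DEFAULTS[name])[0])
    entries = split_entries(value)
    keep = [e for e in entries if file_name(e) == expected]
    appended = [e for e in entries if file_name(e) != expected]
    if not keep:
        return appended, DEFAULTS[name]
    cleaned = ",".join(keep) + ("," if name == "Userinit" else "")
    return appended, cleaned


def restore_command(name: str, cleaned: str) -> str:
    """reg.exe command that writes the cleaned REG_SZ value back."""
    return f'reg add "{WINLOGON_KEY}" /v {name} /t REG_SZ /d "{cleaned}" /f'


def audit_all(samples: Dict[str, str]) -> Dict[str, Tuple[List[str], str]]:
    """Audit labelled values; each label starts with the value name (Shell/Userinit)."""
    return {label: audit_value(label.split()[0], value) for label, value in samples.items()}


if __name__ == "__main__":
    for label, (appended, cleaned) in audit_all(SAMPLES).items():
        if appended:
            print(f"{label}: appended {appended}")
            print("   fix:", restore_command(label.split()[0], cleaned))
        else:
            print(f"{label}: clean")
```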

Some of the symptoms of viruses are:

  • Disables Task Manager
  • Disables Registry Editor
  • Disables Command Prompt
  • Sometimes no application is running but CPU usage goes over 50%
  • Computer Drives are not opening by Double Click
  • Automatic Shutdown
  • Computer Slows down
  • Hidden Files will not be showing
  • Folder Options will disappear

Solution:

[Caution: While the manual process is going on, do not open any drive through My Computer]

Step 1. Process Termination

Download Process Explorer and Autoruns in order to complete the instructions below.
  1. Close all programs (even from the tray) except your Internet browser.
  2. Run Process Explorer by typing procexp in Start -> Run and proceed as illustrated.
(Screenshot: Process Explorer)

After collapsing:

(Screenshot: mspaint.exe Properties) [Note: procexp.exe is Process Explorer's own process]

All the system processes are collapsed in the System tree, so if you see a process like winlogon.exe under the explorer tree then it is surely a virus.

If you do see a suspicious process, you can look it up at Process Library to judge how suspicious it is. Then follow these steps:
  1. If the process is found, right-click on it and choose Properties. Copy the path from the Path: field, open the Run dialog and paste the path there.
  2. Now terminate the suspicious task in Process Explorer.
  3. If the same process starts again, suspend the process by right-clicking on it and clicking Suspend on the menu. Now remove the name of the application from the path, leaving only the folder.
E.g.: If you have copied C:\WINDOWS\System32\mspaint.exe, then remove mspaint.exe and you will see C:\WINDOWS\System32\ in the Run dialog.

(Screenshot: 7-ZIP File Manager)

Step 2. File Deletion

The second step is deleting files. If you have 7-Zip installed, open Start Menu -> 7-ZIP -> 7-ZIP File Manager, which shows you all hidden files, and go through the root path of every drive.

(Screenshot: Autoruns)
Delete .exe and autorun.inf files like ravmon.exe, smss.exe, Funny UST Scandal.exe. But do not delete the following files: autoexec.bat, boot.ini, bootmgr, config.sys, io.sys, msdos.sys, ntdetect.com, pagefile.sys, ntldr, hiberfil.sys, as these are system files.

Step 3. Removal of Startup Entries

Now that you have successfully terminated the virus process, the next thing is to remove those virus files which run upon system start.
  1. Open Autoruns by typing autoruns in the Run dialog. Wait while the refresh completes.
  2. In Options, select "Hide Microsoft Entries" and click the Refresh button on the interface, OR close the program and start it again.
  3. After scanning completes, select the Logon tab and uncheck all the entries. Be sure not to unselect any Microsoft entry. Restart the system for the changes to take effect.

Step 4. Restoring Windows Default Settings

The last suggestion is to scan your system with a fully functional anti-virus.

Troubleshooting: In case of any problem, it means you made a wrong move. Open Autoruns, in Options unselect "Hide Microsoft Entries", click the Refresh button on the interface and select all entries. Close the program and start your system again.

This method only works on Windows 2000/XP/2003/NT/ME.

Step 1: Configure Microsoft Windows Explorer to show all files, because most viruses and Trojan horses can hide themselves. If you have already done this, you may skip this step.

1. Click Start, point to Settings, and Control Panel, and then click Folder Options.

2. In the Folder Options dialog box, click the View tab.

3. In the Advanced settings box, deselect the Hide protected operating system files (Recommended).

4. Select the Show hidden files and folders.

5. Deselect the Hide file extensions for unknown file types.

6. Click OK to save changes.

Or download RRT (Remove Restrictions Tool), a tool to re-enable Ctrl+Alt+Del, Folder Options and Registry tools.

Step 2: Press Ctrl+Alt+Del, open Task Manager Program, click Processes tab, and find msstart.exe process, if found, select it and click End Process to kill it.

Step 3: Go to the folder SystemRoot\Winnt\System32 (if your Windows NT/2000/XP/2003 is installed on drive C:, then the folder is C:\Winnt\System32), find msstart.exe and delete it directly. Or you can search for all msstart.exe files using the Windows Search feature (WINDOWS+F shortcut key) and delete them all.

If all of the steps are completed correctly, then the Trojan has been completely removed.