Kill the Hokage virus
One wrong way to promote tourism is to write a virus. That is what the Hokage Killer virus does: it uses popular local names such as the Kahayan Bridge in Palangkaraya and Palma, and it has every potential to trigger a virus war that will ultimately harm the Indonesian IT community, especially the IT community of Palangkaraya. It is clear that the virus writer is a young programmer who is smart and very curious, but who has one big problem: a severe lack of maturity and no concern for (or awareness of) the fact that creating and spreading a virus can harm other computer users. Amburadul's abilities can be called adequate, but its English is still, as the name implies, amburadul (a mess). A challenge to Hokage should read: Hey, Hokage, This is my place, Want to Start a War? But perhaps because its author spent too much time learning to code and too little learning English, it reads: Hey, Hokage, Is this My places, Wanna start a war. Hopefully the Amburadul writers will not release a new variant specifically to fix the grammar errors.
For those of you who often visit Central Kalimantan, you most likely know the Kahayan Bridge, the bridge that crosses the Kahayan River in Palangkaraya, Central Kalimantan, Indonesia. The bridge is 640 meters long and 9 meters wide and consists of 12 spans, with a special 150-meter span over the river navigation channel. Construction began in 1995 and was completed in 2001, and the bridge was inaugurated by President Megawati Sukarnoputri on January 13, 2002. The Kahayan Bridge connects Palangkaraya with the South Barito and North Barito regencies. So what is the connection?

After the VBWorm.NUJ virus that appeared earlier (http://vaksin.com/2007/1107/moontox-bro.htm), a modified virus (possibly) from VM Palangkaraya has recently been discovered; this can be seen from its script and from the parent files it creates. For now there are three variants, each with the same characteristics; the virus is more commonly known as W32/Amburadul.
* The first variant is detected by Norman as W32/Agent.XQXM (54 KB)
* The second variant is named W32/Agent.ETOR (56 KB)
* The third variant is named W32/Autorun.CQJ (52 KB)
* The fourth variant is named W32/Autorun.CIA (51 KB) (see figure 1)
Broadly speaking this virus behaves like most local viruses: it creates duplicate files, blocks several Windows functions such as Regedit, Msconfig, Search, Folder Options and Task Manager, and even blocks particular local antivirus software such as PCMAV, junior and ANSAV. It will also try to kill the Hokage/VBWorm.Gen16 virus, which also comes from Central Kalimantan, from the Sampit area to be precise; this can be seen in its script, which tries to block the parent file of the Hokage/VBWorm.Gen16 virus. Here are some characteristics of the files created by Amburadul and its variants:
* Icon: Image (JPG)
* File size: varies by variant (51 KB, 52 KB, 54 KB and 56 KB)
* File extension: EXE
* File type: Application (see figure 2)
When the virus is active, it creates the following parent files, which run every time the computer is turned on (these files are also created on all media, including Flash Disks):
* C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
  o csrcc.exe
  o smss.exe
  o lsass.exe
  o services.exe
  o winlogon.exe
  o Paraysutki_VM_Community.sys
  o msvbvm60.dll
* C:\Autorun.inf
* C:\My Photos xx-x-xxx.exe, where x indicates the date the virus was activated (for example: My Photos 14-3-2008.exe)
* C:\Friendster Community.exe
* C:\J3MbataN K4HaYan.exe
* C:\MyImages.exe (hidden file)
* C:\PaLMa.exe
* C:\Images
  o Ce_Pen9God4.exe
  o J34ñNy_Mö3tZ_CuTE.exe
  o M0D3L_P4ray_ 2008.exe
  o Night MinGGuan.exe
  o NonKroNG DJem8ataN K4H4yan.exe
  o Ph0to Ber5ama.exe
  o Picnic dT4ngKilin9.exe
  o King Nge5ex.exe
  o Trend 9aya RAm8ut 2008.exe
* C:\Images\_PAlbTN
  o (V.4.9) _D053n^908L0K.exe
  o ~~G0YanG bed.Exe
  o GePaCar4an Neh!.Exe
  o I...BGT!.Exe
  o To..N90C0k.exe monitoring view
  o Ma5tURbas1 XL1M4xs.exe
  o PraPtih G4diEs PuJAAnku.exe
  o SmunZa.exe Bali Circuit
What do Amburadul and its variants do?

Virus autostart

So that the virus is activated automatically every time the computer is turned on, it creates the following registry entries:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM
  o C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ConfigVir
  o C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\services.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NviDiaGT
  o C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\lsass.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti
  o C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\smss.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVManager
  o C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\csrss.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  o Shell = Explorer.exe, C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

Blocking Windows functions and security software (antivirus)

To defend itself, it also blocks several Windows functions such as Task Manager, Regedit, Msconfig, Folder Options, System Restore and Search, as well as several security programs that could shorten the virus's life, by creating the following registry entries:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  o EnableLUA = 0
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  o DisableConfig
  o DisableSR
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
  o DisableMSI
  o LimitSystemRestoreCheckpointing
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
  o Debugger = rundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  o Debugger = rundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
  o Debugger = crundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
  o Debugger = rundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
  o Debugger = rundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  o Debuger = rundll32.exe
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  o DisableRegistryTools
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  o NoFind
* HKEY_CLASSES_ROOT\exefile
  o NeverShowExt
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
  o UncheckedValue = 1
  o DefaultValue = 1
* (key not given on the page)
  o CheckedValue = 0
  o DefaultValue = 0
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  o UncheckedValue = 0
  o Type = checkbok
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  o ShowSuperHidden = 0
  o SuperHidden = 0
  o HideFileExt = 1
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
  o debugger = rundll32.ex
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
  o debugger = rundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  o debugger = rundll32.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
  o debugger = rundll32.exe
W32/Agent.EQXM (and its variants) will also try to block several local antivirus programs (including one that, heaven forbid, styles itself the best antivirus in the world) such as PCMAV, junior or ANSAV by creating the following registry entries:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
  o Debuger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
  o debugger = cmd.exe /c del
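As an added illustration (not code from this write-up or from Vaksincom), the following Python script checks a registry export for the three patterns listed above: Run values that point into the ~A~m~B~u~R~a~D~u~L~ directory, a Winlogon Shell that is no longer just Explorer.exe, and Image File Execution Options subkeys that carry a Debugger value. The sample export, the ExampleUpdater entry and the notepad.exe GlobalFlag entry are constructed; on a real machine you would feed it the output of reg export.

```python
import re

# Constructed sample in the format written by `reg export`, seeded with a few of
# the entries the write-up attributes to Amburadul, one benign Run entry and one
# IFEO subkey without a Debugger value (IFEO has legitimate uses too).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe]
"Debugger"="cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaRaY_VM"="C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
STR_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ only; dword:/hex: lines are skipped
IFEO_MARK = '\\image file execution options\\'
DROP_DIR = '\\~a~m~b~u~r~a~d~u~l~\\'            # the drop directory named in the write-up


def parse_reg_export(text):
    """Map each [key] to its REG_SZ values, undoing the doubled backslashes of .reg syntax."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = STR_VAL_RE.match(line)
        if m and key is not None:
            tree[key][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return tree


def audit(tree):
    """Return (category, subject, detail) tuples for entries matching the write-up's patterns."""
    findings = []
    for key, values in tree.items():
        low = key.lower()
        if IFEO_MARK in low:
            # An IFEO subkey is a hijack only if it sets Debugger; other values are legitimate.
            debugger = next((v for n, v in values.items() if n.lower() == 'debugger'), None)
            if debugger:
                effect = 'target deleted on launch' if 'cmd.exe /c del' in debugger.lower() else 'target never starts'
                findings.append(('ifeo', key.rsplit('\\', 1)[1], f'{effect}: Debugger={debugger}'))
        elif low.endswith('\\currentversion\\run') or low.endswith('\\currentversion\\runonce'):
            for name, data in values.items():
                if DROP_DIR in data.lower():
                    findings.append(('run', name, data))
        elif low.endswith('\\windows nt\\currentversion\\winlogon'):
            shell = values.get('Shell', 'Explorer.exe')
            if shell.strip().lower() != 'explorer.exe':
                findings.append(('winlogon-shell', 'Shell', shell))
    return findings


if __name__ == '__main__':
    for category, subject, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f'[{category}] {subject}: {detail}')
```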
To block Windows functions and antivirus software, in addition to creating the registry entries above, it also uses the taskkill command. The following applications are killed by Agent.EQXM (and variants):
* taskkill /f /im winamp.exe
* taskkill /f /im winampa.exe
* taskkill /f /im firefox.exe
* taskkill /f /im iexplorer.exe
* taskkill /f /im wmplayer.exe
* taskkill /f /im PCMAV
* taskkill /f /im CLN.exe
* taskkill /f /im Ansav.exe
* taskkill /f /im ansavgd.exe
* taskkill /f /im explorer.exe

Mission to eradicate Hokage

Amburadul and its variants have the mission of eradicating the Hokage family (VBWorm.Gen16) by blocking the virus's files so that they cannot be executed. This is confirmed by the change it makes to the Internet Explorer window title (see the picture below). To do this it creates the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  o Window Title = ++++Hey, Hokage/baboon (Anbu*Team*Sampit), Is this My places, Wanna start a War++++ (see figure 3)
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
  o Debugger = cmd.exe /c del
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
  o Debugger = cmd.exe /c del
DDoS of websites

Agent.EQXM will also try to DDoS a number of predetermined website addresses by sending Ping requests to the following websites:
* www.duniasex.com
* www.data0.net
* www.rasasayang.com.my
Hiding image files

The files targeted by this virus are image files (JPG / BMP / PNG / TIFF / GIF), but it only hides image files on the Flash Disk. To trick the user it creates a duplicate file with the same name as the hidden file and the following characteristics:
* JPG icon
* A "random" size (depending on the variant: 51 KB / 52 KB / 54 KB / 56 KB)
* Extension .xx.exe, where xx is the extension of the original image file. For example, if the original image file is named data.bmp, the virus creates a duplicate named data.bmp.exe. (See figure 4)
* File type "Application"
Every time it hides files, it is "kind-hearted" enough to record a log in the file C:\Windows\Amburadul_List.txt, as shown in figure 5 below:
Spreading via Flash Disk

To spread itself, it uses "Flash Disk" or "floppy" media, creating several parent files and several supporting files so that it is activated automatically every time the user accesses the Flash Disk. Here are some of the files created on the Flash Disk or diskette:
* C:\Autorun.inf
* C:\My Photos xx-x-xxx.exe, where x indicates the date the virus was activated (for example: My Photos 14-3-2008.exe)
* C:\Friendster Community.exe
* C:\J3MbataN K4HaYan.exe
* C:\MyImages.exe (hidden)
* C:\PaLMa.exe
* C:\Images
  o Ce_Pen9God4.exe
  o J34ñNy_Mö3tZ_CuTE.exe
  o M0D3L_P4ray_ 2008.exe
  o Night MinGGuan.exe
  o NonKroNG DJem8ataN K4H4yan.exe
  o Ph0to Ber5ama.exe
  o Picnic dT4ngKilin9.exe
  o King Nge5ex.exe
  o Trend 9aya RAm8ut 2008.exe
* C:\Images\_PAlbTN
  o (V.4.9) _D053n^908L0K.exe
  o ~~G0YanG bed.Exe
  o GePaCar4an Neh!.Exe
  o I...BGT!.Exe
  o To..N90C0k.exe monitoring view
  o Ma5tURbas1 XL1M4xs.exe
  o PraPtih G4diEs PuJAAnku.exe
  o SmunZa.exe Bali Circuit
So that the virus is activated automatically every time the user accesses the Flash Disk or drive, it uses the Windows Autorun feature by creating an autorun.inf file in the root of the Flash Disk or drive. This autorun file runs the MyImage.exe file, which is hidden so that it is not easily removed by the user. (See figure 6)
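The two Flash Disk behaviours described above (decoy image-name.exe files beside the hidden originals, and an autorun.inf that launches the dropper) can be checked offline with the following Python script, added here as an illustration and not part of the original article. It builds a constructed throw-away directory that imitates an infected drive; the file names and sizes are constructed from the lists on this page, and the script does not check the hidden attribute, which only exists on Windows.

```python
import os
import tempfile

IMAGE_EXTS = {'.jpg', '.jpeg', '.bmp', '.png', '.tif', '.tiff', '.gif'}  # formats the write-up names
VARIANT_SIZES_KB = {51, 52, 54, 56}                                       # dropper sizes per variant


def build_sample_drive():
    """Build a throw-away directory that imitates an infected Flash Disk (constructed data)."""
    root = tempfile.mkdtemp(prefix='usb_')
    os.makedirs(os.path.join(root, 'holiday'))
    with open(os.path.join(root, 'autorun.inf'), 'w') as fh:
        fh.write('[autorun]\nopen=MyImages.exe\nshellexecute=MyImages.exe\n')
    for rel, size in [
        ('MyImages.exe', 54 * 1024),        # the dropper autorun.inf points at
        ('data.bmp', 3000),                 # original picture (hidden by the virus on a real drive)
        ('data.bmp.exe', 54 * 1024),        # decoy carrying the picture's name plus .exe
        ('holiday/trip.jpg', 5000),
        ('holiday/trip.jpg.exe', 54 * 1024),
        ('readme.txt.exe', 54 * 1024),      # double extension but not an image name: not a decoy
    ]:
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(b'\0' * size)
    return root


def autorun_targets(root):
    """Executables an autorun.inf would launch via open=, shellexecute= or shell\\...\\command=."""
    path = os.path.join(root, 'autorun.inf')
    if not os.path.isfile(path):
        return []
    targets = []
    with open(path, errors='replace') as fh:
        for line in fh:
            k, _, v = line.strip().partition('=')
            k = k.strip().lower()
            if k in ('open', 'shellexecute') or (k.startswith('shell\\') and k.endswith('\\command')):
                targets.append(v.strip())
    return targets


def find_decoys(root):
    """Pairs (decoy, original) where <name>.<imageext>.exe sits beside <name>.<imageext>."""
    hits = []
    for dirpath, _, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            base, ext = os.path.splitext(f)
            if ext.lower() == '.exe' and os.path.splitext(base)[1].lower() in IMAGE_EXTS \
                    and base.lower() in present:
                hits.append((os.path.join(dirpath, f), os.path.join(dirpath, base)))
    return hits


def triage(root):
    """What autorun launches, which decoys exist, and which decoys match a known variant size."""
    decoys = find_decoys(root)
    sized = [d for d, _ in decoys if os.path.getsize(d) // 1024 in VARIANT_SIZES_KB]
    return {'autorun': autorun_targets(root), 'decoys': decoys, 'variant_sized': sized}


if __name__ == '__main__':
    for section, items in triage(build_sample_drive()).items():
        print(section, items)
```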
How to clean W32/Agent.EQXM (and variants)

1. Disconnect the computer to be cleaned from the network.
2. Kill the virus process that is active in memory. To kill the process, use the "currprocess" tool (http://www.nirsoft.net/utils/cprocess.zip). Then kill the virus processes that have a JPG icon and an EXE extension. (See figure 7)
3. Repair the registry entries changed by W32/Agent.EQXM (and variants). To speed up the repair, copy the script below into Notepad and save it as repair.inf. Run it as follows:
   * Right-click repair.inf
   * Click Install
```ini
[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, defaultValue,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, "checkbox"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0

[Del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
```
4. Disable "System Restore" during the cleanup process.
5. Delete the W32/Agent.EQXM (and variants) parent files. Before deleting the files, show hidden files as follows:
   1. Open Windows Explorer
   2. Click the "Tools" menu
   3. Click "Folder Options"
   4. Click the View tab
   5. Under "Advanced settings":
      * Select the option "Show hidden files and folders"
      * Uncheck "Hide extensions for known file types"
      * Uncheck "Hide protected operating system files (Recommended)" (see figure 8)
   Then delete the following files (on all drives, including Flash Disks, except for the files in the directory C:\Windows\system32\~A~m~B~u~R~a~D~u~L~):
   * C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
     + csrcc.exe
     + smss.exe
     + lsass.exe
     + services.exe
     + winlogon.exe
     + Paraysutki_VM_Community.sys
     + msvbvm60.dll
   * C:\Autorun.inf
   * C:\My Photos xx-x-xxx.exe, where x indicates the date the virus was activated (for example: My Photos 14-3-2008.exe)
   * C:\Friendster Community.exe
   * C:\J3MbataN K4HaYan.exe
   * C:\MyImages.exe
   * C:\PaLMa.exe
   * C:\Images
6. Unhide the image files that were hidden on the Flash Disk as follows:
   * Click the "Start" menu
   * Click "Run"
   * Type "CMD"
   * At the DOS prompt, change to the Flash Disk drive and type the command attrib -s -h /s /d
7. For optimal cleaning and to prevent reinfection, scan with an up-to-date antivirus that is able to identify this virus.