Thursday, April 14, 2011

Mediaplex and 207.net tracking cookie Removal Guide - manual removal instructions


Mediaplex Description
Mediaplex is a tracking cookie that monitors your Internet activity and gathers your personal information as you surf the web. This information may be retrieved by the parent company, without your consent.
How can I Detect Mediaplex?
Cookies may contain information about you, such as a password, usernames, how many times you visit a website, how you shop on a website and other surfing habits. Generally there might not be any reason to worry about certain cookies in your computer. Yet the fact remains that a cookie's main purpose is to reveal what websites you've visited and it's up to you whether you want that information to be in the hands of a third-party.

To get rid of the Mediaplex cookie and other cookies, follow the manual cookie removal instructions below.
Mediaplex Manual Removal Instructions
Below are the Mediaplex manual removal instructions and a list of Mediaplex components to help you remove SpyCrush from your PC. Backup reminder: always back up your PC before making any changes.
Note: This manual removal process is to be used at your own risk. We recommend that you use SpyHunter's detection tool to check for cookies.

Step 1 : Search and Remove Mediaplex Cookie
To remove Mediaplex cookie with Internet Explorer 6, 5, 5.01, and 5.5 for Windows 95, Windows 98, Windows NT 4.0 and Windows 2000, follow the manual removal steps below:
Start Internet Explorer.
Go to Tools > Internet Options > General tab.
In the Temporary Internet Files section, select Settings > View Files.
On the View menu, select Details.
Click the Internet Address column header, and look for cookie files whose Internet address contains:
Mediaplex
Right-click on the Mediaplex cookie file, and then press Delete. If you are prompted to confirm that you wish to delete the Mediaplex cookie file, click Yes. You can repeat this step for each cookie file you want to remove.

Step 2 : Detect and Remove Other Cookies
You might want to keep some cookies on your computer. Registration cookies, for example, are useful to keep because you'll need them for websites you visit frequently. Keep in mind that you may need some cookies to log on to certain services, so you might not want to delete all of them.
To delete all cookies in Internet Explorer 6, 5, 5.01, and 5.5 for Windows 95, Windows 98, Windows NT 4.0 and Windows 2000, follow the manual removal steps below:

Open Internet Explorer.
Go to Tools > Internet Options > General Tab.
In the Temporary Internet Files section, select Delete Cookies > OK, and then click OK again.
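The steps above work through Internet Explorer's dialogs. Browsers and tools that keep cookies in a Netscape-format cookies.txt file (older Mozilla builds, curl and wget all use the same tab-separated layout) can be triaged with a script instead. This is an added example, not part of the original page and not vendor code; the mediaplex.com and 207.net suffixes are assumptions about where these cookies are set, the sample jar is constructed, and the script only returns the rewritten jar text, so nothing on disk changes unless you write the result back.

```python
"""Find and strip tracking cookies in a Netscape-format cookies.txt jar.

Added example (not from the page or any vendor). Assumes the tab-separated
cookies.txt layout used by older Mozilla browsers, curl and wget:
domain, subdomain flag, path, secure flag, expiry, name, value.
"""
from dataclasses import dataclass

# Suffixes treated as tracking domains: the two names the page uses, written
# as DNS names (assumption: the cookies are set under these domains).
TRACKING_DOMAINS = ("mediaplex.com", "207.net")


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str
    http_only: bool


def parse_cookie_line(raw):
    """Return a Cookie for a data line, or None for comments and blank lines."""
    line = raw.rstrip("\r\n")
    http_only = False
    if line.startswith("#HttpOnly_"):        # curl's marker for HttpOnly cookies
        http_only = True
        line = line[len("#HttpOnly_"):]
    elif not line.strip() or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) != 7:
        raise ValueError(f"malformed cookie line: {raw!r}")
    domain, sub_flag, path, secure, expires, name, value = fields
    return Cookie(domain.lstrip(".").lower(), sub_flag == "TRUE", path,
                  secure == "TRUE", int(expires), name, value, http_only)


def parse_cookie_jar(text):
    return [c for c in map(parse_cookie_line, text.splitlines()) if c is not None]


def is_tracking_domain(domain, tracking=TRACKING_DOMAINS):
    """True if domain is one of the tracking suffixes or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in tracking)


def find_tracking_cookies(text, tracking=TRACKING_DOMAINS):
    return [c for c in parse_cookie_jar(text) if is_tracking_domain(c.domain, tracking)]


def remove_tracking_cookies(text, tracking=TRACKING_DOMAINS):
    """Jar text with tracking cookies dropped; comments and other cookies kept verbatim."""
    kept = []
    for raw in text.splitlines():
        cookie = parse_cookie_line(raw)
        if cookie is None or not is_tracking_domain(cookie.domain, tracking):
            kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample jar: two tracking cookies, one first-party login cookie,
# one HttpOnly cookie in curl's notation.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    ".mediaplex.com\tTRUE\t/\tFALSE\t1700000000\tsvid\t123456",
    "adfarm.207.net\tFALSE\t/\tFALSE\t1700000000\ts_vi\t[CS]v1|abcdef",
    "www.example.com\tFALSE\t/\tTRUE\t1700000000\tsession\tlogin-token",
    "#HttpOnly_.example.com\tTRUE\t/\tTRUE\t1700000000\tauth\tsecret",
])

if __name__ == "__main__":
    for c in find_tracking_cookies(SAMPLE_JAR):
        print(f"tracking cookie {c.name!r} set by {c.domain}")
    print(remove_tracking_cookies(SAMPLE_JAR))
```

Point the script at a real cookies.txt by reading the file into `text`; the suffix match keeps subdomains such as adfarm.207.net while leaving unrelated domains that merely end in the same letters alone.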



To learn more on Mediaplex cookie, see our Mediaplex cookie resource section below.
More Mediaplex Resources
What is Tracking Cookie?
Mediaplex is a type of Tracking Cookie.
Tracking cookies, like regular cookies, are small files that get deposited onto your computer's hard drive as you browse the Internet. Unlike harmless cookies that normally let you use certain websites more easily, tracking cookies usually collect and report information about what websites you visit and what you do at those websites. If you fill out forms online with your real name and contact information, click on banners and then purchase an item, or fill out sweepstakes or contests forms, then it's possible that major online advertisers know your name and have associated it with your IP address and other information.
Think you have Mediaplex? Run SpyHunter's Mediaplex scan and automatically detect Mediaplex on your PC.
Cookie Prevention Steps
Do you want to be able to block and allow cookies from certain websites or domains? You can block cookies from certain websites, or from all of them, in your browser's cookie settings.
To Block Certain Cookies:
To prevent certain websites from setting cookies on your PC, follow the steps below.
Start Internet Explorer (IE).
Go to Tools > Internet Options > Privacy tab > Advanced.
Check "Override automatic cookie handling".
Set "First Party Cookies" to Block, and then set "Third Party Cookies" to Block.
Click the "OK" button.

To Allow Certain Cookies:
To allow certain cookies, follow the steps below.
Go to Tools > Internet Options > Privacy tab > Sites.
Then type the URL(s) of website(s) that you trust and that use cookies to remember your login info.
Some websites require cookies. It is advised that you add websites such as '*.microsoft.com' (no quotes) to the "Always Allow" list so that Windows Update and other Microsoft websites which require cookies keep working.
To Block All Cookies:

You can also prevent all cookies from being used on your computer. To set your browser to block all cookies, follow the steps below.

For Internet Explorer (IE):

Go to Tools > Internet Options > Security, and either set the security level to "High" or choose Custom level > Cookies > Disable.

For Mozilla Firefox:
Go to Tools > Options > Privacy > Cookies > Uncheck "Allow sites to set cookies".

User Comments
Username: Suzanne Date Posted: 2007-11-05 13:42:54
Comment:
Could you please post "Mediaplex Manual Removal Instructions for Mozilla Firefox"? Also whatever other materials are posted about this for Mozilla. Thank you

Username: ghostrider01 Date Posted: 2007-11-09 10:05:51
Comment:
Suzanne,
Mediaplex Manual Removal Instructions for Mozilla Firefox:
Step 1 : Search and Remove Mediaplex Cookie

1. Start Mozilla Firefox.
2. Go to Tools > Options > Privacy and select Show Cookies...
3. Type in MediaPlex in the Search line and press Clear.

Step 2 : Detect and Remove Other Cookies
1. Start Mozilla Firefox.
2. Go to Tools > Options > Privacy and select Show Cookies...
3. Click on Remove All Cookies.
Don't worry so much about the cookies, because they are not so dangerous. It's enough to clean them weekly from your computer.

Username: Sharon Date Posted: 2008-02-24 10:23:30
Comment:
MEDIAPLEX is coming from eBay. Best thing to do is everyone protest this. eBay was using Doubleclick and now they are using Mediaplex to bug the hell out of everyone. Maybe time to go back to shopping locally and [REMOVED WORD] thinking globally?

Username: Tibor Toth Torma Date Posted: 2008-03-06 16:09:27
Comment:
Thank you for helping to remove zedo, tacoda, yieldmanger and 207.net cookies. Great site!

How to remove NewFolder.exe Virus.


Problem:
One of our readers reported a virus on his pen drive; the drive is infected with the Newfolder.exe virus. He has some very crucial data on the drive, so he cannot format it.

What is NewFolder.exe virus?
The New Folder.exe virus disables Task Manager, Registry Editor, Folder Options and the Run option on the Start menu. The virus creates .exe files that carry the folder icon and the same name as the folder they sit in; it also consumes more than 50% of your processor time and so slows down your computer.

Let’s see how we can remove this virus without formatting the drive.
Fix:
To remove the Newfolder.exe virus you can use either of two tools. There is also a manual procedure, but the tools listed below are much better:

Tools to remove Newfolder.exe virus

Manual Method:
You need to delete a file named svichossst.exe wherever you find it on your system.



Remove the following entries from the registry; the Winlogon Shell value should read only Explorer.exe:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"@"=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe "

We hope at least one of the methods given above helps you fix the trouble.
Newfolder Virus removal tool by Albin
Download Andymanchesta`s Newfolder.exe virus removal tool (FREE)

What is Amburadul virus and how to remove amburadul


How to remove the Amburadul virus, all variants, with no need for an antivirus program: you can simply clean it using the manual technique below.
The simple way to tell whether your computer is infected by this virus is that you will see JPEG files that carry an application (executable) extension. Now let's start removing it!

1. Unplug your infected computer from your network to stop this virus spreading.
2. Disable “System Restore” when in cleaning process.
3. Kill the virus processes using the "currprocess" tool: kill every process that shows a JPG picture icon.



4. Repair the registry entries the virus changed, using this INF script:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
Add_Reg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, DefaultValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, "checkbox"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
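Before applying a repair INF like the one above, it helps to see exactly which registry values it will write or delete, and to confirm that the restored shell\open\command values are the Windows defaults rather than a typo or a tampered line. The parser below is an added example, not from the page and not a Microsoft tool; it assumes the standard INF AddReg field layout (registry root, subkey, value name, flags, value), the DelReg layout (root, subkey, optional value name) and the usual flag constants, and the sample INF embedded in it is a constructed subset of the entries above.

```python
"""List the registry changes a repair INF will make before it is applied.
Added example, not from the page; assumes the standard INF AddReg layout
(root, subkey, [value-name], [flags], [value]) and DelReg layout (root,
subkey, [value-name]) with the usual flag constants. Sample INF is constructed."""
import re
from dataclasses import dataclass

FLAG_TYPES = {0x0: "REG_SZ", 0x1: "REG_BINARY", 0x10000: "REG_MULTI_SZ",
              0x10001: "REG_DWORD", 0x20000: "REG_EXPAND_SZ"}
# Windows default "open" commands for the file classes the repair INF restores.
EXPECTED_OPEN = {c: '"%1" %*' for c in ("batfile", "comfile", "exefile", "piffile", "scrfile")}
EXPECTED_OPEN["regfile"] = 'regedit.exe "%1"'
# One INF field: a quoted string ("" inside = literal quote) or plain text up to the next comma.
FIELD_RE = re.compile(r'\s*(?:"((?:[^"]|"")*)"|([^,]*?))\s*(,|$)')

@dataclass(frozen=True)
class AddEntry:
    root: str
    subkey: str
    name: str          # "(Default)" for the key's default value
    reg_type: str
    data: object       # int for REG_DWORD, str otherwise

@dataclass(frozen=True)
class DelEntry:
    root: str
    subkey: str
    name: object       # None = delete the whole key

def split_inf_fields(line):
    """Split one INF line into fields, honouring quotes."""
    fields, pos = [], 0
    while True:
        quoted, plain, sep = (m := FIELD_RE.match(line, pos)).groups()
        fields.append(quoted.replace('""', '"') if quoted is not None else plain)
        pos = m.end()
        if sep != ",":
            return fields

def parse_sections(text):
    """INI-style sections; ';' starts a comment (none occur inside quotes here)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"data before first section: {raw!r}")
        else:
            sections[current].append(line)
    return sections

def registry_plan(text):
    """(adds, dels) for the sections named by AddReg= and DelReg= in [DefaultInstall]."""
    sections = parse_sections(text)
    install = {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in sections["DefaultInstall"])}
    def named(key):
        return [s.strip() for s in install.get(key, "").split(",") if s.strip()]
    adds, dels = [], []
    for line in (l for sec in named("AddReg") for l in sections[sec]):
        f = split_inf_fields(line)
        if len(f) < 2:
            raise ValueError(f"bad AddReg line: {line!r}")
        f += [""] * (5 - len(f))
        flags = int(f[3] or "0", 0)
        reg_type = FLAG_TYPES.get(flags, f"flags 0x{flags:08x}")
        data = int(f[4] or "0", 0) if reg_type == "REG_DWORD" else f[4]
        adds.append(AddEntry(f[0].upper(), f[1], f[2] or "(Default)", reg_type, data))
    for line in (l for sec in named("DelReg") for l in sections[sec]):
        f = split_inf_fields(line) + [""]
        dels.append(DelEntry(f[0].upper(), f[1], f[2] or None))
    return adds, dels

def check_open_commands(adds):
    """File classes whose restored shell\\open\\command is not the Windows default."""
    wrong = {}
    for e in adds:
        parts = e.subkey.lower().split("\\")
        if parts[:2] == ["software", "classes"] and parts[3:] == ["shell", "open", "command"]:
            expected = EXPECTED_OPEN.get(parts[2])
            if expected is not None and e.data != expected:
                wrong[parts[2]] = e.data
    return wrong

# Constructed subset of the repair INF above, with INF quoting ("" = literal quote).
SAMPLE_INF = r'''[Version]
Signature="$Chicago$"

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
'''

if __name__ == "__main__":
    adds, dels = registry_plan(SAMPLE_INF)
    for e in adds:
        print(f"SET {e.root}\\{e.subkey} [{e.name}] {e.reg_type} = {e.data!r}")
    for e in dels:
        print(f"DEL {e.root}\\{e.subkey}" + (f" [{e.name}]" if e.name else ""))
    print("non-default open commands:", check_open_commands(adds))
```

Read the saved .inf into `text` and call `registry_plan(text)` to get the printed plan; anything reported by `check_open_commands` should be corrected in the INF before it is applied, since a wrong exefile command leaves every .exe launch broken or redirected.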

5. Delete the master virus in %systemroot%\system32\~A~m~B~u~R~a~D~u~L~; before you do this you have to make hidden files visible.
Then delete the files in this list:

csrcc.exe
smss.exe
lsass.exe
services.exe
winlogon.exe
Paraysutki_VM_Community.sys
msvbvm60.dll
Drive:\Autorun.inf
Drive:\FoToKu xx-x-*.exe, where x shows the date the virus became active
Drive:\Friendster Community.exe
Drive:\J3MbataN K4HaYan.exe
Drive:\MyImages.exe
Drive:\PaLMa.exe
Drive:\Images

How to remove trojans that uses autorun.inf file


These trojans use an autorun.inf file to infect systems. Once infected with an autorun.inf trojan, your computer will display many popups, the Internet Explorer start page may be changed, and Task Manager and Registry Editor may be disabled. The autorun.inf trojan also configures itself to run automatically every time you start your computer. In addition, it creates files with strange names, for example:

ampfrb.cmd, hbs.exe, yfog8p.exe, as.bat, phwe.com, o0s.cmd, xa2c.exe, AutoStart.exe, ncyrf.bat, rcukd.cmd, 2u.com, q.com, RavMon.exe, x6.bat, rqq2v.bat, t.com, xp19.com, x0.cmd, yg.cmd, ntde1ect.com, tio8x6.cmd, d6fagcs8.cmd, gbiehbsb.dll, fooool.exe, 8ng8w.com, x.com, xn1i9x.com, invwft2h.com, selamat_berposa_dari_umt.js, ktnquo.exe, NewVirusRemoval.vbs, kinza.exe, rs.cmd, yssjnngm.cmd, h3.bat, 6fnlpetp.exe, boot.exe, winde32.exe, 6j2j.com, kjibu.com, fun.xls.exe, iqe68o.bat, killVBS.vbs, autorun.pif, lin32.exe, USB.exe, RisinG.exe, f.bat, uxdeiect.com, awda2.exe, clshsy.cmd, kongxsg.exe, autorunme.exe, x2tpc.cmd, winconfig.dll.vbs, w1hva13.exe, jun.exe, xpbkh.com

The trojans may drastically slow the performance of your computer.
Step 1: Remove autorun.inf files from all your drives, including any USB/flash drives.
1. Manually:

Reboot your PC in Safe mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Click Start -> Run.
In the Open box, type cmd and press Enter.
In the command console, type del /a:h /f c:\autorun.*
Repeat the previous step for all drives, replacing "c" with the appropriate drive letter.
2. Automatically.

Download Flash_Disinfector by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
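Step 1 deletes autorun.inf from every drive. Before deleting, a responder usually wants to know what the file would have launched, and the later note about Flash_Disinfector's placeholder folder means that a folder named autorun.inf is the expected state on a protected drive, not an infection. The script below is an added example, not from the page and not part of Flash_Disinfector: it parses the [autorun] section, reports which keys launch a program and which context-menu verbs they hijack, and tells a placeholder folder from a real file. The two sample autorun.inf texts are constructed; the resycled\boot.com path is taken from the file list in this post.

```python
"""Report what an autorun.inf would launch, and tell a real autorun.inf apart
from the protective placeholder folder Flash_Disinfector leaves behind.
Added example, not from the page or Flash_Disinfector; assumes the documented
[autorun] keys (open, shellexecute, shell, shell\\<verb>\\command, icon, label)."""
import os
import re

VERB_RE = re.compile(r"shell\\([^\\]+)\\command")
BUILTIN_VERBS = {"open", "explore", "autoplay"}   # verbs Explorer offers by default


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun":          # [DeviceInstall] and other sections are not launch vectors
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def analyze_autorun(text):
    entries = parse_autorun(text)
    findings, launches = [], []
    for key in ("open", "shellexecute"):            # run on insertion / double-click
        if key in entries:
            findings.append(f"{key}= runs '{entries[key]}' on insertion or double-click")
            launches.append(entries[key])
    for key, value in entries.items():              # context-menu verb hijacks
        m = VERB_RE.fullmatch(key)
        if m:
            verb = m.group(1)
            how = "replaces built-in verb" if verb in BUILTIN_VERBS else "adds custom verb"
            findings.append(f"{key}= {how} '{verb}' with '{value}'")
            launches.append(value)
    if "shell" in entries:
        findings.append(f"shell= makes '{entries['shell']}' the default (bold) menu action")
    return {"entries": entries, "findings": findings,
            "launches": sorted(set(launches)), "risky": bool(launches)}


def drive_status(root):
    """'clean': nothing; 'placeholder': a folder named autorun.inf (the
    Flash_Disinfector trick, which keeps a file of that name from being
    created); 'autorun-file': a real file to pass to analyze_autorun()."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "placeholder"
    if os.path.isfile(path):
        return "autorun-file"
    return "clean"


# Constructed sample in the shape of an infected drive's autorun.inf; the
# resycled\boot.com path is taken from the file list in this post.
INFECTED_SAMPLE = r"""[autorun]
open=resycled\boot.com
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\Command=resycled\boot.com
shell\explore\Command=resycled\boot.com
shell=open
"""
# Constructed benign sample: only sets an icon and a volume label.
BENIGN_SAMPLE = """[autorun]
icon=setup.exe,0
label=Backup drive
"""

if __name__ == "__main__":
    for text in (INFECTED_SAMPLE, BENIGN_SAMPLE):
        result = analyze_autorun(text)
        print("risky" if result["risky"] else "benign", result["findings"])
```

On a live system, call `drive_status(r"E:\")` first; only an "autorun-file" result needs `analyze_autorun(open(path).read())`, and a "placeholder" result is the protected state the note at the end of this post describes.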
Step 2: Remove autorun.inf trojan from the windows registry.
 

Download and install HijackThis.

Run HijackThis and scan, then put a checkmark next to the following items (if they exist):

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 - HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 - HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 - HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKCU\..\Run: [kmmsoft] C:\WINDOWS\system32\revo.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 - HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 - HKCU\..\Run: [ckvo] c:\windows\system32\ckvo.exe
O4 - HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now close all browser windows and any other windows except HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
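Deciding which HijackThis lines to tick is the hard part of this step, and the same judgement applies to the Run and Winlogon Shell registry entries in the NewFolder.exe post above. The script below is an added example, not from the page and not HijackThis functionality: it parses F2/O4/O6/O7 lines and flags the patterns visible in the list above, namely an extra program appended to the Winlogon Shell, per-user Run entries pointing into system32, Policies\Explorer\Run autostarts, script and double-extension autostarts, policy lines that lock Registry Editor or Internet Explorer options, and file names that imitate system processes (SVCH0ST versus svchost, csrcs versus csrss). The heuristics, the legitimate-process list and the benign ctfmon.exe sample line are assumptions; the other sample lines are taken from the list above.

```python
"""Triage a HijackThis log: flag the autostart, shell and policy patterns above.
Added example with assumed heuristics; these are not HijackThis output rules."""
import ntpath
import re

LEGIT = {"explorer", "svchost", "csrss", "lsass", "smss", "winlogon", "services",
         "ctfmon", "taskmgr", "spoolsv", "rundll32", "userinit"}   # assumed list
SCRIPT_EXT = {"vbs", "vbe", "js", "cmd", "bat", "pif", "scr", "com"}
DIGIT_MAP = str.maketrans("0135", "olse")      # digit-for-letter swaps: svch0st -> svchost
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(filename):
    """Legitimate process name the file name imitates, or None."""
    stem = filename.lower().split(".")[0]
    if stem in LEGIT:
        return None
    normalized = stem.translate(DIGIT_MAP)
    if normalized in LEGIT:
        return normalized
    if len(stem) >= 4:                      # short names give false edit-distance hits
        for legit in LEGIT:
            if levenshtein(stem, legit) <= 2:
                return legit
    return None

def first_program(cmd):
    cmd = cmd.strip()
    token = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return ntpath.basename(token)

def check_program(name, reasons):
    parts = name.lower().split(".")
    if len(parts) > 2:
        reasons.append(f"{name}: double extension")
    if parts[-1] in SCRIPT_EXT:
        reasons.append(f"{name}: script or legacy executable type")
    legit = lookalike(name)
    if legit:
        reasons.append(f"{name}: name imitates {legit}.exe")

def triage_line(line):
    reasons = []
    if line.startswith("F2 - REG:system.ini: Shell="):
        extra = [p for p in line.split("Shell=", 1)[1].split()
                 if ntpath.basename(p).lower() != "explorer.exe"]
        if extra:
            reasons.append("Winlogon Shell runs extra program(s): " + ", ".join(extra))
            for p in extra:
                check_program(ntpath.basename(p), reasons)
    elif m := O4_RE.match(line):
        if m["hive"] == "HKCU" and "\\system32\\" in m["cmd"].lower():
            reasons.append("per-user autostart of a binary in system32")
        if m["key"].lower().startswith("policies\\"):
            reasons.append("autostart via Policies\\Explorer\\Run")
        check_program(first_program(m["cmd"]), reasons)
    elif line.startswith("O6 - ") and line.endswith(" present"):
        reasons.append("Internet Explorer options locked by policy")
    elif line.startswith("O7 - "):
        reasons.append("system tool disabled by policy: " + line.rsplit(", ", 1)[-1])
    return reasons

def triage(log):
    """[(line, [reasons])] for every non-empty line with at least one finding."""
    results = []
    for raw in log.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            results.append((line, reasons))
    return results

# Sample log: lines from the list above plus one constructed benign ctfmon.exe entry.
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe",
    r"O4 - HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE",
    r"O4 - HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe",
    r"O4 - HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe",
    r"O4 - HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs",
    r"O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
])

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Feed a saved HijackThis log to `triage`; lines with no finding are not printed, which is what keeps the benign ctfmon.exe entry out of the list. The flags are prompts for a closer look, not proof: a real per-user autostart in system32 can still be legitimate software.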

Step 3: Remove autorun.inf trojans files.
Download Avenger and unzip it to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:



Files to delete:

c:\0jbnlnu8.exe
c:\1q8p0y.com
c:\2g.com
c:\39ysi89.com
c:\3jkka91.com
c:\6fnlpetp.exe
C:\6fnlpetp.exe
C:\6j2j.com
C:\8.bat
c:\80avp08.com
C:\8ng8w.com
c:\92j11sm.com
c:\a.exe
C:\a2h2.com
c:\ampfrb.cmd
c:\as.bat
c:\AutoRun\autorun.pif
c:\AutoRun\AutoStart.exe
c:\awda2.exe
c:\boot.exe
c:\cjrp8.com
c:\clshsy.cmd
C:\d6fagcs8.cmd
c:\dp.exe
C:\e.cmd
C:\fooool.exe
c:\fun.xls.exe
C:\gbiehbsb.dll
C:\gfqgq.cmd
c:\gumkrhf.bat
C:\gy.exe
c:\h3.bat
c:\hbs.exe
C:\ij.bat
C:\imo.exe
c:\invwft2h.com
c:\iqe68o.bat
c:\jg6w3yx.com
c:\killVBS.vbs
c:\kinza.exe
C:\kjibu.com
c:\ktnquo.exe
c:\MicrosoftPowerPoint.exe
c:\NewVirusRemoval.vbs
C:\ntde1ect.com
c:\ntnq.exe
c:\nw0t1l0d.exe
c:\o0s.cmd
c:\phwe.com
C:\pook.com
c:\q0rppr.exe
C:\rcukd.cmd
c:\resycled\boot.com
c:\RECYCLED\appmgmt.exe
C:\rqq2v.bat
c:\rs.cmd
C:\sq.com
c:\System\DriveGuard\DriveProtect.exe
C:\t.com
C:\tio8x6.cmd
c:\tj8odymw.exe
c:\uh31.exe
c:\usbcash.exe
C:\uvsqfgwd.cmd
c:\uxdeiect.com
c:\vnkucvv.com
c:\VirusCleaner.vbe
c:\VirusRemoval.vbs
c:\w1hva13.exe
C:\x0.cmd
c:\x2tpc.cmd
c:\xa2c.exe
C:\x.com
C:\x.cmd
C:\x2csvg.exe
C:\xih9.cmd
C:\xn1i9x.com
C:\xp19.com
c:\xpq63xl.exe
c:\xwpehlv.com
c:\yfog8p.exe
C:\yg.cmd
c:\yssjnngm.cmd
C:\w98.com
%Temp%\dwg3gngs.exe
%Temp%\kxvo.exe
%Temp%\new folder\ufjtre.exe
%Temp%\o2g.exe
%Temp%\ufjtre.exe
%Windir%\expiorer.exe
%windir%\system32\afmain0.dll
%Windir%\system32\amvo.exe
%Windir%\system32\avp.exe
%windir%\system32\avpo.exe
%Windir%\system32\Bitkv0.dll
%Windir%\system32\Bitkv1.dll
%Windir%\system32\cftmonn.exe
%Windir%\system32\ckvo0.dll
%Windir%\system32\ckvo.exe
%windir%\system32\expiorer.exe
%Windir%\system32\gasretyw0.dll
%Windir%\system32\gasretyw1.dll
%windir%\system32\haozs0.dll
%Windir%\system32\j3ewro.exe
%Windir%\system32\jwedsfdo0.dll
%Windir%\system32\kamsoft.exe
%Windir%\system32\kavo0.dll
%Windir%\system32\kavo1.dll
%Windir%\system32\kavo.exe
%Windir%\system32\kxvo.exe
%windir%\system32\locale.exe
%windir%\system32\nmdfgds1.dll
%windir%\system32\nmdfgds0.dll
%windir%\system32\olhrwef.exe
%Windir%\system32\RavMon.exe
%Windir%\system32\realshade.exe
%Windir%\system32\revo.exe
%Windir%\system32\SCVVHSOT.exe
%Windir%\system32\TaskMonitor.exe
%Windir%\system32\tavo0.dll
%Windir%\system32\tavo1.dll
%Windir%\system32\tavo.exe
%Windir%\system32\urretnd.exe
%Windir%\system32\vamsoft.exe
%Windir%\system32\vbsdfe0.dll
%Windir%\system32\vbsdfe1.dll
%Windir%\system32\wincab.sys
%Windir%\winconfig.dll.vbs

Then click on ‘Execute’.
Your computer will be reloaded.

Note: Flash_Disinfector will remove any autorun.inf files and create a hidden folder named autorun.inf on each partition and on every USB drive plugged in when you run it. Don't delete this folder. It will help protect your drives from future infection.

HijackThis - your first tool for removing homepage hijackers

HijackThis examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It’s up to you to decide what should be removed. Some items are perfectly fine. You should not remove them. Never remove everything. Doing that could leave you with missing items needed to run legitimate programs and add-ins.

How to make a HijackThis log.
Download HijackThis and save it to your Desktop.
Double-click the HJTinstall.exe icon to install (by default it will install to C:\Program Files\Trend Micro\HijackThis). Click Install; it will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis. Click the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.
How to remove malware using HijackThis.
Run HijackThis.
Click on the Do a system scan only button.
Place a checkmark in the box in front of each item you plan to remove.
Click the Fix checked button.
A confirmation box will appear. Click Yes. HijackThis will now remove the checked items.
How to make a Startup List using HijackThis.
StartupList is a utility which creates a list of everything which starts up when you boot your computer plus a few other items.



Run HijackThis.
Click on the Open the Misc Tools Section button.
Click the Generate StartupList log button. A confirmation box will pop up. Click Yes.
The Startup list text file will now be generated and opened on the screen.
If you are posting at a Forum, please highlight all, and then copy and paste the contents into your Reply in the same post where you originally asked your question.
Note: If you have run and fixed anything with Spybot Search and Destroy or AdAware, please reboot before scanning.

Download HijackThis Installer (HJTinstall.exe) from here

remove downadup kido conficker windows worm virus


The Downadup worm, also known as Kido, Conficker and Windows worm, is yet another piece of malicious software on the loose, infecting PCs worldwide using the internet as camouflage. Latest news reports say that it has infected nearly 3.5 million PCs around the world. There were many other viruses and worms on the loose in 2008, and Downadup is one of them, as it started infecting PCs in late 2008.

The people at Microsoft say that many more PCs are prone to this worm and the numbers could rise drastically. Engineers say that Windows users must have the latest patch installed in order to protect their PCs from its attack.

The worm uses very complex methods to enter a user's PC and create havoc. It looks for the "services.exe" file on a PC and then attaches itself to that file. It then makes itself part of the system DLL files, and Windows treats it as a normal service DLL and runs it alongside the other DLLs.

Once it has been loaded by fooling the system, it starts its malicious work by tampering with browsers. It redirects users to websites full of malware and then starts downloading more worms and spammy software. The worm also tampers with System Restore, making it difficult to recover a PC.


A week and a half ago, Panda Security warned about the potential spread of the Conficker worm, a virus spread via USB devices. Since then, Panda has found that nearly six percent of scanned computers were infected, spanning 83 countries.

Originating in China, Conficker worm infection seems concentrated in the United States, Taiwan and Brazil. PandaLabs found 18,000 infected computers in the US alone. Analyzing two million computers, 5.77 percent, or 115,000 were found to be carrying the Conficker worm.
In the time since the security company issued an "orange alert" regarding the threat level of this malicious program, Panda says variants have been identified that launch brute-force attacks to extract passwords from infected computers and internal networks. The company says the frequency of "weak" passwords (common dictionary words, people's own names) has aided the outbreak.
"Of the two million computers analyzed, around 115,000 were infected with this malware, a phenomenon we haven't seen since the times of the great epidemics of Kournikova or Blaster," says Luis Corrons, Technical Director of PandaLabs.
"This is no doubt an epidemic and the worst may still be to come, as the worm could begin to download more malware onto computers or to spread through other channels. The outbreak of this worm really highlights the need for users to establish strong passwords both on personal computers and corporate networks, as otherwise, an infection could spread across an entire company leaving computers at the mercy of attackers."
Conficker uses a system of social engineering to spread via USB devices. When the Windows options menu appears after inserting a USB device, a prompt appearing to be an option to open a folder to see the files is actually an option to run the program and activate the malware.



The people at Microsoft feel that it is hard to track the origin of this worm. Most known worms and trojans are downloaded from the same websites that people come across while searching for a software download; those websites are easy to track and action can be taken swiftly. Downadup uses a slightly different technique: it generates multiple domain names every day, and the worm may reside at any one of them. This makes it hard for engineers to detect.

Downadup Removal

Fortunately, the worm can be removed if you have Symantec antivirus installed on your PC along with its latest updates. At times removal may get difficult, as the worm doesn't allow you to use Windows Explorer properly. If you do not have the whole suite installed, you can download a small, free removal tool developed by Symantec. Make sure you follow all the instructions strictly before attempting to remove this nuisance from your PC.

Download Downadup removal tool

Although I haven't really tested this tool, it is currently the latest available removal tool on the internet.

What is the Google search redirect virus and how to remove it?

The Google redirect virus, also known as the web redirect virus or the Yahoo search redirect virus, is one of the most widespread malware infections these days. It spreads via the Internet and is also called the go.google.com redirect virus, because it redirects the user's web browser, while browsing, to fake or wrong websites full of advertisements.

The virus, go.google.com, mostly redirects Google search results to spam websites that carry AdSense or other online advertising companies' ads. It also blocks the user from downloading programs or any other file from the Internet. When the user clicks a download link, go.google.com displays the following fake errors:

Internet explorer cannot open web page filename.exe is not a valid win 32 application
Setup files are corrupted. Please obtain new copy of program
The go.google.com virus is a web-browser hijacker which commonly infects Mozilla Firefox and Microsoft Internet Explorer and redirects the user to the following websites:

clearask.com
web-analytics.google.com
brittaniasearch.com
go.google.com
Let’s see the symptoms of this virus and how can we remove go.google.com on Windows Vista and Windows XP.



How to fix the Google redirect virus problem:
The virus, go.google.com, disables running firewalls and anti-virus software and breaks your security; it records the web URLs visited on the infected computer and sends them to the attacker.

The most common signs of the go.google.com browser hijacker are that it corrupts registry files and causes "Blue Screen of Death" errors in Windows.
This virus also changes the desktop background.
IE and Mozilla Firefox browse the web slowly after getting infected by go.google.com, and the virus also infects e-mail attachments, messengers and other freeware programs.
There are two tools available on the Internet which can remove the go.google.com virus from Windows XP and Windows Vista.

Note: Both of these tools are shareware programs classified as spyware and antivirus tools which let you remove the virus completely free of cost, so you can use them during their trial period.

[ Download go.google.com virus removal tool for windows XP | Download go.google.com tool for Windows Vista ]

Solution # 2 to fix a hacked browser
Download and run the UnHackMe tool, which will fix any browser hijacking, hacking and redirect issues.
The main difference between UnHackMe and other anti-rootkit software is the detection method.
UnHackMe tries to detect hidden rootkits by watching the computer from the early stage of the boot process until normal Windows mode.

UnHackMe is the first boot-watch anti-rootkit.
Most modern anti-rootkit programs try to detect rootkits when the rootkit is already active. They use very complex methods for detecting hooked system functions. But rootkit authors keep creating new tricks, and this war will never end.

Download UnHack Me tool

Google Redirect Virus Manual Removal Instructions
If you wish to remove the Google redirect virus manually instead of using the automatic removal tools, it may be difficult, because the virus creates files with different names and they are not the same on every computer. So it is better to remove it using the automatic removal tools. Still, here is a manual removal tutorial that might help you remove this virus by hand.

Follow the instructions below:
1: Go to my computer and C:-->Windows-->System32-->Drivers-->etc folder.
2: In this folder, Look for a file named "Hosts"
3: Right click on this file and open it with the notepad
4: Now delete all the lines of IP addresses in the text document except for "127.0.0.1 localhost".
5: Save the file and close it.

Doing this solves the problem, and now you should be able to surf the Internet without any redirect problem. But remember: you still need to get rid of several infected files on your computer, remove registry entries and un-register the DLL files.
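Step 4 above edits the hosts file by hand. The script below is an added example, not from the page: it parses a hosts file, sorts each entry into the stock localhost lines, blocking entries that sinkhole a name to 127.0.0.1 or 0.0.0.0 (ad-block lists do this as well, so a block entry is not by itself a sign of infection), redirect-style entries that point search or update domains at some other address, and custom or malformed lines, and it produces the cleaned file that step 4 describes. It generalizes the step slightly by keeping all stock loopback lines rather than only "127.0.0.1 localhost". The watched-domain list and the sample hosts file are constructed, and the 203.0.113.x addresses are documentation addresses, not real hosts.

```python
"""Audit a hosts file for redirect entries and produce the cleaned file that
the manual step above describes.
Added example, not from the page. The watched-domain list and the sample
hosts file are constructed; 203.0.113.0/24 is a documentation range."""
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Names a redirect hijacker typically points elsewhere (assumed list).
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (line number, ip or None if unparsable, [names], raw line) for data lines."""
    for number, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if not body:
            continue
        try:
            ip = ipaddress.ip_address(body[0])
        except ValueError:
            ip = None
        yield number, ip, [n.lower() for n in body[1:]], raw


def classify(ip, names):
    if ip is None or not names:
        return "malformed"
    sinkhole = ip.is_loopback or ip.is_unspecified
    if sinkhole and all(n in LOOPBACK_NAMES for n in names):
        return "default"        # the stock localhost lines
    if sinkhole:
        return "block"          # name sent nowhere: ad-block lists do this, so does some malware
    if any(n == s or n.endswith("." + s) for n in names for s in WATCHED_SUFFIXES):
        return "hijack"         # a search or update domain sent to a third-party address
    return "custom"


def audit_hosts(text):
    report = {"default": [], "block": [], "hijack": [], "custom": [], "malformed": []}
    for number, ip, names, raw in parse_hosts(text):
        report[classify(ip, names)].append((number, raw.strip()))
    return report


def clean_hosts(text):
    """Keep comments, blank lines and the default loopback entries; drop everything else."""
    verdict = {number: classify(ip, names) for number, ip, names, _ in parse_hosts(text)}
    kept = [line for number, line in enumerate(text.splitlines(), 1)
            if verdict.get(number, "default") == "default"]
    return "\n".join(kept) + "\n"


# Constructed sample hosts file mixing stock, ad-block, redirect, custom and broken lines.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.net  # sinkhole, ad-block style
203.0.113.10 www.google.com google.com  # redirect-style entry
203.0.113.10 update.microsoft.com
10.0.0.5 intranet.corp.example
this is not a hosts entry
"""

if __name__ == "__main__":
    for category, lines in audit_hosts(SAMPLE_HOSTS).items():
        for number, line in lines:
            print(f"{category:9} line {number}: {line}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Read C:\Windows\System32\drivers\etc\hosts into `text`, review the "hijack" and "custom" lists from `audit_hosts` before deciding, and only then write the output of `clean_hosts` back over the file; the file is normally writable only from an elevated editor, which is also why malware that edits it has already gained administrative rights.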

Surabaya in my birthday - W32/Drowor.worm


Overview -
W32/Drowor.worm may be distributed under the deceptive file name "Google Earth .scr" (a screensaver executable dressed up as Google Earth).

It shows this message:
Surabaya in my birthday
Don't kill me, i'm just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti......
(Indonesian: "Thank you for keeping me company, even if only for a moment; to me it meant a great deal.")

Symptoms -
Modified autoexec.bat, which displays a message at system start: "Don't kill me, i'm just send message from your computer"
Your folders appear to be 40 KB files (decoy executables carrying each folder's name)
Modified PE binary files (the worm infects executables)

How to remove Surabaya Virus

Symptoms -
  • Modified autoexec.bat, which displays a message at system start: "Surabaya in my birthday" ... "Don't kill me, i'm just send message from your computer", followed by a few lines in Indonesian (quoted in the overview above).

  • Your folders appear to have a file size of 40 KB.

  • All your hard disk partitions become autorun drives: if you right-click any partition or drive letter, the menu offers "autorun" where "Open" used to be.

  • All your original folders are hidden and replaced by a dummy file with the same name and a size of 40 KB. If you right-click such a dummy, the menu shows "test", "configure" and similar options but no "Open" option; those are the verbs of a screensaver (.scr) file, which is what the dummy is.



  • Removal Steps:
    Step 1:
    Press Start -> Run -> type cmd (or command) -> press Enter
    Type in the command box: cd\
    Type again: c:
    Type again: attrib -s -h -r /d /s -> press Enter
    Type again: del autorun.inf -> press Enter
    Type again: del thumb*.* -> press Enter

    The attrib command clears the system, hidden and read-only attributes from every file and folder on the drive, which is what brings your real folders back into view. It also clears them from legitimate files such as boot.ini and ntldr; Windows still boots, but take care not to delete those files afterwards. del thumb*.* also removes Explorer's harmless Thumbs.db caches, which Windows recreates on its own.

    Repeat the same for your other hard drive partitions. If you have three partitions, say "C", "D" and "E":

    Type again: d:
    Type again: attrib -s -h -r /d /s -> press Enter
    Type again: del autorun.inf -> press Enter
    Type again: del thumb*.* -> press Enter
    Type again: e:
    Type again: attrib -s -h -r /d /s -> press Enter
    Type again: del autorun.inf -> press Enter
    Type again: del thumb*.* -> press Enter

    If you have a USB hard drive or pen drive connected, do the same with its drive letter. For example, if your USB drive is "G":

    Type again: g:
    Type again: attrib -s -h -r /d /s -> press Enter
    Type again: del autorun.inf -> press Enter
    Type again: del thumb*.* -> press Enter
    Type again: exit



    Step 2:
    Press Start -> Run -> regedit -> press Enter
    Click on the following (in the left-hand pane):
    "HKEY_LOCAL_MACHINE" -> "SOFTWARE" -> "Microsoft" -> "Windows NT" -> "CurrentVersion" -> "Winlogon".
    In the right-hand pane delete the values "LegalNoticeCaption" and "LegalNoticeText"; they hold the message the worm shows at logon.

    Step 3:
    Go to Start menu -> Programs -> Accessories -> System Tools -> System Restore
    This opens a dialog with the option "Restore my computer to an earlier time". Select a date on which you are sure your system was still working fine, then click Next until the restore starts.
    System Restore takes a few minutes depending on your computer's speed, so be patient. When it finishes, the computer restarts and the problem should be gone. Note that restore points taken while the machine was already infected can contain the worm's files (which is why the other guides on this page disable System Restore before cleaning), so pick a point from before the infection.

    Step 4:
    Press Start -> Run -> regedit -> press Enter
    Press Ctrl + F
    In the Find window type Surabaya. If you find any registry entries with this name, delete them.

    Step 5:
    This virus disables the "Show hidden files and folders" option in Folder Options. To make your computer show hidden files again and get it back to normal:
    Start -> Run -> regedit -> OK
    HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Explorer -> Advanced -> Folder -> Hidden -> SHOWALL
    In the right-hand pane, locate CheckedValue; the worm sets it to 0.
    Modify this value to 1 (right-click CheckedValue under the Name column -> Modify). It must be a REG_DWORD: if the worm has replaced it with a string value, Explorer ignores it, so delete it and create a new DWORD value named CheckedValue with data 1.

    Note:
    This virus usually reaches your computer through a USB drive (pen drive or external hard disk). Whenever you plug a USB drive into an infected computer, the virus copies itself and an autorun.inf to the drive, and that drive then infects the next computer it is plugged into. So it is always advisable not to open a pen drive by double-clicking it. Instead, right-click the drive and choose the Open option. If the first (bold) entry in the right-click menu is "autorun" rather than "Open", the drive carries an autorun.inf that has replaced the default action, and it is infected.
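To see exactly what an autorun.inf on a suspect drive would do, here is an added example (not part of the original post) that parses the file and reports the programs it launches and whether it swaps the drive's default double-click action, which is the mechanism behind the "autorun" entry appearing instead of "Open" in the note above. The two sample files are constructed; using Thumb.db as the payload name is an assumption taken from the "del thumb*.*" step.

```python
"""Added example (not part of the original post): parse an autorun.inf and
report what it would run and whether it replaces the drive's default action.
SAMPLE_INFECTED and SAMPLE_BENIGN are constructed for this demo."""
import re

# shell\<verb>\command=...  defines a right-click verb that runs a program
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")

def parse_autorun(text):
    """Return [(key, value)] from the [autorun] section, keys lower-cased.
    Hand-rolled rather than configparser: malware pads these files with junk
    and indented lines that configparser would treat as errors or continuations."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        entries.append((key.strip().lower(), val.strip()))
    return entries

def assess_autorun(text):
    """Return {"targets": [programs launched], "findings": [human-readable notes]}."""
    entries = parse_autorun(text)
    findings, verbs, targets, default_verb = [], {}, set(), None
    for key, val in entries:
        if key in ("open", "shellexecute"):
            findings.append("%s= runs %r when AutoPlay/AutoRun fires" % (key, val))
            targets.add(val)
        elif VERB_RE.match(key):
            verb = VERB_RE.match(key).group(1)
            verbs[verb] = val
            targets.add(val)
            findings.append("context-menu verb %r runs %r" % (verb, val))
        elif key == "shell":
            default_verb = val.lower()
    if default_verb is not None:
        if default_verb in verbs:
            # This is what makes a double-click (and the bold menu entry) run the payload
            findings.append("default (double-click) action replaced by %r -> %r"
                            % (default_verb, verbs[default_verb]))
        else:
            findings.append("shell=%s points at an undefined verb" % default_verb)
    return {"targets": sorted(targets), "findings": findings}

# Constructed: the pattern USB worms of this family use
SAMPLE_INFECTED = r"""[autorun]
open=Thumb.db
shellexecute=Thumb.db
shell\Auto\command=Thumb.db
shell=Auto
"""

# Constructed: a vendor CD that only sets an icon and a label
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        result = assess_autorun(sample)
        print(name, "targets:", result["targets"])
        for f in result["findings"]:
            print("   ", f)
```

Run it against the autorun.inf at the root of each drive after the attrib step has made the file visible; every name in `targets` is a file to inspect (and usually delete) before you delete the autorun.inf itself.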

    How to remove w32/ALMAN Computer virus


    Remove the W32/ALMAN computer virus. My laptop and PC got infected by W32/ALMAN. All I can say is that this virus is smart and not easy to kill. It cannot be stopped just by looking at the background processes, the services and the startup list. The virus creates two master source files in %SystemRoot%\System32: wmdrtc32.dll (40 KB) and wmdrtc32.dl_ (26.5 KB). Once active, it injects code into any executable file and infects it. If you get a message box saying "There is no disk ..." or you cannot run any executable file, check your system folder for those two files.



    To clean infected files use the free W32/ALMAN remover from Grisoft (AVG). Download both files and save them in one folder:

    rmalman.exe (click to download) and rmalman.nt (click to download). Run rmalman.exe and follow the instructions. There is no guarantee that this remover will clean your computer of the virus completely.

    In my case the remover did not clean my computer completely; the virus kept generating .dll files again and again. I scanned with ANSAV, AVG and rmalman.exe, but nothing helped. I was frustrated because a lot of important data on my laptop had to be kept safe. After searching on Google I found out that you can check and restore genuine Windows files with the sfc command (Windows System File Checker), so I tried running "sfc /scannow" from a command prompt. It WORKED: the virus stopped infecting my computer.

    Tips
    Lost your Windows CD, or installed Windows from your hard disk? You can run the sfc command without the CD with this trick. Run regedit and find:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath

    Change the Value Data of each to the folder that contains your i386 folder, not the i386 folder itself. For example, if the structure is D:\blabla\i386, set the Value Data to D:\blabla.

    Run "sfc /scannow". It works if the Value Data in the registry is set correctly. Note that sfc only restores protected Windows files from the i386 source; it does not remove the virus's own files (the two wmdrtc32 files above), which still need to be deleted or cleaned by the remover.

    Script not found. Virusremoval.vbs missing



    Neel: Hello, when I boot my machine it gives the error "Script not found. Virusremoval.vbs missing". Please suggest a way to get out of it.

    Raj: Just copy the important files from your C drive to another drive and format your C drive.

    The process belongs to the software wscript.exe, by an unknown publisher.

    Description: The file VirusRemoval.vbs is located in an unidentifiable folder. The file size on Windows XP is 0 bytes.
    The program has a visible window. There is no information about the maker of the file. Note: the file no longer exists. The application starts when Windows starts (see the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit). It is not a Windows core file. Therefore the technical security rating is 26% dangerous.

    Important: Some malware camouflages itself as VirusRemoval.vbs, particularly if it is located in the c:\windows or c:\windows\system32 folder. So check the VirusRemoval.vbs process on your PC to see whether it is a pest.



    Usman Khan: 1. From the Start menu click Run -> type Regedit

    2. Registry Editor will open

    3. In the Registry Editor, go to the Edit menu and press Find

    4. In the Find dialog box type virusremoval.vbs and press the Find Next button

    5. The search will end at some folder in the registry at the value "Userinit"; double-click it; you will find many paths separated by commas, e.g. c:windows/system32/userinit.exe,c:/windo... and so on. Among those paths you will find "C:\windows\system32\virusremoval.vbs". Delete that path. Ensure the remaining paths are unaltered so that your genuine scripts are not affected.

    6. Press F3 (Find Next) to see whether the same path exists somewhere else in your registry. If it is found at some other place, remove the path there also.

    7. Repeat F3 until you get a message that the search has finished.

    Thank you,
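The fix in the answer above, done in code as an added example (not part of the thread): the Winlogon Userinit value is a comma-separated list, and the safe edit removes only the entry you have identified while leaving userinit.exe and any unknown entries in place for review. The sample values are constructed; DEFAULT_USERINIT assumes a C:\WINDOWS system root.

```python
"""Added example (not part of the original thread): remove one named entry
from the Winlogon Userinit value without disturbing the rest of it.
The sample values are constructed; DEFAULT_USERINIT is an assumption."""
import re

# userinit.exe with or without a path, case-insensitive
USERINIT_RE = re.compile(r"^(?:[a-z]:\\[^,]*\\)?userinit\.exe$", re.I)
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"   # assumption: %SystemRoot% = C:\WINDOWS

def split_userinit(value):
    """Userinit is comma-separated; Windows writes it with a trailing comma."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]

def clean_userinit(value, remove=("virusremoval.vbs",), default=DEFAULT_USERINIT):
    """Return (new_value, removed, review).

    removed: entries dropped because their file name is in `remove`
    review:  entries that are neither userinit.exe nor on the removal list;
             they are kept, because some legitimate products add a logon hook here.
    If no userinit.exe survives, `default` is put back: a Userinit value
    without it leaves you at a blank desktop after logon."""
    kept, removed, review = [], [], []
    wanted = {r.lower() for r in remove}
    for entry in split_userinit(value):
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in wanted:
            removed.append(entry)
        elif USERINIT_RE.match(entry):
            kept.append(entry)
        else:
            review.append(entry)
            kept.append(entry)
    if not any(USERINIT_RE.match(k) for k in kept):
        kept.insert(0, default)
    return ",".join(kept) + ",", removed, review

# Constructed samples
SAMPLE_INFECTED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\virusremoval.vbs,"
SAMPLE_WITH_HOOK = (r"C:\WINDOWS\system32\userinit.exe,"
                    r"C:\Program Files\Example\logonhook.exe,"   # hypothetical third-party hook
                    r"C:\WINDOWS\system32\VirusRemoval.vbs,")

if __name__ == "__main__":
    for sample in (SAMPLE_INFECTED, SAMPLE_WITH_HOOK):
        new_value, removed, review = clean_userinit(sample)
        print("old:   ", sample)
        print("new:   ", new_value)
        print("removed:", removed, " review:", review)
```

Read the current value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, run it through `clean_userinit`, inspect `review`, and only then write `new_value` back; keep the trailing comma, which is how Windows itself stores the value.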

    What is W32/VBWorm.QXE Bluebebek and how to remove it


    Remove W32/VBWorm.QXE (Bulubebek). The Bulubebek virus is written in Visual Basic and is 53 KB in size. It is easy to remove with a few manual steps. Once active, it creates these master files:

    \Windows\Script.exe
    \Windows\LSASS.exe
    \Documents and Settings\%user%\autorun.inf
    \Documents and Settings\%user%\bulubebek.ini
    \bulubebek.ini
    \autorun.inf
    (The genuine lsass.exe lives in \Windows\System32; a copy directly under \Windows is the worm.) While active it blocks some Windows functions such as Task Manager, Folder Options, the command prompt and more. It spreads, by design, via flash disks by creating autorun.inf files on them.

    Hidden folders and duplicate folders

    Bulubebek is designed and works almost the same as the older Brontok variants: it hides your real folders and creates duplicate .exe files with a folder icon to trick inexperienced users.



    Steps to clean the Bulubebek virus
    1. I recommend unplugging your computer from the network; not strictly necessary, but safer.
    2. Disable "System Restore" while cleaning.
    3. Kill the active virus process using a third-party tool such as Process Explorer; the virus process is the one with a folder icon.

    4. Repair the registry entries the virus changed: save the following as a file with a .inf extension, right-click it and choose Install. (In INF strings a literal double quote is written as two double quotes, so """%1"" %*" restores the stock "%1" %* file-association command.)

    [Version]
    Signature="$Chicago$"
    Provider=Nobody

    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del

    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
    HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
    HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue,0x00010001,1
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue,0x00010001,2
    HKCU, Software\Microsoft\Command Processor, AutoRun,0,

    [del]
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
    HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

    5. Find and delete the duplicate folders the virus created, using the search function. Look for files matching all of these rules:
    Using a folder icon.
    Size 53 KB.
    .exe extension.
    File type Application.

    6. Show your hidden files again. You can use your favourite third-party tool, or do it manually with the attrib command:
    attrib -s -h -r /s /d

    NOTE: Run this from the drive root.

    7. To make sure it is completely clean, scan your computer with your preferred antivirus program.
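Step 5 above, and the .lnk variant of the same trick in the Pif Starter.A post further down, both come down to one pattern: a small executable or shortcut whose name matches a directory sitting next to it (the real folder, now hidden). The following added example (not part of the original post) finds such decoys; the demo tree is constructed in a temporary directory, and the 40 KB / 53 KB / 1 KB sizes the posts quote set the size cut-off.

```python
"""Added example (not part of the original post): locate "folder icon"
decoys, i.e. an .exe/.scr/.lnk whose name matches a sibling directory.
The demo tree is constructed; the size bound is an assumption from the posts."""
import os
import shutil
import tempfile

DECOY_EXTS = {".exe", ".scr", ".pif", ".com", ".lnk"}

def find_folder_decoys(root, max_size=64 * 1024):
    """Return [(decoy_path, shadowed_dir, size)] for every file under `root`
    whose stem equals a sibling directory's name (case-insensitive, as on
    Windows) and whose size is at most `max_size` bytes."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower(): d for d in dirnames}
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() not in DECOY_EXTS:
                continue
            shadow = dirs.get(stem.lower())
            if shadow is None:
                continue
            path = os.path.join(dirpath, fn)
            size = os.path.getsize(path)
            if size <= max_size:
                hits.append((path, os.path.join(dirpath, shadow), size))
    return hits

def build_demo_tree():
    """Constructed sample: two decoys plus two legitimate executables."""
    root = tempfile.mkdtemp(prefix="decoy-demo-")
    for d in ("Photos", "Reports", "Tools"):
        os.makedirs(os.path.join(root, d))
    samples = {
        "Photos.exe": 53 * 1024,                    # Bulubebek-style decoy
        "Reports.lnk": 1024,                        # Starter.A-style shortcut decoy
        os.path.join("Tools", "Tools.exe"): 1024,   # inside its folder, no sibling dir
        "setup.exe": 2048,                          # no folder of that name
    }
    for rel, size in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"\0" * size)
    return root

def demo():
    """Build the tree, scan it, clean up; returns the decoy file names found."""
    root = build_demo_tree()
    try:
        return sorted(os.path.basename(p) for p, _, _ in find_folder_decoys(root))
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

Run `find_folder_decoys` against each drive root after the attrib step has unhidden the real folders, and review the list before deleting: a legitimate Setup.exe next to a Setup directory is common on install media, so the size and the folder icon are the tie-breakers.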

    Win32.kolabc worm removal guide


    Get rid of Win32.worm.Kolabc
    Win32.Worm.Kolabc is a worm, a variant of the malicious Kolabc family. Kolabc infects XP and Vista systems with malicious executables and runs as in-memory processes, which makes it particularly difficult to remove. It is usually installed via adult web sites, spam e-mails, or shareware and P2P programs. It can alter system files and severely degrade Windows Vista and XP performance.

    Other worms that vendors list in the same Win32.Worm family (related detections, not variants of Kolabc): Win32.Worm.Gimmiv.B, Win32.Worm.Mydoom, Win32.Worm.Agent, Win32.Worm.Benjamin, Win32.Worm.Supova.C, Win32.Worm.Bobax.A/C, Win32.Worm.Sasser, Win32.Worm.Iksmas, Win32.Worm.Fabot, Win32.Worm.Womble, Win32.Worm.Sumom.A, Win32.Worm.Zhelatin, Win32.Worm.Eyeveg

    Potential signs:
    Corrupt or missing registry entries causing Blue Screen of Death errors
    Pop-up blocker unable to block mass adult pop-up advertisements
    Redirected search engine results and web browser home page
    Computer slowdowns, system errors and Windows crashes
    Strange desktop shortcuts and icons, hijacked Windows desktop wallpaper
    Abnormal Win32.worm.Kolabc processes in the Windows task list, and a beeping noise that cannot be stopped
    Common Kolabc behaviors:
    Worm.Kolabc downloads third-party programs onto the system and infects the PC with malware through browser security holes
    Records system settings and registry activity, and captures surfing habits to serve matching pop-ups
    Worm.Kolabc bypasses security tools by disguising itself as a legitimate Windows file, and sends passwords, usernames and other confidential information to the attackers
    Install the remover to determine whether you are infected, then remove Win32.worm.Kolabc and delete all its parts permanently.

    Download BHO Trojan removal Program

    What is Worm32.NetBooster and how to remove it?


    Worm.Win32.Netbooster: a worm? Actually Worm.Win32.Netbooster is not a real worm. Rogue anti-spyware programs such as Malware Bell 3.2, VirusHeat, AntiVirProtect, MalwareAlarm and PC-Antispyware, and Trojans such as Zlob, generate fake security alerts claiming that the user's computer is infected with Worm.Win32.Netbooster, to trick them into buying a rogue "remover".
    A typical fake alert reads:

    "Your browser was hijacked by Worm.Win32.Netbooster"

    The software behind these alerts can slow the computer down and cause critical system errors. Do not trust any rogue anti-spyware program that the Worm.Win32.Netbooster alert promotes, and remove it as soon as possible.



    How to manually remove Worm.Win32.Netbooster

    To save time and avoid damaging your computer, we highly recommend using a spyware scanner such as SpyHunter to detect Worm.Win32.Netbooster and the other spyware, adware, Trojans, viruses, keyloggers and more that can be hidden on your PC.

    Files associated with Worm.Win32.Netbooster infection:

    mscfg32.dll
    cjvy.dll
    vtssp.dll
    ttvbonvgl.dll
    ssqppol.dll
    gqagksr.dll
    esent9.dll
    pmspl.dll
    windivx.dll
    msvideo.dll
    ecxwp.dll
    stream32a.dll
    websrc32.dll
    mlljh.dll
    urqnomm.dll

    Worm.Win32.Netbooster DLL's to remove:

    mscfg32.dll
    cjvy.dll
    vtssp.dll
    ttvbonvgl.dll
    ssqppol.dll
    gqagksr.dll
    esent9.dll
    pmspl.dll

    Download Auto removal Tools

    Malware bytes Anti Malware Download ( FREE )


    Removing Win32 Mydoom worm

    Also Known As:
    W32.Mydoom@mm (Symantec)
    W32/Mydoom@MM (McAfee)
    WORM_MYDOOM (Trend Micro)
    Win32.Mydoom (CA)
    Summary
    Win32/Mydoom is a family of mass-mailing worms that spread through e-mail. Some variants also spread through peer-to-peer networks. The worm acts as a backdoor Trojan, which allows an attacker to access the infected system; this backdoor may be used to distribute other malicious software. Some variants of Win32/Mydoom launch denial-of-service (DoS) attacks against specific web sites.
    Symptoms
    If your computer is infected by Win32/Mydoom, you may notice one or more of the following symptoms:
    Some variants create a text file containing random data

    Some variants overwrite the hosts file, which may block access to some Microsoft and antivirus vendor Web sites.


    Technical Information
    When the Win32/Mydoom worm is executed, it copies itself to the %system% or %temp% directory. The worm also creates a registry value under one of the following keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    This value causes the worm to start when Windows is started.

    Win32/Mydoom drops a backdoor Trojan into the %system% or %windows% directory. The backdoor allows unauthorized access to the infected system. The worm may load and execute the backdoor itself. It may also set the default value of the following InProcServer32 keys (COM objects that Explorer loads at start-up) to the backdoor's path, so that Explorer.exe loads and executes the Trojan when the system restarts:
    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32

    Win32/Mydoom may copy itself to the share folder of the Kazaa P2P application, in order to spread through P2P networks. The worm obtains the location of the share folder from the value DlDir0 in the registry key HKEY_CURRENT_USER\Software\Kazaa\Transfer.

    Win32/Mydoom may copy itself to random directories on an infected system.

    Win32/Mydoom collects e-mail addresses from files on an infected system and sends e-mail with an attached copy of the worm to the addresses. This function is the primary propagation method the worm uses.
    Steps
    Take the following steps to help prevent infection on your system:
    1. Enable a firewall on your computer
    2. Get the latest computer updates
    3. Use up-to-date antivirus software
    4. Use caution with unknown attachments

    Enable a firewall on your computer
    Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
    To turn on the Internet Connection Firewall in Windows XP:
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Highlight the connection you want to protect, and click Change settings of this connection.
    4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
    5. Click OK.

    Get the latest computer updates
    Updates help protect your computer from viruses, worms and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates:
    1. Click Start, and click Control Panel.
    2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
    3. Click System.
    4. Click Automatic Updates, and select Keep my computer up to date.
    5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify, and setting a regular update time.
    If you chose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

    Use up-to-date antivirus software
    Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software that is updated with the latest signature files, so that it automatically helps protect you from infection.

    Use caution with unknown attachments
    Use caution before opening unknown e-mail or IM attachments, even if you know the sender. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately, and run up-to-date antivirus software to check your computer for viruses.

    This malicious software can be removed using the MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL

    Download Now 

    Removing Win32 KoobFace worm/malware

    Summary
    Win32/Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
    Symptoms
    System Changes
    The following system changes may indicate the presence of this malware:
    The presence of the following files:
    %windir%\bolivar19.exe
    %windir%\bolivar31.exe
    %windir%\bolivar30.exe
    %windir%\ld01.exe
    %windir%\che08.exe
    %windir%\freddy35.exe
    The display of the following messages:
    ERROR "ERROR INSTALLING CODEC. PLEASE CONTACT SUPPORT"


    Technical Information
    Win32/Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
    Installation
    If this worm is executed, Win32/Koobface copies itself to the Windows folder as in the following examples:

    %windir%\fbtre6.exe
    %windir%\mstre5.exe
    %windir%\bolivar19.exe
    %windir%\bolivar31.exe
    %windir%\bolivar30.exe
    %windir%\ld01.exe
    %windir%\che08.exe
    %windir%\freddy35.exe

    The worm may also drop a cleanup batch script with a random file name in the root of the local drive, for example:

    c:\42123.bat

    The worm may run this cleanup script to delete the originally executed worm file and then the script itself. The registry is modified so that the dropped worm copy runs at each Windows start:

    Adds value: systray
    With data: "%windir%\<dropped worm file name>"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Depending on the variant, other value names such as "sysftray2" or "sysldtray" are used instead.

    Spreads Via…
    MySpace and FaceBook Contacts
    Win32/Koobface searches in the default Internet Explorer cookies folder for browser cookies related to the Internet social network sites including the following:
    facebook.com
    friendster.com
    hi5.com
    myspace.com
    bebo.com

    In some variants of Win32/Koobface, if the worm determines that none of these sites has been visited, it may delete itself and display a message box.

    In the wild, the worm may connect to the web site zzzping.com to download and execute further malware.

    The worm spreads by sending messages containing a hyperlink to a copy of worm to friends or contacts of the infected user. Friends that receive the message may visit the link to download the worm and repeat the cycle of spreading to others.
    Payload
    Removes Audible Navigation Alerts
    Some variants of Win32/Koobface may delete a registry subkey that references navigation sounds such as the 'click' sound when navigating from one Web site to another. The following subkey may be deleted by the worm:

    HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

    This malicious software can be removed using the MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL

    Download Now 

    Worm Pif Starter.A

    To tell whether your computer is infected by this virus there are 4 points to check:

    In your "My Documents" folder there is a file named "database.mdb".
    There are clone folders with the extension .lnk, at most the first 5 folders sorted by name, down to the second level of subfolders.
    The files Autorun.inf, Thumb.db and Microsoft.lnk exist in each drive root and in folders down to the second level of subfolders. (You may not see them because they are set hidden.)
    Your Registry Editor is disabled.
    The master file of this virus is actually "database.mdb" in "My Documents". Wait, and you will see why it is called the master. The virus creates its folder clones using "wscript.exe", the Microsoft Windows-based script host: the .mdb extension is only a disguise, and wscript is told to treat the file as VBScript with the //e:VBScript switch.

    The virus changes your registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""

    You all know how these Run entries affect your computer every time it reboots, so there is no need to explain that. Note the second path: "C:\WINDOWS\:Microsoft Office Update for Windows XP.sys" is an NTFS alternate data stream attached to the Windows folder itself, which is why it never shows up in Explorer or in a dir listing. Really simple social-engineering technique.
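Both Run entries above share a tell-tale shape: a script host launched against a file whose extension is not a script's, one of them hidden in an alternate data stream. The following added example (not part of the original post) scans Run-key values from a .reg export for that shape. SAMPLE_REG is constructed from the paths the post lists, with a benign ctfmon entry as a control.

```python
"""Added example (not part of the original post): flag Run-key values that
start a script host against a disguised file or an NTFS alternate data
stream.  SAMPLE_REG is constructed for this demo."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def iter_reg_strings(reg_text):
    """Yield (key, name, data) for REG_SZ values in a .reg export.
    In .reg files a backslash is written twice and a quote as backslash-quote."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if key and m:
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data

def tokenize(cmdline):
    """Split a command line on whitespace, honouring double-quoted arguments."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def assess_run_value(data):
    """Return a list of findings for one Run value's command line (empty = nothing odd)."""
    args = tokenize(data)
    if not args:
        return []
    host = args[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return []
    findings = []
    options = [a for a in args[1:] if a.startswith("/")]
    targets = [a for a in args[1:] if not a.startswith("/")]
    # //E:engine (or /E:) forces the engine, so the file's extension means nothing
    engine = next((o for o in options if o.lstrip("/").lower().startswith("e:")), None)
    if engine:
        findings.append("engine forced with %s, so the target's extension cannot be trusted" % engine)
    for target in targets[:1]:
        basename = target.rsplit("\\", 1)[-1]
        ext = ("." + basename.rsplit(".", 1)[-1]).lower() if "." in basename else ""
        if ext not in SCRIPT_EXTS:
            findings.append("script host launches a non-script extension %r: %s" % (ext, target))
        # a colon after the drive letter means an NTFS alternate data stream
        tail = target[2:] if re.match(r"^[A-Za-z]:", target) else target
        if ":" in tail:
            findings.append("target is an NTFS alternate data stream (invisible to dir/Explorer): %s" % target)
    return findings

def audit_run_keys(reg_text):
    """Return [(key, value_name, findings)] for every Run value with findings."""
    out = []
    for key, name, data in iter_reg_strings(reg_text):
        if not key.lower().endswith("\\run"):
            continue
        findings = assess_run_value(data)
        if findings:
            out.append((key, name, findings))
    return out

# Constructed .reg export: the two entries from the post plus a benign control
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="Wscript.exe //e:VBScript \"C:\\Documents and Settings\\Administrator\\My Documents\\database.mdb\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\\WINDOWS\\:Microsoft Office Update for Windows XP.sys\""
'''

if __name__ == "__main__":
    for key, name, findings in audit_run_keys(SAMPLE_REG):
        print("%s\\%s" % (key, name))
        for f in findings:
            print("   ", f)
```

Export the two Run keys with regedit (File -> Export) and feed the file to `audit_run_keys`. XP's dir command cannot list alternate data streams; the Sysinternals streams tool can (and deletes them with -d), which is how the stream on C:\WINDOWS is confirmed and removed.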


    Remove Virus Manually
    1. Disable "System Restore" during the cleaning process.

    2. Kill the wscript.exe process running in the background.

    3. During cleaning, rename wscript.exe to any other name, e.g. blabla (temporarily, only while cleaning), and do not forget to rename it back to wscript.exe once your computer is clean.

    4. Delete the file "database.mdb" from the "My Documents" folder.

    5. Disable any start-up entry that refers to "database.mdb"; you can use msconfig or HijackThis.

    6. Delete the files autorun.inf, Microsoft.inf and thumb.db from a command prompt. Type "del Microsoft.inf /s" (from the drive root, so that it is deleted throughout the drive). Since autorun.inf and thumb.db carry the R, S, H and A attributes, use "del autorun.inf /s /ah /f" (again from the drive root), and run the same command with thumb.db in place of autorun.inf to delete every thumb.db. (The symptom list above calls the shortcut file Microsoft.lnk; check for both names.)

    7. Delete all .lnk files of size 1 KB; you can use the advanced search function. Be careful about what you delete:

    Delete only shortcuts of 1 KB that use a folder icon. This is the social-engineering trick the virus spreads with, and it mostly fools inexperienced users.

    8. Repair your registry (save the following as a .inf file, right-click it and choose Install):

    [Version]
    Signature="$Chicago$"
    Provider=Nobody

    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del
    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
    HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

    [del]
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

    9. Scan with your preferred antivirus program to make sure the system is clean, then restart your computer.
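The registry-repair INF above (and the longer one in the Bulubebek post earlier on this page) is terse: each AddReg line is root, subkey, value name, flags, data, and a literal double quote inside a string is written as two double quotes. The following added example (not part of either post) decodes such a file into explicit registry operations and checks that every file-association command it writes hands the file straight to the shell rather than to an interposed program. INF_TEXT is a constructed excerpt using the same lines.

```python
"""Added example (not part of the original post): decode a registry-repair
INF into registry operations and validate the shell\open\command entries.
INF_TEXT is a constructed excerpt of the INF shown on the page."""
import csv

# FLG_ADDREG_* type flags from setupapi; anything else is treated as REG_SZ
REG_TYPES = {0x00010001: "REG_DWORD", 0x00020000: "REG_EXPAND_SZ",
             0x00010000: "REG_MULTI_SZ", 0x00000001: "REG_BINARY"}

def parse_inf(text):
    """Return {section_name_lower: [lines]} with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def _fields(line):
    # INF lists are comma-separated; quoted fields may hold commas and "" escapes
    return next(csv.reader([line], skipinitialspace=True, doublequote=True))

def registry_ops(text):
    """Expand [DefaultInstall] AddReg=/DelReg= into a flat list of operations."""
    sections = parse_inf(text)
    install = {}
    for line in sections.get("defaultinstall", []):
        k, _, v = line.partition("=")
        install[k.strip().lower()] = [s.strip().lower() for s in v.split(",") if s.strip()]
    ops = []
    for sec in install.get("addreg", []):
        for line in sections.get(sec, []):
            f = _fields(line) + [""] * 5
            root, subkey, name, flags, data = f[0].strip(), f[1].strip(), f[2].strip(), f[3].strip(), f[4]
            rtype = REG_TYPES.get(int(flags, 0) if flags else 0, "REG_SZ")
            if rtype == "REG_DWORD":
                data = int(data.strip(), 0) if data.strip() else 0
            ops.append({"op": "add", "root": root, "key": subkey,
                        "name": name or "@", "type": rtype, "data": data})
    for sec in install.get("delreg", []):
        for line in sections.get(sec, []):
            f = _fields(line) + [""] * 3
            ops.append({"op": "delete", "root": f[0].strip(), "key": f[1].strip(),
                        "name": f[2].strip() or None})   # no name = delete the whole key
    return ops

def association_hijacked(cmd):
    """True if a shell\\open\\command does not hand the file straight to the shell."""
    c = cmd.strip().lower()
    return not (c.startswith('"%1"') or c.startswith('regedit.exe "%1"'))

def check_associations(ops):
    """Return [(key, command, hijacked)] for every shell\\open\\command being written."""
    return [(o["key"], o["data"], association_hijacked(o["data"]))
            for o in ops
            if o["op"] == "add" and o["key"].lower().endswith("\\shell\\open\\command")]

INF_TEXT = r'''[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue,0x00010001,1
HKCU, Software\Microsoft\Command Processor, AutoRun,0,

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
'''

if __name__ == "__main__":
    for op in registry_ops(INF_TEXT):
        print(op)
    for key, cmd, bad in check_associations(INF_TEXT and registry_ops(INF_TEXT)):
        print("HIJACKED" if bad else "ok      ", key, cmd)
```

`association_hijacked` is also useful the other way round: run it over the current HKCR\exefile\shell\open\command data before installing the INF, and anything like the worm's \Windows\LSASS.exe "%1" %* interposition shows up as the reason the INF is needed.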

    Win32.Zafi.B worm infection Manual removal guide


    What is Win32.Zafi.B
    Win32/Zafi.B is a worm that spreads via e-mail and P2P networks.

    Zafi.B is a moderately destructive worm that may stop antivirus and security products from working; it may also overwrite the executables of installed security products. Zafi also disables Regedit, MSConfig and Task Manager, and may launch a DoS attack against several Hungarian web sites.

    Technical Details of Win32.Zafi.B
    Full name: Win32.Zafi.B
    Date Appeared: 2004
    Characteristic: Worm



    How to Uninstall Win32.Zafi.B scam
    The best way for the removal of Win32.Zafi.B is to install a good quality Anti-spyware Program and scan your system for any Win32.Zafi.B infections.

    Automatic removal of Win32.Zafi.B is always good and complete as compared to any attempts to manually remove Win32.Zafi.B, which may sometime lead to erroneous results. If you are not completely aware of all the files and registry entries used by this rogue anti-spyware, then we do not recommend you to attempt for the manual removal of Win32.Zafi.B.

    Instructions to get rid of Win32.Zafi.B
    If you really want to remove the Win32.Zafi.B infection from your system manually, proceed as follows.

    Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the infection may be restored later from that checkpoint.
    Restart the computer in Safe Mode. The Zafi.B worm creates running processes, and Windows does not allow you to delete files that belong to running processes, so a restart is necessary. Safe Mode prevents Windows from loading most drivers and auto-run entries, so the system boots relatively clean. In addition, Zafi.B blocks the use of Regedit, which is required below.
    Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
    IMPORTANT: During detection, your antivirus software should produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (the name depends on the scanner). The files will be copies of the worm stored in the Windows system folder and in the shared folders mentioned above. Set your antivirus to delete them; if it does not, delete them manually.
    Make a backup of the registry before you edit it. Then delete the Run entry associated with Zafi.B: under the key
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    delete the value:
    "_Hazafibb"="%system%\.exe"
    Also delete the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
    Exit the registry editor.
    Re-enable System Restore and reboot the machine.
    Re-scan to be sure all files are clean.
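    The registry part of the procedure above, as an added PowerShell example that is not part of the original guide. It assumes Windows XP-era PowerShell 2.0 running as an administrator, uses a backup folder under %TEMP% (my choice, not the guide's), backs up the Run key with reg.exe before anything is touched, lists every Run entry so the operator can see what autostarts, and only deletes the "_Hazafibb" value and key when -Remove is passed. The file named by the value is left alone, because its real name is not given on the page.

```powershell
# Added example (not from the original guide): audit and, on request, remove
# the Zafi.B "_Hazafibb" autostart entries named in the removal steps.
param([switch]$Remove)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$zafiKey   = 'HKLM:\SOFTWARE\Microsoft\_Hazafibb'
$valueName = '_Hazafibb'
$backupDir = Join-Path $env:TEMP 'reg-backup'     # assumed backup location
$psProps   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Back up the keys we are about to edit (the "make a backup" step).
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' `
    (Join-Path $backupDir "Run-$stamp.reg") | Out-Null
if (Test-Path $zafiKey) {
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\_Hazafibb' `
        (Join-Path $backupDir "Hazafibb-$stamp.reg") | Out-Null
}

# Show every autostart value so unexpected entries stand out.
'--- HKLM Run entries ---'
$run = Get-ItemProperty -Path $runKey
$run.PSObject.Properties |
    Where-Object { $psProps -notcontains $_.Name } |
    ForEach-Object { '{0,-20} {1}' -f $_.Name, $_.Value }

# Flag the Zafi.B value and key.
$found = @()
if ($run.PSObject.Properties[$valueName]) { $found += "value $runKey\$valueName" }
if (Test-Path $zafiKey)                   { $found += "key   $zafiKey" }

if ($found.Count -eq 0) {
    'No _Hazafibb entries present.'
} elseif (-not $Remove) {
    'Found (re-run with -Remove from Safe Mode to delete):'
    $found
} else {
    if ($run.PSObject.Properties[$valueName]) { Remove-ItemProperty -Path $runKey -Name $valueName }
    if (Test-Path $zafiKey)                   { Remove-Item -Path $zafiKey -Recurse }
    'Removed:'
    $found
}
```

Run it once without -Remove to see the report, confirm the backup .reg files exist, and then run it with -Remove from Safe Mode as the steps direct; the exported .reg files can be double-clicked to restore the keys if anything goes wrong.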

    Removing Win32 Kido.ih, kido.dv and kido.fx net worm

    Technical details

    This network worm spreads via local networks and removable storage media. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX.

    Installation
    The worm copies its executable file under random names to the locations shown below:

    %System%\dir.dll
    %Program Files%\Internet Explorer\.dll
    %Program Files%\Movie Maker\.dll
    %All Users Application Data%\.dll
    %Temp%\.dll
    %System%\tmp
    %Temp%\.tmp
    where the missing part of each name is a random string of symbols.

    In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:

    [HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
    The worm also modifies the following system registry value:

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "netsvcs" = "%System%\.dll"

    Propagation
    The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

    The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. The worm sends a specially crafted RPC request to remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll; this launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

    In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the passwords shown below to brute force the account:
     

    Spreading via removable storage media
    The worm copies its executable file to all removable media under the following name:
    :\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx
    In addition to its executable file, the worm also places the file shown below in the root of every disk:
    :\autorun.inf
    This file will launch the worm's executable file each time Explorer is used to open the infected disk.

    Payload

    When launched, the worm injects its code in the address space of one of the active “svchost.exe” system processes. This code delivers the worm's main malicious payload and:

    disables the following services:
     

    The worm may also download files from links of the type shown below:
    http:///search?q=<%rnd2%>

    rnd2 is a random number; the URL itself is generated by a special algorithm that uses the current date. The worm gets the current date from one of the sites shown below:

    http://www.w3.org
    http://www.ask.com
    http://www.msn.com
    http://www.yahoo.com
    http://www.google.com
    http://www.baidu.com
    Downloaded files are saved to the Windows system directory under their original names.


    Removal instructions:

    If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here) or follow the instructions below:

    Delete the following system registry key:
    [HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
    Delete “%System%\.dll” from the system registry key value shown below:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "netsvcs"
    Reboot the computer.
    Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).

    Delete copies of the worm:
    %System%\dir.dll
    %Program Files%\Internet Explorer\.dll
    %Program Files%\Movie Maker\.dll
    %All Users Application Data%\.dll
    %Temp%\.dll
    %System%\tmp
    %Temp%\.tmp
    where the missing part of each name is a random string of symbols.

    Delete the files shown below from all removable storage media:
    :\autorun.inf
    :\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx

    Download and install updates for the operating system:
    Download System updates
    Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
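    A read-only check for the two persistence mechanisms described in the technical details and targeted by the removal steps above, as an added PowerShell example that is not part of the original write-up. It assumes PowerShell 2.0 on a Windows XP-era system run as an administrator. The drop directories and the netsvcs/ServiceDll relationship come from the write-up; the "no CompanyName in version info" heuristic and the autorun.inf line filter are my own additions, and the script reports rather than deletes.

```powershell
# Added example (not from the write-up): look for a svchost "netsvcs" member
# whose ServiceDll lives in one of the listed Kido drop directories, and for
# autorun.inf / RECYCLER\S-*\*.vmx on removable drives. Nothing is deleted.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey).netsvcs

# Drop directories named in the write-up (system32 is handled separately,
# because most legitimate netsvcs DLLs also live there).
$dropDirs = @(
    (Join-Path $env:ProgramFiles 'Internet Explorer'),
    (Join-Path $env:ProgramFiles 'Movie Maker'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    $env:TEMP
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

'--- svchost netsvcs group ---'
foreach ($svc in $netsvcs) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = $null
    if (Test-Path $paramKey) { $dll = (Get-ItemProperty -Path $paramKey).ServiceDll }
    if (-not $dll) { '{0,-22} (no ServiceDll)' -f $svc; continue }

    # ServiceDll is REG_EXPAND_SZ; expand again in case it came back raw.
    $dll  = [Environment]::ExpandEnvironmentVariables($dll)
    $dir  = [System.IO.Path]::GetDirectoryName($dll).TrimEnd('\').ToLowerInvariant()
    $flag = ''
    if ($dropDirs -contains $dir) {
        $flag = '  <-- in a Kido drop directory'
    } elseif (Test-Path $dll) {
        # Heuristic (mine): Microsoft's netsvcs DLLs carry version info; a
        # random-named DLL in system32 with none deserves a closer look.
        if (-not (Get-Item $dll).VersionInfo.CompanyName) { $flag = '  <-- no CompanyName in version info' }
    } else {
        $flag = '  <-- ServiceDll missing on disk'
    }
    '{0,-22} {1}{2}' -f $svc, $dll, $flag
}

'--- removable drives ---'
# DriveType 2 = removable media.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (-not (Test-Path $root)) { return }          # no media inserted
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $autorun) {
        "$autorun present; launch directives:"
        Get-Content $autorun |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\)' } |
            ForEach-Object { "    $_" }
    }
    $recycler = Join-Path $root 'RECYCLER'
    if (Test-Path $recycler) {
        Get-ChildItem -Path $recycler -Recurse -Force -Filter '*.vmx' -ErrorAction SilentlyContinue |
            ForEach-Object { "suspicious: $($_.FullName)" }
    }
}
```

Run it before and after the manual steps: a clean machine shows no flagged netsvcs member and no .vmx files under RECYCLER. Any flagged ServiceDll path is what the "Delete copies of the worm" step is asking you to find.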

    OR, to remove this malicious software, try the MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL.


    Remove Fujacks.e Worm


    Fujacks.e is a worm that targets networks with weak passwords, and tries to infect all executable files on the computers in the network.

    Fujacks.e can close popular antivirus or antispyware programs, and even disable your firewall. Fujacks.e boots up with the computer and may sit there undetected for quite a while, until you scan and detect Fujacks.e.

    Almost the only way you’ll notice Fujacks.e is if Fujacks.e slows down your computer and disables your legitimate security programs.


    How to remove the Fujacks.e worm manually.

    Stop Fujacks.e Processes:

    gamesetup.exe
    setup.exe
    spoclsv.exe

    Remove Fujacks.e Registry Keys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcshare

    Get rid of Fujacks.e files:

    desktop_.ini

    Note: In any Fujacks.e files I mention above, “%UserProfile%” is a variable referring to your current user’s profile folder. If you’re using Windows NT/2000/XP, by default this is “C:\Documents and Settings\[CURRENT USER]” (e.g., “C:\Documents and Settings\JoeSmith”). If you have any questions about manual Fujacks.e removal, go ahead and leave a comment.

    Removing Win32 Sasser.Worm

    W32-Sasser Worm

    Also Known As:
    W32/Sasser.worm (McAfee)
    W32.Sasser.Worm (Symantec)
    WORM_SASSER (Trend Micro)
    Win32.Sasser (CA)
    Sasser (F-secure)
    Sasser (Panda)
    W32/Sasser (Sophos)
    W32/Sasser (Norman)

    Summary
    Win32/Sasser is a family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm spreads by randomly scanning IP addresses for vulnerable machines and infecting any that are found.

    Symptoms
    Your computer may be infected with Win32/Sasser if you experience one or more of the following symptoms:
  • You see an LSA Shell crash dialog box.

  • Your computer restarts every few minutes without user interaction. You may see a system shutdown dialog box.

  • Your computer performance is decreased or your network connection is slow.


    Technical Information
    When Win32/Sasser runs on a computer, it copies itself to the %WINDOWS% folder. In most cases, it adds a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This value causes the worm to start when Windows is started.

    Win32/Sasser acts as an FTP server listening on TCP port 5554. For each connection made on this port, the worm sends a copy of itself to that connected host using the file name _up.exe.

    The worm generates random IP addresses using a certain logic and then sends the exploit shell code to these IP addresses on TCP port 445. If the exploit is successful, a command line shell listens on a TCP port of the remote infected machine. To complete the infection, the worm executes a remote shell script that instructs the newly infected machine to connect to the infecting host and download and execute the worm through FTP. The worm records the count of successful infections to a file on the C: drive.

    Win32/Sasser also attempts to abort any unexpected system shutdown by calling AbortSystemShutdown every several seconds in a continuous loop.

    Later variants of the worm may drop a variant of the Netsky worm. Later variants may not infect Windows 2000 because they import IcmpSendEcho from IPHlpAPI.dll, which is not present in Windows 2000.
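    A quick host-side check for the listener described above, as an added PowerShell example that is not part of the original write-up. It assumes PowerShell 2.0 on Windows XP run as an administrator and parses the output of netstat -ano (Get-NetTCPConnection does not exist on that platform). TCP port 5554 and the "copies itself to the %WINDOWS% folder" behaviour come from the write-up; flagging any listener whose image sits directly in %WINDOWS% is my own heuristic.

```powershell
# Added example (not from the write-up): list every listening TCP port with its
# owning process, flag the Sasser FTP port 5554, and flag listeners whose
# executable was dropped straight into the Windows folder. Read-only.

$sasserPort = 5554

'--- listening TCP ports (netstat -ano) ---'
& netstat.exe -ano | ForEach-Object {
    # Example line: "  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING    1234"
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $port   = [int]$matches[1]
        $procId = [int]$matches[2]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $image  = if ($proc -and $proc.Path) { $proc.Path } else { '(unknown)' }

        $flag = ''
        if ($port -eq $sasserPort) {
            $flag = '  <-- Sasser FTP port'
        } elseif ([System.IO.Path]::GetDirectoryName($image) -eq $env:SystemRoot) {
            # Heuristic (mine): services normally live in system32, not %WINDOWS% itself.
            $flag = '  <-- image directly in %WINDOWS%'
        }
        '{0,6}  pid {1,-6} {2}{3}' -f $port, $procId, $image, $flag
    }
}
```

A clean XP host shows the usual 135/139/445 listeners owned by svchost.exe and System; anything on 5554, or any listener whose image path is C:\WINDOWS\something.exe rather than C:\WINDOWS\system32\..., is what to investigate before running the removal tool.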

    This malicious software can be removed using the MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL.


    Remove Neeris.Worm.gen!c


    Also Known As:
    Win32/Neeris.worm.101376 (AhnLab)
    Win32/IRCBot.KA (CA)
    Win32/AutoRun.IRCBot.Q (ESET)
    Worm.Win32.AutoRun.fla (Kaspersky)
    W32/IRCbot.gen.a (McAfee)
    W32/Neeris-A (Sophos)
    W32.Spybot.Worm (Symantec)
    Summary

    Worm:Win32/Neeris.gen!C is the generic detection for a member of the Win32/Neeris family of worms. These worms spread via MSN Messenger and may contain backdoor functionality. New variants of this worm may exploit a vulnerability in the Windows Server Service (srvsvc) on computers that have not yet applied Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx).

    Symptoms
    You may be informed by your MSN Messenger contacts that your account has attempted or is attempting to send them a ZIP archive, or you may notice an unknown TFTP transaction in your logs.

    Technical Information

    Installation
    Different samples of Win32/Neeris.gen!C install themselves in systems in varying ways. They commonly copy themselves in the Windows or Windows system folder and modify the system registry so that they run every time Windows starts.
    For example, one variant of this family copies itself to a subfolder of the Windows folder as VMwareService.exe and makes the following registry autostart modification:
    Adds value: "GON"
    With data: "%windir%\system\VMwareService.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
    Another variant of this worm may copy itself as the following file
    %windir%\system\netmon.exe

    The worm may be present as a file with a two digit name and .SCR extension such as 21.scr.
    The registry is modified to run the dropped worm copy at each Windows start. Other registry data may be created to execute the worm when booting in Windows safe mode.
    Adds value: "netmon"
    With data: "%windir%\system\netmon.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "(default)"
    With data: "service"
    To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32

    Adds value: "(default)"
    With data: "service"
    To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon32




    Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user's contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.
    This worm may also drop a copy of itself and a corresponding autorun.inf file onto all available removable drives. The function of the autorun.inf file is to ensure that the worm copy runs automatically when the drive is accessed and Autoplay is enabled.
    Filenames of the dropped worm copy vary but may have a name such as 'smartkey.exe'.

    Bypass Windows Firewall

    This worm may add itself as an "authorized application" by modifying the Windows firewall policy stored in the registry.

    Adds value: "%windir%\system\netmon.exe"
    With data: "%windir%\system\netmon.exe:*:microsoft enabled"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
    FirewallPolicy\StandardProfile\AuthorizedApplications\List
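    One way to audit both the SafeBoot persistence listed under Installation and the firewall-policy change described just above, as an added PowerShell example that is not part of the Microsoft write-up. It assumes PowerShell 2.0 on Windows XP run as an administrator and reads CurrentControlSet (the write-up cites ControlSet001, which is normally the same set). The netmon.exe, VMwareService.exe and netmon32 names come from the write-up; the "legacy %windir%\system folder" and "Service entry with no matching service" flags are my own heuristics.

```powershell
# Added example (not from the write-up): list firewall-authorised applications
# and SafeBoot Minimal/Network entries, flagging the Neeris artefacts and any
# entry that looks out of place. Read-only.

$fwList  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$psProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$badExes = 'netmon.exe', 'vmwareservice.exe'    # file names from the write-up
$badSafe = 'netmon32'                           # SafeBoot subkey from the write-up
$legacySystemDir = Join-Path $env:SystemRoot 'system'   # 16-bit legacy folder

'--- firewall authorised applications ---'
if (Test-Path $fwList) {
    (Get-ItemProperty -Path $fwList).PSObject.Properties |
        Where-Object { $psProps -notcontains $_.Name } |
        ForEach-Object {
            # Value name is the program path; data looks like "<path>:*:Enabled:<name>"
            # (the write-up shows the worm's variant as "...:*:microsoft enabled").
            $path = [Environment]::ExpandEnvironmentVariables($_.Name)
            $exe  = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
            $dir  = [System.IO.Path]::GetDirectoryName($path)
            $flag = ''
            if ($badExes -contains $exe) { $flag = '  <-- file name given in the Neeris write-up' }
            elseif ($dir -eq $legacySystemDir) { $flag = '  <-- lives in the legacy %windir%\system folder' }
            elseif ($path -notlike "$env:SystemRoot\*" -and $path -notlike "$env:ProgramFiles\*") {
                $flag = '  <-- outside Windows and Program Files'
            }
            '{0}{1}' -f $_.Value, $flag
        }
} else {
    'AuthorizedApplications list not present'
}

'--- SafeBoot entries (Minimal / Network) ---'
foreach ($profile in 'Minimal', 'Network') {
    $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $name    = $_.PSChildName
        $default = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $flag    = ''
        if ($name.ToLowerInvariant() -eq $badSafe) {
            $flag = '  <-- subkey named in the Neeris write-up'
        } elseif ($default -eq 'Service' -and
                  -not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name")) {
            # Legitimate "Service" entries name a service that actually exists.
            $flag = '  <-- Service entry with no matching service'
        }
        '{0,-40} {1}{2}' -f "$profile\$name", $default, $flag
    }
}
```

Legitimate SafeBoot entries are either {GUID} device-class keys or Service/Driver names that exist under Services, so a "Service" entry with no backing service, or a firewall exception for a program in %windir%\system, is a good reason to run the full scan the recovery steps recommend.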

    Win32/Neeris.gen!C may connect to a predefined Internet Relay Chat (IRC) server using a specified port number such as TCP port 6667 or 449. Once connected, it awaits commands from a remote attacker.

    Win32/Neeris.gen!C may drop a driver '\drivers\sysdrv32.sys' which patches TCP/IP to remove connection throttling in Windows XP SP2 computers.

    Analysis by Jireh Sanico

    Recovery Steps
    Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com).

    Removal of W32.Randex

    Win32/Randex

    Also Known As:
    W32.Randex (Symantec)
    W32/Sdbot.worm (McAfee)
    WORM_RANDEX (Trend Micro)
    W32/Randex (Sophos)

    Summary
    Win32/Randex is a family of worms that targets computers running Microsoft Windows 9x, Windows NT 4.0, Windows 2000, Windows Server 2003, and Windows XP. The worm scans randomly generated IP addresses to attempt to spread to network shares with weak passwords. After the worm infects a computer, it connects to an IRC server to receive commands from the attacker. If your computer is infected by this worm, you may notice crashes or slowdowns during normal operation.

    Symptoms
    If your computer is infected by Win32/Randex, you may notice system performance degradation and slower network connectivity.


    Technical Information
    When Win32/Randex runs, it copies itself to the system folder. It may add a value to the following registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    This value causes the worm to run when Windows restarts.
    The Win32/Randex worm may connect to randomly generated IP addresses through TCP port 445. The worm then uses a predefined list of weak passwords to attempt to log on to writeable network shares on remote computers. After gaining access, the worm copies itself to the remote computer and creates a task to run the copy.

    The Win32/Randex worm connects to a remote IRC server and joins a specific channel to receive commands from attackers. Upon successful installation, the worm notifies attackers through a private message. Attackers can then use the established IRC channel to perform backdoor actions such as launching distributed denial of service (DDoS) attacks against IP addresses, scanning for vulnerable computers with weak administrator passwords, downloading remote files and running them, retrieving computer configuration information, retrieving CD keys of popular games, joining or leaving specific IRC channels, adding or removing IRC users, and updating the worm.

    Some variants of the worm also drop a backdoor Trojan component, which opens TCP ports and acts as an HTTP proxy.


    This malicious software can be removed using the MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL.
