Virus - Manual Deleting Solution

W32.Fujacks.D (spoclsv.exe/GameSetup.exe)- Virus

2009-01-03T14:50:00.000-08:00

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm executes, it performs the following actions:

Copies itself as the following files:
- [DRIVE LETTER]\setup.exe
- [NETWORK DRIVE LETTER]\GameSetup.exe
- %System%\Drivers\spoclsv.exe
  
  Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the following file to execute [DRIVE LETTER]\setup.exe:

[DRIVE LETTER]\autorun.inf
Adds the value:

"svcshare"="spoclsv.exe"

to the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it executes whenever Windows starts.
May delete entries that contain the following strings:

"kav"
"KAVPersonal50"
"KvMonXP"
"McAfeeUpdaterUI"
"Network Associates Error Reporting Service"
"RavTask"
"ShStatEXE"
"yassistse"
"YLive.exe"

from the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Uses a series of "net share" commands to close any local shared folders found.
May delete files with the following extensions from the root folder of local partitions, except the C drive:
- .gho
- .exe
- .scr
- .pif
- .com
Uses the following password list in attempt to copy itself to available network shares:
- admin$
- admin$
- 1234
- password
- 6969
- harley
- 123456
- golf
- pussy
- mustang
- 1111
- shadow
- 1313
- fish
- 5150
- 7777
- qwerty
- baseball
- 2112
- letmein
- 12345678
- 12345
- ccc
- admin
- 5201314
- qq520
- 123
- 1234567
- 123456789
- 654321
- 54321
- 111
- 000000
- abc
- 11111111
- 88888888
- pass
- passwd
- database
- abcd
- abc123
- sybase
- 123qwe
- server
- computer
- 520
- super
- 123asd
- ihavenopass
- godblessyou
- enable
- 2002
- 2003
- 2600
- alpha
- 110
- 111111
- 121212
- 123123
- 1234qwer
- 123abc
- 007
- aaa
- patrick
- pat
- administrator
- root
- sex
- god
- foobar
- secret
- test
- test123
- temp
- temp123
- win
- asdf
- pwd
- qwer
- yxcv
- zxcv
- home
- xxx
- owner
- login
- Login
- pw123
- love
- mypc
- mypc123
- admin123
- mypass
- mypass123
- 901100
- Administrator
- Guest
- admin
- Root
Ends all processes in windows that contain the following strings in the title:
- QQKav
- QQAV
- VirusScan
- Symantec AntiVirus
- iDuba
- esteem procs
- Wrapped gift Killer
- Winsock Expert
- msctls_statusbar32
- pjf(ustc)
- IceSword
Ends the following processes:
- Mcshield.exe
- VsTskMgr.exe
- naPrdMgr.exe
- UpdaterUI.exe
- TBMon.exe
- scan32.exe
- Ravmond.exe
- CCenter.exe
- RavTask.exe
- Rav.exe
- Ravmon.exe
- RavmonD.exe
- RavStub.exe
- KVXP.kxp
- KvMonXP.kxp
- KVCenter.kxp
- KVSrvXP.exe
- KRegEx.exe
- UIHost.exe
- TrojDie.kxp
- FrogAgent.exe
- Logo1_.exe
- Logo_1.exe
- Rundl123.exe
May end the following services, some of which may be security-related:
- Schedule
- sharedaccess
- RsCCenter
- RsRavMon
- RsCCenter
- RsRavMon
- KVWSC
- KVSrvXP
- KVWSC
- KVSrvXP
- kavsvc
- AVP
- AVP
- kavsvc
- McAfeeFramework
- McShield
- McTaskManager
- McAfeeFramework
- McShield
- McTaskManager
- navapsvc
- wscsvc
- KPfwSvc
- SNDSrvc
- ccProxy
- ccEvtMgr
- ccSetMgr
- SPBBCSvc
- Symantec Core LC
- NPFMntor
- MskService
- FireSvc
Scans the compromised computer and infects any .exe files it finds.

Manual Deleting Solution:

Restart your PC. Then go to safe mode (press F8).
Open Start>>Run and type cmd and press enter. This will open windows command prompt window. On this window, type as directed in steps further and press enter at the end of each step.
type cd\
type cd windows\system32
type attrib -r -h -s spoclsv.exe
type del spoclsv.exe
type del spoclsv.exe
now type d: and press enter for d: drive partition.
type attrib -r -h -s gamesetup.exe
type gamesetup.exe
type exit
Open Start --->> Run and type msconfig and press enter. This will open windows msconfig window then uncheck spoclsv.exe and gamesetup.exe
Open Start --->> Run and type regedit and press enter. This will open windows Registry Editor window then find and remove. (spoclsv.exe and gamesetup.exe)
Then update your antivirus software (your all software (.exe) attacked virus). So reinstall your software.

Note: Similarly repeat from steps 8 to 10 for all your hard disk partitions to remove the files created by the virus.

Win32/NSAnti (amvo.exe/autorun.inf ) - Virus

2009-01-03T14:40:00.000-08:00

Your Ad Here

Trouble:

Recently we received a mail from one of our readers whose computer was infected by Win32/NSAnti virus, this virus mainly causes drive opening problem by double click in windows XP.

If your system is infected by this virus you can’t see hidden files and folders , even after applying the settings to show hidden folders. This setting is reverted back to Don’t show hidden files and folders by the virus.

This happens because virus protects the two hidden, system files called d.com and autorun,inf which are created by amvo.exe and amvo0.dll , amvo1.dll which resides in system32 folder on the OS drive (hard disk partition on which windows operating system is installed).

Fix:

In order to fix the problems caused by this virus ,you will need to delete all these files created by the virus.

Follow the set of commands to delete these files

Open Start>>Run and type cmd and press enter. This will open windows command prompt window. On this window, type as directed in steps further and press enter at the end of each step.
type cd\
type cd windows\system32
type attrib -r -h -s amvo.exe
type del amvo.exe
type attrib -r -h -s avmo0.dll ,repeat the steps 5 and 6 again to delete avmo1.dll
now type d: and press enter for d: drive partition.
type attrib -r -h -s autorun.inf
type del autorun.inf
type attrib -r -h -s d.com
type del d.com

Similarly repeat from steps 8 to 11 for all your hard disk partitions to remove the files created by the virus.

Note: Above procedure may seems cumbersome but proves to be of great help to repair your system, if none of your anti-virus tools is able to solve the problem and remove the infections caused by the virus.

How to view hidden files in Command Prompt (Windows XP)

2009-01-03T14:30:00.000-08:00

Your Ad Here

1. Go to Start >> Run. Type cmd and press Enter to open the command prompt.

2. Now navigate to the directory from the command prompt.

3. Type the command dir/ah to list all the files under your directory.

New Folder.exe Virus Removal

2009-01-03T14:20:00.000-08:00

Your Ad Here

Virus also known as- IT University Sohanad W32.HLLW.Ssdx newfolder.exe

If this virus infected in you computer, It will Disable the following …

Task Manager, Registry Editor, Folder Options, Run in start menu

And it will create exes like the icon of folders. If this virus is running it will use more than 50 % of your processor

Manually remove it (new folder.exe Fix)

Delete File named svichossst.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
“@”=[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Yahoo Messengger”=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Shell”=”Explorer.exe “

If u can delete "svichossst.exe" Manually Use fallowing methods...

First login system safe mode then try fallowing methods

Open Start>>Run and type cmd and press enter. This will open windows command prompt window. On this window, type as directed in steps further and press enter at the end of each step.
type cd\
type cd windows\system32
type attrib -r -h -s svichossst.exe
type del svichossst.exe ,repeat the steps 5 and 6 again to delete svichossst.exe

Godzilla virus removal MS32DLL.dll.vbs

2009-01-03T14:10:00.000-08:00

Your Ad Here

This virus is spreading through the pen drive / external HDDs. They use the autorun function of windows to run this. Its create files in windows folder in the name of MS32DLL.dll.vbs. and create file named autorun.inf in the root directory of each drive. So whenever we double click on the drive, the script will run from c:\windows\MS32DLL.dll.vbs

After infection

We can not Double Click to open any Drive on our computer. But we can Right Click to Open or Explore.

It will effect regedit, task manager, hidden folders/ files etc …

Related files
MS32DLL.dll.vbs
Autorun.inf
Flashy.exe

Manual Deleting Solution:

Open task manager and end following process
1. wscript.exe
2. mslogon.exe
3. systemnt.exe
4. wscript.exe
5. flashy.exe
6. sondmsg.exe

Open command prompt and do the following
Change attributes of the file
Attrib –s –r –h autorun.inf
Remove autorun.inf from root directory.
Del autorun.inf
Delete MS32DLL.dll.vbs from windows directory
Delete c:\windows\MS32DLL.dll.vbs
Open registry editor
Delete following values
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - MS32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - flashy.exe
HKU\Software\Microsoft\InternetExplorer\Main - "window Title"
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\system - disabletaskmgr
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\system - disableregistrytools
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoFolderOptions
Now restart the PC

How to avoid spreading
To avoid spreading this, disable autorun in windows.
And there is a small tric

Just create a folder named autorun.inf in all the root directory. And change the all the atribs to “+” so that they can’t chant put the files to root direct easly
Eg :
MD autorun.inf & Attrib +h +s +r autorun.inf

BubbleBoy virus

2009-01-03T14:00:00.000-08:00

Your Ad Here

Discovered: November 9, 1999

Updated: February 13, 2007 11:33:09 AM

Also Known As: VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]

Type: Worm, Virus

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm also works under Windows 95, but only if the Windows Scripting Host is installed. The worm only works with the English and Spanish versions of these operating systems, and does not work under Windows NT.
The computer must use Microsoft Outlook (or Express) with Internet Explorer 5 in order for the worm to propagate.
The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. It is not necessary to detach and run an attachment.
Update.hta is placed in the StartUp folder. Therefore, the infection routine is not executed until the next time you start your computer. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.
Patching the known security hole in Microsoft Outlook/IE5, prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article:
http://www.microsoft.com/technet/security/bulletin/fq99-032.asp Microsoft has provided a patch to fix this problem at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
The worm will not propagate if IE5 Internet security settings have been set to "High."

Protection

Initial Rapid Release version November 15, 1999
Latest Rapid Release version August 20, 2008 revision 017
Initial Daily Certified version November 15, 1999
Latest Daily Certified version August 20, 2008 revision 016
Initial Weekly Certified release date November 15, 1999

Threat Assessment
Wild

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Low

Distribution

Distribution Level: Low

Writeup By: Eric Chien

What is a Trojan Horse Virus?

2009-01-03T13:14:00.000-08:00

Your Ad Here

A Trojan Horse Virus is a common yet difficult to remove computer threat. This is a type of virus that attempts to make the user think that it is a beneficial application. A Trojan Horse virus works by hiding within a set of seemingly useful software programs. Once executed or installed in the system, this type of virus will start infecting other files in the computer. A Trojan Horse Virus is also usually capable of stealing important information from the user's computer. It will then send this information to Internet servers designated by the developer of the virus. The developer will then be able to gain a level of control over the computer through this Trojan virus. While these things take place, the user will notice that the infected computer has become very slow or unexpected windows pop up without any activity from the user. Later on, this will result to a computer crash. A Trojan Horse virus can spread in a number of ways. The most common means of infection is through email attachments. The developer of the virus usually uses various spamming techniques in order to distribute the virus to unsuspecting users. These emails contain attachments. Once the user opens the attachment, the Trojan Horse Virus immediately infects the system and performs the tasks mentioned above. Another method used by malware developers to spread their Trojan Horse viruses is via chat software such as Yahoo Messenger and Skype. Another method used by this virus in order to infect other machines is through sending copies of itself to the people in the address book of a user whose computer has already been infected by the virus. The best way to prevent a Trojan Horse Virus from entering and infecting your computer is to never open email attachments or files that have been sent by unknown senders. However, not all files we can receive are guaranteed to be virus-free. With this, a good way of protecting your PC against malicious programs such as this harmful application is to install and update an antivirus program.