Sunday, January 18, 2009

W32/Dloader.HFZC

Do you still remember the article about the Batosai virus (the virus that changes the Windows folder background into a Japanese comic image, Batosai)? This time I want to explain MaxTrox, named after the virus creator (Maximum Troxer).

If you are confused about what Maximum Troxer means, ask a friend who is a gaming fan. Online game lovers are certainly familiar with the game from Blizzard Entertainment called World of Warcraft. Whatever the relationship between this game and the virus, most likely the virus creator is a fan of this game.

Norman Security Suite identifies this category of virus as W32/Dloader.HFZC. (see picture 1)

Changing Wallpaper

One of the main effects of the MaxTrox virus is to change the desktop wallpaper to a MaxTrox (Maximum Troxer) image, with the current time added at the top center, a comment in the middle and an identity at the bottom left. (see image 2)
This wallpaper is active every 1st through 6th of April, August and December. The time displayed by the virus always changes according to the clock on the user's computer, and the comment is adjusted to the name of the currently logged-in user.

Characteristics of the virus file

The characteristics of this virus file are as follows:
* Using WinRAR icon
* Has the size of 77 KB
* File Type "application" and "screen saver"
* Has the main extensions "exe" and "scr", with the additional extensions "MSD" and "sysm" (see figure 3)
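The characteristics above (extension plus a size that Explorer shows as 77 KB) are enough to script the search. The following is an added example, not code from the original write-up or from Vaksincom or Norman: it walks a directory tree for files with the listed extensions whose size displays as 77 KB, then groups the hits by modification date, which is the clue the cleaning notes later rely on. It builds a constructed sample tree in a temporary directory; the file and folder names in that tree are made up for the demonstration, and the WinRAR icon check is not implemented (that would need to read the PE icon resource).

```python
import os
import shutil
import tempfile
from collections import defaultdict
from datetime import datetime

# File characteristics from the write-up
SUSPECT_EXTENSIONS = {".exe", ".scr", ".msd", ".sysm"}
SUSPECT_SIZE_KB = 77
KB = 1024


def displayed_kb(size_bytes):
    """Size as Explorer's details view shows it: whole KB, rounded up."""
    return -(-size_bytes // KB)


def is_suspect(path, size_kb=SUSPECT_SIZE_KB):
    """Extension and displayed size match the write-up's description."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SUSPECT_EXTENSIONS:
        return False
    return displayed_kb(os.path.getsize(path)) == size_kb


def find_suspects(root):
    """Walk `root` and return every matching file, sorted by path.
    os.walk does not skip hidden files, so no Explorer setting is needed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_suspect(path):
                hits.append(path)
    return sorted(hits)


def group_by_mtime_date(paths):
    """Cluster hits by modification date; files dropped in one run share a date."""
    groups = defaultdict(list)
    for path in paths:
        day = datetime.fromtimestamp(os.path.getmtime(path)).date().isoformat()
        groups[day].append(path)
    return dict(groups)


def build_sample_tree():
    """Constructed sample tree (no real malware): zero-filled files laid out like
    the paths named in the write-up, with one cluster sharing a modification date."""
    root = tempfile.mkdtemp(prefix="maxtrox_demo_")
    drop_time = datetime(2009, 1, 18, 10, 0).timestamp()
    older = datetime(2008, 6, 1, 9, 0).timestamp()
    samples = [
        ("Program Files/Editor/editor.exe", 2 * KB, older),              # legitimate, wrong size
        ("Program Files/Editor/aizw.exe", 77 * KB, drop_time),           # copy beside the original
        ("Documents and Settings/user/Application Data/Microsoft/scnp.exe", 77 * KB, drop_time),
        ("Program Files/Editor/readme.txt", 77 * KB, drop_time),         # right size, wrong extension
        ("Program Files/Games/launcher.sysm", 76 * KB + 1, drop_time),   # still displays as 77 KB
        ("WINDOWS/logon.scr", 10 * KB, older),                           # legitimate screensaver
    ]
    for rel, size, mtime in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))
    return root


def demo():
    """Run the search over the sample tree; returns hit names and cluster sizes."""
    root = build_sample_tree()
    try:
        hits = find_suspects(root)
        names = [os.path.basename(h) for h in hits]
        clusters = {day: len(paths) for day, paths in group_by_mtime_date(hits).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return names, clusters


if __name__ == "__main__":
    print(demo())
```

On a real machine, call find_suspects on the drive root instead of the sample tree and look at the largest cluster from group_by_mtime_date; files that share one modification date with the copy under Application Data are the ones worth inspecting first, while a lone 77 KB screensaver with an unrelated date is probably legitimate.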


Changing the background folder WINDOWS

Just like the Batosai virus, MaxTrox changes the WINDOWS folder background display to a MaxTrox background. (see figure 4)
How to clean the virus
1. It is better to perform the cleaning in Safe Mode.
2. Terminate the virus that is active in memory. Use a task manager tool such as Itty Bitty Process Manager (you can download it at the address below)

http://majorgeeks.com/Itty_Bitty_Process_Manager_d4690.html

Kill the process of the active virus file, namely: (see figure 5)
* C:\Documents and Settings\%username%\Application Data\Microsoft\%%dsh.exe

(the virus file name is random, for example aizw.exe, scnp.exe, etc.)

3. Delete the registry strings created by the virus. To make this easier, you can use the script below.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath, DefaultValue, 0x00010001,0
[del]
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Classes\exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, VisualStyle
HKCU, Control Panel\Desktop, SCRNSAVE.EXE

Use Notepad, then save it with the name "repair.inf" (set Save As Type to All Files to avoid an error).

Run repair.inf by right-clicking it and selecting Install.

Repair.inf should be created on a clean computer, so that the virus is not active.

4. Delete the mother virus files, which have the following characteristics:
* Icon "WinRAR"
* the extensions *.exe, *.scr, *.MSD, *.sysm
* Size 77 KB

Notes
* We recommend showing hidden files in order to make searching for the virus file easier.
* To make the search easier, use Windows Search with the file filters *.exe, *.scr, *.MSD, *.sysm and a size of 77 KB.
* Delete the files; the virus files usually have the same modified date. (see picture 6)
5. Delete the virus duplicates in the folder C:\Program Files (usually a virus file accompanies an original executable file whose EXE extension has been renamed by the virus). For optimal cleaning, you should use Norman Security Suite or another updated antivirus that can recognize this virus, to make removal easier. You can use Norman Malware Cleaner for the deletion; download it at: (see figure 7)

http://download.norman.no/public/Norman_Malware_Cleaner.exe
6. Change back the extensions of the executable files in the folders under C:\Program Files that were renamed by the virus. Use a software tool to rename the extensions quickly. (see figure 8)
7. To prevent re-infection, protect your computer with an antivirus that is able to detect and eradicate this virus.
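The repair.inf in step 3 restores a fixed list of values and deletes four others, which makes it usable as a baseline for checking whether a machine has been tampered with before (or after) running it. The script below is an added example, not code from the original write-up or from Vaksincom or Norman: it parses the text that `reg export` produces and reports every value that differs from what the .inf would write back, plus every value the .inf would delete that is still present. The registry export embedded in it is constructed for the demonstration; the hijacked paths in it are placeholders modelled on the random-name pattern described in step 2, not values taken from a real infection.

```python
import re

CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"
HKLM_ADVANCED = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKCU_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Values the repair.inf writes back: (key, value name) -> data; "" is the key's default value.
BASELINE = {
    (CLASSES + r"\batfile\shell\open\command", ""): '"%1" %*',
    (CLASSES + r"\comfile\shell\open\command", ""): '"%1" %*',
    (CLASSES + r"\exefile\shell\open\command", ""): '"%1" %*',
    (CLASSES + r"\piffile\shell\open\command", ""): '"%1" %*',
    (CLASSES + r"\scrfile\shell\open\command", ""): '"%1" %*',
    (CLASSES + r"\regfile\shell\open\command", ""): 'regedit.exe "%1"',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (HKCU_ADVANCED, "ShowSuperHidden"): 1,
    (HKLM_ADVANCED + r"\Folder\SuperHidden", "CheckedValue"): 0,
    (HKLM_ADVANCED + r"\Folder\SuperHidden", "DefaultValue"): 0,
    (HKLM_ADVANCED + r"\Folder\ShowFullPath", "DefaultValue"): 0,
}

# Values the repair.inf deletes outright: if present, that is a finding by itself.
MUST_BE_ABSENT = [
    (r"HKEY_CLASSES_ROOT\exefile", "NeverShowExt"),
    (CLASSES + r"\exefile", "NeverShowExt"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VisualStyle"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "SCRNSAVE.EXE"),
]

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers, @= default
    values, "name"="string" and "name"=dword:hex. Other data types are kept as raw text."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name = "" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        if data.startswith("dword:"):
            values[(key, name)] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            values[(key, name)] = _unquote(data)
        else:
            values[(key, name)] = data
    return values


def audit(values):
    """Compare parsed values against the repair.inf baseline. Registry names are
    case-insensitive, so lookups are lowercased. Returns (kind, key, name, actual, expected)."""
    lookup = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    findings = []
    for (key, name), expected in BASELINE.items():
        actual = lookup.get((key.lower(), name.lower()))
        if actual is not None and actual != expected:
            findings.append(("modified", key, name, actual, expected))
    for key, name in MUST_BE_ABSENT:
        actual = lookup.get((key.lower(), name.lower()))
        if actual is not None:
            findings.append(("should_be_absent", key, name, actual, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2]))


# Constructed export (not from a real machine): two hijacks, two values that should not
# exist, and two untouched keys. The paths are placeholders in the step-2 pattern.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\Microsoft\\aizw.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualStyle"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\aizw.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\random_name.scr"
'''


if __name__ == "__main__":
    for kind, key, name, actual, expected in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{kind}: [{key}] {name or '(Default)'} = {actual!r} (expected {expected!r})")
```

Run it against a live machine by exporting the keys named in the baseline with `reg export` and passing the file contents to parse_reg_export; a finding of kind "modified" on one of the shell\open\command keys means the file association is still hijacked, and a "should_be_absent" finding means a start-up or screensaver entry the .inf would remove is still in place.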

Saturday, January 3, 2009

Kaspersky Anti-Virus Update

Updated on January 3, 2009. This is a special update application to install the latest virus databases and various fixes for AntiViral Toolkit Pro for Windows 95/98/NT Version 3.0.129 and above.

It is essential to update antivirus databases on a regular basis. If you do not do this, your antivirus program will not detect new malicious programs. This update detects not only malicious programs or software, but also others which are potentially harmful, like:

- Adware
- Remote administration programs
- Utilities which can be used by malicious programs or users


Daily - contains all updates and modifications released during the current week. The current week starts from the previous Friday, when the last weekly update was released. It is placed on the update server every hour. You should download daily.zip if you update your antivirus databases at least once a week.

Previous week's updates - contains all updates and modifications released during the previous week (a full version of the week's daily.zip). It is placed on the server once a week, on Friday. When this file is placed on the server, it will cause the size of daily.zip to be equal to zero. You should download this file if you update your antivirus databases less than once a week, but more often than once every two weeks.

Complete update - contains all the updates and modifications released up to the time of the previous week's update. It is placed on the server at the same time as the new weekly.zip. You should download this file if you have not updated your antivirus databases in the last two weeks.

NOTE: After the archives have been downloaded, unpack them to a separate folder on a disk. If you have downloaded several archives, unpack them in the following order: first av-i386-cumul.zip, then av-i386-weekly.zip and last av-i386-daily.zip. When unpacking, click Yes when prompted to replace files with the same name.

After the archives have been unpacked, launch the automatic update of the anti-virus database, defining the folder with the unpacked archives as the update source in the anti-virus database update task.


External Mirror 1 - Daily [ZIP]
External Mirror 2 - Daily [ZIP]
External Mirror 3 - Weekly [ZIP]
External Mirror 4 - Weekly [ZIP]
External Mirror 5 - Cumul [ZIP]
External Mirror 6 - Cumul [ZIP]